patches.lists.linux.dev archive mirror
* [PATCH 5.4 000/224] 5.4.301-rc1 review
@ 2025-10-27 18:32 Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 001/224] scsi: target: target_core_configfs: Add length check to avoid buffer overflow Greg Kroah-Hartman
                   ` (231 more replies)
  0 siblings, 232 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
	shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr

This is the start of the stable review cycle for the 5.4.301 release.
There are 224 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 29 Oct 2025 18:34:15 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.301-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.4.301-rc1

Zhengchao Shao <shaozhengchao@huawei.com>
    net: rtnetlink: fix module reference count leak issue in rtnetlink_rcv_msg

Arnd Bergmann <arnd@arndb.de>
    media: s5p-mfc: remove an unused/uninitialized variable

Sergey Bashirov <sergeybashirov@gmail.com>
    NFSD: Fix last write offset handling in layoutcommit

Sergey Bashirov <sergeybashirov@gmail.com>
    NFSD: Minor cleanup in layoutcommit processing

Xiao Liang <shaw.leon@gmail.com>
    padata: Reset next CPU when reorder sequence wraps around

Eric Biggers <ebiggers@kernel.org>
    KEYS: trusted_tpm1: Compare HMAC values in constant time

Chuck Lever <chuck.lever@oracle.com>
    NFSD: Define a proc_layoutcommit for the FlexFiles layout type

Jan Kara <jack@suse.cz>
    vfs: Don't leak disconnected dentries on umount

Zhang Yi <yi.zhang@huawei.com>
    jbd2: ensure that all ongoing I/O complete before freeing blocks

Deepanshu Kartikey <kartikey406@gmail.com>
    ext4: detect invalid INLINE_DATA + EXTENTS flag combination

Gui-Dong Han <hanguidong02@gmail.com>
    drm/amdgpu: use atomic functions with memory barriers for vm fault info

Theodore Ts'o <tytso@mit.edu>
    ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()

Pratyush Yadav <pratyush@kernel.org>
    spi: cadence-quadspi: Flush posted register writes before DAC access

Pratyush Yadav <pratyush@kernel.org>
    spi: cadence-quadspi: Flush posted register writes before INDAC access

Zhen Ni <zhen.ni@easystack.cn>
    memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe

Krzysztof Kozlowski <krzk@kernel.org>
    memory: samsung: exynos-srom: Correct alignment

Mark Rutland <mark.rutland@arm.com>
    arm64: errata: Apply workarounds for Neoverse-V3AE

Mark Rutland <mark.rutland@arm.com>
    arm64: cputype: Add Neoverse-V3AE definitions

Deepanshu Kartikey <kartikey406@gmail.com>
    comedi: fix divide-by-zero in comedi_buf_munge()

Alice Ryhl <aliceryhl@google.com>
    binder: remove "invalid inc weak" check

Mathias Nyman <mathias.nyman@linux.intel.com>
    xhci: dbc: enable back DbC in resume if it was enabled before suspend

Tim Guttzeit <t.guttzeit@tuxedocomputers.com>
    usb/core/quirks: Add Huawei ME906S to wakeup quirk

LI Qingwu <Qing-wu.Li@leica-geosystems.com.cn>
    USB: serial: option: add Telit FN920C04 ECM compositions

Reinhard Speyerer <rspmn@arcor.de>
    USB: serial: option: add Quectel RG255C

Renjun Wang <renjunw0@foxmail.com>
    USB: serial: option: add UNISOC UIS7720

Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
    net: ravb: Ensure memory write completes before ringing TX doorbell

Michal Pecio <michal.pecio@gmail.com>
    net: usb: rtl8150: Fix frame padding

Deepanshu Kartikey <kartikey406@gmail.com>
    ocfs2: clear extent cache after moving/defragmenting extents

Maciej W. Rozycki <macro@orcam.me.uk>
    MIPS: Malta: Fix keyboard resource preventing i8042 driver from registering

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Revert "cpuidle: menu: Avoid discarding useful information"

Tonghao Zhang <tonghao@bamaicloud.com>
    net: bonding: fix possible peer notify event loss or dup issue

Alexey Simakov <bigalex934@gmail.com>
    sctp: avoid NULL dereference when chunk data buffer is missing

Huang Ying <ying.huang@linux.alibaba.com>
    arm64, mm: avoid always making PTE dirty in pte_mkwrite()

Wei Fang <wei.fang@nxp.com>
    net: enetc: correct the value of ENETC_RXB_TRUESIZE

Johannes Wiesböck <johannes.wiesboeck@aisec.fraunhofer.de>
    rtnetlink: Allow deleting FDB entries in user namespace

Nikolay Aleksandrov <razor@blackwall.org>
    net: rtnetlink: add NLM_F_BULK support to rtnl_fdb_del

Nikolay Aleksandrov <razor@blackwall.org>
    net: add ndo_fdb_del_bulk

Nikolay Aleksandrov <razor@blackwall.org>
    net: rtnetlink: add bulk delete support flag

Nikolay Aleksandrov <razor@blackwall.org>
    net: netlink: add NLM_F_BULK delete request modifier

Nikolay Aleksandrov <razor@blackwall.org>
    net: rtnetlink: use BIT for flag values

Nikolay Aleksandrov <razor@blackwall.org>
    net: rtnetlink: add helper to extract msg type's kind

Nikolay Aleksandrov <razor@blackwall.org>
    net: rtnetlink: add msg kind names

Colin Ian King <colin.king@canonical.com>
    net: rtnetlink: remove redundant assignment to variable err

Geert Uytterhoeven <geert@linux-m68k.org>
    m68k: bitops: Fix find_*_bit() signatures

Yangtao Li <frank.li@vivo.com>
    hfsplus: return EIO when type of hidden directory mismatch in hfsplus_fill_super()

Viacheslav Dubeyko <slava@dubeyko.com>
    hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()

Alexander Aring <aahringo@redhat.com>
    dlm: check for defined force value in dlm_lockspace_release

Viacheslav Dubeyko <slava@dubeyko.com>
    hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()

Yang Chenzhi <yang.chenzhi@vivo.com>
    hfs: validate record offset in hfsplus_bmap_alloc

Viacheslav Dubeyko <slava@dubeyko.com>
    hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()

Viacheslav Dubeyko <slava@dubeyko.com>
    hfs: make proper initalization of struct hfs_find_data

Viacheslav Dubeyko <slava@dubeyko.com>
    hfs: clear offset and space out of valid records in b-tree node

Xichao Zhao <zhao.xichao@vivo.com>
    exec: Fix incorrect type for ret

Viacheslav Dubeyko <slava@dubeyko.com>
    hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()

Randy Dunlap <rdunlap@infradead.org>
    ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings

Vincent Guittot <vincent.guittot@linaro.org>
    sched/fair: Fix pelt lost idle time detection

Ingo Molnar <mingo@kernel.org>
    sched/balancing: Rename newidle_balance() => sched_balance_newidle()

Barry Song <song.bao.hua@hisilicon.com>
    sched/fair: Trivial correction of the newidle_balance() comment

Chen Yu <yu.c.chen@intel.com>
    sched: Make newidle_balance() static again

Sabrina Dubroca <sd@queasysnail.net>
    tls: don't rely on tx_work during send()

Sabrina Dubroca <sd@queasysnail.net>
    tls: always set record_type in tls_process_cmsg

Alexey Simakov <bigalex934@gmail.com>
    tg3: prevent use of uninitialized remote_adv and local_adv variables

Eric Dumazet <edumazet@google.com>
    tcp: fix tcp_tso_should_defer() vs large RTT

Raju Rangoju <Raju.Rangoju@amd.com>
    amd-xgbe: Avoid spurious link down messages during interface toggle

Dmitry Safonov <0x7f454c46@gmail.com>
    net/ip6_tunnel: Prevent perpetual tunnel growth

Yeounsu Moon <yyyynoom@gmail.com>
    net: dlink: handle dma_map_single() failure properly

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    net: dl2k: switch from 'pci_' to 'dma_' API

Thomas Fourier <fourier.thomas@gmail.com>
    media: pci: ivtv: Add missing check after DMA map

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    media: pci/ivtv: switch from 'pci_' to 'dma_' API

Jason Andryuk <jason.andryuk@amd.com>
    xen/events: Update virq_to_irq on migration

Ma Ke <make24@iscas.ac.cn>
    media: lirc: Fix error handling in lirc_register()

keliu <liuke94@huawei.com>
    media: rc: Directly use ida_free()

Kaustabh Chakraborty <kauschluss@disroot.org>
    drm/exynos: exynos7_drm_decon: remove ctx->suspended

Anderson Nascimento <anderson@allelesecurity.com>
    btrfs: avoid potential out-of-bounds in btrfs_encode_fh()

Jisheng Zhang <jszhang@kernel.org>
    pwm: berlin: Fix wrong register in suspend/resume

Thomas Fourier <fourier.thomas@gmail.com>
    media: cx18: Add missing check after DMA map

Jason Andryuk <jason.andryuk@amd.com>
    xen/events: Cleanup find_virq() return codes

Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    cramfs: Verify inode mode when loading from disk

Lichen Liu <lichliu@redhat.com>
    fs: Add 'initramfs_options' to set initramfs mount options

gaoxiang17 <gaoxiang17@xiaomi.com>
    pid: Add a judgment for ns null in pid_nr_ns

Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    minixfs: Verify inode mode when loading from disk

Yuan Chen <chenyuan@kylinos.cn>
    tracing: Fix race condition in kprobe initialization causing NULL pointer dereference

Zheng Qixing <zhengqixing@huawei.com>
    dm: fix NULL pointer dereference in __dm_suspend()

Hans de Goede <hansg@kernel.org>
    mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    mfd: intel_soc_pmic_chtdc_ti: Drop unneeded assignment for cache_type

Hans de Goede <hdegoede@redhat.com>
    mfd: intel_soc_pmic_chtdc_ti: Fix invalid regmap-config max_register value

Phillip Lougher <phillip@squashfs.org.uk>
    Squashfs: reject negative file sizes in squashfs_read_inode()

Phillip Lougher <phillip@squashfs.org.uk>
    Squashfs: add additional inode sanity checking

Edward Adam Davis <eadavis@qq.com>
    media: mc: Clear minor number before put device

Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
    mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()

Larshin Sergey <Sergey.Larshin@kaspersky.com>
    fs: udf: fix OOB read in lengthAllocDescs handling

Sean Christopherson <seanjc@google.com>
    KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O

Nalivayko Sergey <Sergey.Nalivayko@kaspersky.com>
    net/9p: fix double req put in p9_fd_cancelled

Ahmet Eray Karadag <eraykrdg1@gmail.com>
    ext4: guard against EA inode refcount underflow in xattr update

Ojaswin Mujoo <ojaswin@linux.ibm.com>
    ext4: correctly handle queries for metadata mappings

Yongjian Sun <sunyongjian1@huawei.com>
    ext4: increase i_disksize to offset + len in ext4_update_disksize_before_punch()

Olga Kornievskaia <okorniev@redhat.com>
    nfsd: nfserr_jukebox in nlm_fopen should lead to a retry

Sean Christopherson <seanjc@google.com>
    x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases)

Sean Christopherson <seanjc@google.com>
    x86/umip: Check that the instruction opcode is at least two bytes

Siddharth Vadapalli <s-vadapalli@ti.com>
    PCI: keystone: Use devm_request_irq() to free "ks-pcie-error-irq" on exit

Niklas Schnelle <schnelle@linux.ibm.com>
    PCI/AER: Fix missing uevent on recovery when a reset is requested

Niklas Schnelle <schnelle@linux.ibm.com>
    PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV

Sean Christopherson <seanjc@google.com>
    rseq/selftests: Use weak symbol reference, not definition, to link with glibc

Esben Haabendal <esben@geanix.com>
    rtc: interface: Fix long-standing race when setting alarm

Esben Haabendal <esben@geanix.com>
    rtc: interface: Ensure alarm irq is enabled when UIE is enabled

Rex Chen <rex.chen_1@nxp.com>
    mmc: core: SPI mode remove cmd7

Linus Walleij <linus.walleij@linaro.org>
    mtd: rawnand: fsmc: Default to autodetect buswidth

Ma Ke <make24@iscas.ac.cn>
    sparc: fix error handling in scan_one_device()

Anthony Yznaga <anthony.yznaga@oracle.com>
    sparc64: fix hugetlb for sun4u

Eric Biggers <ebiggers@kernel.org>
    sctp: Fix MAC comparison to be constant-time

Thorsten Blum <thorsten.blum@linux.dev>
    scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()

Sam James <sam@gentoo.org>
    parisc: don't reference obsolete termio struct for TC* constants

Johan Hovold <johan@kernel.org>
    lib/genalloc: fix device leak in of_gen_pool_get()

Michael Hennerich <michael.hennerich@analog.com>
    iio: frequency: adf4350: Fix prescaler usage.

Qianfeng Rong <rongqianfeng@vivo.com>
    iio: dac: ad5421: use int type to store negative error codes

Qianfeng Rong <rongqianfeng@vivo.com>
    iio: dac: ad5360: use int type to store negative error codes

Thomas Fourier <fourier.thomas@gmail.com>
    crypto: atmel - Fix dma_unmap_sg() direction

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()

Shuhao Fu <sfual@cse.ust.hk>
    drm/nouveau: fix bad ret code in nouveau_bo_move_prep

Qianfeng Rong <rongqianfeng@vivo.com>
    media: i2c: mt9v111: fix incorrect type for ret

Johan Hovold <johan@kernel.org>
    firmware: meson_sm: fix device leak at probe

Lukas Wunner <lukas@wunner.de>
    xen/manage: Fix suspend error path

Stephan Gerhold <stephan.gerhold@linaro.org>
    arm64: dts: qcom: msm8916: Add missing MDSS reset

Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
    ACPI: debug: fix signedness issues in read/write helpers

Daniel Tang <danielzgtg.opensource@gmail.com>
    ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT

Gunnar Kudrjavets <gunnarku@amazon.com>
    tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single

Lino Sanfilippo <l.sanfilippo@kunbus.com>
    tpm, tpm_tis: Claim locality before writing interrupt registers

Herbert Xu <herbert@gondor.apana.org.au>
    crypto: essiv - Check ssize for decryption and in-place encryption

Harini T <harini.t@amd.com>
    mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes

Harini T <harini.t@amd.com>
    mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call

Leo Yan <leo.yan@arm.com>
    tools build: Align warning options with perf

Erick Karanja <karanja99erick@gmail.com>
    net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe

Kuniyuki Iwashima <kuniyu@google.com>
    tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().

Alexandr Sapozhnikov <alsp705@gmail.com>
    net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()

Ian Forbes <ian.forbes@broadcom.com>
    drm/vmwgfx: Fix Use-after-free in validation

Dan Carpenter <dan.carpenter@linaro.org>
    net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()

Duoming Zhou <duoming@zju.edu.cn>
    scsi: mvsas: Fix use-after-free bugs in mvs_work_queue

John Garry <john.garry@huawei.com>
    scsi: mvsas: Use sas_task_find_rq() for tagging

John Garry <john.garry@huawei.com>
    scsi: mvsas: Delete mvs_tag_init()

John Garry <john.garry@huawei.com>
    scsi: libsas: Add sas_task_find_rq()

Alok Tiwari <alok.a.tiwari@oracle.com>
    clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver

Brian Masney <bmasney@redhat.com>
    clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()

Leo Yan <leo.yan@arm.com>
    perf session: Fix handling when buffer exceeds 2 GiB

Rob Herring (Arm) <robh@kernel.org>
    rtc: x1205: Fix Xicor X1205 vendor prefix

Yunseong Kim <ysk@kzalloc.com>
    perf util: Fix compression checks returning -1 as bool

Michael Hennerich <michael.hennerich@analog.com>
    iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE

Zhen Ni <zhen.ni@easystack.cn>
    clocksource/drivers/clps711x: Fix resource leaks in error paths

Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
    pinctrl: check the return value of pinmux_ops::get_function_name()

Zhen Ni <zhen.ni@easystack.cn>
    Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak

Yang Shi <yang@os.amperecomputing.com>
    mm: hugetlb: avoid soft lockup when mprotect to large memory area

Naman Jain <namjain@linux.microsoft.com>
    uio_hv_generic: Let userspace take care of interrupt mask

Phillip Lougher <phillip@squashfs.org.uk>
    Squashfs: fix uninit-value in squashfs_get_parent

Jakub Kicinski <kuba@kernel.org>
    Revert "net/mlx5e: Update and set Xon/Xoff upon MTU set"

Kohei Enju <enjuk@amazon.com>
    net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not configurable

Kohei Enju <enjuk@amazon.com>
    nfp: fix RSS hash key size when RSS is not supported

Donet Tom <donettom@linux.ibm.com>
    drivers/base/node: fix double free in register_one_node()

Dan Carpenter <dan.carpenter@linaro.org>
    ocfs2: fix double free in user_cluster_connect()

I Viswanath <viswanathiyyappan@gmail.com>
    net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast

Bernard Metzler <bernard.metzler@linux.dev>
    RDMA/siw: Always report immediate post SQ errors

Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
    usb: vhci-hcd: Prevent suspending virtually attached devices

Ranjan Kumar <ranjan.kumar@broadcom.com>
    scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()

Slavin Liu <slavin452@gmail.com>
    ipvs: Defer ip_vs_ftp unregister during netns cleanup

Anthony Iliopoulos <ailiop@suse.com>
    NFSv4.1: fix backchannel max_resp_sz verification check

Stephan Gerhold <stephan.gerhold@linaro.org>
    remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice

Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
    sparc: fix accurate exception reporting in copy_{from,to}_user for M7

Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
    sparc: fix accurate exception reporting in copy_to_user for Niagara 4

Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
    sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara

Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
    sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III

Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
    sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC

Baochen Qiang <baochen.qiang@oss.qualcomm.com>
    wifi: ath10k: avoid unnecessary wait for service ready message

Vlad Dumitrescu <vdumitrescu@nvidia.com>
    IB/sa: Fix sa_local_svc_timeout_ms read race

Parav Pandit <parav@nvidia.com>
    RDMA/core: Resolve MAC of next-hop device without ARP support

Abdun Nihaal <abdun.nihaal@gmail.com>
    wifi: mt76: fix potential memory leak in mt76_wmac_probe()

Donet Tom <donettom@linux.ibm.com>
    drivers/base/node: handle error properly in register_one_node()

Christophe Leroy <christophe.leroy@csgroup.eu>
    watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the watchdog

Zhen Ni <zhen.ni@easystack.cn>
    netfilter: ipset: Remove unused htable_bits in macro ahash_region

Hans de Goede <hansg@kernel.org>
    iio: consumers: Fix offset handling in iio_convert_raw_to_processed()

Takashi Iwai <tiwai@suse.de>
    ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping

Takashi Iwai <tiwai@suse.de>
    ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping

Takashi Iwai <tiwai@suse.de>
    ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping

Wang Liang <wangliang74@huawei.com>
    pps: fix warning in pps_register_cdev when register device fail

Colin Ian King <colin.i.king@gmail.com>
    misc: genwqe: Fix incorrect cmd field being reported in error

William Wu <william.wu@rock-chips.com>
    usb: gadget: configfs: Correctly set use_os_string at bind

Xichao Zhao <zhao.xichao@vivo.com>
    usb: phy: twl6030: Fix incorrect type for ret

Eric Dumazet <edumazet@google.com>
    tcp: fix __tcp_close() to only send RST when required

Alok Tiwari <alok.a.tiwari@oracle.com>
    PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation

Stefan Kerkmann <s.kerkmann@pengutronix.de>
    wifi: mwifiex: send world regulatory domain to driver

Qianfeng Rong <rongqianfeng@vivo.com>
    ALSA: lx_core: use int type to store negative error codes

Zhang Shurong <zhang_shurong@foxmail.com>
    media: rj54n1cb0c: Fix memleak in rj54n1_probe()

Thomas Fourier <fourier.thomas@gmail.com>
    scsi: myrs: Fix dma_alloc_coherent() error check

Niklas Cassel <cassel@kernel.org>
    scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod

Dan Carpenter <dan.carpenter@linaro.org>
    serial: max310x: Add error checking in probe()

Dan Carpenter <dan.carpenter@linaro.org>
    usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup

Brahmajit Das <listout@listout.xyz>
    drm/radeon/r600_cs: clean up of dead code in r600_cs

Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
    i2c: designware: Add disabling clocks when probe fails

Leilk.Liu <leilk.liu@mediatek.com>
    i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD

Paul Chaignon <paul.chaignon@gmail.com>
    bpf: Explicitly check accesses to bpf_sock_addr

Akhilesh Patil <akhilesh@ee.iitb.ac.in>
    selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported

Uwe Kleine-König <u.kleine-koenig@baylibre.com>
    pwm: tiehrpwm: Fix corner case in clock divisor calculation

Qianfeng Rong <rongqianfeng@vivo.com>
    block: use int to store blk_stack_limits() return value

Li Nan <linan122@huawei.com>
    blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx

Da Xue <da@libre.computer>
    pinctrl: meson-gxl: add missing i2c_d pinmux

Sneh Mankad <sneh.mankad@oss.qualcomm.com>
    soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS

Huisong Li <lihuisong@huawei.com>
    ACPI: processor: idle: Fix memory leak when register cpuidle device failed

Geert Uytterhoeven <geert+renesas@glider.be>
    regmap: Remove superfluous check for !config in __regmap_init()

Uros Bizjak <ubizjak@gmail.com>
    x86/vdso: Fix output operand size of RDPID

Leo Yan <leo.yan@arm.com>
    perf: arm_spe: Prevent overflow in PERF_IDX2OFF()

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    driver core/PM: Set power.no_callbacks along with power.no_pm

Ovidiu Panait <ovidiu.panait.oss@gmail.com>
    staging: axis-fifo: flush RX FIFO on read errors

Ovidiu Panait <ovidiu.panait.oss@gmail.com>
    staging: axis-fifo: fix maximum TX packet length check

hupu <hupu.gm@gmail.com>
    perf subcmd: avoid crash in exclude_cmds when excludes is empty

Mikulas Patocka <mpatocka@redhat.com>
    dm-integrity: limit MAX_TAG_SIZE to 255

Bitterblue Smith <rtl8821cerfe2@gmail.com>
    wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188

Xiaowei Li <xiaowei.li@simcom.com>
    USB: serial: option: add SIMCom 8230C compositions

Larshin Sergey <Sergey.Larshin@kaspersky.com>
    media: rc: fix races with imon_disconnect()

Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    media: imon: grab lock earlier in imon_ir_change_protocol()

Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    media: imon: reorganize serialization

Flavius Georgescu <pretoriano.mp@gmail.com>
    media: rc: Add support for another iMON 0xffdc device

Duoming Zhou <duoming@zju.edu.cn>
    media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe

Duoming Zhou <duoming@zju.edu.cn>
    media: tuner: xc5000: Fix use-after-free in xc5000_release

Ricardo Ribalda <ribalda@chromium.org>
    media: tunner: xc5000: Refactor firmware load

Kuniyuki Iwashima <kuniyu@amazon.com>
    udp: Fix memory accounting leak.

Duoming Zhou <duoming@zju.edu.cn>
    media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove

Wang Haoran <haoranwangsec@gmail.com>
    scsi: target: target_core_configfs: Add length check to avoid buffer overflow


-------------

Diffstat:

 Documentation/admin-guide/kernel-parameters.txt    |   3 +
 Documentation/arm64/silicon-errata.rst             |   2 +
 Makefile                                           |   4 +-
 arch/arm64/Kconfig                                 |   1 +
 arch/arm64/boot/dts/qcom/msm8916.dtsi              |   2 +
 arch/arm64/include/asm/cputype.h                   |   2 +
 arch/arm64/include/asm/pgtable.h                   |   3 +-
 arch/arm64/kernel/cpu_errata.c                     |   1 +
 arch/m68k/include/asm/bitops.h                     |  25 +--
 arch/mips/mti-malta/malta-setup.c                  |   2 +-
 arch/parisc/include/uapi/asm/ioctls.h              |   8 +-
 arch/sparc/kernel/of_device_32.c                   |   1 +
 arch/sparc/kernel/of_device_64.c                   |   1 +
 arch/sparc/lib/M7memcpy.S                          |  20 +--
 arch/sparc/lib/Memcpy_utils.S                      |   9 +
 arch/sparc/lib/NG4memcpy.S                         |   2 +-
 arch/sparc/lib/NGmemcpy.S                          |  29 ++--
 arch/sparc/lib/U1memcpy.S                          |  19 ++-
 arch/sparc/lib/U3memcpy.S                          |   2 +-
 arch/sparc/mm/hugetlbpage.c                        |  20 +++
 arch/x86/include/asm/kvm_emulate.h                 |   2 +-
 arch/x86/include/asm/segment.h                     |   8 +-
 arch/x86/kernel/umip.c                             |  15 +-
 arch/x86/kvm/emulate.c                             |  10 +-
 arch/x86/kvm/x86.c                                 |   9 +-
 block/blk-mq-sysfs.c                               |   6 +-
 block/blk-settings.c                               |   3 +-
 crypto/essiv.c                                     |  14 +-
 drivers/acpi/acpi_dbg.c                            |  26 +--
 drivers/acpi/acpi_tad.c                            |   3 +
 drivers/acpi/processor_idle.c                      |   3 +
 drivers/android/binder.c                           |  11 +-
 drivers/base/node.c                                |   4 +
 drivers/base/regmap/regmap.c                       |   2 +-
 drivers/char/tpm/tpm_tis_core.c                    |  26 +--
 drivers/clk/nxp/clk-lpc18xx-cgu.c                  |  20 ++-
 drivers/clocksource/clps711x-timer.c               |  23 ++-
 drivers/cpufreq/intel_pstate.c                     |   8 +-
 drivers/cpuidle/governors/menu.c                   |  21 +--
 drivers/crypto/atmel-tdes.c                        |   2 +-
 drivers/firmware/meson/meson_sm.c                  |   7 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c   |   5 +-
 drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c              |   7 +-
 drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c              |   7 +-
 drivers/gpu/drm/exynos/exynos7_drm_decon.c         |  36 ----
 drivers/gpu/drm/nouveau/nouveau_bo.c               |   2 +-
 drivers/gpu/drm/radeon/r600_cs.c                   |   4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_validation.c         |   4 +-
 drivers/i2c/busses/i2c-designware-platdrv.c        |   1 +
 drivers/i2c/busses/i2c-mt65xx.c                    |  17 +-
 drivers/iio/dac/ad5360.c                           |   2 +-
 drivers/iio/dac/ad5421.c                           |   2 +-
 drivers/iio/frequency/adf4350.c                    |  20 ++-
 drivers/iio/inkern.c                               |   2 +-
 drivers/infiniband/core/addr.c                     |  10 +-
 drivers/infiniband/core/sa_query.c                 |   6 +-
 drivers/infiniband/sw/siw/siw_verbs.c              |  25 +--
 drivers/input/misc/uinput.c                        |   1 +
 drivers/mailbox/zynqmp-ipi-mailbox.c               |   7 +-
 drivers/md/dm-integrity.c                          |   2 +-
 drivers/md/dm.c                                    |   7 +-
 drivers/media/i2c/mt9v111.c                        |   2 +-
 drivers/media/i2c/rj54n1cb0c.c                     |   9 +-
 drivers/media/i2c/tc358743.c                       |   4 +-
 drivers/media/mc/mc-devnode.c                      |   6 +-
 drivers/media/pci/b2c2/flexcop-pci.c               |   2 +-
 drivers/media/pci/cx18/cx18-queue.c                |  12 +-
 drivers/media/pci/ivtv/ivtv-driver.c               |   2 +-
 drivers/media/pci/ivtv/ivtv-irq.c                  |   2 +-
 drivers/media/pci/ivtv/ivtv-queue.c                |  18 +-
 drivers/media/pci/ivtv/ivtv-streams.c              |  22 +--
 drivers/media/pci/ivtv/ivtv-udma.c                 |  19 ++-
 drivers/media/pci/ivtv/ivtv-yuv.c                  |  18 +-
 drivers/media/platform/s5p-mfc/s5p_mfc_cmd_v6.c    |  35 ++--
 drivers/media/rc/imon.c                            | 189 +++++++++++++--------
 drivers/media/rc/lirc_dev.c                        |  15 +-
 drivers/media/rc/rc-main.c                         |   6 +-
 drivers/media/tuners/xc5000.c                      |  41 ++---
 drivers/memory/samsung/exynos-srom.c               |  32 ++--
 drivers/mfd/intel_soc_pmic_chtdc_ti.c              |   5 +-
 drivers/mfd/vexpress-sysreg.c                      |   6 +-
 drivers/misc/genwqe/card_ddcb.c                    |   2 +-
 drivers/mmc/core/sdio.c                            |   6 +-
 drivers/mtd/nand/raw/fsmc_nand.c                   |   6 +-
 drivers/mtd/spi-nor/cadence-quadspi.c              |   5 +
 drivers/net/bonding/bond_main.c                    |  40 ++---
 drivers/net/ethernet/amazon/ena/ena_ethtool.c      |   5 +-
 drivers/net/ethernet/amd/xgbe/xgbe-drv.c           |   1 -
 drivers/net/ethernet/amd/xgbe/xgbe-mdio.c          |   1 +
 drivers/net/ethernet/broadcom/tg3.c                |   5 +-
 drivers/net/ethernet/dlink/dl2k.c                  |  99 ++++++-----
 drivers/net/ethernet/freescale/enetc/enetc.h       |   2 +-
 drivers/net/ethernet/freescale/fsl_pq_mdio.c       |   2 +
 drivers/net/ethernet/mellanox/mlx4/en_netdev.c     |   2 +-
 .../ethernet/mellanox/mlx5/core/en/port_buffer.h   |  12 --
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c  |  17 +-
 .../net/ethernet/netronome/nfp/nfp_net_ethtool.c   |   2 +-
 drivers/net/ethernet/renesas/ravb_main.c           |   8 +
 drivers/net/usb/rtl8150.c                          |  13 +-
 drivers/net/wireless/ath/ath10k/wmi.c              |  39 +++--
 drivers/net/wireless/marvell/mwifiex/cfg80211.c    |   7 +-
 drivers/net/wireless/mediatek/mt76/mt7603/soc.c    |   2 +-
 .../net/wireless/realtek/rtlwifi/rtl8192cu/sw.c    |   1 -
 drivers/pci/controller/dwc/pci-keystone.c          |   4 +-
 drivers/pci/controller/pci-tegra.c                 |   2 +-
 drivers/pci/iov.c                                  |   5 +
 drivers/pci/pci-driver.c                           |   1 +
 drivers/perf/arm_spe_pmu.c                         |   3 +-
 drivers/pinctrl/meson/pinctrl-meson-gxl.c          |  10 ++
 drivers/pinctrl/pinmux.c                           |   2 +-
 drivers/pps/kapi.c                                 |   5 +-
 drivers/pps/pps.c                                  |   5 +-
 drivers/pwm/pwm-berlin.c                           |   4 +-
 drivers/pwm/pwm-tiehrpwm.c                         |   4 +-
 drivers/remoteproc/qcom_q6v5.c                     |   3 -
 drivers/rtc/interface.c                            |  27 +++
 drivers/rtc/rtc-x1205.c                            |   2 +-
 drivers/scsi/hpsa.c                                |  21 ++-
 drivers/scsi/mpt3sas/mpt3sas_transport.c           |   8 +-
 drivers/scsi/mvsas/mv_defs.h                       |   1 +
 drivers/scsi/mvsas/mv_init.c                       |  13 +-
 drivers/scsi/mvsas/mv_sas.c                        |  42 ++---
 drivers/scsi/mvsas/mv_sas.h                        |   8 +-
 drivers/scsi/myrs.c                                |   8 +-
 drivers/scsi/pm8001/pm8001_sas.c                   |   9 +-
 drivers/soc/qcom/rpmh-rsc.c                        |   7 +-
 drivers/staging/axis-fifo/axis-fifo.c              |  32 ++--
 drivers/staging/comedi/comedi_buf.c                |   2 +-
 drivers/target/target_core_configfs.c              |   2 +-
 drivers/tty/serial/max310x.c                       |   2 +
 drivers/uio/uio_hv_generic.c                       |   7 +-
 drivers/usb/core/quirks.c                          |   2 +
 drivers/usb/gadget/configfs.c                      |   2 +
 drivers/usb/host/max3421-hcd.c                     |   2 +-
 drivers/usb/host/xhci-dbgcap.c                     |   9 +-
 drivers/usb/phy/phy-twl6030-usb.c                  |   3 +-
 drivers/usb/serial/option.c                        |  16 ++
 drivers/usb/usbip/vhci_hcd.c                       |  22 +++
 drivers/watchdog/mpc8xxx_wdt.c                     |   2 +
 drivers/xen/events/events_base.c                   |  25 ++-
 drivers/xen/manage.c                               |   3 +-
 fs/btrfs/export.c                                  |   8 +-
 fs/cramfs/inode.c                                  |  11 +-
 fs/dcache.c                                        |   2 +
 fs/dlm/lockspace.c                                 |   2 +-
 fs/exec.c                                          |   2 +-
 fs/ext4/fsmap.c                                    |  14 +-
 fs/ext4/inode.c                                    |  18 +-
 fs/ext4/super.c                                    |  10 +-
 fs/ext4/xattr.c                                    |  15 +-
 fs/hfs/bfind.c                                     |   8 +-
 fs/hfs/brec.c                                      |  27 ++-
 fs/hfs/mdb.c                                       |   2 +-
 fs/hfsplus/bfind.c                                 |   8 +-
 fs/hfsplus/bnode.c                                 |  41 -----
 fs/hfsplus/btree.c                                 |   6 +
 fs/hfsplus/hfsplus_fs.h                            |  42 +++++
 fs/hfsplus/super.c                                 |  25 ++-
 fs/hfsplus/unicode.c                               |  24 +++
 fs/jbd2/transaction.c                              |  13 +-
 fs/minix/inode.c                                   |   8 +-
 fs/namespace.c                                     |  11 +-
 fs/nfs/nfs4proc.c                                  |   2 +-
 fs/nfsd/blocklayout.c                              |   5 +-
 fs/nfsd/flexfilelayout.c                           |   8 +
 fs/nfsd/lockd.c                                    |  15 ++
 fs/nfsd/nfs4proc.c                                 |  34 ++--
 fs/ocfs2/move_extents.c                            |   5 +
 fs/ocfs2/stack_user.c                              |   1 +
 fs/squashfs/inode.c                                |  31 +++-
 fs/squashfs/squashfs_fs_i.h                        |   2 +-
 fs/udf/inode.c                                     |   3 +
 include/linux/device.h                             |   3 +
 include/linux/iio/frequency/adf4350.h              |   2 +-
 include/linux/netdevice.h                          |   9 +
 include/net/ip_tunnels.h                           |  15 ++
 include/net/rtnetlink.h                            |  16 +-
 include/scsi/libsas.h                              |  18 ++
 include/uapi/linux/netlink.h                       |   1 +
 kernel/padata.c                                    |   6 +-
 kernel/pid.c                                       |   2 +-
 kernel/sched/fair.c                                |  38 +++--
 kernel/sched/sched.h                               |   4 -
 kernel/trace/trace_kprobe.c                        |  11 +-
 kernel/trace/trace_probe.h                         |   9 +-
 kernel/trace/trace_uprobe.c                        |  12 +-
 lib/genalloc.c                                     |   5 +-
 mm/hugetlb.c                                       |   2 +
 net/9p/trans_fd.c                                  |   8 +-
 net/core/filter.c                                  |  16 +-
 net/core/rtnetlink.c                               |  89 +++++++---
 net/ipv4/ip_tunnel.c                               |  14 --
 net/ipv4/tcp.c                                     |   9 +-
 net/ipv4/tcp_input.c                               |   1 -
 net/ipv4/tcp_output.c                              |  19 ++-
 net/ipv4/udp.c                                     |  16 +-
 net/ipv6/ip6_tunnel.c                              |   3 +-
 net/netfilter/ipset/ip_set_hash_gen.h              |   8 +-
 net/netfilter/ipvs/ip_vs_ftp.c                     |   4 +-
 net/sctp/inqueue.c                                 |  13 +-
 net/sctp/sm_make_chunk.c                           |   3 +-
 net/sctp/sm_statefuns.c                            |   6 +-
 net/tls/tls_main.c                                 |   7 +-
 net/tls/tls_sw.c                                   |  13 ++
 security/keys/trusted.c                            |   7 +-
 sound/firewire/amdtp-stream.h                      |   2 +-
 sound/pci/lx6464es/lx_core.c                       |   4 +-
 sound/soc/intel/boards/bytcht_es8316.c             |  20 ++-
 sound/soc/intel/boards/bytcr_rt5640.c              |   7 +-
 sound/soc/intel/boards/bytcr_rt5651.c              |  26 ++-
 tools/build/feature/Makefile                       |   4 +-
 tools/lib/subcmd/help.c                            |   3 +
 tools/perf/util/lzma.c                             |   2 +-
 tools/perf/util/session.c                          |   2 +-
 tools/perf/util/zlib.c                             |   2 +-
 tools/testing/selftests/rseq/rseq.c                |   8 +-
 tools/testing/selftests/watchdog/watchdog-test.c   |   6 +
 217 files changed, 1530 insertions(+), 941 deletions(-)




* [PATCH 5.4 001/224] scsi: target: target_core_configfs: Add length check to avoid buffer overflow
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 002/224] media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove Greg Kroah-Hartman
                   ` (230 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Wang Haoran, ziiiro,
	Martin K. Petersen

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wang Haoran <haoranwangsec@gmail.com>

commit 27e06650a5eafe832a90fd2604f0c5e920857fae upstream.

A buffer overflow arises from the usage of snprintf to write into the
buffer "buf" in the target_lu_gp_members_show function located in
/drivers/target/target_core_configfs.c. This buffer is allocated with
size LU_GROUP_NAME_BUF (256 bytes).

snprintf(...) formats multiple strings into buf: the HBA name
(hba->hba_group.cg_item), a slash character, a device name
(dev->dev_group.cg_item) and a newline character. The total formatted
string length may exceed the buffer size of 256 bytes.

Since snprintf() returns the total number of bytes that would have been
written (the length of %s/%s\n), this value may exceed the buffer length
(256 bytes) passed to memcpy(). This will ultimately cause memcpy() to
report a buffer overflow error.

An additional check of the return value of snprintf() can avoid this
buffer overflow.

Reported-by: Wang Haoran <haoranwangsec@gmail.com>
Reported-by: ziiiro <yuanmingbuaa@gmail.com>
Signed-off-by: Wang Haoran <haoranwangsec@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/target/target_core_configfs.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/target/target_core_configfs.c
+++ b/drivers/target/target_core_configfs.c
@@ -2563,7 +2563,7 @@ static ssize_t target_lu_gp_members_show
 			config_item_name(&dev->dev_group.cg_item));
 		cur_len++; /* Extra byte for NULL terminator */
 
-		if ((cur_len + len) > PAGE_SIZE) {
+		if ((cur_len + len) > PAGE_SIZE || cur_len > LU_GROUP_NAME_BUF) {
 			pr_warn("Ran out of lu_gp_show_attr"
 				"_members buffer\n");
 			break;
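
Review bot: the new cur_len > LU_GROUP_NAME_BUF test shares one branch with the PAGE_SIZE test, so an overlong single entry logs the same "Ran out of lu_gp_show_attr_members buffer" warning as a full output page and takes the same break out of the loop. Consider a separate warning for the per-entry case so the two conditions can be told apart in logs, and a short comment that the comparison is made after cur_len++, so a value equal to LU_GROUP_NAME_BUF is still accepted.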


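The snprintf() return-value behaviour described in the commit message above, as an added userspace example (not code from the patch or the kernel). The names append_member, try_name and PAGE_BYTES, the 4096-byte page and the sample names are assumptions; the over-read is recorded rather than performed.

```c
#include <stdio.h>
#include <string.h>

#define LU_GROUP_NAME_BUF 256    /* scratch buffer size, from the commit message */
#define PAGE_BYTES        4096   /* stand-in for PAGE_SIZE (assumed value) */

struct append_result {
    int cur_len;    /* snprintf() return value plus one for the terminator */
    int rejected;   /* 1 if the length check stopped the copy */
    int overread;   /* 1 if memcpy() would have read past the scratch buffer */
};

/*
 * Userspace model of one loop iteration: format "hba/dev\n" into a fixed
 * scratch buffer, then append it to the output page.
 * patched == 0 applies only the page-size test (pre-patch condition);
 * patched == 1 also applies the cur_len > LU_GROUP_NAME_BUF test.
 */
static struct append_result append_member(char *page, size_t *len,
                                          const char *hba, const char *dev,
                                          int patched)
{
    char buf[LU_GROUP_NAME_BUF];
    struct append_result r = {0, 0, 0};

    /* snprintf() returns the length the full string needs, not what it stored. */
    r.cur_len = snprintf(buf, sizeof(buf), "%s/%s\n", hba, dev);
    r.cur_len++;    /* extra byte for the terminator, as in the driver */

    if ((size_t)r.cur_len + *len > PAGE_BYTES ||
        (patched && r.cur_len > LU_GROUP_NAME_BUF)) {
        r.rejected = 1;
        return r;
    }

    if ((size_t)r.cur_len > sizeof(buf)) {
        /* Pre-patch code would memcpy() cur_len bytes out of buf here.
         * Record the over-read instead of performing it. */
        r.overread = 1;
        return r;
    }

    memcpy(page + *len, buf, (size_t)r.cur_len);
    *len += (size_t)r.cur_len;
    return r;
}

/* Constructed helper: one entry whose device name is dev_len bytes long. */
static struct append_result try_name(size_t dev_len, int patched)
{
    static char page[PAGE_BYTES];
    char dev[512];
    size_t len = 0;

    memset(dev, 'd', dev_len);
    dev[dev_len] = '\0';
    return append_member(page, &len, "iblock_0", dev, patched);
}

int main(void)
{
    size_t sizes[] = { 16, 245, 246, 300 };   /* constructed sample lengths */
    size_t i;

    for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        struct append_result a = try_name(sizes[i], 0);
        struct append_result b = try_name(sizes[i], 1);

        printf("dev_len=%3zu cur_len=%3d  pre-patch overread=%d  patched rejected=%d\n",
               sizes[i], a.cur_len, a.overread, b.rejected);
    }
    return 0;
}
```

The 245/246 pair marks the boundary: 255 formatted bytes plus the terminator exactly fill the 256-byte buffer, and one more byte makes snprintf() report a length larger than what it stored.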


* [PATCH 5.4 002/224] media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 001/224] scsi: target: target_core_configfs: Add length check to avoid buffer overflow Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 003/224] udp: Fix memory accounting leak Greg Kroah-Hartman
                   ` (229 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Hans Verkuil

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Duoming Zhou <duoming@zju.edu.cn>

commit 01e03fb7db419d39e18d6090d4873c1bff103914 upstream.

The original code uses cancel_delayed_work() in flexcop_pci_remove(), which
does not guarantee that the delayed work item irq_check_work has fully
completed if it was already running. This leads to use-after-free scenarios
where flexcop_pci_remove() may free the flexcop_device while irq_check_work
is still active and attempts to dereference the device.

A typical race condition is illustrated below:

CPU 0 (remove)                         | CPU 1 (delayed work callback)
flexcop_pci_remove()                   | flexcop_pci_irq_check_work()
  cancel_delayed_work()                |
  flexcop_device_kfree(fc_pci->fc_dev) |
                                       |   fc = fc_pci->fc_dev; // UAF

This is confirmed by a KASAN report:

==================================================================
BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0
Write of size 8 at addr ffff8880093aa8c8 by task bash/135
...
Call Trace:
 <IRQ>
 dump_stack_lvl+0x55/0x70
 print_report+0xcf/0x610
 ? __run_timer_base.part.0+0x7d7/0x8c0
 kasan_report+0xb8/0xf0
 ? __run_timer_base.part.0+0x7d7/0x8c0
 __run_timer_base.part.0+0x7d7/0x8c0
 ? __pfx___run_timer_base.part.0+0x10/0x10
 ? __pfx_read_tsc+0x10/0x10
 ? ktime_get+0x60/0x140
 ? lapic_next_event+0x11/0x20
 ? clockevents_program_event+0x1d4/0x2a0
 run_timer_softirq+0xd1/0x190
 handle_softirqs+0x16a/0x550
 irq_exit_rcu+0xaf/0xe0
 sysvec_apic_timer_interrupt+0x70/0x80
 </IRQ>
...

Allocated by task 1:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0x7f/0x90
 __kmalloc_noprof+0x1be/0x460
 flexcop_device_kmalloc+0x54/0xe0
 flexcop_pci_probe+0x1f/0x9d0
 local_pci_probe+0xdc/0x190
 pci_device_probe+0x2fe/0x470
 really_probe+0x1ca/0x5c0
 __driver_probe_device+0x248/0x310
 driver_probe_device+0x44/0x120
 __driver_attach+0xd2/0x310
 bus_for_each_dev+0xed/0x170
 bus_add_driver+0x208/0x500
 driver_register+0x132/0x460
 do_one_initcall+0x89/0x300
 kernel_init_freeable+0x40d/0x720
 kernel_init+0x1a/0x150
 ret_from_fork+0x10c/0x1a0
 ret_from_fork_asm+0x1a/0x30

Freed by task 135:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3a/0x60
 __kasan_slab_free+0x3f/0x50
 kfree+0x137/0x370
 flexcop_device_kfree+0x32/0x50
 pci_device_remove+0xa6/0x1d0
 device_release_driver_internal+0xf8/0x210
 pci_stop_bus_device+0x105/0x150
 pci_stop_and_remove_bus_device_locked+0x15/0x30
 remove_store+0xcc/0xe0
 kernfs_fop_write_iter+0x2c3/0x440
 vfs_write+0x871/0xd70
 ksys_write+0xee/0x1c0
 do_syscall_64+0xac/0x280
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
...

Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the delayed work item is properly canceled and any executing delayed
work has finished before the device memory is deallocated.

This bug was initially identified through static analysis. To reproduce
and test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced
artificial delays within the flexcop_pci_irq_check_work() function to
increase the likelihood of triggering the bug.

Fixes: 382c5546d618 ("V4L/DVB (10694): [PATCH] software IRQ watchdog for Flexcop B2C2 DVB PCI cards")
Cc: stable@vger.kernel.org
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/pci/b2c2/flexcop-pci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/pci/b2c2/flexcop-pci.c
+++ b/drivers/media/pci/b2c2/flexcop-pci.c
@@ -411,7 +411,7 @@ static void flexcop_pci_remove(struct pc
 	struct flexcop_pci *fc_pci = pci_get_drvdata(pdev);
 
 	if (irq_chk_intv > 0)
-		cancel_delayed_work(&fc_pci->irq_check_work);
+		cancel_delayed_work_sync(&fc_pci->irq_check_work);
 
 	flexcop_pci_dma_exit(fc_pci);
 	flexcop_device_exit(fc_pci->fc_dev);
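
Review bot: the synchronous cancel is still guarded by irq_chk_intv > 0, evaluated at remove time. If that value can change after the work was queued, the work is never cancelled and flexcop_device_exit(fc_pci->fc_dev) below runs with the work item still live. If the work item is always initialised, calling cancel_delayed_work_sync() unconditionally would close that gap; otherwise a comment stating why the guard cannot differ between queueing and removal would help.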




* [PATCH 5.4 003/224] udp: Fix memory accounting leak.
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 001/224] scsi: target: target_core_configfs: Add length check to avoid buffer overflow Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 002/224] media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 004/224] media: tunner: xc5000: Refactor firmware load Greg Kroah-Hartman
                   ` (228 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Matt Dowling, Kuniyuki Iwashima,
	Willem de Bruijn, Jakub Kicinski, Yifei Liu

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kuniyuki Iwashima <kuniyu@amazon.com>

commit df207de9d9e7a4d92f8567e2c539d9c8c12fd99d upstream.

Matt Dowling reported a weird UDP memory usage issue.

Under normal operation, the UDP memory usage reported in /proc/net/sockstat
remains close to zero.  However, it occasionally spiked to 524,288 pages
and never dropped.  Moreover, the value doubled when the application was
terminated.  Finally, it caused intermittent packet drops.

We can reproduce the issue with the script below [0]:

  1. /proc/net/sockstat reports 0 pages

    # cat /proc/net/sockstat | grep UDP:
    UDP: inuse 1 mem 0

  2. Run the script till the report reaches 524,288

    # python3 test.py & sleep 5
    # cat /proc/net/sockstat | grep UDP:
    UDP: inuse 3 mem 524288  <-- (INT_MAX + 1) >> PAGE_SHIFT

  3. Kill the socket and confirm the number never drops

    # pkill python3 && sleep 5
    # cat /proc/net/sockstat | grep UDP:
    UDP: inuse 1 mem 524288

  4. (necessary since v6.0) Trigger proto_memory_pcpu_drain()

    # python3 test.py & sleep 1 && pkill python3

  5. The number doubles

    # cat /proc/net/sockstat | grep UDP:
    UDP: inuse 1 mem 1048577

The application set INT_MAX to SO_RCVBUF, which triggered an integer
overflow in udp_rmem_release().

When a socket is close()d, udp_destruct_common() purges its receive
queue and sums up skb->truesize in the queue.  This total is calculated
and stored in a local unsigned integer variable.

The total size is then passed to udp_rmem_release() to adjust memory
accounting.  However, because the function takes a signed integer
argument, the total size can wrap around, causing an overflow.

Then, the released amount is calculated as follows:

  1) Add size to sk->sk_forward_alloc.
  2) Round down sk->sk_forward_alloc to the nearest lower multiple of
      PAGE_SIZE and assign it to amount.
  3) Subtract amount from sk->sk_forward_alloc.
  4) Pass amount >> PAGE_SHIFT to __sk_mem_reduce_allocated().

When the issue occurred, the total in udp_destruct_common() was 2147484480
(INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release().

At 1) sk->sk_forward_alloc is changed from 3264 to -2147479552, and
2) sets -2147479552 to amount.  3) reverts the wraparound, so we don't
see a warning in inet_sock_destruct().  However, udp_memory_allocated
ends up doubling at 4).

Since commit 3cd3399dd7a8 ("net: implement per-cpu reserves for
memory_allocated"), memory usage no longer doubles immediately after
a socket is close()d because __sk_mem_reduce_allocated() caches the
amount in udp_memory_per_cpu_fw_alloc.  However, the next time a UDP
socket receives a packet, the subtraction takes effect, causing UDP
memory usage to double.

This issue makes further memory allocation fail once the socket's
sk->sk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet
drops.

To prevent this issue, let's use unsigned int for the calculation and
call sk_forward_alloc_add() only once for the small delta.

Note that first_packet_length() also potentially has the same problem.

[0]:
from socket import *

SO_RCVBUFFORCE = 33
INT_MAX = (2 ** 31) - 1

s = socket(AF_INET, SOCK_DGRAM)
s.bind(('', 0))
s.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX)

c = socket(AF_INET, SOCK_DGRAM)
c.connect(s.getsockname())

data = b'a' * 100

while True:
    c.send(data)

Fixes: f970bd9e3a06 ("udp: implement memory accounting helpers")
Reported-by: Matt Dowling <madowlin@amazon.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20250401184501.67377-3-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Yifei: resolve minor conflicts ]
Signed-off-by: Yifei Liu <yifei.l.liu@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/udp.c |   16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1371,12 +1371,12 @@ static bool udp_skb_has_head_state(struc
 }
 
 /* fully reclaim rmem/fwd memory allocated for skb */
-static void udp_rmem_release(struct sock *sk, int size, int partial,
-			     bool rx_queue_lock_held)
+static void udp_rmem_release(struct sock *sk, unsigned int size,
+			     int partial, bool rx_queue_lock_held)
 {
 	struct udp_sock *up = udp_sk(sk);
 	struct sk_buff_head *sk_queue;
-	int amt;
+	unsigned int amt;
 
 	if (likely(partial)) {
 		up->forward_deficit += size;
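
Review bot: partial stays int in the new signature while size and amt become unsigned int, so the later expression mixes signed and unsigned operands and partial is converted to unsigned before the subtraction. A comment on the function stating that size is a byte total that may exceed INT_MAX and that partial is expected to be small and non-negative would document why this is safe. The context line up->forward_deficit += size now adds an unsigned value as well; the type of forward_deficit is not visible here and is worth checking against the same range.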
@@ -1396,10 +1396,8 @@ static void udp_rmem_release(struct sock
 	if (!rx_queue_lock_held)
 		spin_lock(&sk_queue->lock);
 
-
-	sk->sk_forward_alloc += size;
-	amt = (sk->sk_forward_alloc - partial) & ~(SK_MEM_QUANTUM - 1);
-	sk->sk_forward_alloc -= amt;
+	amt = (size + sk->sk_forward_alloc - partial) & ~(PAGE_SIZE - 1);
+	sk->sk_forward_alloc += size - amt;
 
 	if (amt)
 		__sk_mem_reduce_allocated(sk, amt >> SK_MEM_QUANTUM_SHIFT);
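
Review bot: the added mask rounds with PAGE_SIZE while the removed line used SK_MEM_QUANTUM and the unchanged call below still shifts by SK_MEM_QUANTUM_SHIFT. If the two constants differ in this tree on any configuration, the rounding granularity and the shift no longer describe the same unit. Using ~(SK_MEM_QUANTUM - 1) in the new amt expression would keep the backport consistent with its own context lines.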
@@ -1583,7 +1581,7 @@ EXPORT_SYMBOL_GPL(skb_consume_udp);
 
 static struct sk_buff *__first_packet_length(struct sock *sk,
 					     struct sk_buff_head *rcvq,
-					     int *total)
+					     unsigned int *total)
 {
 	struct sk_buff *skb;
 
@@ -1616,8 +1614,8 @@ static int first_packet_length(struct so
 {
 	struct sk_buff_head *rcvq = &udp_sk(sk)->reader_queue;
 	struct sk_buff_head *sk_queue = &sk->sk_receive_queue;
+	unsigned int total = 0;
 	struct sk_buff *skb;
-	int total = 0;
 	int res;
 
 	spin_lock_bh(&rcvq->lock);


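The accounting arithmetic walked through in the commit message above, as an added userspace example (not code from the patch or the kernel). The struct and function names, the 4 KiB quantum and the starting page counter of (total + 3264) / 4096 are assumptions; 32-bit wraparound is made explicit through wrap32().

```c
#include <stdint.h>
#include <stdio.h>

#define QUANTUM 4096   /* accounting granularity, assumed 4 KiB */

struct acct {
    int32_t forward_alloc;    /* models sk->sk_forward_alloc */
    int64_t allocated_pages;  /* models the protocol-wide page counter */
    int64_t last_amt;         /* amount computed by the last release, for inspection */
};

/* Reduce a wide value to 32 bits the way a wrapping int would. */
static int32_t wrap32(int64_t v)
{
    return (int32_t)(uint32_t)v;
}

/* Pre-patch arithmetic: the unsigned total arrives in a signed int. */
static void release_signed(struct acct *a, uint32_t total, int32_t partial)
{
    int32_t size = wrap32((int64_t)total);   /* implicit conversion at the call */
    int32_t amt;

    a->forward_alloc = wrap32((int64_t)a->forward_alloc + size);        /* step 1 */
    amt = wrap32((int64_t)a->forward_alloc - partial) & ~(QUANTUM - 1); /* step 2 */
    a->forward_alloc = wrap32((int64_t)a->forward_alloc - amt);         /* step 3 */
    a->last_amt = amt;
    if (amt)
        a->allocated_pages -= amt / QUANTUM;  /* step 4: negative amt adds pages */
}

/* Post-patch arithmetic: size and amt are unsigned, one small delta is applied. */
static void release_unsigned(struct acct *a, uint32_t size, int32_t partial)
{
    uint32_t amt;

    amt = (size + (uint32_t)a->forward_alloc - (uint32_t)partial)
          & ~(uint32_t)(QUANTUM - 1);
    a->forward_alloc = wrap32((int64_t)a->forward_alloc
                              + (int64_t)size - (int64_t)amt);
    a->last_amt = amt;
    if (amt)
        a->allocated_pages -= amt / QUANTUM;
}

/* Constructed scenario using the figures quoted in the commit message. */
static struct acct run_scenario(int patched)
{
    const uint32_t total = 2147484480u;   /* INT_MAX + 833 */
    /* forward_alloc 3264 is from the message; 524289 pages is derived
     * here as (total + 3264) / 4096 and is an assumption. */
    struct acct a = { 3264, 524289, 0 };

    if (patched)
        release_unsigned(&a, total, 0);
    else
        release_signed(&a, total, 0);
    return a;
}

int main(void)
{
    struct acct before = run_scenario(0);
    struct acct after = run_scenario(1);

    printf("signed:   amt=%lld forward_alloc=%d pages=%lld\n",
           (long long)before.last_amt, before.forward_alloc,
           (long long)before.allocated_pages);
    printf("unsigned: amt=%lld forward_alloc=%d pages=%lld\n",
           (long long)after.last_amt, after.forward_alloc,
           (long long)after.allocated_pages);
    return 0;
}
```

In the signed path forward_alloc returns to 0, which is why no warning fires at destruct time, while the page counter ends near double its starting value instead of at zero.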


* [PATCH 5.4 004/224] media: tunner: xc5000: Refactor firmware load
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 003/224] udp: Fix memory accounting leak Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 005/224] media: tuner: xc5000: Fix use-after-free in xc5000_release Greg Kroah-Hartman
                   ` (227 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Shuah Khan, Ricardo Ribalda,
	Hans Verkuil, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ricardo Ribalda <ribalda@chromium.org>

[ Upstream commit 8e1f5da59dd4a1966f859639860b803a7e8b8bfb ]

Make sure the firmware is released when we leave
xc_load_fw_and_init_tuner()

This change makes smatch happy:
drivers/media/tuners/xc5000.c:1213 xc_load_fw_and_init_tuner() warn: 'fw' from request_firmware() not released on lines: 1213.

Cc: Shuah Khan <shuah.kh@samsung.com>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Stable-dep-of: 40b7a19f321e ("media: tuner: xc5000: Fix use-after-free in xc5000_release")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/tuners/xc5000.c |   41 ++++++++++++++++++-----------------------
 1 file changed, 18 insertions(+), 23 deletions(-)

--- a/drivers/media/tuners/xc5000.c
+++ b/drivers/media/tuners/xc5000.c
@@ -58,7 +58,7 @@ struct xc5000_priv {
 	struct dvb_frontend *fe;
 	struct delayed_work timer_sleep;
 
-	const struct firmware   *firmware;
+	bool inited;
 };
 
 /* Misc Defines */
@@ -1110,23 +1110,19 @@ static int xc_load_fw_and_init_tuner(str
 	if (!force && xc5000_is_firmware_loaded(fe) == 0)
 		return 0;
 
-	if (!priv->firmware) {
-		ret = request_firmware(&fw, desired_fw->name,
-					priv->i2c_props.adap->dev.parent);
-		if (ret) {
-			pr_err("xc5000: Upload failed. rc %d\n", ret);
-			return ret;
-		}
-		dprintk(1, "firmware read %zu bytes.\n", fw->size);
-
-		if (fw->size != desired_fw->size) {
-			pr_err("xc5000: Firmware file with incorrect size\n");
-			release_firmware(fw);
-			return -EINVAL;
-		}
-		priv->firmware = fw;
-	} else
-		fw = priv->firmware;
+	ret = request_firmware(&fw, desired_fw->name,
+			       priv->i2c_props.adap->dev.parent);
+	if (ret) {
+		pr_err("xc5000: Upload failed. rc %d\n", ret);
+		return ret;
+	}
+	dprintk(1, "firmware read %zu bytes.\n", fw->size);
+
+	if (fw->size != desired_fw->size) {
+		pr_err("xc5000: Firmware file with incorrect size\n");
+		release_firmware(fw);
+		return -EINVAL;
+	}
 
 	/* Try up to 5 times to load firmware */
 	for (i = 0; i < 5; i++) {
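
Review bot: the size-mismatch branch still calls release_firmware(fw) and returns -EINVAL directly, although this patch adds a release_firmware(fw) at the err label that every later exit goes through. Setting ret = -EINVAL and jumping to err would leave a single release point and avoid a double release if the branch is edited later. Note also that the image is now requested on every call instead of being cached in priv, which is worth a line in the changelog.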
@@ -1204,6 +1200,7 @@ static int xc_load_fw_and_init_tuner(str
 	}
 
 err:
+	release_firmware(fw);
 	if (!ret)
 		printk(KERN_INFO "xc5000: Firmware %s loaded and running.\n",
 		       desired_fw->name);
@@ -1274,7 +1271,7 @@ static int xc5000_resume(struct dvb_fron
 
 	/* suspended before firmware is loaded.
 	   Avoid firmware load in resume path. */
-	if (!priv->firmware)
+	if (!priv->inited)
 		return 0;
 
 	return xc5000_set_params(fe);
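
Review bot: priv->inited replaces priv->firmware as the resume guard here, but the two do not carry the same meaning. The old pointer was assigned only after the image had been fetched and size-checked, while the flag is set at the end of xc5000_init() and no visible hunk clears it again. A comment on the new field saying what state it represents, and clearing it wherever the tuner is put back into an unloaded state, would keep the "suspended before firmware is loaded" comment above accurate.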
@@ -1293,6 +1290,8 @@ static int xc5000_init(struct dvb_fronte
 	if (debug)
 		xc_debug_dump(priv);
 
+	priv->inited = true;
+
 	return 0;
 }
 
@@ -1306,10 +1305,6 @@ static void xc5000_release(struct dvb_fr
 
 	if (priv) {
 		cancel_delayed_work(&priv->timer_sleep);
-		if (priv->firmware) {
-			release_firmware(priv->firmware);
-			priv->firmware = NULL;
-		}
 		hybrid_tuner_release_state(priv);
 	}
 




* [PATCH 5.4 005/224] media: tuner: xc5000: Fix use-after-free in xc5000_release
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 004/224] media: tunner: xc5000: Refactor firmware load Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 006/224] media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe Greg Kroah-Hartman
                   ` (226 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Hans Verkuil,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Duoming Zhou <duoming@zju.edu.cn>

[ Upstream commit 40b7a19f321e65789612ebaca966472055dab48c ]

The original code uses cancel_delayed_work() in xc5000_release(), which
does not guarantee that the delayed work item timer_sleep has fully
completed if it was already running. This leads to use-after-free scenarios
where xc5000_release() may free the xc5000_priv while timer_sleep is still
active and attempts to dereference the xc5000_priv.

A typical race condition is illustrated below:

CPU 0 (release thread)                 | CPU 1 (delayed work callback)
xc5000_release()                       | xc5000_do_timer_sleep()
  cancel_delayed_work()                |
  hybrid_tuner_release_state(priv)     |
    kfree(priv)                        |
                                       |   priv = container_of() // UAF

Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the timer_sleep is properly canceled before the xc5000_priv memory
is deallocated.

A deadlock concern was considered: xc5000_release() is called in a process
context and is not holding any locks that the timer_sleep work item might
also need. Therefore, the use of the _sync() variant is safe here.

This bug was initially identified through static analysis.

Fixes: f7a27ff1fb77 ("[media] xc5000: delay tuner sleep to 5 seconds")
Cc: stable@vger.kernel.org
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
[hverkuil: fix typo in Subject: tunner -> tuner]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/tuners/xc5000.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/tuners/xc5000.c
+++ b/drivers/media/tuners/xc5000.c
@@ -1304,7 +1304,7 @@ static void xc5000_release(struct dvb_fr
 	mutex_lock(&xc5000_list_mutex);
 
 	if (priv) {
-		cancel_delayed_work(&priv->timer_sleep);
+		cancel_delayed_work_sync(&priv->timer_sleep);
 		hybrid_tuner_release_state(priv);
 	}
 
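
Review bot: cancel_delayed_work_sync() is now called after mutex_lock(&xc5000_list_mutex) in the context above, so it can block while that mutex is held. The changelog argues no shared lock is involved, but nothing at the call site records that. A one-line comment here stating that the timer_sleep handler must never take xc5000_list_mutex would protect the assumption against later changes to the work function.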




* [PATCH 5.4 006/224] media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 005/224] media: tuner: xc5000: Fix use-after-free in xc5000_release Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 007/224] media: rc: Add support for another iMON 0xffdc device Greg Kroah-Hartman
                   ` (225 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Hans Verkuil,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Duoming Zhou <duoming@zju.edu.cn>

[ Upstream commit 79d10f4f21a92e459b2276a77be62c59c1502c9d ]

The state->timer is a cyclic timer that schedules work_i2c_poll and
delayed_work_enable_hotplug, while rearming itself. Using timer_delete()
fails to guarantee the timer isn't still running when destroyed, similarly
cancel_delayed_work() cannot ensure delayed_work_enable_hotplug has
terminated if already executing. During probe failure after timer
initialization, these may continue running as orphans and reference the
already-freed tc358743_state object through tc358743_irq_poll_timer.

The following is the trace captured by KASAN.

BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0
Write of size 8 at addr ffff88800ded83c8 by task swapper/1/0
...
Call Trace:
 <IRQ>
 dump_stack_lvl+0x55/0x70
 print_report+0xcf/0x610
 ? __pfx_sched_balance_find_src_group+0x10/0x10
 ? __run_timer_base.part.0+0x7d7/0x8c0
 kasan_report+0xb8/0xf0
 ? __run_timer_base.part.0+0x7d7/0x8c0
 __run_timer_base.part.0+0x7d7/0x8c0
 ? rcu_sched_clock_irq+0xb06/0x27d0
 ? __pfx___run_timer_base.part.0+0x10/0x10
 ? try_to_wake_up+0xb15/0x1960
 ? tmigr_update_events+0x280/0x740
 ? _raw_spin_lock_irq+0x80/0xe0
 ? __pfx__raw_spin_lock_irq+0x10/0x10
 tmigr_handle_remote_up+0x603/0x7e0
 ? __pfx_tmigr_handle_remote_up+0x10/0x10
 ? sched_balance_trigger+0x98/0x9f0
 ? sched_tick+0x221/0x5a0
 ? _raw_spin_lock_irq+0x80/0xe0
 ? __pfx__raw_spin_lock_irq+0x10/0x10
 ? tick_nohz_handler+0x339/0x440
 ? __pfx_tmigr_handle_remote_up+0x10/0x10
 __walk_groups.isra.0+0x42/0x150
 tmigr_handle_remote+0x1f4/0x2e0
 ? __pfx_tmigr_handle_remote+0x10/0x10
 ? ktime_get+0x60/0x140
 ? lapic_next_event+0x11/0x20
 ? clockevents_program_event+0x1d4/0x2a0
 ? hrtimer_interrupt+0x322/0x780
 handle_softirqs+0x16a/0x550
 irq_exit_rcu+0xaf/0xe0
 sysvec_apic_timer_interrupt+0x70/0x80
 </IRQ>
...

Allocated by task 141:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0x7f/0x90
 __kmalloc_node_track_caller_noprof+0x198/0x430
 devm_kmalloc+0x7b/0x1e0
 tc358743_probe+0xb7/0x610
 i2c_device_probe+0x51d/0x880
 really_probe+0x1ca/0x5c0
 __driver_probe_device+0x248/0x310
 driver_probe_device+0x44/0x120
 __device_attach_driver+0x174/0x220
 bus_for_each_drv+0x100/0x190
 __device_attach+0x206/0x370
 bus_probe_device+0x123/0x170
 device_add+0xd25/0x1470
 i2c_new_client_device+0x7a0/0xcd0
 do_one_initcall+0x89/0x300
 do_init_module+0x29d/0x7f0
 load_module+0x4f48/0x69e0
 init_module_from_file+0xe4/0x150
 idempotent_init_module+0x320/0x670
 __x64_sys_finit_module+0xbd/0x120
 do_syscall_64+0xac/0x280
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 141:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3a/0x60
 __kasan_slab_free+0x3f/0x50
 kfree+0x137/0x370
 release_nodes+0xa4/0x100
 devres_release_group+0x1b2/0x380
 i2c_device_probe+0x694/0x880
 really_probe+0x1ca/0x5c0
 __driver_probe_device+0x248/0x310
 driver_probe_device+0x44/0x120
 __device_attach_driver+0x174/0x220
 bus_for_each_drv+0x100/0x190
 __device_attach+0x206/0x370
 bus_probe_device+0x123/0x170
 device_add+0xd25/0x1470
 i2c_new_client_device+0x7a0/0xcd0
 do_one_initcall+0x89/0x300
 do_init_module+0x29d/0x7f0
 load_module+0x4f48/0x69e0
 init_module_from_file+0xe4/0x150
 idempotent_init_module+0x320/0x670
 __x64_sys_finit_module+0xbd/0x120
 do_syscall_64+0xac/0x280
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
...

Replace timer_delete() with timer_delete_sync() and cancel_delayed_work()
with cancel_delayed_work_sync() to ensure proper termination of timer and
work items before resource cleanup.

This bug was initially identified through static analysis. For reproduction
and testing, I created a functional emulation of the tc358743 device via a
kernel module and introduced faults through the debugfs interface.

Fixes: 869f38ae07f7 ("media: i2c: tc358743: Fix crash in the probe error path when using polling")
Fixes: d32d98642de6 ("[media] Driver for Toshiba TC358743 HDMI to CSI-2 bridge")
Cc: stable@vger.kernel.org
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
[ replaced del_timer() instead of timer_delete() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/i2c/tc358743.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/media/i2c/tc358743.c
+++ b/drivers/media/i2c/tc358743.c
@@ -2200,10 +2200,10 @@ static int tc358743_probe(struct i2c_cli
 err_work_queues:
 	cec_unregister_adapter(state->cec_adap);
 	if (!state->i2c_client->irq) {
-		del_timer(&state->timer);
+		timer_delete_sync(&state->timer);
 		flush_work(&state->work_i2c_poll);
 	}
-	cancel_delayed_work(&state->delayed_work_enable_hotplug);
+	cancel_delayed_work_sync(&state->delayed_work_enable_hotplug);
 	mutex_destroy(&state->confctl_mutex);
 err_hdl:
 	media_entity_cleanup(&sd->entity);
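
Review bot: the removed line uses the older del_timer() name while the added line calls timer_delete_sync(), so the replacement switches naming scheme as well as adding the synchronous wait. Please confirm timer_delete_sync() is available in the 5.4 tree; if it is not, del_timer_sync() is the matching call for this backport. The bracketed backport note in the changelog should also say which function was substituted for which, since as written it is ambiguous.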




* [PATCH 5.4 007/224] media: rc: Add support for another iMON 0xffdc device
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 006/224] media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 008/224] media: imon: reorganize serialization Greg Kroah-Hartman
                   ` (224 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Flavius Georgescu, Chris Vandomelen,
	Sean Young, Mauro Carvalho Chehab, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Flavius Georgescu <pretoriano.mp@gmail.com>

[ Upstream commit cf330691668a3bee37b8ac8212709b3ccdd87997 ]

The device is an iMON UltraBay (0x98 in config byte) with LCD,
IR and dual-knobs front panel.

To work properly the device also requires its own key table,
and repeat suppression for all buttons.

Signed-off-by: Flavius Georgescu <pretoriano.mp@gmail.com>
Co-developed-by: Chris Vandomelen <chris@sightworks.com>
Signed-off-by: Chris Vandomelen <chris@sightworks.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Stable-dep-of: fa0f61cc1d82 ("media: rc: fix races with imon_disconnect()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/rc/imon.c |   61 ++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 51 insertions(+), 10 deletions(-)

--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -83,6 +83,7 @@ struct imon_usb_dev_descr {
 	__u16 flags;
 #define IMON_NO_FLAGS 0
 #define IMON_NEED_20MS_PKT_DELAY 1
+#define IMON_SUPPRESS_REPEATED_KEYS 2
 	struct imon_panel_key_table key_table[];
 };
 
@@ -149,8 +150,9 @@ struct imon_context {
 	struct timer_list ttimer;	/* touch screen timer */
 	int touch_x;			/* x coordinate on touchscreen */
 	int touch_y;			/* y coordinate on touchscreen */
-	struct imon_usb_dev_descr *dev_descr; /* device description with key
-						 table for front panels */
+	const struct imon_usb_dev_descr *dev_descr;
+					/* device description with key */
+					/* table for front panels */
 };
 
 #define TOUCH_TIMEOUT	(HZ/30)
@@ -315,6 +317,32 @@ static const struct imon_usb_dev_descr i
 	}
 };
 
+/* imon ultrabay front panel key table */
+static const struct imon_usb_dev_descr ultrabay_table = {
+	.flags = IMON_SUPPRESS_REPEATED_KEYS,
+	.key_table = {
+		{ 0x0000000f0000ffeell, KEY_MEDIA },      /* Go */
+		{ 0x000000000100ffeell, KEY_UP },
+		{ 0x000000000001ffeell, KEY_DOWN },
+		{ 0x000000160000ffeell, KEY_ENTER },
+		{ 0x0000001f0000ffeell, KEY_AUDIO },      /* Music */
+		{ 0x000000200000ffeell, KEY_VIDEO },      /* Movie */
+		{ 0x000000210000ffeell, KEY_CAMERA },     /* Photo */
+		{ 0x000000270000ffeell, KEY_DVD },        /* DVD */
+		{ 0x000000230000ffeell, KEY_TV },         /* TV */
+		{ 0x000000050000ffeell, KEY_PREVIOUS },   /* Previous */
+		{ 0x000000070000ffeell, KEY_REWIND },
+		{ 0x000000040000ffeell, KEY_STOP },
+		{ 0x000000020000ffeell, KEY_PLAYPAUSE },
+		{ 0x000000080000ffeell, KEY_FASTFORWARD },
+		{ 0x000000060000ffeell, KEY_NEXT },       /* Next */
+		{ 0x000100000000ffeell, KEY_VOLUMEUP },
+		{ 0x010000000000ffeell, KEY_VOLUMEDOWN },
+		{ 0x000000010000ffeell, KEY_MUTE },
+		{ 0, KEY_RESERVED },
+	}
+};
+
 /*
  * USB Device ID for iMON USB Control Boards
  *
@@ -1261,9 +1289,11 @@ static u32 imon_mce_key_lookup(struct im
 
 static u32 imon_panel_key_lookup(struct imon_context *ictx, u64 code)
 {
-	int i;
+	const struct imon_panel_key_table *key_table;
 	u32 keycode = KEY_RESERVED;
-	struct imon_panel_key_table *key_table = ictx->dev_descr->key_table;
+	int i;
+
+	key_table = ictx->dev_descr->key_table;
 
 	for (i = 0; key_table[i].hw_code != 0; i++) {
 		if (key_table[i].hw_code == (code | 0xffee)) {
@@ -1547,7 +1577,6 @@ static void imon_incoming_packet(struct
 	u32 kc;
 	u64 scancode;
 	int press_type = 0;
-	long msec;
 	ktime_t t;
 	static ktime_t prev_time;
 	u8 ktype;
@@ -1649,14 +1678,16 @@ static void imon_incoming_packet(struct
 	spin_lock_irqsave(&ictx->kc_lock, flags);
 
 	t = ktime_get();
-	/* KEY_MUTE repeats from knob need to be suppressed */
-	if (ictx->kc == KEY_MUTE && ictx->kc == ictx->last_keycode) {
-		msec = ktime_ms_delta(t, prev_time);
-		if (msec < ictx->idev->rep[REP_DELAY]) {
+	/* KEY repeats from knob and panel that need to be suppressed */
+	if (ictx->kc == KEY_MUTE ||
+	    ictx->dev_descr->flags & IMON_SUPPRESS_REPEATED_KEYS) {
+		if (ictx->kc == ictx->last_keycode &&
+		    ktime_ms_delta(t, prev_time) < ictx->idev->rep[REP_DELAY]) {
 			spin_unlock_irqrestore(&ictx->kc_lock, flags);
 			return;
 		}
 	}
+
 	prev_time = t;
 	kc = ictx->kc;
 
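Review bot: the repeat window in this hunk is measured against prev_time, which the previous hunk shows is declared "static ktime_t prev_time;" inside imon_incoming_packet(), so the timestamp is shared by every iMON device on the system while ictx->kc and ictx->last_keycode are per device. With suppression widened from KEY_MUTE to every key of a device flagged IMON_SUPPRESS_REPEATED_KEYS, a key press on one device can now fall inside the window opened by another; moving the timestamp into struct imon_context would avoid that. Separately, "ictx->kc == KEY_MUTE || ictx->dev_descr->flags & IMON_SUPPRESS_REPEATED_KEYS" evaluates as intended because & binds tighter than ||, but parentheses around the flag test would make that explicit.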
@@ -1844,6 +1875,14 @@ static void imon_get_ffdc_type(struct im
 		dev_info(ictx->dev, "0xffdc iMON Inside, iMON IR");
 		ictx->display_supported = false;
 		break;
+	/* Soundgraph iMON UltraBay */
+	case 0x98:
+		dev_info(ictx->dev, "0xffdc iMON UltraBay, LCD + IR");
+		detected_display_type = IMON_DISPLAY_TYPE_LCD;
+		allowed_protos = RC_PROTO_BIT_IMON | RC_PROTO_BIT_RC6_MCE;
+		ictx->dev_descr = &ultrabay_table;
+		break;
+
 	default:
 		dev_info(ictx->dev, "Unknown 0xffdc device, defaulting to VFD and iMON IR");
 		detected_display_type = IMON_DISPLAY_TYPE_VFD;
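Review bot: the new case 0x98 replaces ictx->dev_descr with &ultrabay_table at detection time, and imon_init_idev() in the last hunk of this patch takes key_table from ictx->dev_descr, so the UltraBay keys are only registered if imon_get_ffdc_type() has already run when imon_init_idev() is called. Please state that ordering in the changelog or in a comment next to the assignment, since nothing in the hunk makes the dependency visible.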
@@ -1975,10 +2014,12 @@ out:
 
 static struct input_dev *imon_init_idev(struct imon_context *ictx)
 {
-	struct imon_panel_key_table *key_table = ictx->dev_descr->key_table;
+	const struct imon_panel_key_table *key_table;
 	struct input_dev *idev;
 	int ret, i;
 
+	key_table = ictx->dev_descr->key_table;
+
 	idev = input_allocate_device();
 	if (!idev)
 		goto out;




* [PATCH 5.4 008/224] media: imon: reorganize serialization
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 007/224] media: rc: Add support for another iMON 0xffdc device Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 009/224] media: imon: grab lock earlier in imon_ir_change_protocol() Greg Kroah-Hartman
                   ` (223 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot, Tetsuo Handa, Alan Stern,
	Sean Young, Mauro Carvalho Chehab, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

[ Upstream commit db264d4c66c0fe007b5d19fd007707cd0697603d ]

Since usb_register_dev() from imon_init_display() from imon_probe() holds
minor_rwsem while display_open() which holds driver_lock and ictx->lock is
called with minor_rwsem held from usb_open(), holding driver_lock or
ictx->lock when calling usb_register_dev() causes circular locking
dependency problem.

Since usb_deregister_dev() from imon_disconnect() holds minor_rwsem while
display_open() which holds driver_lock is called with minor_rwsem held,
holding driver_lock when calling usb_deregister_dev() also causes circular
locking dependency problem.

Sean Young explained that the problem is there are imon devices which have
two usb interfaces, even though it is one device. The probe and disconnect
function of both usb interfaces can run concurrently.

Alan Stern responded that the driver and USB cores guarantee that when an
interface is probed, both the interface and its USB device are locked.
Ditto for when the disconnect callback gets run. So concurrent probing/
disconnection of multiple interfaces on the same device is not possible.

Therefore, we don't need locks for handling race between imon_probe() and
imon_disconnect(). But we still need to handle race between display_open()
/vfd_write()/lcd_write()/display_close() and imon_disconnect(), for
disconnect event can happen while file descriptors are in use.

Since "struct file"->private_data is set by display_open(), vfd_write()/
lcd_write()/display_close() can assume that "struct file"->private_data
is not NULL even after usb_set_intfdata(interface, NULL) was called.

Replace insufficiently held driver_lock with refcount_t based management.
Add a boolean flag for recording whether imon_disconnect() was already
called. Use RCU for accessing this boolean flag and refcount_t.

Since the boolean flag for imon_disconnect() is shared, disconnect event
on either intf0 or intf1 affects both interfaces. But I assume that this
change does not matter, for usually disconnect event would not happen
while interfaces are in use.

Link: https://syzkaller.appspot.com/bug?extid=c558267ad910fc494497

Reported-by: syzbot <syzbot+c558267ad910fc494497@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Tested-by: syzbot <syzbot+c558267ad910fc494497@syzkaller.appspotmail.com>
Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Stable-dep-of: fa0f61cc1d82 ("media: rc: fix races with imon_disconnect()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/rc/imon.c |   99 ++++++++++++++++++++++--------------------------
 1 file changed, 47 insertions(+), 52 deletions(-)

--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -153,6 +153,24 @@ struct imon_context {
 	const struct imon_usb_dev_descr *dev_descr;
 					/* device description with key */
 					/* table for front panels */
+	/*
+	 * Fields for deferring free_imon_context().
+	 *
+	 * Since reference to "struct imon_context" is stored into
+	 * "struct file"->private_data, we need to remember
+	 * how many file descriptors might access this "struct imon_context".
+	 */
+	refcount_t users;
+	/*
+	 * Use a flag for telling display_open()/vfd_write()/lcd_write() that
+	 * imon_disconnect() was already called.
+	 */
+	bool disconnected;
+	/*
+	 * We need to wait for RCU grace period in order to allow
+	 * display_open() to safely check ->disconnected and increment ->users.
+	 */
+	struct rcu_head rcu;
 };
 
 #define TOUCH_TIMEOUT	(HZ/30)
@@ -160,18 +178,18 @@ struct imon_context {
 /* vfd character device file operations */
 static const struct file_operations vfd_fops = {
 	.owner		= THIS_MODULE,
-	.open		= &display_open,
-	.write		= &vfd_write,
-	.release	= &display_close,
+	.open		= display_open,
+	.write		= vfd_write,
+	.release	= display_close,
 	.llseek		= noop_llseek,
 };
 
 /* lcd character device file operations */
 static const struct file_operations lcd_fops = {
 	.owner		= THIS_MODULE,
-	.open		= &display_open,
-	.write		= &lcd_write,
-	.release	= &display_close,
+	.open		= display_open,
+	.write		= lcd_write,
+	.release	= display_close,
 	.llseek		= noop_llseek,
 };
 
@@ -439,9 +457,6 @@ static struct usb_driver imon_driver = {
 	.id_table	= imon_usb_id_table,
 };
 
-/* to prevent races between open() and disconnect(), probing, etc */
-static DEFINE_MUTEX(driver_lock);
-
 /* Module bookkeeping bits */
 MODULE_AUTHOR(MOD_AUTHOR);
 MODULE_DESCRIPTION(MOD_DESC);
@@ -481,9 +496,11 @@ static void free_imon_context(struct imo
 	struct device *dev = ictx->dev;
 
 	usb_free_urb(ictx->tx_urb);
+	WARN_ON(ictx->dev_present_intf0);
 	usb_free_urb(ictx->rx_urb_intf0);
+	WARN_ON(ictx->dev_present_intf1);
 	usb_free_urb(ictx->rx_urb_intf1);
-	kfree(ictx);
+	kfree_rcu(ictx, rcu);
 
 	dev_dbg(dev, "%s: iMON context freed\n", __func__);
 }
@@ -499,9 +516,6 @@ static int display_open(struct inode *in
 	int subminor;
 	int retval = 0;
 
-	/* prevent races with disconnect */
-	mutex_lock(&driver_lock);
-
 	subminor = iminor(inode);
 	interface = usb_find_interface(&imon_driver, subminor);
 	if (!interface) {
@@ -509,13 +523,16 @@ static int display_open(struct inode *in
 		retval = -ENODEV;
 		goto exit;
 	}
-	ictx = usb_get_intfdata(interface);
 
-	if (!ictx) {
+	rcu_read_lock();
+	ictx = usb_get_intfdata(interface);
+	if (!ictx || ictx->disconnected || !refcount_inc_not_zero(&ictx->users)) {
+		rcu_read_unlock();
 		pr_err("no context found for minor %d\n", subminor);
 		retval = -ENODEV;
 		goto exit;
 	}
+	rcu_read_unlock();
 
 	mutex_lock(&ictx->lock);
 
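Review bot: the check "if (!ictx || ictx->disconnected || !refcount_inc_not_zero(&ictx->users))" reads ictx->disconnected as a plain load inside rcu_read_lock(), and imon_disconnect() later in this patch sets it with a plain store, "ictx->disconnected = true;". The RCU read section pairs with kfree_rcu() to keep the structure allocated, but it does not annotate or order the flag access, so READ_ONCE() here and WRITE_ONCE() in imon_disconnect() would make the intended lockless access explicit. The three failure cases also share the single "no context found for minor %d" message, which makes a disconnect race indistinguishable from a missing context in the log.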
@@ -533,8 +550,10 @@ static int display_open(struct inode *in
 
 	mutex_unlock(&ictx->lock);
 
+	if (retval && refcount_dec_and_test(&ictx->users))
+		free_imon_context(ictx);
+
 exit:
-	mutex_unlock(&driver_lock);
 	return retval;
 }
 
@@ -544,16 +563,9 @@ exit:
  */
 static int display_close(struct inode *inode, struct file *file)
 {
-	struct imon_context *ictx = NULL;
+	struct imon_context *ictx = file->private_data;
 	int retval = 0;
 
-	ictx = file->private_data;
-
-	if (!ictx) {
-		pr_err("no context for device\n");
-		return -ENODEV;
-	}
-
 	mutex_lock(&ictx->lock);
 
 	if (!ictx->display_supported) {
@@ -568,6 +580,8 @@ static int display_close(struct inode *i
 	}
 
 	mutex_unlock(&ictx->lock);
+	if (refcount_dec_and_test(&ictx->users))
+		free_imon_context(ictx);
 	return retval;
 }
 
@@ -936,15 +950,12 @@ static ssize_t vfd_write(struct file *fi
 	int offset;
 	int seq;
 	int retval = 0;
-	struct imon_context *ictx;
+	struct imon_context *ictx = file->private_data;
 	static const unsigned char vfd_packet6[] = {
 		0x01, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF };
 
-	ictx = file->private_data;
-	if (!ictx) {
-		pr_err_ratelimited("no context for device\n");
+	if (ictx->disconnected)
 		return -ENODEV;
-	}
 
 	if (mutex_lock_interruptible(&ictx->lock))
 		return -ERESTARTSYS;
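Review bot: in vfd_write() the new "if (ictx->disconnected) return -ENODEV;" runs before mutex_lock_interruptible(&ictx->lock), so a disconnect that lands between the check and the lock acquisition is not seen and the write proceeds; lcd_write() in the next hunk has the same shape. Testing the flag after the lock is taken closes that window, which is the change patch 010 of this series makes.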
@@ -1021,13 +1032,10 @@ static ssize_t lcd_write(struct file *fi
 			 size_t n_bytes, loff_t *pos)
 {
 	int retval = 0;
-	struct imon_context *ictx;
+	struct imon_context *ictx = file->private_data;
 
-	ictx = file->private_data;
-	if (!ictx) {
-		pr_err_ratelimited("no context for device\n");
+	if (ictx->disconnected)
 		return -ENODEV;
-	}
 
 	mutex_lock(&ictx->lock);
 
@@ -2402,7 +2410,6 @@ static int imon_probe(struct usb_interfa
 	int ifnum, sysfs_err;
 	int ret = 0;
 	struct imon_context *ictx = NULL;
-	struct imon_context *first_if_ctx = NULL;
 	u16 vendor, product;
 
 	usbdev     = usb_get_dev(interface_to_usbdev(interface));
@@ -2414,17 +2421,12 @@ static int imon_probe(struct usb_interfa
 	dev_dbg(dev, "%s: found iMON device (%04x:%04x, intf%d)\n",
 		__func__, vendor, product, ifnum);
 
-	/* prevent races probing devices w/multiple interfaces */
-	mutex_lock(&driver_lock);
-
 	first_if = usb_ifnum_to_if(usbdev, 0);
 	if (!first_if) {
 		ret = -ENODEV;
 		goto fail;
 	}
 
-	first_if_ctx = usb_get_intfdata(first_if);
-
 	if (ifnum == 0) {
 		ictx = imon_init_intf0(interface, id);
 		if (!ictx) {
@@ -2432,9 +2434,11 @@ static int imon_probe(struct usb_interfa
 			ret = -ENODEV;
 			goto fail;
 		}
+		refcount_set(&ictx->users, 1);
 
 	} else {
 		/* this is the secondary interface on the device */
+		struct imon_context *first_if_ctx = usb_get_intfdata(first_if);
 
 		/* fail early if first intf failed to register */
 		if (!first_if_ctx) {
@@ -2448,14 +2452,13 @@ static int imon_probe(struct usb_interfa
 			ret = -ENODEV;
 			goto fail;
 		}
+		refcount_inc(&ictx->users);
 
 	}
 
 	usb_set_intfdata(interface, ictx);
 
 	if (ifnum == 0) {
-		mutex_lock(&ictx->lock);
-
 		if (product == 0xffdc && ictx->rf_device) {
 			sysfs_err = sysfs_create_group(&interface->dev.kobj,
 						       &imon_rf_attr_group);
@@ -2466,21 +2469,17 @@ static int imon_probe(struct usb_interfa
 
 		if (ictx->display_supported)
 			imon_init_display(ictx, interface);
-
-		mutex_unlock(&ictx->lock);
 	}
 
 	dev_info(dev, "iMON device (%04x:%04x, intf%d) on usb<%d:%d> initialized\n",
 		 vendor, product, ifnum,
 		 usbdev->bus->busnum, usbdev->devnum);
 
-	mutex_unlock(&driver_lock);
 	usb_put_dev(usbdev);
 
 	return 0;
 
 fail:
-	mutex_unlock(&driver_lock);
 	usb_put_dev(usbdev);
 	dev_err(dev, "unable to register, err %d\n", ret);
 
@@ -2496,10 +2495,8 @@ static void imon_disconnect(struct usb_i
 	struct device *dev;
 	int ifnum;
 
-	/* prevent races with multi-interface device probing and display_open */
-	mutex_lock(&driver_lock);
-
 	ictx = usb_get_intfdata(interface);
+	ictx->disconnected = true;
 	dev = ictx->dev;
 	ifnum = interface->cur_altsetting->desc.bInterfaceNumber;
 
@@ -2540,11 +2537,9 @@ static void imon_disconnect(struct usb_i
 		}
 	}
 
-	if (!ictx->dev_present_intf0 && !ictx->dev_present_intf1)
+	if (refcount_dec_and_test(&ictx->users))
 		free_imon_context(ictx);
 
-	mutex_unlock(&driver_lock);
-
 	dev_dbg(dev, "%s: iMON device (intf%d) disconnected\n",
 		__func__, ifnum);
 }




* [PATCH 5.4 009/224] media: imon: grab lock earlier in imon_ir_change_protocol()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 008/224] media: imon: reorganize serialization Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 010/224] media: rc: fix races with imon_disconnect() Greg Kroah-Hartman
                   ` (222 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tetsuo Handa, Sean Young,
	Hans Verkuil, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

[ Upstream commit 7019553ab850ce1d3f0e512e16d14ab153f91c04 ]

Move mutex_trylock() in imon_ir_change_protocol() to the beginning,
for memcpy() which modifies ictx->usb_tx_buf should be protected by
ictx->lock.

Also, verify at the beginning of send_packet() that ictx->lock is held
in case send_packet() is by error called from imon_ir_change_protocol()
when mutex_trylock() failed due to concurrent requests.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Stable-dep-of: fa0f61cc1d82 ("media: rc: fix races with imon_disconnect()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/rc/imon.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -598,6 +598,8 @@ static int send_packet(struct imon_conte
 	int retval = 0;
 	struct usb_ctrlrequest *control_req = NULL;
 
+	lockdep_assert_held(&ictx->lock);
+
 	/* Check if we need to use control or interrupt urb */
 	if (!ictx->tx_control) {
 		pipe = usb_sndintpipe(ictx->usbdev_intf0,
@@ -1126,7 +1128,7 @@ static int imon_ir_change_protocol(struc
 	int retval;
 	struct imon_context *ictx = rc->priv;
 	struct device *dev = ictx->dev;
-	bool unlock = false;
+	const bool unlock = mutex_trylock(&ictx->lock);
 	unsigned char ir_proto_packet[] = {
 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x86 };
 
@@ -1153,8 +1155,6 @@ static int imon_ir_change_protocol(struc
 
 	memcpy(ictx->usb_tx_buf, &ir_proto_packet, sizeof(ir_proto_packet));
 
-	unlock = mutex_trylock(&ictx->lock);
-
 	retval = send_packet(ictx);
 	if (retval)
 		goto out;
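Review bot: mutex_trylock() can return false, and the function still continues to the memcpy() into ictx->usb_tx_buf and to send_packet(ictx) shown in this hunk, so moving the call to the declaration ("const bool unlock = mutex_trylock(&ictx->lock);") protects the buffer only when the lock was actually obtained. The lockdep_assert_held(&ictx->lock) added to send_packet() reports the case where another task holds the lock, but only on lockdep-enabled builds, and it does not prevent the access. Returning an error when the trylock fails for that reason, or documenting which caller is expected to already hold ictx->lock, would make the contract clear. A locking call with side effects in a declaration initialiser is also easy to overlook and would read better as a separate statement.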




* [PATCH 5.4 010/224] media: rc: fix races with imon_disconnect()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 009/224] media: imon: grab lock earlier in imon_ir_change_protocol() Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 011/224] USB: serial: option: add SIMCom 8230C compositions Greg Kroah-Hartman
                   ` (221 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+f1a69784f6efe748c3bf,
	Larshin Sergey, Sean Young, Hans Verkuil, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Larshin Sergey <Sergey.Larshin@kaspersky.com>

[ Upstream commit fa0f61cc1d828178aa921475a9b786e7fbb65ccb ]

Syzbot reports a KASAN issue as below:
BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline]
BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627
Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465

CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 <TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433
kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
__create_pipe include/linux/usb.h:1945 [inline]
send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627
vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991
vfs_write+0x2d7/0xdd0 fs/read_write.c:576
ksys_write+0x127/0x250 fs/read_write.c:631
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The iMON driver improperly releases the usb_device reference in
imon_disconnect without coordinating with active users of the
device.

Specifically, the fields usbdev_intf0 and usbdev_intf1 are not
protected by the users counter (ictx->users). During probe,
imon_init_intf0 or imon_init_intf1 increments the usb_device
reference count depending on the interface. However, during
disconnect, usb_put_dev is called unconditionally, regardless of
actual usage.

As a result, if vfd_write or other operations are still in
progress after disconnect, this can lead to a use-after-free of
the usb_device pointer.

Thread 1 vfd_write                      Thread 2 imon_disconnect
                                        ...
                                        if
                                          usb_put_dev(ictx->usbdev_intf0)
                                        else
                                          usb_put_dev(ictx->usbdev_intf1)
...
while
  send_packet
    if
      pipe = usb_sndintpipe(
        ictx->usbdev_intf0) UAF
    else
      pipe = usb_sndctrlpipe(
        ictx->usbdev_intf0, 0) UAF

Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by
checking ictx->disconnected in all writer paths. Add early return
with -ENODEV in send_packet(), vfd_write(), lcd_write() and
display_open() if the device is no longer present.

Set and read ictx->disconnected under ictx->lock to ensure memory
synchronization. Acquire the lock in imon_disconnect() before setting
the flag to synchronize with any ongoing operations.

Ensure writers exit early and safely after disconnect before the USB
core proceeds with cleanup.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Reported-by: syzbot+f1a69784f6efe748c3bf@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f1a69784f6efe748c3bf
Fixes: 21677cfc562a ("V4L/DVB: ir-core: add imon driver")
Cc: stable@vger.kernel.org

Signed-off-by: Larshin Sergey <Sergey.Larshin@kaspersky.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/rc/imon.c |   27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -536,7 +536,9 @@ static int display_open(struct inode *in
 
 	mutex_lock(&ictx->lock);
 
-	if (!ictx->display_supported) {
+	if (ictx->disconnected) {
+		retval = -ENODEV;
+	} else if (!ictx->display_supported) {
 		pr_err("display not supported by device\n");
 		retval = -ENODEV;
 	} else if (ictx->display_isopen) {
@@ -600,6 +602,9 @@ static int send_packet(struct imon_conte
 
 	lockdep_assert_held(&ictx->lock);
 
+	if (ictx->disconnected)
+		return -ENODEV;
+
 	/* Check if we need to use control or interrupt urb */
 	if (!ictx->tx_control) {
 		pipe = usb_sndintpipe(ictx->usbdev_intf0,
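Review bot: the new "if (ictx->disconnected) return -ENODEV;" in send_packet() is only reliable when the caller holds ictx->lock, and lockdep_assert_held() enforces that only on lockdep-enabled builds. imon_ir_change_protocol(), as changed by patch 009 of this series, takes the lock with mutex_trylock() and still calls send_packet() when that fails, so on that path the flag can be read without the lock that imon_disconnect() now takes to set it. A comment on send_packet() saying that ictx->lock must be held for the disconnected test to be meaningful, or a bail-out in the trylock-failed path, would cover it.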
@@ -956,12 +961,14 @@ static ssize_t vfd_write(struct file *fi
 	static const unsigned char vfd_packet6[] = {
 		0x01, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF };
 
-	if (ictx->disconnected)
-		return -ENODEV;
-
 	if (mutex_lock_interruptible(&ictx->lock))
 		return -ERESTARTSYS;
 
+	if (ictx->disconnected) {
+		retval = -ENODEV;
+		goto exit;
+	}
+
 	if (!ictx->dev_present_intf0) {
 		pr_err_ratelimited("no iMON device present\n");
 		retval = -ENODEV;
@@ -1036,11 +1043,13 @@ static ssize_t lcd_write(struct file *fi
 	int retval = 0;
 	struct imon_context *ictx = file->private_data;
 
-	if (ictx->disconnected)
-		return -ENODEV;
-
 	mutex_lock(&ictx->lock);
 
+	if (ictx->disconnected) {
+		retval = -ENODEV;
+		goto exit;
+	}
+
 	if (!ictx->display_supported) {
 		pr_err_ratelimited("no iMON display present\n");
 		retval = -ENODEV;
@@ -2496,7 +2505,11 @@ static void imon_disconnect(struct usb_i
 	int ifnum;
 
 	ictx = usb_get_intfdata(interface);
+
+	mutex_lock(&ictx->lock);
 	ictx->disconnected = true;
+	mutex_unlock(&ictx->lock);
+
 	dev = ictx->dev;
 	ifnum = interface->cur_altsetting->desc.bInterfaceNumber;
 




* [PATCH 5.4 011/224] USB: serial: option: add SIMCom 8230C compositions
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 010/224] media: rc: fix races with imon_disconnect() Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 012/224] wifi: rtlwifi: rtl8192cu: Dont claim USB ID 07b8:8188 Greg Kroah-Hartman
                   ` (220 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Xiaowei Li, Johan Hovold

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xiaowei Li <xiaowei.li@simcom.com>

commit 0e0ba0ecec3d6e819e0c2348331ff99afe2eb5d5 upstream.

Add support for SIMCom 8230C which is based on Qualcomm SDX35 chip.

USB Device Listings:

0x9071: tty (DM) + tty (NMEA) + tty (AT) + rmnet (QMI mode) + adb
T:  Bus=01 Lev=01 Prnt=01 Port=05 Cnt=02 Dev#= 10 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1e0e ProdID=9071 Rev= 5.15
S:  Manufacturer=SIMCOM
S:  Product=SDXBAAGHA-IDP _SN:D744C4C5
S:  SerialNumber=0123456789ABCDEF
C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
E:  Ad=86(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms

0x9078: tty (DM) + tty (NMEA) + tty (AT) + ECM + adb
T:  Bus=01 Lev=01 Prnt=01 Port=05 Cnt=02 Dev#=  9 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=1e0e ProdID=9078 Rev= 5.15
S:  Manufacturer=SIMCOM
S:  Product=SDXBAAGHA-IDP _SN:D744C4C5
S:  SerialNumber=0123456789ABCDEF
C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=06 Prot=00 Driver=cdc_ether
E:  Ad=86(I) Atr=03(Int.) MxPS=  16 Ivl=32ms
I:  If#= 4 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
I:* If#= 4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms

0x907b: RNDIS + tty (DM) + tty (NMEA) + tty (AT) + adb
T:  Bus=01 Lev=01 Prnt=01 Port=05 Cnt=02 Dev#=  8 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1e0e ProdID=907b Rev= 5.15
S:  Manufacturer=SIMCOM
S:  Product=SDXBAAGHA-IDP _SN:D744C4C5
S:  SerialNumber=0123456789ABCDEF
C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
A:  FirstIf#= 0 IfCount= 2 Cls=ef(misc ) Sub=04 Prot=01
I:* If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host
E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Signed-off-by: Xiaowei Li <xiaowei.li@simcom.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -2114,6 +2114,12 @@ static const struct usb_device_id option
 	{ USB_DEVICE_INTERFACE_CLASS(0x1e0e, 0x9003, 0xff) },	/* Simcom SIM7500/SIM7600 MBIM mode */
 	{ USB_DEVICE_INTERFACE_CLASS(0x1e0e, 0x9011, 0xff),	/* Simcom SIM7500/SIM7600 RNDIS mode */
 	  .driver_info = RSVD(7) },
+	{ USB_DEVICE(0x1e0e, 0x9071),				/* Simcom SIM8230 RMNET mode */
+	  .driver_info = RSVD(3) | RSVD(4) },
+	{ USB_DEVICE_INTERFACE_CLASS(0x1e0e, 0x9078, 0xff),	/* Simcom SIM8230 ECM mode */
+	  .driver_info = RSVD(5) },
+	{ USB_DEVICE_INTERFACE_CLASS(0x1e0e, 0x907b, 0xff),	/* Simcom SIM8230 RNDIS mode */
+	  .driver_info = RSVD(5) },
 	{ USB_DEVICE_INTERFACE_CLASS(0x1e0e, 0x9205, 0xff) },	/* Simcom SIM7070/SIM7080/SIM7090 AT+ECM mode */
 	{ USB_DEVICE_INTERFACE_CLASS(0x1e0e, 0x9206, 0xff) },	/* Simcom SIM7070/SIM7080/SIM7090 AT-only mode */
 	{ USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S_X200),
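
Review bot: The 0x9071 entry matches with USB_DEVICE() while the 0x9078 and 0x907b entries added beside it use USB_DEVICE_INTERFACE_CLASS(..., 0xff), so for RMNET mode the table match covers every interface and RSVD(3) | RSVD(4) is the only thing keeping option off the non-serial ones. If that is intentional because the serial interfaces in this composition are not all class 0xff, say so in the trailing comment; otherwise use the class-restricted form here as well. It would also help to note what each reserved interface is, since the listing in the changelog shows interface 5 as vendor class Sub=42 Prot=01 with no driver bound.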



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 012/224] wifi: rtlwifi: rtl8192cu: Dont claim USB ID 07b8:8188
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 011/224] USB: serial: option: add SIMCom 8230C compositions Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 013/224] dm-integrity: limit MAX_TAG_SIZE to 255 Greg Kroah-Hartman
                   ` (219 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Bitterblue Smith, Ping-Ke Shih

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bitterblue Smith <rtl8821cerfe2@gmail.com>

commit e798f2ac6040f46a04795d7de977341fa9aeabae upstream.

This ID appears to be RTL8188SU, not RTL8188CU. This is the wrong driver
for RTL8188SU. The r8712u driver from staging used to handle this ID.

Closes: https://lore.kernel.org/linux-wireless/ee0acfef-a753-4f90-87df-15f8eaa9c3a8@gmx.de/
Cc: stable@vger.kernel.org
Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/2e5e2348-bdb3-44b2-92b2-0231dbf464b0@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/realtek/rtlwifi/rtl8192cu/sw.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/sw.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/sw.c
@@ -297,7 +297,6 @@ static const struct usb_device_id rtl819
 	{RTL_USB_DEVICE(0x050d, 0x1102, rtl92cu_hal_cfg)}, /*Belkin - Edimax*/
 	{RTL_USB_DEVICE(0x050d, 0x11f2, rtl92cu_hal_cfg)}, /*Belkin - ISY*/
 	{RTL_USB_DEVICE(0x06f8, 0xe033, rtl92cu_hal_cfg)}, /*Hercules - Edimax*/
-	{RTL_USB_DEVICE(0x07b8, 0x8188, rtl92cu_hal_cfg)}, /*Abocom - Abocom*/
 	{RTL_USB_DEVICE(0x07b8, 0x8189, rtl92cu_hal_cfg)}, /*Funai - Abocom*/
 	{RTL_USB_DEVICE(0x0846, 0x9041, rtl92cu_hal_cfg)}, /*NetGear WNA1000M*/
 	{RTL_USB_DEVICE(0x0846, 0x9043, rtl92cu_hal_cfg)}, /*NG WNA1000Mv2*/
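
Review bot: Dropping the 07b8:8188 line leaves nothing in this hunk or in the changelog saying which driver binds the device in 5.4.y; the changelog only says the staging r8712u driver "used to handle" the ID. For the backport, confirm that r8712u (or another driver) still lists 07b8:8188 in this tree so the adapter is not left without a driver, and record that in the backport note.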



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 013/224] dm-integrity: limit MAX_TAG_SIZE to 255
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 012/224] wifi: rtlwifi: rtl8192cu: Dont claim USB ID 07b8:8188 Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 014/224] perf subcmd: avoid crash in exclude_cmds when excludes is empty Greg Kroah-Hartman
                   ` (218 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

[ Upstream commit 77b8e6fbf9848d651f5cb7508f18ad0971f3ffdb ]

MAX_TAG_SIZE was 0x1a8 and it may be truncated in the "bi->metadata_size
= ic->tag_size" assignment. We need to limit it to 255.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/dm-integrity.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c
index 15580ba773e72..38791b7e59ba3 100644
--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -116,7 +116,7 @@ struct journal_sector {
 	commit_id_t commit_id;
 };
 
-#define MAX_TAG_SIZE			(JOURNAL_SECTOR_DATA - JOURNAL_MAC_PER_SECTOR - offsetof(struct journal_entry, last_bytes[MAX_SECTORS_PER_BLOCK]))
+#define MAX_TAG_SIZE			255
 
 #define METADATA_PADDING_SECTORS	8
 
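
Review bot: "#define MAX_TAG_SIZE 255" replaces a derived bound with a bare literal, and nothing at the define says where 255 comes from. The changelog ties it to truncation in the "bi->metadata_size = ic->tag_size" assignment, so add a comment naming that field as the reason, or express the limit in terms of the field's width, so the two cannot drift apart silently. The changelog gives the old value as 0x1a8, so 255 is also tighter than the journal-layout bound the removed expression enforced; the comment should say that this is relied on.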
-- 
2.51.0




^ permalink raw reply related	[flat|nested] 234+ messages in thread

* [PATCH 5.4 014/224] perf subcmd: avoid crash in exclude_cmds when excludes is empty
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 013/224] dm-integrity: limit MAX_TAG_SIZE to 255 Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 015/224] staging: axis-fifo: fix maximum TX packet length check Greg Kroah-Hartman
                   ` (217 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, hupu, Guilherme Amadio, Namhyung Kim,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: hupu <hupu.gm@gmail.com>

[ Upstream commit a5edf3550f4260504b7e0ab3d40d13ffe924b773 ]

When cross-compiling the perf tool for ARM64, `perf help` may crash
with the following assertion failure:

  help.c:122: exclude_cmds: Assertion `cmds->names[ci] == NULL' failed.

This happens when the perf binary is not named exactly "perf" or when
multiple "perf-*" binaries exist in the same directory. In such cases,
the `excludes` command list can be empty, which leads to the final
assertion in exclude_cmds() being triggered.

Add a simple guard at the beginning of exclude_cmds() to return early
if excludes->cnt is zero, preventing the crash.

Signed-off-by: hupu <hupu.gm@gmail.com>
Reported-by: Guilherme Amadio <amadio@gentoo.org>
Reviewed-by: Namhyung Kim <namhyung@kernel.org>
Link: https://lore.kernel.org/r/20250909094953.106706-1-amadio@gentoo.org
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/lib/subcmd/help.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tools/lib/subcmd/help.c b/tools/lib/subcmd/help.c
index 4260c8b4257bd..10f134c64ada1 100644
--- a/tools/lib/subcmd/help.c
+++ b/tools/lib/subcmd/help.c
@@ -72,6 +72,9 @@ void exclude_cmds(struct cmdnames *cmds, struct cmdnames *excludes)
 	size_t ci, cj, ei;
 	int cmp;
 
+	if (!excludes->cnt)
+		return;
+
 	ci = cj = ei = 0;
 	while (ci < cmds->cnt && ei < excludes->cnt) {
 		cmp = strcmp(cmds->names[ci]->name, excludes->names[ei]->name);
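
Review bot: The new "if (!excludes->cnt) return;" at the top of exclude_cmds() has no comment, and from the loop that follows it is not obvious why an empty list needs special handling, since "while (ci < cmds->cnt && ei < excludes->cnt)" already does nothing when excludes->cnt is 0. The assertion named in the changelog sits after this loop, outside the hunk, so add a one-line comment stating which later step misbehaves with an empty list, or fix that step where it lives.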
-- 
2.51.0




^ permalink raw reply related	[flat|nested] 234+ messages in thread

* [PATCH 5.4 015/224] staging: axis-fifo: fix maximum TX packet length check
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 014/224] perf subcmd: avoid crash in exclude_cmds when excludes is empty Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 016/224] staging: axis-fifo: flush RX FIFO on read errors Greg Kroah-Hartman
                   ` (216 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ovidiu Panait

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ovidiu Panait <ovidiu.panait.oss@gmail.com>

commit 52ff2b840bc723f3be1f096f8017c78e0515858c upstream.

Since commit 2ca34b508774 ("staging: axis-fifo: Correct handling of
tx_fifo_depth for size validation"), write() operations with packets
larger than 'tx_fifo_depth - 4' words are no longer rejected with -EINVAL.

Fortunately, the packets are not actually getting transmitted to hardware,
otherwise they would be raising a 'Transmit Packet Overrun Error'
interrupt, which requires a reset of the TX circuit to recover from.

Instead, the request times out inside wait_event_interruptible_timeout()
and always returns -EAGAIN, since the wake up condition can never be true
for these packets. But still, they unnecessarily block other tasks from
writing to the FIFO and the EAGAIN return code signals userspace to retry
the write() call, even though it will always fail and time out.

According to the AXI4-Stream FIFO reference manual (PG080), the maximum
valid packet length is 'tx_fifo_depth - 4' words, so attempting to send
larger packets is invalid and should not be happening in the first place:

> The maximum packet that can be transmitted is limited by the size of
> the FIFO, which is (C_TX_FIFO_DEPTH–4)*(data interface width/8) bytes.

Therefore, bring back the old behavior and outright reject packets larger
than 'tx_fifo_depth - 4' with -EINVAL. Add a comment to explain why the
check is necessary. The dev_err() message was removed to avoid cluttering
the dmesg log if an invalid packet is received from userspace.

Fixes: 2ca34b508774 ("staging: axis-fifo: Correct handling of tx_fifo_depth for size validation")
Cc: stable@vger.kernel.org
Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
Link: https://lore.kernel.org/r/20250817171350.872105-1-ovidiu.panait.oss@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/axis-fifo/axis-fifo.c |   14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

--- a/drivers/staging/axis-fifo/axis-fifo.c
+++ b/drivers/staging/axis-fifo/axis-fifo.c
@@ -494,11 +494,17 @@ static ssize_t axis_fifo_write(struct fi
 		return -EINVAL;
 	}
 
-	if (words_to_write > fifo->tx_fifo_depth) {
-		dev_err(fifo->dt_device, "tried to write more words [%u] than slots in the fifo buffer [%u]\n",
-			words_to_write, fifo->tx_fifo_depth);
+	/*
+	 * In 'Store-and-Forward' mode, the maximum packet that can be
+	 * transmitted is limited by the size of the FIFO, which is
+	 * (C_TX_FIFO_DEPTH–4)*(data interface width/8) bytes.
+	 *
+	 * Do not attempt to send a packet larger than 'tx_fifo_depth - 4',
+	 * otherwise a 'Transmit Packet Overrun Error' interrupt will be
+	 * raised, which requires a reset of the TX circuit to recover.
+	 */
+	if (words_to_write > (fifo->tx_fifo_depth - 4))
 		return -EINVAL;
-	}
 
 	if (fifo->write_flags & O_NONBLOCK) {
 		/*
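
Review bot: In "if (words_to_write > (fifo->tx_fifo_depth - 4))" the subtraction is done on a value that the removed dev_err() printed with %u, so if tx_fifo_depth is ever below 4 the right-hand side wraps to a very large number and the check rejects nothing. Either make sure probe refuses a tx_fifo_depth smaller than 4, or write the comparison without the subtraction, for example "words_to_write + 4 > fifo->tx_fifo_depth". The new comment also carries a non-ASCII dash in "(C_TX_FIFO_DEPTH–4)"; a plain '-' is safer in source.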



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 016/224] staging: axis-fifo: flush RX FIFO on read errors
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 015/224] staging: axis-fifo: fix maximum TX packet length check Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 017/224] driver core/PM: Set power.no_callbacks along with power.no_pm Greg Kroah-Hartman
                   ` (215 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ovidiu Panait

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ovidiu Panait <ovidiu.panait.oss@gmail.com>

commit 82a051e2553b9e297cba82a975d9c538b882c79e upstream.

Flush stale data from the RX FIFO in case of errors, to avoid reading
old data when new packets arrive.

Commit c6e8d85fafa7 ("staging: axis-fifo: Remove hardware resets for
user errors") removed full FIFO resets from the read error paths, which
fixed potential TX data losses, but introduced this RX issue.

Fixes: c6e8d85fafa7 ("staging: axis-fifo: Remove hardware resets for user errors")
Cc: stable@vger.kernel.org
Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
Link: https://lore.kernel.org/r/20250912101322.1282507-2-ovidiu.panait.oss@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/axis-fifo/axis-fifo.c |   18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

--- a/drivers/staging/axis-fifo/axis-fifo.c
+++ b/drivers/staging/axis-fifo/axis-fifo.c
@@ -400,6 +400,7 @@ static ssize_t axis_fifo_read(struct fil
 	}
 
 	bytes_available = ioread32(fifo->base_addr + XLLF_RLR_OFFSET);
+	words_available = bytes_available / sizeof(u32);
 	if (!bytes_available) {
 		dev_err(fifo->dt_device, "received a packet of length 0\n");
 		ret = -EIO;
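
Review bot: "words_available = bytes_available / sizeof(u32)" now runs before the "bytes_available % sizeof(u32)" check further down, and that check jumps to err_flush_rx. For a length that is not word-aligned the division rounds down, so the flush loop may drain one word fewer than the FIFO holds for that packet. Consider rounding up for the flush count, e.g. DIV_ROUND_UP(bytes_available, sizeof(u32)), or add a comment explaining why rounding down is correct for this hardware.
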
@@ -410,7 +411,7 @@ static ssize_t axis_fifo_read(struct fil
 		dev_err(fifo->dt_device, "user read buffer too small (available bytes=%zu user buffer bytes=%zu)\n",
 			bytes_available, len);
 		ret = -EINVAL;
-		goto end_unlock;
+		goto err_flush_rx;
 	}
 
 	if (bytes_available % sizeof(u32)) {
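
Review bot: With "goto err_flush_rx" on the "user read buffer too small" path, a read() that passes a short buffer now gets -EINVAL and the pending packet is drained from the FIFO, so it cannot be fetched by retrying with a larger buffer. If that is the intended contract, state it in a comment at this branch so callers and future maintainers know the packet is discarded.
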
@@ -419,11 +420,9 @@ static ssize_t axis_fifo_read(struct fil
 		 */
 		dev_err(fifo->dt_device, "received a packet that isn't word-aligned\n");
 		ret = -EIO;
-		goto end_unlock;
+		goto err_flush_rx;
 	}
 
-	words_available = bytes_available / sizeof(u32);
-
 	/* read data into an intermediate buffer, copying the contents
 	 * to userspace when the buffer is full
 	 */
@@ -435,18 +434,23 @@ static ssize_t axis_fifo_read(struct fil
 			tmp_buf[i] = ioread32(fifo->base_addr +
 					      XLLF_RDFD_OFFSET);
 		}
+		words_available -= copy;
 
 		if (copy_to_user(buf + copied * sizeof(u32), tmp_buf,
 				 copy * sizeof(u32))) {
 			ret = -EFAULT;
-			goto end_unlock;
+			goto err_flush_rx;
 		}
 
 		copied += copy;
-		words_available -= copy;
 	}
+	mutex_unlock(&fifo->read_lock);
+
+	return bytes_available;
 
-	ret = bytes_available;
+err_flush_rx:
+	while (words_available--)
+		ioread32(fifo->base_addr + XLLF_RDFD_OFFSET);
 
 end_unlock:
 	mutex_unlock(&fifo->read_lock);
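
Review bot: Moving "words_available -= copy;" above copy_to_user() is what makes the -EFAULT path flush the right amount, because those words have already been popped from XLLF_RDFD_OFFSET into tmp_buf; nothing in the code says so, and the line looks safe to move back below the copy. Add a short comment at that line, and one at err_flush_rx saying that the reads there discard the remainder of the packet.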



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 017/224] driver core/PM: Set power.no_callbacks along with power.no_pm
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 016/224] staging: axis-fifo: flush RX FIFO on read errors Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 018/224] perf: arm_spe: Prevent overflow in PERF_IDX2OFF() Greg Kroah-Hartman
                   ` (214 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, stable,
	Sudeep Holla

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

commit c2ce2453413d429e302659abc5ace634e873f6f5 upstream.

Devices with power.no_pm set are not expected to need any power
management at all, so modify device_set_pm_not_required() to set
power.no_callbacks for them too in case runtime PM will be enabled
for any of them (which in principle may be done for convenience if
such a device participates in a dependency chain).

Since device_set_pm_not_required() must be called before device_add()
or it would not have any effect, it can update power.no_callbacks
without locking, unlike pm_runtime_no_callbacks() that can be called
after registering the target device.

Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: stable <stable@kernel.org>
Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
Link: https://lore.kernel.org/r/1950054.tdWV9SEqCh@rafael.j.wysocki
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/device.h |    3 +++
 1 file changed, 3 insertions(+)

--- a/include/linux/device.h
+++ b/include/linux/device.h
@@ -1441,6 +1441,9 @@ static inline bool device_pm_not_require
 static inline void device_set_pm_not_required(struct device *dev)
 {
 	dev->power.no_pm = true;
+#ifdef CONFIG_PM
+	dev->power.no_callbacks = true;
+#endif
 }
 
 static inline void dev_pm_syscore_device(struct device *dev, bool val)
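
Review bot: The unlocked store "dev->power.no_callbacks = true;" is only safe because, as the changelog says, device_set_pm_not_required() must be called before device_add(); nothing at the function records that. Add a kernel-doc or one-line comment above the function stating the ordering requirement and that it is the reason no lock is taken, in contrast to pm_runtime_no_callbacks().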



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 018/224] perf: arm_spe: Prevent overflow in PERF_IDX2OFF()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 017/224] driver core/PM: Set power.no_callbacks along with power.no_pm Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 019/224] x86/vdso: Fix output operand size of RDPID Greg Kroah-Hartman
                   ` (213 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Leo Yan, Will Deacon, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leo Yan <leo.yan@arm.com>

[ Upstream commit a29fea30dd93da16652930162b177941abd8c75e ]

Cast nr_pages to unsigned long to avoid overflow when handling large
AUX buffer sizes (>= 2 GiB).

Fixes: d5d9696b0380 ("drivers/perf: Add support for ARMv8.2 Statistical Profiling Extension")
Signed-off-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/perf/arm_spe_pmu.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/perf/arm_spe_pmu.c b/drivers/perf/arm_spe_pmu.c
index 079701e8de186..91a6631af5567 100644
--- a/drivers/perf/arm_spe_pmu.c
+++ b/drivers/perf/arm_spe_pmu.c
@@ -75,7 +75,8 @@ struct arm_spe_pmu {
 #define to_spe_pmu(p) (container_of(p, struct arm_spe_pmu, pmu))
 
 /* Convert a free-running index from perf into an SPE buffer offset */
-#define PERF_IDX2OFF(idx, buf)	((idx) % ((buf)->nr_pages << PAGE_SHIFT))
+#define PERF_IDX2OFF(idx, buf) \
+	((idx) % ((unsigned long)(buf)->nr_pages << PAGE_SHIFT))
 
 /* Keep track of our dynamic hotplug state */
 static enum cpuhp_state arm_spe_pmu_online;
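
Review bot: The cast in "((unsigned long)(buf)->nr_pages << PAGE_SHIFT)" widens the shift inside PERF_IDX2OFF() only. Any place in this file that computes "nr_pages << PAGE_SHIFT" directly, outside the macro, would still shift at the width of nr_pages and hit the same problem for AUX buffers of 2 GiB and above, so please check the rest of the driver as part of this backport. A short note in the macro's comment on why the cast is there would keep it from being removed later as redundant.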
-- 
2.51.0




^ permalink raw reply related	[flat|nested] 234+ messages in thread

* [PATCH 5.4 019/224] x86/vdso: Fix output operand size of RDPID
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 018/224] perf: arm_spe: Prevent overflow in PERF_IDX2OFF() Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 020/224] regmap: Remove superfluous check for !config in __regmap_init() Greg Kroah-Hartman
                   ` (212 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Uros Bizjak, Borislav Petkov (AMD),
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Uros Bizjak <ubizjak@gmail.com>

[ Upstream commit ac9c408ed19d535289ca59200dd6a44a6a2d6036 ]

RDPID instruction outputs to a word-sized register (64-bit on x86_64 and
32-bit on x86_32). Use an unsigned long variable to store the correct size.

LSL outputs to 32-bit register, use %k operand prefix to always print the
32-bit name of the register.

Use RDPID insn mnemonic while at it as the minimum binutils version of
2.30 supports it.

  [ bp: Merge two patches touching the same function into a single one. ]

Fixes: ffebbaedc861 ("x86/vdso: Introduce helper functions for CPU and node number")
Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/20250616095315.230620-1-ubizjak@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/include/asm/segment.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/arch/x86/include/asm/segment.h b/arch/x86/include/asm/segment.h
index 6669164abadcb..531a0cb93b47b 100644
--- a/arch/x86/include/asm/segment.h
+++ b/arch/x86/include/asm/segment.h
@@ -253,7 +253,7 @@ static inline unsigned long vdso_encode_cpunode(int cpu, unsigned long node)
 
 static inline void vdso_read_cpunode(unsigned *cpu, unsigned *node)
 {
-	unsigned int p;
+	unsigned long p;
 
 	/*
 	 * Load CPU and node number from the GDT.  LSL is faster than RDTSCP
@@ -263,10 +263,10 @@ static inline void vdso_read_cpunode(unsigned *cpu, unsigned *node)
 	 *
 	 * If RDPID is available, use it.
 	 */
-	alternative_io ("lsl %[seg],%[p]",
-			".byte 0xf3,0x0f,0xc7,0xf8", /* RDPID %eax/rax */
+	alternative_io ("lsl %[seg],%k[p]",
+			"rdpid %[p]",
 			X86_FEATURE_RDPID,
-			[p] "=a" (p), [seg] "r" (__CPUNODE_SEG));
+			[p] "=r" (p), [seg] "r" (__CPUNODE_SEG));
 
 	if (cpu)
 		*cpu = (p & VDSO_CPUNODE_MASK);
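
Review bot: Replacing the ".byte 0xf3,0x0f,0xc7,0xf8" encoding with the "rdpid %[p]" mnemonic makes this header depend on assembler support for RDPID. The changelog justifies that with a minimum binutils version of 2.30, which is a statement about the upstream tree; for 5.4.y, confirm that the oldest binutils this branch supports assembles "rdpid", and keep the .byte form (with the "=a" constraint it needs) if it does not. The operand-size part of the change, "unsigned long p" with "%k[p]" for LSL, does not depend on the mnemonic and can stand on its own.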
-- 
2.51.0




^ permalink raw reply related	[flat|nested] 234+ messages in thread

* [PATCH 5.4 020/224] regmap: Remove superfluous check for !config in __regmap_init()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 019/224] x86/vdso: Fix output operand size of RDPID Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 021/224] ACPI: processor: idle: Fix memory leak when register cpuidle device failed Greg Kroah-Hartman
                   ` (211 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Mark Brown,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert+renesas@glider.be>

[ Upstream commit 5c36b86d2bf68fbcad16169983ef7ee8c537db59 ]

The first thing __regmap_init() does is check if config is non-NULL,
so there is no need to check for this again later.

Fixes: d77e745613680c54 ("regmap: Add bulk read/write callbacks into regmap_config")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/a154d9db0f290dda96b48bd817eb743773e846e1.1755090330.git.geert+renesas@glider.be
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/base/regmap/regmap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
index c453c24afeb8a..5824cfd288125 100644
--- a/drivers/base/regmap/regmap.c
+++ b/drivers/base/regmap/regmap.c
@@ -824,7 +824,7 @@ struct regmap *__regmap_init(struct device *dev,
 		map->read_flag_mask = bus->read_flag_mask;
 	}
 
-	if (config && config->read && config->write) {
+	if (config->read && config->write) {
 		map->reg_read  = _regmap_bus_read;
 
 		/* Bulk read/write */
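
Review bot: "if (config->read && config->write)" now dereferences config with no check of its own, relying on the NULL test that the changelog says is the first thing __regmap_init() does; that test is outside this hunk. For the 5.4.y backport, verify that the early check is present in this tree's __regmap_init() before the "config &&" guard is dropped.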
-- 
2.51.0




^ permalink raw reply related	[flat|nested] 234+ messages in thread

* [PATCH 5.4 021/224] ACPI: processor: idle: Fix memory leak when register cpuidle device failed
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 020/224] regmap: Remove superfluous check for !config in __regmap_init() Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 022/224] soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS Greg Kroah-Hartman
                   ` (210 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Huisong Li, Rafael J. Wysocki,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Huisong Li <lihuisong@huawei.com>

[ Upstream commit 11b3de1c03fa9f3b5d17e6d48050bc98b3704420 ]

The cpuidle device's memory is leaked when cpuidle device registration
fails in acpi_processor_power_init().  Free it as appropriate.

Fixes: 3d339dcbb56d ("cpuidle / ACPI : move cpuidle_device field out of the acpi_processor_power structure")
Signed-off-by: Huisong Li <lihuisong@huawei.com>
Link: https://patch.msgid.link/20250728070612.1260859-2-lihuisong@huawei.com
[ rjw: Changed the order of the new statements, added empty line after if () ]
[ rjw: Changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/processor_idle.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c
index e6bba26caf3c8..86655d65f3215 100644
--- a/drivers/acpi/processor_idle.c
+++ b/drivers/acpi/processor_idle.c
@@ -1506,6 +1506,9 @@ int acpi_processor_power_init(struct acpi_processor *pr)
 		if (retval) {
 			if (acpi_processor_registered == 0)
 				cpuidle_unregister_driver(&acpi_idle_driver);
+
+			per_cpu(acpi_cpuidle_device, pr->id) = NULL;
+			kfree(dev);
 			return retval;
 		}
 		acpi_processor_registered++;
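
Review bot: After this failure path sets "per_cpu(acpi_cpuidle_device, pr->id) = NULL" and frees dev, any later code that reads the per-CPU pointer for this processor sees NULL. Please confirm that the matching exit path checks for a NULL device before using it, since that code is not part of this hunk.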
-- 
2.51.0




^ permalink raw reply related	[flat|nested] 234+ messages in thread

* [PATCH 5.4 022/224] soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 021/224] ACPI: processor: idle: Fix memory leak when register cpuidle device failed Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 023/224] pinctrl: meson-gxl: add missing i2c_d pinmux Greg Kroah-Hartman
                   ` (209 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sneh Mankad, Bjorn Andersson,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sneh Mankad <sneh.mankad@oss.qualcomm.com>

[ Upstream commit f87412d18edb5b8393eb8cb1c2d4a54f90185a21 ]

Unconditionally clear the TCS_AMC_MODE_TRIGGER bit when a
transaction completes. Previously this bit was only cleared when
a wake TCS was borrowed as an AMC TCS but not for dedicated
AMC TCS. Leaving this bit set for AMC TCS and entering deeper low
power modes can generate a false completion IRQ.

Prevent this scenario by always clearing the TCS_AMC_MODE_TRIGGER
bit upon receiving a completion IRQ.

Fixes: 15b3bf61b8d4 ("soc: qcom: rpmh-rsc: Clear active mode configuration for wake TCS")
Signed-off-by: Sneh Mankad <sneh.mankad@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250825-rpmh_rsc_change-v1-1-138202c31bf6@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/soc/qcom/rpmh-rsc.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/drivers/soc/qcom/rpmh-rsc.c b/drivers/soc/qcom/rpmh-rsc.c
index 8924fcd9f5f59..a89d78afc8970 100644
--- a/drivers/soc/qcom/rpmh-rsc.c
+++ b/drivers/soc/qcom/rpmh-rsc.c
@@ -265,13 +265,10 @@ static irqreturn_t tcs_tx_done(int irq, void *p)
 
 		trace_rpmh_tx_done(drv, i, req, err);
 
-		/*
-		 * If wake tcs was re-purposed for sending active
-		 * votes, clear AMC trigger & enable modes and
+		/* Clear AMC trigger & enable modes and
 		 * disable interrupt for this TCS
 		 */
-		if (!drv->tcs[ACTIVE_TCS].num_tcs)
-			__tcs_set_trigger(drv, i, false);
+		__tcs_set_trigger(drv, i, false);
 skip:
 		/* Reclaim the TCS */
 		write_tcs_reg(drv, RSC_DRV_CMD_ENABLE, i, 0);
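
Review bot: The rewritten comment opens with text on the same line as the "/*" ("/* Clear AMC trigger & enable modes and") but closes with "*/" on a line of its own, which matches neither the one-line nor the multi-line block comment form. Keep the opening "/*" on its own line, as the removed comment did.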
-- 
2.51.0




^ permalink raw reply related	[flat|nested] 234+ messages in thread

* [PATCH 5.4 023/224] pinctrl: meson-gxl: add missing i2c_d pinmux
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 022/224] soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 024/224] blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx Greg Kroah-Hartman
                   ` (208 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Da Xue, Linus Walleij, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Da Xue <da@libre.computer>

[ Upstream commit d8c2a9edd181f0cc4a66eec954b3d8f6a1d954a7 ]

Amlogic GXL has 4 I2C attached to gpio-periphs. I2C_D is on GPIOX_10/11.

Add the relevant func 3 pinmux per the datasheet for S805X/S905X/S905D.

Fixes: 0f15f500ff2c ("pinctrl: meson: Add GXL pinctrl definitions")
Signed-off-by: Da Xue <da@libre.computer>
Link: https://lore.kernel.org/20250821233335.1707559-1-da@libre.computer
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pinctrl/meson/pinctrl-meson-gxl.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/pinctrl/meson/pinctrl-meson-gxl.c b/drivers/pinctrl/meson/pinctrl-meson-gxl.c
index e8d1f3050487f..2da0f2ab4038e 100644
--- a/drivers/pinctrl/meson/pinctrl-meson-gxl.c
+++ b/drivers/pinctrl/meson/pinctrl-meson-gxl.c
@@ -187,6 +187,9 @@ static const unsigned int i2c_sda_c_pins[]	= { GPIODV_28 };
 static const unsigned int i2c_sck_c_dv19_pins[] = { GPIODV_19 };
 static const unsigned int i2c_sda_c_dv18_pins[] = { GPIODV_18 };
 
+static const unsigned int i2c_sck_d_pins[]	= { GPIOX_11 };
+static const unsigned int i2c_sda_d_pins[]	= { GPIOX_10 };
+
 static const unsigned int eth_mdio_pins[]	= { GPIOZ_0 };
 static const unsigned int eth_mdc_pins[]	= { GPIOZ_1 };
 static const unsigned int eth_clk_rx_clk_pins[] = { GPIOZ_2 };
@@ -400,6 +403,8 @@ static struct meson_pmx_group meson_gxl_periphs_groups[] = {
 	GPIO_GROUP(GPIO_TEST_N),
 
 	/* Bank X */
+	GROUP(i2c_sda_d,	5,	5),
+	GROUP(i2c_sck_d,	5,	4),
 	GROUP(sdio_d0,		5,	31),
 	GROUP(sdio_d1,		5,	30),
 	GROUP(sdio_d2,		5,	29),
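
Review bot: The two new entries, "GROUP(i2c_sda_d, 5, 5)" and "GROUP(i2c_sck_d, 5, 4)", are placed at the top of the Bank X list ahead of "GROUP(sdio_d0, 5, 31)", while the entries that follow run in descending bit order (31, 30, 29). If the list is kept sorted by register and bit, move them to the position their bit numbers call for. The changelog also speaks of "func 3" while the hunk encodes register 5, bits 5 and 4; a short comment tying the two together would help anyone checking this against the datasheet.
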
@@ -631,6 +636,10 @@ static const char * const i2c_c_groups[] = {
 	"i2c_sck_c", "i2c_sda_c", "i2c_sda_c_dv18", "i2c_sck_c_dv19",
 };
 
+static const char * const i2c_d_groups[] = {
+	"i2c_sck_d", "i2c_sda_d",
+};
+
 static const char * const eth_groups[] = {
 	"eth_mdio", "eth_mdc", "eth_clk_rx_clk", "eth_rx_dv",
 	"eth_rxd0", "eth_rxd1", "eth_rxd2", "eth_rxd3",
@@ -751,6 +760,7 @@ static struct meson_pmx_func meson_gxl_periphs_functions[] = {
 	FUNCTION(i2c_a),
 	FUNCTION(i2c_b),
 	FUNCTION(i2c_c),
+	FUNCTION(i2c_d),
 	FUNCTION(eth),
 	FUNCTION(pwm_a),
 	FUNCTION(pwm_b),
-- 
2.51.0




^ permalink raw reply related	[flat|nested] 234+ messages in thread

* [PATCH 5.4 024/224] blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 023/224] pinctrl: meson-gxl: add missing i2c_d pinmux Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 025/224] block: use int to store blk_stack_limits() return value Greg Kroah-Hartman
                   ` (207 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Li Nan, Yu Kuai, Jens Axboe,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Li Nan <linan122@huawei.com>

[ Upstream commit 4c7ef92f6d4d08a27d676e4c348f4e2922cab3ed ]

In __blk_mq_update_nr_hw_queues() the return value of
blk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx
fails, later changing the number of hw_queues or removing disk will
trigger the following warning:

  kernfs: can not remove 'nr_tags', no directory
  WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160
  Call Trace:
   remove_files.isra.1+0x38/0xb0
   sysfs_remove_group+0x4d/0x100
   sysfs_remove_groups+0x31/0x60
   __kobject_del+0x23/0xf0
   kobject_del+0x17/0x40
   blk_mq_unregister_hctx+0x5d/0x80
   blk_mq_sysfs_unregister_hctxs+0x94/0xd0
   blk_mq_update_nr_hw_queues+0x124/0x760
   nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]
   nullb_device_submit_queues_store+0x92/0x120 [null_blk]

kobject_del() was called unconditionally even if sysfs creation failed.
Fix it by checking the kobject creation status before deleting it.

Fixes: 477e19dedc9d ("blk-mq: adjust debugfs and sysfs register when updating nr_hw_queues")
Signed-off-by: Li Nan <linan122@huawei.com>
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
Link: https://lore.kernel.org/r/20250826084854.1030545-1-linan666@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/blk-mq-sysfs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/block/blk-mq-sysfs.c b/block/blk-mq-sysfs.c
index 7abd66d1228ad..532afcb672412 100644
--- a/block/blk-mq-sysfs.c
+++ b/block/blk-mq-sysfs.c
@@ -241,9 +241,11 @@ static void blk_mq_unregister_hctx(struct blk_mq_hw_ctx *hctx)
 		return;
 
 	hctx_for_each_ctx(hctx, ctx, i)
-		kobject_del(&ctx->kobj);
+		if (ctx->kobj.state_in_sysfs)
+			kobject_del(&ctx->kobj);
 
-	kobject_del(&hctx->kobj);
+	if (hctx->kobj.state_in_sysfs)
+		kobject_del(&hctx->kobj);
 }
 
 static int blk_mq_register_hctx(struct blk_mq_hw_ctx *hctx)
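Review bot: the new `if` under hctx_for_each_ctx() makes the loop body a
nested two-line statement without braces; kernel style would put braces
around the loop body here. Separately, these checks silence the warning at
teardown, but the commit message says the return value of
blk_mq_sysfs_register_hctxs() is still ignored in
__blk_mq_update_nr_hw_queues(), so a failed registration stays invisible to
the caller; a follow-up that propagates or logs that error would cover the
cause as well.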
-- 
2.51.0





* [PATCH 5.4 025/224] block: use int to store blk_stack_limits() return value
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 024/224] blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 026/224] pwm: tiehrpwm: Fix corner case in clock divisor calculation Greg Kroah-Hartman
                   ` (206 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Qianfeng Rong, John Garry,
	Bart Van Assche, Jens Axboe, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Qianfeng Rong <rongqianfeng@vivo.com>

[ Upstream commit b0b4518c992eb5f316c6e40ff186cbb7a5009518 ]

Change the 'ret' variable in blk_stack_limits() from unsigned int to int,
as it needs to store negative value -1.

Storing the negative error codes in unsigned type, or performing equality
comparisons (e.g., ret == -1), doesn't cause an issue at runtime [1] but
can be confusing.  Additionally, assigning negative error codes to unsigned
type may trigger a GCC warning when the -Wsign-conversion flag is enabled.

No effect on runtime.

Link: https://lore.kernel.org/all/x3wogjf6vgpkisdhg3abzrx7v7zktmdnfmqeih5kosszmagqfs@oh3qxrgzkikf/ #1
Signed-off-by: Qianfeng Rong <rongqianfeng@vivo.com>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Fixes: fe0b393f2c0a ("block: Correct handling of bottom device misaligment")
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://lore.kernel.org/r/20250902130930.68317-1-rongqianfeng@vivo.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/blk-settings.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/block/blk-settings.c b/block/blk-settings.c
index 13be635300a85..d4870441a38ac 100644
--- a/block/blk-settings.c
+++ b/block/blk-settings.c
@@ -505,7 +505,8 @@ static unsigned int blk_round_down_sectors(unsigned int sectors, unsigned int lb
 int blk_stack_limits(struct queue_limits *t, struct queue_limits *b,
 		     sector_t start)
 {
-	unsigned int top, bottom, alignment, ret = 0;
+	unsigned int top, bottom, alignment;
+	int ret = 0;
 
 	t->max_sectors = min_not_zero(t->max_sectors, b->max_sectors);
 	t->max_hw_sectors = min_not_zero(t->max_hw_sectors, b->max_hw_sectors);
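Review bot: `int ret` on the added line now matches the function's `int`
return type shown in the context lines, which is the right direction, but
the commit message itself says there is no runtime effect. For a stable
backport it would help to state why this is needed in 5.4, for example as a
prerequisite for a later patch in the series.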
-- 
2.51.0





* [PATCH 5.4 026/224] pwm: tiehrpwm: Fix corner case in clock divisor calculation
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 025/224] block: use int to store blk_stack_limits() return value Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 027/224] selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported Greg Kroah-Hartman
                   ` (205 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
	Uwe Kleine-König, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>

[ Upstream commit 00f83f0e07e44e2f1fb94b223e77ab7b18ee2d7d ]

The function set_prescale_div() is responsible for calculating the clock
divisor settings such that the input clock rate is divided down such that
the required period length is at most 0x10000 clock ticks. If period_cycles
is an integer multiple of 0x10000, the divisor period_cycles / 0x10000 is
good enough. So round up in the calculation of the required divisor and
compare it using >= instead of >.

Fixes: 19891b20e7c2 ("pwm: pwm-tiehrpwm: PWM driver support for EHRPWM")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://lore.kernel.org/r/85488616d7bfcd9c32717651d0be7e330e761b9c.1754927682.git.u.kleine-koenig@baylibre.com
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pwm/pwm-tiehrpwm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/pwm/pwm-tiehrpwm.c b/drivers/pwm/pwm-tiehrpwm.c
index 7b4c770ce9d67..7414daef81a35 100644
--- a/drivers/pwm/pwm-tiehrpwm.c
+++ b/drivers/pwm/pwm-tiehrpwm.c
@@ -167,7 +167,7 @@ static int set_prescale_div(unsigned long rqst_prescaler, u16 *prescale_div,
 
 			*prescale_div = (1 << clkdiv) *
 					(hspclkdiv ? (hspclkdiv * 2) : 1);
-			if (*prescale_div > rqst_prescaler) {
+			if (*prescale_div >= rqst_prescaler) {
 				*tb_clk_div = (clkdiv << TBCTL_CLKDIV_SHIFT) |
 					(hspclkdiv << TBCTL_HSPCLKDIV_SHIFT);
 				return 0;
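Review bot: the `>=` on the added line is only correct together with the
DIV_ROUND_UP() change in the next hunk; with the old truncating division,
`>=` would accept a divisor that is one step too small whenever
period_cycles is not a multiple of PERIOD_MAX. A short comment above the
comparison saying that rqst_prescaler is already rounded up would keep the
two from drifting apart in later backports.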
@@ -266,7 +266,7 @@ static int ehrpwm_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm,
 	pc->period_cycles[pwm->hwpwm] = period_cycles;
 
 	/* Configure clock prescaler to support Low frequency PWM wave */
-	if (set_prescale_div(period_cycles/PERIOD_MAX, &ps_divval,
+	if (set_prescale_div(DIV_ROUND_UP(period_cycles, PERIOD_MAX), &ps_divval,
 			     &tb_divval)) {
 		dev_err(chip->dev, "Unsupported values\n");
 		return -EINVAL;
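Review bot: DIV_ROUND_UP(period_cycles, PERIOD_MAX) adds PERIOD_MAX - 1 to
period_cycles before dividing, so the sum can wrap if period_cycles is close
to the maximum of its type; the declaration is outside this hunk, so please
confirm the range. The dev_err() text "Unsupported values" on the failure
path also gives no hint which period was rejected.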
-- 
2.51.0





* [PATCH 5.4 027/224] selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 026/224] pwm: tiehrpwm: Fix corner case in clock divisor calculation Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 028/224] bpf: Explicitly check accesses to bpf_sock_addr Greg Kroah-Hartman
                   ` (204 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Akhilesh Patil, Shuah Khan,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Akhilesh Patil <akhilesh@ee.iitb.ac.in>

[ Upstream commit e8cfc524eaf3c0ed88106177edb6961e202e6716 ]

Check if watchdog device supports WDIOF_KEEPALIVEPING option before
entering keep_alive() ping test loop. Fix watchdog-test silently looping
if ioctl based ping is not supported by the device. Exit from test in
such case instead of getting stuck in loop executing failing keep_alive()

watchdog_info:
 identity:              m41t93 rtc Watchdog
 firmware_version:      0
Support/Status: Set timeout (in seconds)
Support/Status: Watchdog triggers a management or other external alarm not a reboot

Watchdog card disabled.
Watchdog timeout set to 5 seconds.
Watchdog ping rate set to 2 seconds.
Watchdog card enabled.
WDIOC_KEEPALIVE not supported by this device

without this change
Watchdog card disabled.
Watchdog timeout set to 5 seconds.
Watchdog ping rate set to 2 seconds.
Watchdog card enabled.
Watchdog Ticking Away!
(Where test stuck here forever silently)

Updated change log at commit time:
Shuah Khan <skhan@linuxfoundation.org>

Link: https://lore.kernel.org/r/20250914152840.GA3047348@bhairav-test.ee.iitb.ac.in
Fixes: d89d08ffd2c5 ("selftests: watchdog: Fix ioctl SET* error paths to take oneshot exit path")
Signed-off-by: Akhilesh Patil <akhilesh@ee.iitb.ac.in>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/watchdog/watchdog-test.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tools/testing/selftests/watchdog/watchdog-test.c b/tools/testing/selftests/watchdog/watchdog-test.c
index 09773695d219f..4056706d63f7e 100644
--- a/tools/testing/selftests/watchdog/watchdog-test.c
+++ b/tools/testing/selftests/watchdog/watchdog-test.c
@@ -240,6 +240,12 @@ int main(int argc, char *argv[])
 	if (oneshot)
 		goto end;
 
+	/* Check if WDIOF_KEEPALIVEPING is supported */
+	if (!(info.options & WDIOF_KEEPALIVEPING)) {
+		printf("WDIOC_KEEPALIVE not supported by this device\n");
+		goto end;
+	}
+
 	printf("Watchdog Ticking Away!\n");
 
 	/*
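Review bot: the new early exit takes the same `goto end` path as the oneshot
case directly above it, so from these lines a device without
WDIOF_KEEPALIVEPING ends the run the same way a completed test does. If the
selftest harness is meant to tell the two apart, report this case as a skip
rather than only printing a message. The printf names the ioctl
(WDIOC_KEEPALIVE) while the check is on the WDIOF_KEEPALIVEPING option flag;
naming the flag in the message would make the log match the code.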
-- 
2.51.0





* [PATCH 5.4 028/224] bpf: Explicitly check accesses to bpf_sock_addr
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 027/224] selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 029/224] i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD Greg Kroah-Hartman
                   ` (203 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+136ca59d411f92e821b7,
	Paul Chaignon, Daniel Borkmann, Eduard Zingerman, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Chaignon <paul.chaignon@gmail.com>

[ Upstream commit 6fabca2fc94d33cdf7ec102058983b086293395f ]

Syzkaller found a kernel warning on the following sock_addr program:

    0: r0 = 0
    1: r2 = *(u32 *)(r1 +60)
    2: exit

which triggers:

    verifier bug: error during ctx access conversion (0)

This is happening because offset 60 in bpf_sock_addr corresponds to an
implicit padding of 4 bytes, right after msg_src_ip4. Access to this
padding isn't rejected in sock_addr_is_valid_access and it thus later
fails to convert the access.

This patch fixes it by explicitly checking the various fields of
bpf_sock_addr in sock_addr_is_valid_access.

I checked the other ctx structures and is_valid_access functions and
didn't find any other similar cases. Other cases of (properly handled)
padding are covered in new tests in a subsequent patch.

Fixes: 1cedee13d25a ("bpf: Hooks for sys_sendmsg")
Reported-by: syzbot+136ca59d411f92e821b7@syzkaller.appspotmail.com
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Closes: https://syzkaller.appspot.com/bug?extid=136ca59d411f92e821b7
Link: https://lore.kernel.org/bpf/b58609d9490649e76e584b0361da0abd3c2c1779.1758094761.git.paul.chaignon@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/filter.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index fd18497977bdf..2c56c910a0c13 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -7132,13 +7132,17 @@ static bool sock_addr_is_valid_access(int off, int size,
 			return false;
 		info->reg_type = PTR_TO_SOCKET;
 		break;
-	default:
-		if (type == BPF_READ) {
-			if (size != size_default)
-				return false;
-		} else {
+	case bpf_ctx_range(struct bpf_sock_addr, user_family):
+	case bpf_ctx_range(struct bpf_sock_addr, family):
+	case bpf_ctx_range(struct bpf_sock_addr, type):
+	case bpf_ctx_range(struct bpf_sock_addr, protocol):
+		if (type != BPF_READ)
 			return false;
-		}
+		if (size != size_default)
+			return false;
+		break;
+	default:
+		return false;
 	}
 
 	return true;
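Review bot: `default: return false;` turns this switch from allow-by-default
into an allowlist, which is the right posture for a verifier access check,
but it means every field of struct bpf_sock_addr that programs may
legitimately access in 5.4 must have its own case. The added cases cover
user_family, family, type and protocol as read-only with size_default; the
cases for the remaining fields are above this hunk and not shown, so the
backport should be checked against the 5.4 struct layout to make sure no
valid field now falls through to the rejection.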
-- 
2.51.0





* [PATCH 5.4 029/224] i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 028/224] bpf: Explicitly check accesses to bpf_sock_addr Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 030/224] i2c: designware: Add disabling clocks when probe fails Greg Kroah-Hartman
                   ` (202 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Leilk.Liu, Chen-Yu Tsai,
	Wolfram Sang, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leilk.Liu <leilk.liu@mediatek.com>

[ Upstream commit b492183652808e0f389272bf63dc836241b287ff ]

The old IC does not support the I2C_MASTER_WRRD (write-then-read)
function, but the current code’s handling of i2c->auto_restart may
potentially lead to entering the I2C_MASTER_WRRD software flow,
resulting in unexpected bugs.

Instead of repurposing the auto_restart flag, add a separate flag
to signal I2C_MASTER_WRRD operations.

Also fix handling of msgs. If the operation (i2c->op) is
I2C_MASTER_WRRD, then the msgs pointer is incremented by 2.
For all other operations, msgs is simply incremented by 1.

Fixes: b2ed11e224a2 ("I2C: mediatek: Add driver for MediaTek MT8173 I2C controller")
Signed-off-by: Leilk.Liu <leilk.liu@mediatek.com>
Suggested-by: Chen-Yu Tsai <wenst@chromium.org>
Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/i2c/busses/i2c-mt65xx.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/drivers/i2c/busses/i2c-mt65xx.c b/drivers/i2c/busses/i2c-mt65xx.c
index 5587e7c549c4f..2b56ad08efed1 100644
--- a/drivers/i2c/busses/i2c-mt65xx.c
+++ b/drivers/i2c/busses/i2c-mt65xx.c
@@ -782,6 +782,7 @@ static int mtk_i2c_transfer(struct i2c_adapter *adap,
 {
 	int ret;
 	int left_num = num;
+	bool write_then_read_en = false;
 	struct mtk_i2c *i2c = i2c_get_adapdata(adap);
 
 	ret = mtk_i2c_clock_enable(i2c);
@@ -795,6 +796,7 @@ static int mtk_i2c_transfer(struct i2c_adapter *adap,
 		if (!(msgs[0].flags & I2C_M_RD) && (msgs[1].flags & I2C_M_RD) &&
 		    msgs[0].addr == msgs[1].addr) {
 			i2c->auto_restart = 0;
+			write_then_read_en = true;
 		}
 	}
 
@@ -818,12 +820,10 @@ static int mtk_i2c_transfer(struct i2c_adapter *adap,
 		else
 			i2c->op = I2C_MASTER_WR;
 
-		if (!i2c->auto_restart) {
-			if (num > 1) {
-				/* combined two messages into one transaction */
-				i2c->op = I2C_MASTER_WRRD;
-				left_num--;
-			}
+		if (write_then_read_en) {
+			/* combined two messages into one transaction */
+			i2c->op = I2C_MASTER_WRRD;
+			left_num--;
 		}
 
 		/* always use DMA mode. */
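Review bot: write_then_read_en is set in the earlier hunk and never cleared
in the lines shown, so `if (write_then_read_en)` is true on every iteration;
the code relies on `left_num--` to end the loop after the combined transfer.
Clearing the flag after use, or a comment stating that the loop runs exactly
once in this mode, would make that dependency explicit now that the old
`num > 1` guard is gone.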
@@ -831,7 +831,10 @@ static int mtk_i2c_transfer(struct i2c_adapter *adap,
 		if (ret < 0)
 			goto err_exit;
 
-		msgs++;
+		if (i2c->op == I2C_MASTER_WRRD)
+			msgs += 2;
+		else
+			msgs++;
 	}
 	/* the return value is number of executed messages */
 	ret = num;
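Review bot: `msgs += 2` steps over both messages of the combined transfer,
which is only in bounds if the WRRD path is taken with at least two messages
remaining. That condition is established where write_then_read_en is set,
outside this hunk; a brief comment here tying the two together would help
the next reader, since a WRRD operation with a single message left would
advance msgs past the array.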
-- 
2.51.0





* [PATCH 5.4 030/224] i2c: designware: Add disabling clocks when probe fails
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 029/224] i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 031/224] drm/radeon/r600_cs: clean up of dead code in r600_cs Greg Kroah-Hartman
                   ` (201 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kohei Ito, Kunihiko Hayashi,
	Jarkko Nikula, Wolfram Sang, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>

[ Upstream commit c149841b069ccc6e480b00e11f35a57b5d88c7bb ]

After an error occurs during probing state, dw_i2c_plat_pm_cleanup() is
called. However, this function doesn't disable clocks and the clock-enable
count keeps increasing. Should disable these clocks explicitly.

Fixes: 7272194ed391f ("i2c-designware: add minimal support for runtime PM")
Co-developed-by: Kohei Ito <ito.kohei@socionext.com>
Signed-off-by: Kohei Ito <ito.kohei@socionext.com>
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Acked-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/i2c/busses/i2c-designware-platdrv.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/i2c/busses/i2c-designware-platdrv.c b/drivers/i2c/busses/i2c-designware-platdrv.c
index 75313c80f132f..fd5ffe13c7033 100644
--- a/drivers/i2c/busses/i2c-designware-platdrv.c
+++ b/drivers/i2c/busses/i2c-designware-platdrv.c
@@ -414,6 +414,7 @@ static int dw_i2c_plat_probe(struct platform_device *pdev)
 
 exit_probe:
 	dw_i2c_plat_pm_cleanup(dev);
+	i2c_dw_prepare_clk(dev, false);
 exit_reset:
 	reset_control_assert(dev->rst);
 	return ret;
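Review bot: i2c_dw_prepare_clk(dev, false) sits under exit_probe, so error
paths that jump straight to exit_reset skip it. That is correct only if
every such jump happens before the clocks are enabled; the enable call is
outside this hunk, so please confirm the label ordering mirrors the setup
order in dw_i2c_plat_probe().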
-- 
2.51.0





* [PATCH 5.4 031/224] drm/radeon/r600_cs: clean up of dead code in r600_cs
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 030/224] i2c: designware: Add disabling clocks when probe fails Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 032/224] usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup Greg Kroah-Hartman
                   ` (200 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christian König, Brahmajit Das,
	Alex Deucher, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Brahmajit Das <listout@listout.xyz>

[ Upstream commit 260dcf5b06d519bcf27a5dfdb5c626821a55c170 ]

GCC 16 enables -Werror=unused-but-set-variable= which results in build
error with the following message.

drivers/gpu/drm/radeon/r600_cs.c: In function ‘r600_texture_size’:
drivers/gpu/drm/radeon/r600_cs.c:1411:29: error: variable ‘level’ set but not used [-Werror=unused-but-set-variable=]
 1411 |         unsigned offset, i, level;
      |                             ^~~~~
cc1: all warnings being treated as errors
make[6]: *** [scripts/Makefile.build:287: drivers/gpu/drm/radeon/r600_cs.o] Error 1

level, although it is set, is never used in the function
r600_texture_size. Thus resulting in dead code and this error getting
triggered.

Fixes: 60b212f8ddcd ("drm/radeon: overhaul texture checking. (v3)")
Acked-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Brahmajit Das <listout@listout.xyz>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/radeon/r600_cs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/radeon/r600_cs.c b/drivers/gpu/drm/radeon/r600_cs.c
index a85470213b27f..637a4f2a30af9 100644
--- a/drivers/gpu/drm/radeon/r600_cs.c
+++ b/drivers/gpu/drm/radeon/r600_cs.c
@@ -1411,7 +1411,7 @@ static void r600_texture_size(unsigned nfaces, unsigned blevel, unsigned llevel,
 			      unsigned block_align, unsigned height_align, unsigned base_align,
 			      unsigned *l0_size, unsigned *mipmap_size)
 {
-	unsigned offset, i, level;
+	unsigned offset, i;
 	unsigned width, height, depth, size;
 	unsigned blocksize;
 	unsigned nbx, nby;
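Review bot: with `level` gone from the declaration, check whether the blevel
parameter in the signature above is still referenced anywhere in
r600_texture_size(); the only use visible in this patch is the removed
`level = blevel` initialiser in the next hunk. If it is now unused, the
commit message should say so, since the function signature is left
unchanged.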
@@ -1423,7 +1423,7 @@ static void r600_texture_size(unsigned nfaces, unsigned blevel, unsigned llevel,
 	w0 = r600_mip_minify(w0, 0);
 	h0 = r600_mip_minify(h0, 0);
 	d0 = r600_mip_minify(d0, 0);
-	for(i = 0, offset = 0, level = blevel; i < nlevels; i++, level++) {
+	for (i = 0, offset = 0; i < nlevels; i++) {
 		width = r600_mip_minify(w0, i);
 		nbx = r600_fmt_get_nblocksx(format, width);
 
-- 
2.51.0





* [PATCH 5.4 032/224] usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 031/224] drm/radeon/r600_cs: clean up of dead code in r600_cs Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:32 ` [PATCH 5.4 033/224] serial: max310x: Add error checking in probe() Greg Kroah-Hartman
                   ` (199 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@linaro.org>

[ Upstream commit 186e8f2bdba551f3ae23396caccd452d985c23e3 ]

The kthread_run() function returns error pointers so the
max3421_hcd->spi_thread pointer can be either error pointers or NULL.
Check for both before dereferencing it.

Fixes: 05dfa5c9bc37 ("usb: host: max3421-hcd: fix "spi_rd8" uses dynamic stack allocation warning")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/aJTMVAPtRe5H6jug@stanley.mountain
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/host/max3421-hcd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/host/max3421-hcd.c b/drivers/usb/host/max3421-hcd.c
index 5a21777197e95..cfdbe90f867e0 100644
--- a/drivers/usb/host/max3421-hcd.c
+++ b/drivers/usb/host/max3421-hcd.c
@@ -1925,7 +1925,7 @@ max3421_probe(struct spi_device *spi)
 	if (hcd) {
 		kfree(max3421_hcd->tx);
 		kfree(max3421_hcd->rx);
-		if (max3421_hcd->spi_thread)
+		if (!IS_ERR_OR_NULL(max3421_hcd->spi_thread))
 			kthread_stop(max3421_hcd->spi_thread);
 		usb_put_hcd(hcd);
 	}
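Review bot: the cleanup path frees max3421_hcd->tx and ->rx before calling
kthread_stop(), so if the SPI thread is running at this point it is stopped
only after its buffers are gone; stopping the thread first would be the
safer order. On the added line, IS_ERR_OR_NULL() works, but setting
spi_thread to NULL where kthread_run() fails would let this and any other
cleanup path keep a plain NULL test.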
-- 
2.51.0





* [PATCH 5.4 033/224] serial: max310x: Add error checking in probe()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 032/224] usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup Greg Kroah-Hartman
@ 2025-10-27 18:32 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 034/224] scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod Greg Kroah-Hartman
                   ` (198 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:32 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@linaro.org>

[ Upstream commit 672a37ba8af1f2ebcedeb94aea2cdd047f805f30 ]

Check if devm_i2c_new_dummy_device() fails.

Fixes: 2e1f2d9a9bdb ("serial: max310x: implement I2C support")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/aJTMPZiKqeXSE-KM@stanley.mountain
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/max310x.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/tty/serial/max310x.c b/drivers/tty/serial/max310x.c
index 363b68555fe62..4ef2762347f62 100644
--- a/drivers/tty/serial/max310x.c
+++ b/drivers/tty/serial/max310x.c
@@ -1660,6 +1660,8 @@ static int max310x_i2c_probe(struct i2c_client *client)
 		port_client = devm_i2c_new_dummy_device(&client->dev,
 							client->adapter,
 							port_addr);
+		if (IS_ERR(port_client))
+			return PTR_ERR(port_client);
 
 		regmaps[i] = devm_regmap_init_i2c(port_client, &regcfg_i2c);
 	}
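Review bot: the new IS_ERR() check covers devm_i2c_new_dummy_device(), but
the result of devm_regmap_init_i2c() on the following line is stored in
regmaps[i] without a check in the lines shown. If it is not validated later
in the probe path, the same IS_ERR()/PTR_ERR() pattern is needed there.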
-- 
2.51.0





* [PATCH 5.4 034/224] scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2025-10-27 18:32 ` [PATCH 5.4 033/224] serial: max310x: Add error checking in probe() Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 035/224] scsi: myrs: Fix dma_alloc_coherent() error check Greg Kroah-Hartman
                   ` (197 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Igor Pylypiv, Niklas Cassel,
	Damien Le Moal, Martin K. Petersen, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Niklas Cassel <cassel@kernel.org>

[ Upstream commit 251be2f6037fb7ab399f68cd7428ff274133d693 ]

Since commit f7b705c238d1 ("scsi: pm80xx: Set phy_attached to zero when
device is gone") UBSAN reports:

  UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17
  index 28 is out of range for type 'pm8001_phy [16]'

on rmmod when using an expander.

For a direct attached device, attached_phy contains the local phy id.
For a device behind an expander, attached_phy contains the remote phy
id, not the local phy id.

I.e. while pm8001_ha will have pm8001_ha->chip->n_phy local phys, for a
device behind an expander, attached_phy can be much larger than
pm8001_ha->chip->n_phy (depending on the amount of phys of the
expander).

E.g. on my system pm8001_ha has 8 phys with phy ids 0-7.  One of the
ports has an expander connected.  The expander has 31 phys with phy ids
0-30.

The pm8001_ha->phy array only contains the phys of the HBA.  It does not
contain the phys of the expander.  Thus, it is wrong to use attached_phy
to index the pm8001_ha->phy array for a device behind an expander.

Thus, we can only clear phy_attached for devices that are directly
attached.

Fixes: f7b705c238d1 ("scsi: pm80xx: Set phy_attached to zero when device is gone")
Reviewed-by: Igor Pylypiv <ipylypiv@google.com>
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Link: https://lore.kernel.org/r/20250814173215.1765055-14-cassel@kernel.org
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Tested-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/pm8001/pm8001_sas.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c
index 1215fc36862da..45b1af5a8d748 100644
--- a/drivers/scsi/pm8001/pm8001_sas.c
+++ b/drivers/scsi/pm8001/pm8001_sas.c
@@ -875,6 +875,7 @@ static void pm8001_dev_gone_notify(struct domain_device *dev)
 	unsigned long flags = 0;
 	struct pm8001_hba_info *pm8001_ha;
 	struct pm8001_device *pm8001_dev = dev->lldd_dev;
+	struct domain_device *parent_dev = dev->parent;
 
 	pm8001_ha = pm8001_find_ha_by_dev(dev);
 	spin_lock_irqsave(&pm8001_ha->lock, flags);
@@ -893,7 +894,13 @@ static void pm8001_dev_gone_notify(struct domain_device *dev)
 			spin_lock_irqsave(&pm8001_ha->lock, flags);
 		}
 		PM8001_CHIP_DISP->dereg_dev_req(pm8001_ha, device_id);
-		pm8001_ha->phy[pm8001_dev->attached_phy].phy_attached = 0;
+
+		/*
+		 * The phy array only contains local phys. Thus, we cannot clear
+		 * phy_attached for a device behind an expander.
+		 */
+		if (!(parent_dev && dev_is_expander(parent_dev->dev_type)))
+			pm8001_ha->phy[pm8001_dev->attached_phy].phy_attached = 0;
 		pm8001_free_dev(pm8001_dev);
 	} else {
 		PM8001_DISC_DBG(pm8001_ha,
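Review bot: the guard skips the write for devices behind an expander, but
for directly attached devices pm8001_ha->phy[] is still indexed with
attached_phy without a range check. Comparing attached_phy against
pm8001_ha->chip->n_phy (the bound named in the commit message) before the
store would keep a bad value from writing outside the array regardless of
topology.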
-- 
2.51.0





* [PATCH 5.4 035/224] scsi: myrs: Fix dma_alloc_coherent() error check
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 034/224] scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 036/224] media: rj54n1cb0c: Fix memleak in rj54n1_probe() Greg Kroah-Hartman
                   ` (196 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Martin K. Petersen,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Fourier <fourier.thomas@gmail.com>

[ Upstream commit edb35b1ffc686fd9b5a91902f034eb9f4d2c9f6b ]

Check for NULL return value with dma_alloc_coherent(), because DMA
address is not always set by dma_alloc_coherent() on failure.

Fixes: 77266186397c ("scsi: myrs: Add Mylex RAID controller (SCSI interface)")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://lore.kernel.org/r/20250725083112.43975-2-fourier.thomas@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/myrs.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/myrs.c b/drivers/scsi/myrs.c
index bf0546fc555f2..04740f623a12e 100644
--- a/drivers/scsi/myrs.c
+++ b/drivers/scsi/myrs.c
@@ -499,14 +499,14 @@ static bool myrs_enable_mmio_mbox(struct myrs_hba *cs,
 	/* Temporary dma mapping, used only in the scope of this function */
 	mbox = dma_alloc_coherent(&pdev->dev, sizeof(union myrs_cmd_mbox),
 				  &mbox_addr, GFP_KERNEL);
-	if (dma_mapping_error(&pdev->dev, mbox_addr))
+	if (!mbox)
 		return false;
 
 	/* These are the base addresses for the command memory mailbox array */
 	cs->cmd_mbox_size = MYRS_MAX_CMD_MBOX * sizeof(union myrs_cmd_mbox);
 	cmd_mbox = dma_alloc_coherent(&pdev->dev, cs->cmd_mbox_size,
 				      &cs->cmd_mbox_addr, GFP_KERNEL);
-	if (dma_mapping_error(&pdev->dev, cs->cmd_mbox_addr)) {
+	if (!cmd_mbox) {
 		dev_err(&pdev->dev, "Failed to map command mailbox\n");
 		goto out_free;
 	}
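Review bot: the first check in this hunk, `if (!mbox) return false;`, fails silently, while the cmd_mbox check a few lines below logs with dev_err() before bailing out; a matching dev_err() for the temporary mailbox would make an allocation failure in myrs_enable_mmio_mbox() diagnosable from the log. The retained message also still says "Failed to map command mailbox" although the condition being tested is now a failed allocation, so "Failed to allocate ..." would be more accurate.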
@@ -521,7 +521,7 @@ static bool myrs_enable_mmio_mbox(struct myrs_hba *cs,
 	cs->stat_mbox_size = MYRS_MAX_STAT_MBOX * sizeof(struct myrs_stat_mbox);
 	stat_mbox = dma_alloc_coherent(&pdev->dev, cs->stat_mbox_size,
 				       &cs->stat_mbox_addr, GFP_KERNEL);
-	if (dma_mapping_error(&pdev->dev, cs->stat_mbox_addr)) {
+	if (!stat_mbox) {
 		dev_err(&pdev->dev, "Failed to map status mailbox\n");
 		goto out_free;
 	}
@@ -534,7 +534,7 @@ static bool myrs_enable_mmio_mbox(struct myrs_hba *cs,
 	cs->fwstat_buf = dma_alloc_coherent(&pdev->dev,
 					    sizeof(struct myrs_fwstat),
 					    &cs->fwstat_addr, GFP_KERNEL);
-	if (dma_mapping_error(&pdev->dev, cs->fwstat_addr)) {
+	if (!cs->fwstat_buf) {
 		dev_err(&pdev->dev, "Failed to map firmware health buffer\n");
 		cs->fwstat_buf = NULL;
 		goto out_free;
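Review bot: in the fwstat_buf error branch the retained `cs->fwstat_buf = NULL;` is now dead code, because the branch is entered only when `!cs->fwstat_buf` already holds. It is harmless, but dropping it would stop the branch from suggesting that the pointer can be non-NULL on this path.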
-- 
2.51.0





* [PATCH 5.4 036/224] media: rj54n1cb0c: Fix memleak in rj54n1_probe()
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhang Shurong, Jacopo Mondi,
	Sakari Ailus, Hans Verkuil, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhang Shurong <zhang_shurong@foxmail.com>

[ Upstream commit fda55673ecdabf25f5ecc61b5ab17239257ac252 ]

rj54n1_probe() won't clean all the allocated resources in the fail
path, which may cause memleaks. Add v4l2_ctrl_handler_free() to
prevent the memleak.

Fixes: f187352dcd45 ("media: i2c: Copy rj54n1cb0c soc_camera sensor driver")
Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
Reviewed-by: Jacopo Mondi <jacopo.mondi@ideasonboard.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/i2c/rj54n1cb0c.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/media/i2c/rj54n1cb0c.c b/drivers/media/i2c/rj54n1cb0c.c
index 4cc51e0018744..b35b3e4286861 100644
--- a/drivers/media/i2c/rj54n1cb0c.c
+++ b/drivers/media/i2c/rj54n1cb0c.c
@@ -1332,10 +1332,13 @@ static int rj54n1_probe(struct i2c_client *client,
 			V4L2_CID_GAIN, 0, 127, 1, 66);
 	v4l2_ctrl_new_std(&rj54n1->hdl, &rj54n1_ctrl_ops,
 			V4L2_CID_AUTO_WHITE_BALANCE, 0, 1, 1, 1);
-	rj54n1->subdev.ctrl_handler = &rj54n1->hdl;
-	if (rj54n1->hdl.error)
-		return rj54n1->hdl.error;
 
+	if (rj54n1->hdl.error) {
+		ret = rj54n1->hdl.error;
+		goto err_free_ctrl;
+	}
+
+	rj54n1->subdev.ctrl_handler = &rj54n1->hdl;
 	rj54n1->clk_div		= clk_div;
 	rj54n1->rect.left	= RJ54N1_COLUMN_SKIP;
 	rj54n1->rect.top	= RJ54N1_ROW_SKIP;
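Review bot: the new error branch depends on `ret` and on the `err_free_ctrl` label, neither of which appears in this hunk, so for the 5.4 backport it is worth confirming that rj54n1_probe() in this tree declares `ret` and that `err_free_ctrl` reaches v4l2_ctrl_handler_free() as the commit message promises. Moving the `rj54n1->subdev.ctrl_handler = &rj54n1->hdl;` assignment below the error check is the right order, since the subdev no longer points at a handler that is about to be freed.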
-- 
2.51.0





* [PATCH 5.4 037/224] ALSA: lx_core: use int type to store negative error codes
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Qianfeng Rong, Takashi Iwai,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Qianfeng Rong <rongqianfeng@vivo.com>

[ Upstream commit 4ef353d546cda466fc39b7daca558d7bcec21c09 ]

Change the 'ret' variable from u16 to int to store negative error codes or
zero returned by lx_message_send_atomic().

Storing the negative error codes in unsigned type doesn't cause an issue
at runtime but it's ugly as pants. Additionally, assigning negative error
codes to unsigned type may trigger a GCC warning when the -Wsign-conversion
flag is enabled.

No effect on runtime.

Fixes: 02bec4904508 ("ALSA: lx6464es - driver for the digigram lx6464es interface")
Signed-off-by: Qianfeng Rong <rongqianfeng@vivo.com>
Link: https://patch.msgid.link/20250828081312.393148-1-rongqianfeng@vivo.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/pci/lx6464es/lx_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sound/pci/lx6464es/lx_core.c b/sound/pci/lx6464es/lx_core.c
index 00975e86473c5..6cf7572779d41 100644
--- a/sound/pci/lx6464es/lx_core.c
+++ b/sound/pci/lx6464es/lx_core.c
@@ -316,7 +316,7 @@ static int lx_message_send_atomic(struct lx6464es *chip, struct lx_rmh *rmh)
 /* low-level dsp access */
 int lx_dsp_get_version(struct lx6464es *chip, u32 *rdsp_version)
 {
-	u16 ret;
+	int ret;
 
 	mutex_lock(&chip->msg_lock);
 
@@ -330,10 +330,10 @@ int lx_dsp_get_version(struct lx6464es *chip, u32 *rdsp_version)
 
 int lx_dsp_get_clock_frequency(struct lx6464es *chip, u32 *rfreq)
 {
-	u16 ret = 0;
 	u32 freq_raw = 0;
 	u32 freq = 0;
 	u32 frequency = 0;
+	int ret;
 
 	mutex_lock(&chip->msg_lock);
 
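Review bot: in lx_dsp_get_clock_frequency() the old declaration was `u16 ret = 0;` and the new one is a bare `int ret;`, so the zero initializer disappears together with the type change. The assignment to `ret` is outside this hunk; it is worth confirming that `ret` is written on every path before it is returned, otherwise the function would return an indeterminate value where it used to return 0.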
-- 
2.51.0





* [PATCH 5.4 038/224] wifi: mwifiex: send world regulatory domain to driver
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Stefan Kerkmann, Jeff Chen,
	Johannes Berg, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Kerkmann <s.kerkmann@pengutronix.de>

[ Upstream commit 56819d00bc2ebaa6308913c28680da5d896852b8 ]

The world regulatory domain is a restrictive subset of channel
configurations which allows legal operation of the adapter all over the
world. Changing to this domain should not be prevented.

Fixes: dd4a9ac05c8e1 ("mwifiex: send regulatory domain info to firmware only if alpha2 changed") changed
Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>
Reviewed-by: Jeff Chen <jeff.chen_1@nxp.con>
Link: https://patch.msgid.link/20250804-fix-mwifiex-regulatory-domain-v1-1-e4715c770c4d@pengutronix.de
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/marvell/mwifiex/cfg80211.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
index 40e10f6e3dbf8..9f9826b94ad40 100644
--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
@@ -667,10 +667,9 @@ static void mwifiex_reg_notifier(struct wiphy *wiphy,
 		return;
 	}
 
-	/* Don't send world or same regdom info to firmware */
-	if (strncmp(request->alpha2, "00", 2) &&
-	    strncmp(request->alpha2, adapter->country_code,
-		    sizeof(request->alpha2))) {
+	/* Don't send same regdom info to firmware */
+	if (strncmp(request->alpha2, adapter->country_code,
+		    sizeof(request->alpha2)) != 0) {
 		memcpy(adapter->country_code, request->alpha2,
 		       sizeof(request->alpha2));
 		mwifiex_send_domain_info_cmd_fw(wiphy);
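Review bot: both the rewritten strncmp() and the memcpy() into adapter->country_code are bounded by `sizeof(request->alpha2)`, the size of the source, and nothing in this hunk shows that the destination is at least that large. A BUILD_BUG_ON() relating the two sizes, or bounding the copy by sizeof(adapter->country_code), would make the copy safe by construction. Since the code is a fixed-width field rather than a string, memcmp() over the same length would also match the memcpy() below it more closely than strncmp(), which stops at the first NUL.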
-- 
2.51.0





* [PATCH 5.4 039/224] PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Manivannan Sadhasivam,
	Bjorn Helgaas, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alok Tiwari <alok.a.tiwari@oracle.com>

[ Upstream commit e1a8805e5d263453ad76a4f50ab3b1c18ea07560 ]

Fix incorrect argument order in devm_kcalloc() when allocating port->phys.
The original call used sizeof(phy) as the number of elements and
port->lanes as the element size, which is reversed.  While this happens to
produce the correct total allocation size with current pointer size and
lane counts, the argument order is wrong.

Fixes: 6fe7c187e026 ("PCI: tegra: Support per-lane PHYs")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
[mani: added Fixes tag]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://patch.msgid.link/20250819150436.3105973-1-alok.a.tiwari@oracle.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pci/controller/pci-tegra.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/pci/controller/pci-tegra.c b/drivers/pci/controller/pci-tegra.c
index 74c0ddd433815..9e3588d568ce4 100644
--- a/drivers/pci/controller/pci-tegra.c
+++ b/drivers/pci/controller/pci-tegra.c
@@ -1394,7 +1394,7 @@ static int tegra_pcie_port_get_phys(struct tegra_pcie_port *port)
 	unsigned int i;
 	int err;
 
-	port->phys = devm_kcalloc(dev, sizeof(phy), port->lanes, GFP_KERNEL);
+	port->phys = devm_kcalloc(dev, port->lanes, sizeof(phy), GFP_KERNEL);
 	if (!port->phys)
 		return -ENOMEM;
 
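Review bot: the corrected call still sizes each element with `sizeof(phy)`, which depends on the type of a local declared outside this hunk. Writing `sizeof(*port->phys)` would tie the element size to the array actually being allocated and stay correct if that local is ever renamed or retyped.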
-- 
2.51.0





* [PATCH 5.4 040/224] tcp: fix __tcp_close() to only send RST when required
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Neal Cardwell,
	Kuniyuki Iwashima, Jason Xing, Jakub Kicinski, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 5f9238530970f2993b23dd67fdaffc552a2d2e98 ]

If the receive queue contains payload that was already
received, __tcp_close() can send an unexpected RST.

Refine the code to take tp->copied_seq into account,
as we already do in tcp recvmsg().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
Link: https://patch.msgid.link/20250903084720.1168904-2-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/tcp.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index cc0efcb4a553c..a0a5590573b03 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2359,8 +2359,8 @@ bool tcp_check_oom(struct sock *sk, int shift)
 
 void __tcp_close(struct sock *sk, long timeout)
 {
+	bool data_was_unread = false;
 	struct sk_buff *skb;
-	int data_was_unread = 0;
 	int state;
 
 	WRITE_ONCE(sk->sk_shutdown, SHUTDOWN_MASK);
@@ -2379,11 +2379,12 @@ void __tcp_close(struct sock *sk, long timeout)
 	 *  reader process may not have drained the data yet!
 	 */
 	while ((skb = __skb_dequeue(&sk->sk_receive_queue)) != NULL) {
-		u32 len = TCP_SKB_CB(skb)->end_seq - TCP_SKB_CB(skb)->seq;
+		u32 end_seq = TCP_SKB_CB(skb)->end_seq;
 
 		if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN)
-			len--;
-		data_was_unread += len;
+			end_seq--;
+		if (after(end_seq, tcp_sk(sk)->copied_seq))
+			data_was_unread = true;
 		__kfree_skb(skb);
 	}
 
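Review bot: the whole fix rests on `after(end_seq, tcp_sk(sk)->copied_seq)` in the dequeue loop, yet the hunk adds no comment explaining why a sequence comparison replaces the old byte count. A one-line comment (an skb whose payload ends at or before copied_seq was already delivered to the reader and does not count as unread) would keep a later cleanup from turning it back into a length sum. tcp_sk(sk) is also re-evaluated on every iteration; a local `tp` set before the loop would be tidier.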
-- 
2.51.0





* [PATCH 5.4 041/224] usb: phy: twl6030: Fix incorrect type for ret
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Xichao Zhao, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xichao Zhao <zhao.xichao@vivo.com>

[ Upstream commit b570b346ddd727c4b41743a6a2f49e7217c5317f ]

In the twl6030_usb_probe(), the variable ret is declared as
a u32 type. However, ret may receive -ENODEV when accepting
the return value of omap_usb2_set_comparator(). Therefore, its type
should be changed to int.

Fixes: 0e98de67bacba ("usb: otg: make twl6030_usb as a comparator driver to omap_usb2")
Signed-off-by: Xichao Zhao <zhao.xichao@vivo.com>
Link: https://lore.kernel.org/r/20250822092224.30645-1-zhao.xichao@vivo.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/phy/phy-twl6030-usb.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/usb/phy/phy-twl6030-usb.c b/drivers/usb/phy/phy-twl6030-usb.c
index 9337c30f0743b..607c3f18356a4 100644
--- a/drivers/usb/phy/phy-twl6030-usb.c
+++ b/drivers/usb/phy/phy-twl6030-usb.c
@@ -328,9 +328,8 @@ static int twl6030_set_vbus(struct phy_companion *comparator, bool enabled)
 
 static int twl6030_usb_probe(struct platform_device *pdev)
 {
-	u32 ret;
 	struct twl6030_usb	*twl;
-	int			status, err;
+	int			status, err, ret;
 	struct device_node	*np = pdev->dev.of_node;
 	struct device		*dev = &pdev->dev;
 
-- 
2.51.0





* [PATCH 5.4 042/224] usb: gadget: configfs: Correctly set use_os_string at bind
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, William Wu, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: William Wu <william.wu@rock-chips.com>

[ Upstream commit e271cc0d25015f4be6c88bd7731444644eb352c2 ]

Once the use_os_string flag is set to true for some functions
(e.g. adb/mtp) which need to respond with the OS string, if we
then re-bind the ConfigFS gadget to use other functions
(e.g. hid) which should not respond with the OS string, the
use_os_string flag is still true, so the USB gadget responds
with the OS string descriptor incorrectly. This can cause
the USB device to be unrecognizable on the Windows system.

An example of this is as follows:

echo 1 > os_desc/use
ln -s functions/ffs.adb configs/b.1/function0
start adbd
echo "<udc device>" > UDC   #succeed

stop adbd
rm configs/b.1/function0
echo 0 > os_desc/use
ln -s functions/hid.gs0 configs/b.1/function0
echo "<udc device>" > UDC  #fail to connect on Windows

This patch sets the use_os_string flag to false at bind if
the functions do not support OS Descriptors.

Signed-off-by: William Wu <william.wu@rock-chips.com>
Fixes: 87213d388e92 ("usb: gadget: configfs: OS String support")
Link: https://lore.kernel.org/r/1755833769-25434-1-git-send-email-william.wu@rock-chips.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/gadget/configfs.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
index 476a22728e8d1..d2be874af7d3c 100644
--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c
@@ -1327,6 +1327,8 @@ static int configfs_composite_bind(struct usb_gadget *gadget,
 		cdev->use_os_string = true;
 		cdev->b_vendor_code = gi->b_vendor_code;
 		memcpy(cdev->qw_sign, gi->qw_sign, OS_STRING_QW_SIGN_LEN);
+	} else {
+		cdev->use_os_string = false;
 	}
 
 	if (gadget_is_otg(gadget) && !otg_desc[0]) {
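Review bot: the new else branch clears only `cdev->use_os_string`, while `cdev->b_vendor_code` and `cdev->qw_sign` keep whatever the previous bind copied into them. That is fine as long as every reader of those two fields is gated on use_os_string; if that is the intent, a short comment in the else branch would document it, and if not, they should be cleared here as well.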
-- 
2.51.0





* [PATCH 5.4 043/224] misc: genwqe: Fix incorrect cmd field being reported in error
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Colin Ian King, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.i.king@gmail.com>

[ Upstream commit 6b26053819dccc664120e07c56f107fb6f72f3fa ]

There is a dev_err message that is reporting the value of
cmd->asiv_length when it should be reporting cmd->asv_length
instead. Fix this.

Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue")
Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
Link: https://lore.kernel.org/r/20250902113712.2624743-1-colin.i.king@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/misc/genwqe/card_ddcb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/misc/genwqe/card_ddcb.c b/drivers/misc/genwqe/card_ddcb.c
index 026c6ca245408..e53bdd5f04eaa 100644
--- a/drivers/misc/genwqe/card_ddcb.c
+++ b/drivers/misc/genwqe/card_ddcb.c
@@ -918,7 +918,7 @@ int __genwqe_execute_raw_ddcb(struct genwqe_dev *cd,
 	}
 	if (cmd->asv_length > DDCB_ASV_LENGTH) {
 		dev_err(&pci_dev->dev, "[%s] err: wrong asv_length of %d\n",
-			__func__, cmd->asiv_length);
+			__func__, cmd->asv_length);
 		return -EINVAL;
 	}
 	rc = __genwqe_enqueue_ddcb(cd, req, f_flags);
-- 
2.51.0





* [PATCH 5.4 044/224] pps: fix warning in pps_register_cdev when register device fail
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Wang Liang, Calvin Owens,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wang Liang <wangliang74@huawei.com>

[ Upstream commit b0531cdba5029f897da5156815e3bdafe1e9b88d ]

Similar to previous commit 2a934fdb01db ("media: v4l2-dev: fix error
handling in __video_register_device()"), the release hook should be set
before device_register(). Otherwise, when device_register() returns an error
and put_device() tries to call back the release function, the below warning
may happen.

  ------------[ cut here ]------------
  WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567
  Modules linked in:
  CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE
  RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567
  Call Trace:
   <TASK>
   kobject_cleanup+0x136/0x410 lib/kobject.c:689
   kobject_release lib/kobject.c:720 [inline]
   kref_put include/linux/kref.h:65 [inline]
   kobject_put+0xe9/0x130 lib/kobject.c:737
   put_device+0x24/0x30 drivers/base/core.c:3797
   pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402
   pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108
   pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57
   tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432
   tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563
   tiocsetd drivers/tty/tty_io.c:2429 [inline]
   tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728
   vfs_ioctl fs/ioctl.c:51 [inline]
   __do_sys_ioctl fs/ioctl.c:598 [inline]
   __se_sys_ioctl fs/ioctl.c:584 [inline]
   __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584
   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x76/0x7e
   </TASK>

Before commit c79a39dc8d06 ("pps: Fix a use-after-free"),
pps_register_cdev() called device_create() to create pps->dev, which would
init dev->release to device_create_release(). Now the comment is outdated,
so just remove it.

Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removed
in pps_register_source() to avoid a double free in the failure case.

Link: https://lore.kernel.org/all/20250827065010.3208525-1-wangliang74@huawei.com/
Fixes: c79a39dc8d06 ("pps: Fix a use-after-free")
Signed-off-by: Wang Liang <wangliang74@huawei.com>
Reviewed-By: Calvin Owens <calvin@wbinvd.org>
Link: https://lore.kernel.org/r/20250830075023.3498174-1-wangliang74@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pps/kapi.c | 5 +----
 drivers/pps/pps.c  | 5 ++---
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/drivers/pps/kapi.c b/drivers/pps/kapi.c
index 92d1b62ea239d..e9389876229ea 100644
--- a/drivers/pps/kapi.c
+++ b/drivers/pps/kapi.c
@@ -109,16 +109,13 @@ struct pps_device *pps_register_source(struct pps_source_info *info,
 	if (err < 0) {
 		pr_err("%s: unable to create char device\n",
 					info->name);
-		goto kfree_pps;
+		goto pps_register_source_exit;
 	}
 
 	dev_dbg(&pps->dev, "new PPS source %s\n", info->name);
 
 	return pps;
 
-kfree_pps:
-	kfree(pps);
-
 pps_register_source_exit:
 	pr_err("%s: unable to register source\n", info->name);
 
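Review bot: with the `kfree_pps` label gone, the error path in pps_register_source() relies on pps_register_cdev() having released `pps` on every one of its failure returns, and nothing in this function says so. A comment at the `goto pps_register_source_exit;` stating that ownership of `pps` has passed to pps_register_cdev() would guard against a later cleanup re-adding the kfree() and bringing back the double free the commit message mentions.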
diff --git a/drivers/pps/pps.c b/drivers/pps/pps.c
index ea966fc67d287..dbeb67ffebf33 100644
--- a/drivers/pps/pps.c
+++ b/drivers/pps/pps.c
@@ -375,6 +375,7 @@ int pps_register_cdev(struct pps_device *pps)
 			       pps->info.name);
 			err = -EBUSY;
 		}
+		kfree(pps);
 		goto out_unlock;
 	}
 	pps->id = err;
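Review bot: the added `kfree(pps);` frees the object directly on the ID-allocation failure path, while the later failure path (`goto free_idr`) is expected to free it through put_device() and the release hook. Two release mechanisms in one function are easy to mix up; a comment noting that device_register() has not run yet at this point, so a plain kfree() rather than put_device() is the correct release, would make the distinction explicit. It is also worth checking that nothing after the `out_unlock` label dereferences `pps`.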
@@ -384,13 +385,11 @@ int pps_register_cdev(struct pps_device *pps)
 	pps->dev.devt = MKDEV(pps_major, pps->id);
 	dev_set_drvdata(&pps->dev, pps);
 	dev_set_name(&pps->dev, "pps%d", pps->id);
+	pps->dev.release = pps_device_destruct;
 	err = device_register(&pps->dev);
 	if (err)
 		goto free_idr;
 
-	/* Override the release function with our own */
-	pps->dev.release = pps_device_destruct;
-
 	pr_debug("source %s got cdev (%d:%d)\n", pps->info.name, pps_major,
 		 pps->id);
 
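Review bot: setting `pps->dev.release = pps_device_destruct;` before device_register() means the `free_idr` path now ends in pps_device_destruct() via put_device(), and neither that label nor the destructor is visible in this hunk. For the 5.4 tree it is worth checking that whatever `free_idr` does itself (ID removal, freeing) is not repeated inside pps_device_destruct(), since the two now run back to back on a registration failure.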
-- 
2.51.0





* [PATCH 5.4 045/224] ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Mark Brown,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

[ Upstream commit b20eb0e8de383116f1e1470d74da2a3c83c4e345 ]

When an invalid value is passed via quirk option, currently
bytcht_es8316 driver just ignores and leaves as is, which may lead to
unexpected results like OOB access.

This patch adds the sanity check and corrects the input mapping to the
certain default value if an invalid value is passed.

Fixes: 249d2fc9e55c ("ASoC: Intel: bytcht_es8316: Set card long_name based on quirks")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Message-ID: <20250902171826.27329-2-tiwai@suse.de>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/intel/boards/bytcht_es8316.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/sound/soc/intel/boards/bytcht_es8316.c b/sound/soc/intel/boards/bytcht_es8316.c
index 57d6d0b48068c..006e489e7e890 100644
--- a/sound/soc/intel/boards/bytcht_es8316.c
+++ b/sound/soc/intel/boards/bytcht_es8316.c
@@ -46,7 +46,8 @@ enum {
 	BYT_CHT_ES8316_INTMIC_IN2_MAP,
 };
 
-#define BYT_CHT_ES8316_MAP(quirk)		((quirk) & GENMASK(3, 0))
+#define BYT_CHT_ES8316_MAP_MASK			GENMASK(3, 0)
+#define BYT_CHT_ES8316_MAP(quirk)		((quirk) & BYT_CHT_ES8316_MAP_MASK)
 #define BYT_CHT_ES8316_SSP0			BIT(16)
 #define BYT_CHT_ES8316_MONO_SPEAKER		BIT(17)
 #define BYT_CHT_ES8316_JD_INVERTED		BIT(18)
@@ -59,10 +60,23 @@ MODULE_PARM_DESC(quirk, "Board-specific quirk override");
 
 static void log_quirks(struct device *dev)
 {
-	if (BYT_CHT_ES8316_MAP(quirk) == BYT_CHT_ES8316_INTMIC_IN1_MAP)
+	int map;
+
+	map = BYT_CHT_ES8316_MAP(quirk);
+	switch (map) {
+	case BYT_CHT_ES8316_INTMIC_IN1_MAP:
 		dev_info(dev, "quirk IN1_MAP enabled");
-	if (BYT_CHT_ES8316_MAP(quirk) == BYT_CHT_ES8316_INTMIC_IN2_MAP)
+		break;
+	case BYT_CHT_ES8316_INTMIC_IN2_MAP:
 		dev_info(dev, "quirk IN2_MAP enabled");
+		break;
+	default:
+		dev_warn_once(dev, "quirk sets invalid input map: 0x%x, default to INTMIC_IN1_MAP\n", map);
+		quirk &= ~BYT_CHT_ES8316_MAP_MASK;
+		quirk |= BYT_CHT_ES8316_INTMIC_IN1_MAP;
+		break;
+	}
+
 	if (quirk & BYT_CHT_ES8316_SSP0)
 		dev_info(dev, "quirk SSP0 enabled");
 	if (quirk & BYT_CHT_ES8316_MONO_SPEAKER)
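Review bot: the `default:` case makes log_quirks() rewrite the global `quirk`, so a function named for logging is now the only place the input map is validated. That protects later users of BYT_CHT_ES8316_MAP(quirk) only if log_quirks() always runs before them; moving the fix-up into a separate validation step, or at least saying so in a comment above log_quirks(), would make that ordering dependency explicit. Minor: the new dev_warn_once() string ends in "\n" while the two dev_info() strings in the same switch do not.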
-- 
2.51.0





* [PATCH 5.4 046/224] ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Mark Brown,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

[ Upstream commit fba404e4b4af4f4f747bb0e41e9fff7d03c7bcc0 ]

When an invalid value is passed via quirk option, currently
bytcr_rt5640 driver only shows an error message but leaves as is.
This may lead to unexpected results like OOB access.

This patch corrects the input mapping to the certain default value if
an invalid value is passed.

Fixes: 063422ca2a9d ("ASoC: Intel: bytcr_rt5640: Set card long_name based on quirks")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Message-ID: <20250902171826.27329-3-tiwai@suse.de>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/intel/boards/bytcr_rt5640.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c
index 5a8e86ba29004..88e84415d5a4b 100644
--- a/sound/soc/intel/boards/bytcr_rt5640.c
+++ b/sound/soc/intel/boards/bytcr_rt5640.c
@@ -60,7 +60,8 @@ enum {
 	BYT_RT5640_OVCD_SF_1P5		= (RT5640_OVCD_SF_1P5 << 13),
 };
 
-#define BYT_RT5640_MAP(quirk)		((quirk) &  GENMASK(3, 0))
+#define BYT_RT5640_MAP_MASK		GENMASK(3, 0)
+#define BYT_RT5640_MAP(quirk)		((quirk) & BYT_RT5640_MAP_MASK)
 #define BYT_RT5640_JDSRC(quirk)		(((quirk) & GENMASK(7, 4)) >> 4)
 #define BYT_RT5640_OVCD_TH(quirk)	(((quirk) & GENMASK(12, 8)) >> 8)
 #define BYT_RT5640_OVCD_SF(quirk)	(((quirk) & GENMASK(14, 13)) >> 13)
@@ -118,7 +119,9 @@ static void log_quirks(struct device *dev)
 		dev_info(dev, "quirk IN3_MAP enabled\n");
 		break;
 	default:
-		dev_err(dev, "quirk map 0x%x is not supported, microphone input will not work\n", map);
+		dev_warn_once(dev, "quirk sets invalid input map: 0x%x, default to DMIC1_MAP\n", map);
+		byt_rt5640_quirk &= ~BYT_RT5640_MAP_MASK;
+		byt_rt5640_quirk |= BYT_RT5640_DMIC1_MAP;
 		break;
 	}
 	if (BYT_RT5640_JDSRC(byt_rt5640_quirk)) {
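Review bot: the correction of byt_rt5640_quirk lives in the `default:` case of log_quirks(), so any code that evaluates BYT_RT5640_MAP(byt_rt5640_quirk) before log_quirks() has run still sees the unvalidated value. The hunk does not show the call order; a comment stating that log_quirks() must be called before the map is used to index anything, or a dedicated validation helper, would make the guarantee checkable.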
-- 
2.51.0





* [PATCH 5.4 047/224] ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Mark Brown,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

[ Upstream commit 4336efb59ef364e691ef829a73d9dbd4d5ed7c7b ]

When an invalid value is passed via quirk option, currently
bytcr_rt5640 driver just ignores and leaves as is, which may lead to
unexpected results like OOB access.

This patch adds the sanity check and corrects the input mapping to the
certain default value if an invalid value is passed.

Fixes: 64484ccee7af ("ASoC: Intel: bytcr_rt5651: Set card long_name based on quirks")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Message-ID: <20250902171826.27329-4-tiwai@suse.de>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/intel/boards/bytcr_rt5651.c | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/sound/soc/intel/boards/bytcr_rt5651.c b/sound/soc/intel/boards/bytcr_rt5651.c
index 0c1c8628b9917..6a5098efdaf2b 100644
--- a/sound/soc/intel/boards/bytcr_rt5651.c
+++ b/sound/soc/intel/boards/bytcr_rt5651.c
@@ -58,7 +58,8 @@ enum {
 	BYT_RT5651_OVCD_SF_1P5	= (RT5651_OVCD_SF_1P5 << 13),
 };
 
-#define BYT_RT5651_MAP(quirk)		((quirk) & GENMASK(3, 0))
+#define BYT_RT5651_MAP_MASK		GENMASK(3, 0)
+#define BYT_RT5651_MAP(quirk)		((quirk) & BYT_RT5651_MAP_MASK)
 #define BYT_RT5651_JDSRC(quirk)		(((quirk) & GENMASK(7, 4)) >> 4)
 #define BYT_RT5651_OVCD_TH(quirk)	(((quirk) & GENMASK(12, 8)) >> 8)
 #define BYT_RT5651_OVCD_SF(quirk)	(((quirk) & GENMASK(14, 13)) >> 13)
@@ -99,14 +100,29 @@ MODULE_PARM_DESC(quirk, "Board-specific quirk override");
 
 static void log_quirks(struct device *dev)
 {
-	if (BYT_RT5651_MAP(byt_rt5651_quirk) == BYT_RT5651_DMIC_MAP)
+	int map;
+
+	map = BYT_RT5651_MAP(byt_rt5651_quirk);
+	switch (map) {
+	case BYT_RT5651_DMIC_MAP:
 		dev_info(dev, "quirk DMIC_MAP enabled");
-	if (BYT_RT5651_MAP(byt_rt5651_quirk) == BYT_RT5651_IN1_MAP)
+		break;
+	case BYT_RT5651_IN1_MAP:
 		dev_info(dev, "quirk IN1_MAP enabled");
-	if (BYT_RT5651_MAP(byt_rt5651_quirk) == BYT_RT5651_IN2_MAP)
+		break;
+	case BYT_RT5651_IN2_MAP:
 		dev_info(dev, "quirk IN2_MAP enabled");
-	if (BYT_RT5651_MAP(byt_rt5651_quirk) == BYT_RT5651_IN1_IN2_MAP)
+		break;
+	case BYT_RT5651_IN1_IN2_MAP:
 		dev_info(dev, "quirk IN1_IN2_MAP enabled");
+		break;
+	default:
+		dev_warn_once(dev, "quirk sets invalid input map: 0x%x, default to DMIC_MAP\n", map);
+		byt_rt5651_quirk &= ~BYT_RT5651_MAP_MASK;
+		byt_rt5651_quirk |= BYT_RT5651_DMIC_MAP;
+		break;
+	}
+
 	if (BYT_RT5651_JDSRC(byt_rt5651_quirk)) {
 		dev_info(dev, "quirk realtek,jack-detect-source %ld\n",
 			 BYT_RT5651_JDSRC(byt_rt5651_quirk));
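
Review bot: in the new default: branch of log_quirks(), byt_rt5651_quirk is corrected as a side effect of a logging helper, so the out-of-range map is only neutralised on paths that call log_quirks() before the map is used; a separate validation step would make that explicit. Two smaller points: the new dev_warn_once() string ends in \n while the dev_info() strings in the four case branches do not, and the changelog names the bytcr_rt5640 driver although this diff touches sound/soc/intel/boards/bytcr_rt5651.c.
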
-- 
2.51.0





* [PATCH 5.4 048/224] iio: consumers: Fix offset handling in iio_convert_raw_to_processed()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 047/224] ASoC: Intel: bytcr_rt5651: " Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 049/224] netfilter: ipset: Remove unused htable_bits in macro ahash_region Greg Kroah-Hartman
                   ` (183 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Liam Beguin, Andy Shevchenko,
	Hans de Goede, Jonathan Cameron, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hansg@kernel.org>

[ Upstream commit 33f5c69c4daff39c010b3ea6da8ebab285f4277b ]

Fix iio_convert_raw_to_processed() offset handling for channels without
a scale attribute.

The offset has been applied to the raw64 value not to the original raw
value. Use the raw64 value so that the offset is taken into account.

Fixes: 14b457fdde38 ("iio: inkern: apply consumer scale when no channel scale is available")
Cc: Liam Beguin <liambeguin@gmail.com>
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Signed-off-by: Hans de Goede <hansg@kernel.org>
Link: https://patch.msgid.link/20250831104825.15097-3-hansg@kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iio/inkern.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c
index 6374d50915557..6bdd175df021d 100644
--- a/drivers/iio/inkern.c
+++ b/drivers/iio/inkern.c
@@ -627,7 +627,7 @@ static int iio_convert_raw_to_processed_unlocked(struct iio_channel *chan,
 		 * If no channel scaling is available apply consumer scale to
 		 * raw value and return.
 		 */
-		*processed = raw * scale;
+		*processed = raw64 * scale;
 		return 0;
 	}
 
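
Review bot: at "*processed = raw64 * scale;" the product is now computed from raw64 and stored through *processed with no visible range check. If *processed is narrower than raw64, a large offset-adjusted value times scale is truncated silently, so confirm the types or add a check. The comment just above still says the consumer scale is applied to the "raw value"; after this change that is the offset-adjusted raw64, and the comment could say so.
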
-- 
2.51.0





* [PATCH 5.4 049/224] netfilter: ipset: Remove unused htable_bits in macro ahash_region
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 048/224] iio: consumers: Fix offset handling in iio_convert_raw_to_processed() Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 050/224] watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the watchdog Greg Kroah-Hartman
                   ` (182 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhen Ni, Phil Sutter,
	Florian Westphal, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhen Ni <zhen.ni@easystack.cn>

[ Upstream commit ba941796d7cd1e81f51eed145dad1b47240ff420 ]

Since the ahash_region() macro was redefined to calculate the region
index solely from HTABLE_REGION_BITS, the htable_bits parameter became
unused.

Remove the unused htable_bits argument and its call sites, simplifying
the code without changing semantics.

Fixes: 8478a729c046 ("netfilter: ipset: fix region locking in hash types")
Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
Reviewed-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/ipset/ip_set_hash_gen.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
index 297631f9717bc..0dcba0a87283d 100644
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -87,7 +87,7 @@ struct hbucket {
 		: jhash_size((htable_bits) - HTABLE_REGION_BITS))
 #define ahash_sizeof_regions(htable_bits)		\
 	(ahash_numof_locks(htable_bits) * sizeof(struct ip_set_region))
-#define ahash_region(n, htable_bits)		\
+#define ahash_region(n)		\
 	((n) / jhash_size(HTABLE_REGION_BITS))
 #define ahash_bucket_start(h,  htable_bits)	\
 	((htable_bits) < HTABLE_REGION_BITS ? 0	\
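
Review bot: the ahash_region() definition drops htable_bits, and the changelog states that this simplifies the code without changing semantics. For a stable backport the changelog should say why a no-functional-change cleanup is needed here, for example as a prerequisite for another fix. The arity change itself is safe in that any call site missed by the three later hunks fails to compile rather than misbehaving.
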
@@ -716,7 +716,7 @@ mtype_resize(struct ip_set *set, bool retried)
 #endif
 				key = HKEY(data, h->initval, htable_bits);
 				m = __ipset_dereference(hbucket(t, key));
-				nr = ahash_region(key, htable_bits);
+				nr = ahash_region(key);
 				if (!m) {
 					m = kzalloc(sizeof(*m) +
 					    AHASH_INIT_SIZE * dsize,
@@ -866,7 +866,7 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,
 	rcu_read_lock_bh();
 	t = rcu_dereference_bh(h->table);
 	key = HKEY(value, h->initval, t->htable_bits);
-	r = ahash_region(key, t->htable_bits);
+	r = ahash_region(key);
 	atomic_inc(&t->uref);
 	elements = t->hregion[r].elements;
 	maxelem = t->maxelem;
@@ -1059,7 +1059,7 @@ mtype_del(struct ip_set *set, void *value, const struct ip_set_ext *ext,
 	rcu_read_lock_bh();
 	t = rcu_dereference_bh(h->table);
 	key = HKEY(value, h->initval, t->htable_bits);
-	r = ahash_region(key, t->htable_bits);
+	r = ahash_region(key);
 	atomic_inc(&t->uref);
 	rcu_read_unlock_bh();
 
-- 
2.51.0





* [PATCH 5.4 050/224] watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the watchdog
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 049/224] netfilter: ipset: Remove unused htable_bits in macro ahash_region Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 051/224] drivers/base/node: handle error properly in register_one_node() Greg Kroah-Hartman
                   ` (181 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christophe Leroy, Guenter Roeck,
	Wim Van Sebroeck, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe Leroy <christophe.leroy@csgroup.eu>

[ Upstream commit 7dfd80f70ef00d871df5af7c391133f7ba61ad9b ]

When the watchdog gets enabled with this driver, it leaves enough time
for the core watchdog subsystem to start pinging it. But when the
watchdog is already started by hardware or by the boot loader, little
time remains before it fires and it happens that the core watchdog
subsystem doesn't have time to start pinging it.

Until commit 19ce9490aa84 ("watchdog: mpc8xxx: use the core worker
function") pinging was managed by the driver itself and the watchdog
was immediately pinged by setting the timer expiry to 0.

So restore similar behaviour by pinging it when enabling it so that
if it was already enabled the watchdog timer counter is reloaded.

Fixes: 19ce9490aa84 ("watchdog: mpc8xxx: use the core worker function")
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/watchdog/mpc8xxx_wdt.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/watchdog/mpc8xxx_wdt.c b/drivers/watchdog/mpc8xxx_wdt.c
index 3fc457bc16db3..18349ec0c1010 100644
--- a/drivers/watchdog/mpc8xxx_wdt.c
+++ b/drivers/watchdog/mpc8xxx_wdt.c
@@ -100,6 +100,8 @@ static int mpc8xxx_wdt_start(struct watchdog_device *w)
 	ddata->swtc = tmp >> 16;
 	set_bit(WDOG_HW_RUNNING, &ddata->wdd.status);
 
+	mpc8xxx_wdt_keepalive(ddata);
+
 	return 0;
 }
 
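
Review bot: the added mpc8xxx_wdt_keepalive(ddata) call at the end of mpc8xxx_wdt_start() has no comment, and without the changelog it reads as a redundant ping right after start. A one-line comment that the counter is reloaded because the watchdog may already have been started by hardware or by the boot loader would keep the reason next to the code.
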
-- 
2.51.0





* [PATCH 5.4 051/224] drivers/base/node: handle error properly in register_one_node()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 050/224] watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the watchdog Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 052/224] wifi: mt76: fix potential memory leak in mt76_wmac_probe() Greg Kroah-Hartman
                   ` (180 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Donet Tom, David Hildenbrand,
	Alison Schofield, Danilo Krummrich, Dave Jiang,
	Hiroyouki Kamezawa, Joanthan Cameron, Oscar Salvador,
	Ritesh Harjani (IBM), Yury Norov (NVIDIA), Zi Yan, Andrew Morton,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Donet Tom <donettom@linux.ibm.com>

[ Upstream commit 786eb990cfb78aab94eb74fb32a030e14723a620 ]

If register_node() returns an error, it is not handled correctly.
The function will proceed further and try to register CPUs under the
node, which is not correct.

So, in this patch, if register_node() returns an error, we return
immediately from the function.

Link: https://lkml.kernel.org/r/20250822084845.19219-1-donettom@linux.ibm.com
Fixes: 76b67ed9dce6 ("[PATCH] node hotplug: register cpu: remove node struct")
Signed-off-by: Donet Tom <donettom@linux.ibm.com>
Acked-by: David Hildenbrand <david@redhat.com>
Cc: Alison Schofield <alison.schofield@intel.com>
Cc: Danilo Krummrich <dakr@kernel.org>
Cc: Dave Jiang <dave.jiang@intel.com>
Cc: Donet Tom <donettom@linux.ibm.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Hiroyouki Kamezawa <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Joanthan Cameron <Jonathan.Cameron@huawei.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: "Ritesh Harjani (IBM)" <ritesh.list@gmail.com>
Cc: Yury Norov (NVIDIA) <yury.norov@gmail.com>
Cc: Zi Yan <ziy@nvidia.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/base/node.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/base/node.c b/drivers/base/node.c
index 666eb55c0774e..cb1bbe3068ab6 100644
--- a/drivers/base/node.c
+++ b/drivers/base/node.c
@@ -938,6 +938,11 @@ int __register_one_node(int nid)
 		return -ENOMEM;
 
 	error = register_node(node_devices[nid], nid);
+	if (error) {
+		node_devices[nid] = NULL;
+		kfree(node);
+		return error;
+	}
 
 	/* link cpu under this node */
 	for_each_present_cpu(cpu) {
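
Review bot: in the new error branch after register_node(), the object is released with kfree(node) although it has just been passed to register_node() as node_devices[nid]. If register_node() hands the object to the driver core as a reference-counted device before failing, a bare kfree() can bypass or duplicate the release callback, which is a leak or a double free depending on what register_node() does on its own failure path. Please confirm that in this tree register_node() leaves ownership with the caller on error, and mention the free in the changelog, which currently describes only the early return.
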
-- 
2.51.0





* [PATCH 5.4 052/224] wifi: mt76: fix potential memory leak in mt76_wmac_probe()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 051/224] drivers/base/node: handle error properly in register_one_node() Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 053/224] RDMA/core: Resolve MAC of next-hop device without ARP support Greg Kroah-Hartman
                   ` (179 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Jiri Slaby,
	Felix Fietkau, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Abdun Nihaal <abdun.nihaal@gmail.com>

[ Upstream commit 42754b7de2b1a2cf116c5e3f1e8e78392f4ed700 ]

In mt76_wmac_probe(), when the mt76_alloc_device() call succeeds, memory
is allocated for both struct ieee80211_hw and a workqueue. However, on
the error path, the workqueue is not freed. Fix that by calling
mt76_free_device() on the error path.

Fixes: c8846e101502 ("mt76: add driver for MT7603E and MT7628/7688")
Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Link: https://patch.msgid.link/20250709145532.41246-1-abdun.nihaal@gmail.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/mediatek/mt76/mt7603/soc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7603/soc.c b/drivers/net/wireless/mediatek/mt76/mt7603/soc.c
index 68efb300c0d88..8c3603f113894 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7603/soc.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7603/soc.c
@@ -48,7 +48,7 @@ mt76_wmac_probe(struct platform_device *pdev)
 
 	return 0;
 error:
-	ieee80211_free_hw(mt76_hw(dev));
+	mt76_free_device(mdev);
 	return ret;
 }
 
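
Review bot: the error: label now calls mt76_free_device(mdev) in place of ieee80211_free_hw(mt76_hw(dev)), so every goto error must be reached only after mdev is valid, and mt76_free_device() must still release the ieee80211_hw that the removed line freed. Neither is visible in this hunk; both should be checked against the 5.4 version of mt76_free_device() before this is applied.
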
-- 
2.51.0





* [PATCH 5.4 053/224] RDMA/core: Resolve MAC of next-hop device without ARP support
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 052/224] wifi: mt76: fix potential memory leak in mt76_wmac_probe() Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 054/224] IB/sa: Fix sa_local_svc_timeout_ms read race Greg Kroah-Hartman
                   ` (178 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Parav Pandit, Vlad Dumitrescu,
	Edward Srouji, Leon Romanovsky, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Parav Pandit <parav@nvidia.com>

[ Upstream commit 200651b9b8aadfbbec852f0e5d042d9abe75e2ab ]

Currently, if the next-hop netdevice does not support ARP resolution,
the destination MAC address is silently set to zero without reporting
an error. This leads to incorrect behavior and may result in packet
transmission failures.

Fix this by deferring MAC resolution to the IP stack via neighbour
lookup, allowing proper resolution or error reporting as appropriate.

Fixes: 7025fcd36bd6 ("IB: address translation to map IP toIB addresses (GIDs)")
Signed-off-by: Parav Pandit <parav@nvidia.com>
Reviewed-by: Vlad Dumitrescu <vdumitrescu@nvidia.com>
Signed-off-by: Edward Srouji <edwards@nvidia.com>
Link: https://patch.msgid.link/20250916111103.84069-3-edwards@nvidia.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/core/addr.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
index c9e63c692b6e8..48de2285922f8 100644
--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -459,14 +459,10 @@ static int addr_resolve_neigh(const struct dst_entry *dst,
 {
 	int ret = 0;
 
-	if (ndev_flags & IFF_LOOPBACK) {
+	if (ndev_flags & IFF_LOOPBACK)
 		memcpy(addr->dst_dev_addr, addr->src_dev_addr, MAX_ADDR_LEN);
-	} else {
-		if (!(ndev_flags & IFF_NOARP)) {
-			/* If the device doesn't do ARP internally */
-			ret = fetch_ha(dst, addr, dst_in, seq);
-		}
-	}
+	else
+		ret = fetch_ha(dst, addr, dst_in, seq);
 	return ret;
 }
 
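
Review bot: dropping the IFF_NOARP test in addr_resolve_neigh() changes what callers see: for a NOARP next hop the function used to return 0 and now returns whatever fetch_ha() returns, including errors. The removed comment is not replaced, so nothing in the code says why NOARP devices now go through fetch_ha(). A short comment to that effect, plus confirmation that fetch_ha() in this tree handles NOARP devices, would help.
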
-- 
2.51.0





* [PATCH 5.4 054/224] IB/sa: Fix sa_local_svc_timeout_ms read race
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 053/224] RDMA/core: Resolve MAC of next-hop device without ARP support Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 055/224] wifi: ath10k: avoid unnecessary wait for service ready message Greg Kroah-Hartman
                   ` (177 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Vlad Dumitrescu, Mark Zhang,
	Edward Srouji, Leon Romanovsky, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vlad Dumitrescu <vdumitrescu@nvidia.com>

[ Upstream commit 1428cd764cd708d53a072a2f208d87014bfe05bc ]

When computing the delta, the sa_local_svc_timeout_ms is read without
ib_nl_request_lock held. Though unlikely in practice, this can cause
a race condition if multiple local service threads are managing the
timeout.

Fixes: 2ca546b92a02 ("IB/sa: Route SA pathrecord query through netlink")
Signed-off-by: Vlad Dumitrescu <vdumitrescu@nvidia.com>
Reviewed-by: Mark Zhang <markzhang@nvidia.com>
Signed-off-by: Edward Srouji <edwards@nvidia.com>
Link: https://patch.msgid.link/20250916163112.98414-1-edwards@nvidia.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/core/sa_query.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/core/sa_query.c b/drivers/infiniband/core/sa_query.c
index 11ab6390eda4d..b05df8694a4a5 100644
--- a/drivers/infiniband/core/sa_query.c
+++ b/drivers/infiniband/core/sa_query.c
@@ -1036,6 +1036,8 @@ int ib_nl_handle_set_timeout(struct sk_buff *skb,
 	if (timeout > IB_SA_LOCAL_SVC_TIMEOUT_MAX)
 		timeout = IB_SA_LOCAL_SVC_TIMEOUT_MAX;
 
+	spin_lock_irqsave(&ib_nl_request_lock, flags);
+
 	delta = timeout - sa_local_svc_timeout_ms;
 	if (delta < 0)
 		abs_delta = -delta;
@@ -1043,7 +1045,6 @@ int ib_nl_handle_set_timeout(struct sk_buff *skb,
 		abs_delta = delta;
 
 	if (delta != 0) {
-		spin_lock_irqsave(&ib_nl_request_lock, flags);
 		sa_local_svc_timeout_ms = timeout;
 		list_for_each_entry(query, &ib_nl_request_list, list) {
 			if (delta < 0 && abs_delta > query->timeout)
@@ -1061,9 +1062,10 @@ int ib_nl_handle_set_timeout(struct sk_buff *skb,
 		if (delay)
 			mod_delayed_work(ib_nl_wq, &ib_nl_timed_work,
 					 (unsigned long)delay);
-		spin_unlock_irqrestore(&ib_nl_request_lock, flags);
 	}
 
+	spin_unlock_irqrestore(&ib_nl_request_lock, flags);
+
 settimeout_out:
 	return 0;
 }
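
Review bot: ib_nl_request_lock is now taken before the delta computation and released just above the settimeout_out: label, so any goto settimeout_out located between the new lock and unlock lines would return with the spinlock held and interrupts disabled. None is visible in these hunks, but the full function body should be checked in the 5.4 tree. The delta == 0 case also now takes and releases the lock where it previously did not, which is worth a word in the changelog.
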
-- 
2.51.0





* [PATCH 5.4 055/224] wifi: ath10k: avoid unnecessary wait for service ready message
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 054/224] IB/sa: Fix sa_local_svc_timeout_ms read race Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:46   ` Jeff Johnson
  2025-10-27 18:33 ` [PATCH 5.4 056/224] sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC Greg Kroah-Hartman
                   ` (176 subsequent siblings)
  231 siblings, 1 reply; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paul Menzel, Baochen Qiang,
	Vasanthakumar Thiagarajan, Jeff Johnson, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Baochen Qiang <baochen.qiang@oss.qualcomm.com>

[ Upstream commit 51a73f1b2e56b0324b4a3bb8cebc4221b5be4c7a ]

Commit e57b7d62a1b2 ("wifi: ath10k: poll service ready message before
failing") works around the failure in waiting for the service ready
message by active polling. Note the polling is triggered after initial
wait timeout, which means that the wait-till-timeout can not be avoided
even if the message is ready.

A possible fix is to do polling once before wait as well, however this
can not handle the race that the message arrives right after polling.
So the solution is to do periodic polling until timeout.

Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00309-QCARMSWPZ-1

Fixes: e57b7d62a1b2 ("wifi: ath10k: poll service ready message before failing")
Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
Closes: https://lore.kernel.org/all/97a15967-5518-4731-a8ff-d43ff7f437b0@molgen.mpg.de
Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
Link: https://patch.msgid.link/20250811-ath10k-avoid-unnecessary-wait-v1-1-db2deb87c39b@oss.qualcomm.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath10k/wmi.c | 39 +++++++++++++--------------
 1 file changed, 19 insertions(+), 20 deletions(-)

diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
index ed6316c41cb78..0123d93323114 100644
--- a/drivers/net/wireless/ath/ath10k/wmi.c
+++ b/drivers/net/wireless/ath/ath10k/wmi.c
@@ -1720,33 +1720,32 @@ void ath10k_wmi_put_wmi_channel(struct wmi_channel *ch,
 
 int ath10k_wmi_wait_for_service_ready(struct ath10k *ar)
 {
+	unsigned long timeout = jiffies + WMI_SERVICE_READY_TIMEOUT_HZ;
 	unsigned long time_left, i;
 
-	time_left = wait_for_completion_timeout(&ar->wmi.service_ready,
-						WMI_SERVICE_READY_TIMEOUT_HZ);
-	if (!time_left) {
-		/* Sometimes the PCI HIF doesn't receive interrupt
-		 * for the service ready message even if the buffer
-		 * was completed. PCIe sniffer shows that it's
-		 * because the corresponding CE ring doesn't fires
-		 * it. Workaround here by polling CE rings once.
-		 */
-		ath10k_warn(ar, "failed to receive service ready completion, polling..\n");
-
+	/* Sometimes the PCI HIF doesn't receive interrupt
+	 * for the service ready message even if the buffer
+	 * was completed. PCIe sniffer shows that it's
+	 * because the corresponding CE ring doesn't fires
+	 * it. Workaround here by polling CE rings. Since
+	 * the message could arrive at any time, continue
+	 * polling until timeout.
+	 */
+	do {
 		for (i = 0; i < CE_COUNT; i++)
 			ath10k_hif_send_complete_check(ar, i, 1);
 
+		/* The 100 ms granularity is a tradeoff considering scheduler
+		 * overhead and response latency
+		 */
 		time_left = wait_for_completion_timeout(&ar->wmi.service_ready,
-							WMI_SERVICE_READY_TIMEOUT_HZ);
-		if (!time_left) {
-			ath10k_warn(ar, "polling timed out\n");
-			return -ETIMEDOUT;
-		}
-
-		ath10k_warn(ar, "service ready completion received, continuing normally\n");
-	}
+							msecs_to_jiffies(100));
+		if (time_left)
+			return 0;
+	} while (time_before(jiffies, timeout));
 
-	return 0;
+	ath10k_warn(ar, "failed to receive service ready completion\n");
+	return -ETIMEDOUT;
 }
 
 int ath10k_wmi_wait_for_unified_ready(struct ath10k *ar)
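
Review bot: in the new do/while loop, the success path returns 0 without any message, whereas the removed code warned when polling had been needed. That drops the only trace that the missed-interrupt workaround fired; a debug-level message on that path would keep it. Also, each pass waits msecs_to_jiffies(100) and the time_before() check comes after the wait, so the total wait can exceed WMI_SERVICE_READY_TIMEOUT_HZ by up to one interval; that is probably acceptable but worth stating in the comment.
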
-- 
2.51.0





* [PATCH 5.4 056/224] sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 055/224] wifi: ath10k: avoid unnecessary wait for service ready message Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 057/224] sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III Greg Kroah-Hartman
                   ` (175 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Karcher, Andreas Larsson,
	Sasha Levin, John Paul Adrian Glaubitz, René Rebe,
	Jonathan 'theJPster' Pallant

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>

[ Upstream commit 4fba1713001195e59cfc001ff1f2837dab877efb ]

The referenced commit introduced exception handlers on user-space memory
references in copy_from_user and copy_to_user. These handlers return from
the respective function and calculate the remaining bytes left to copy
using the current register contents. This commit fixes a couple of bad
calculations. This will fix the return value of copy_from_user and
copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.

Fixes: cb736fdbb208 ("sparc64: Convert U1copy_{from,to}_user to accurate exception reporting.")
Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> # on QEMU 10.0.3
Tested-by: René Rebe <rene@exactcode.com> # on Ultra 5 UltraSparc IIi
Tested-by: Jonathan 'theJPster' Pallant <kernel@thejpster.org.uk> # on Sun Netra T1
Signed-off-by: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
Reviewed-by: Andreas Larsson <andreas@gaisler.com>
Link: https://lore.kernel.org/r/20250905-memcpy_series-v4-1-1ca72dda195b@mkarcher.dialup.fu-berlin.de
Signed-off-by: Andreas Larsson <andreas@gaisler.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/sparc/lib/U1memcpy.S | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/arch/sparc/lib/U1memcpy.S b/arch/sparc/lib/U1memcpy.S
index a6f4ee3918977..021b94a383d13 100644
--- a/arch/sparc/lib/U1memcpy.S
+++ b/arch/sparc/lib/U1memcpy.S
@@ -164,17 +164,18 @@ ENTRY(U1_gs_40_fp)
 	retl
 	 add		%o0, %o2, %o0
 ENDPROC(U1_gs_40_fp)
-ENTRY(U1_g3_0_fp)
-	VISExitHalf
-	retl
-	 add		%g3, %o2, %o0
-ENDPROC(U1_g3_0_fp)
 ENTRY(U1_g3_8_fp)
 	VISExitHalf
 	add		%g3, 8, %g3
 	retl
 	 add		%g3, %o2, %o0
 ENDPROC(U1_g3_8_fp)
+ENTRY(U1_g3_16_fp)
+	VISExitHalf
+	add		%g3, 16, %g3
+	retl
+	 add		%g3, %o2, %o0
+ENDPROC(U1_g3_16_fp)
 ENTRY(U1_o2_0_fp)
 	VISExitHalf
 	retl
@@ -547,18 +548,18 @@ FUNC_NAME:		/* %o0=dst, %o1=src, %o2=len */
 62:	FINISH_VISCHUNK(o0, f44, f46)
 63:	UNEVEN_VISCHUNK_LAST(o0, f46, f0)
 
-93:	EX_LD_FP(LOAD(ldd, %o1, %f2), U1_g3_0_fp)
+93:	EX_LD_FP(LOAD(ldd, %o1, %f2), U1_g3_8_fp)
 	add		%o1, 8, %o1
 	subcc		%g3, 8, %g3
 	faligndata	%f0, %f2, %f8
-	EX_ST_FP(STORE(std, %f8, %o0), U1_g3_8_fp)
+	EX_ST_FP(STORE(std, %f8, %o0), U1_g3_16_fp)
 	bl,pn		%xcc, 95f
 	 add		%o0, 8, %o0
-	EX_LD_FP(LOAD(ldd, %o1, %f0), U1_g3_0_fp)
+	EX_LD_FP(LOAD(ldd, %o1, %f0), U1_g3_8_fp)
 	add		%o1, 8, %o1
 	subcc		%g3, 8, %g3
 	faligndata	%f2, %f0, %f8
-	EX_ST_FP(STORE(std, %f8, %o0), U1_g3_8_fp)
+	EX_ST_FP(STORE(std, %f8, %o0), U1_g3_16_fp)
 	bge,pt		%xcc, 93b
 	 add		%o0, 8, %o0
 
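
Review bot: at label 93 the fixup targets change from U1_g3_0_fp and U1_g3_8_fp to U1_g3_8_fp and U1_g3_16_fp, but nothing in the code says why the load needs +8 and the store after "subcc %g3, 8, %g3" needs +16. A comment at 93: stating how far %g3 is biased at each faulting instruction would make these constants checkable, since a wrong one yields a wrong residual count from copy_from_user and copy_to_user. Because the first hunk deletes U1_g3_0_fp, also confirm that no other EX_LD_FP or EX_ST_FP in the file still references it.
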
-- 
2.51.0





* [PATCH 5.4 057/224] sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 056/224] sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 058/224] sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara Greg Kroah-Hartman
                   ` (174 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Anthony Yznaga, Michael Karcher,
	Andreas Larsson, Sasha Levin, John Paul Adrian Glaubitz,
	René Rebe

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>

[ Upstream commit 47b49c06eb62504075f0f2e2227aee2e2c2a58b3 ]

Anthony Yznaga tracked down that a BUG_ON in ext4 code with large folios
enabled resulted from copy_from_user() returning impossibly large values
greater than the size to be copied. This led to __copy_from_iter()
returning impossible values instead of the actual number of bytes it was
able to copy.

The BUG_ON has been reported in
https://lore.kernel.org/r/b14f55642207e63e907965e209f6323a0df6dcee.camel@physik.fu-berlin.de

The referenced commit introduced exception handlers on user-space memory
references in copy_from_user and copy_to_user. These handlers return from
the respective function and calculate the remaining bytes left to copy
using the current register contents. The exception handlers expect that
%o2 has already been masked during the bulk copy loop, but the masking was
performed after that loop. This will fix the return value of copy_from_user
and copy_to_user in the faulting case. The behaviour of memcpy stays
unchanged.

Fixes: ee841d0aff64 ("sparc64: Convert U3copy_{from,to}_user to accurate exception reporting.")
Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> # on Sun Netra 240
Reviewed-by: Anthony Yznaga <anthony.yznaga@oracle.com>
Tested-by: René Rebe <rene@exactcode.com> # on UltraSparc III+ and UltraSparc IIIi
Signed-off-by: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
Reviewed-by: Andreas Larsson <andreas@gaisler.com>
Link: https://lore.kernel.org/r/20250905-memcpy_series-v4-2-1ca72dda195b@mkarcher.dialup.fu-berlin.de
Signed-off-by: Andreas Larsson <andreas@gaisler.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/sparc/lib/U3memcpy.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/sparc/lib/U3memcpy.S b/arch/sparc/lib/U3memcpy.S
index 9248d59c734ce..bace3a18f836f 100644
--- a/arch/sparc/lib/U3memcpy.S
+++ b/arch/sparc/lib/U3memcpy.S
@@ -267,6 +267,7 @@ FUNC_NAME:	/* %o0=dst, %o1=src, %o2=len */
 	faligndata	%f10, %f12, %f26
 	EX_LD_FP(LOAD(ldd, %o1 + 0x040, %f0), U3_retl_o2)
 
+	and		%o2, 0x3f, %o2
 	subcc		GLOBAL_SPARE, 0x80, GLOBAL_SPARE
 	add		%o1, 0x40, %o1
 	bgu,pt		%XCC, 1f
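
Review bot: The added `and %o2, 0x3f, %o2` has no comment saying that its position matters. Per the commit message, the fault handlers used in the bulk copy loop compute the remaining length from %o2 and expect it to be masked already, while the `EX_LD_FP(..., U3_retl_o2)` just above the new line still runs with the unmasked length. A one-line comment at the new instruction stating that invariant would keep a later cleanup from moving the mask back below the loop.
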
@@ -336,7 +337,6 @@ FUNC_NAME:	/* %o0=dst, %o1=src, %o2=len */
 	 * Also notice how this code is careful not to perform a
 	 * load past the end of the src buffer.
 	 */
-	and		%o2, 0x3f, %o2
 	andcc		%o2, 0x38, %g2
 	be,pn		%XCC, 2f
 	 subcc		%g2, 0x8, %g2
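
Review bot: With `and %o2, 0x3f, %o2` removed from just above `andcc %o2, 0x38, %g2`, this tail depends on every path into it having executed the mask at its new location before the loop. The `andcc` with 0x38 gives the same result either way, but any later use of %o2 as a byte count does not, so it is worth confirming that no branch reaches this point without passing the earlier mask, and updating the block comment above to say where the masking now happens.
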
-- 
2.51.0





* [PATCH 5.4 058/224] sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 057/224] sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 059/224] sparc: fix accurate exception reporting in copy_to_user for Niagara 4 Greg Kroah-Hartman
                   ` (173 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Karcher, Andreas Larsson,
	Sasha Levin, John Paul Adrian Glaubitz, Magnus Lindholm,
	Ethan Hawke, Ken Link

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>

[ Upstream commit 0b67c8fc10b13a9090340c5f8a37d308f4e1571c ]

The referenced commit introduced exception handlers on user-space memory
references in copy_from_user and copy_to_user. These handlers return from
the respective function and calculate the remaining bytes left to copy
using the current register contents. This commit fixes a couple of bad
calculations and a broken epilogue in the exception handlers. This will
prevent crashes and ensure correct return values of copy_from_user and
copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.

Fixes: 7ae3aaf53f16 ("sparc64: Convert NGcopy_{from,to}_user to accurate exception reporting.")
Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> # on SPARC T4 with modified kernel to use Niagara 1 code
Tested-by: Magnus Lindholm <linmag7@gmail.com> # on Sun Fire T2000
Signed-off-by: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
Tested-by: Ethan Hawke <ehawk@ember.systems> # on Sun Fire T2000
Tested-by: Ken Link <iissmart@numberzero.org> # on Sun Fire T1000
Reviewed-by: Andreas Larsson <andreas@gaisler.com>
Link: https://lore.kernel.org/r/20250905-memcpy_series-v4-3-1ca72dda195b@mkarcher.dialup.fu-berlin.de
Signed-off-by: Andreas Larsson <andreas@gaisler.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/sparc/lib/NGmemcpy.S | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/arch/sparc/lib/NGmemcpy.S b/arch/sparc/lib/NGmemcpy.S
index 8e4d22a6ba0b2..846a8c4ea394f 100644
--- a/arch/sparc/lib/NGmemcpy.S
+++ b/arch/sparc/lib/NGmemcpy.S
@@ -80,8 +80,8 @@
 #ifndef EX_RETVAL
 #define EX_RETVAL(x)	x
 __restore_asi:
-	ret
 	wr	%g0, ASI_AIUS, %asi
+	ret
 	 restore
 ENTRY(NG_ret_i2_plus_i4_plus_1)
 	ba,pt	%xcc, __restore_asi
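
Review bot: The `__restore_asi` epilogue has no comment explaining that `restore` has to sit in the delay slot of `ret`, which is the ordering this hunk establishes by moving `wr %g0, ASI_AIUS, %asi` ahead of `ret`. The handlers visible in this file all branch to this label, so a short comment on it would make the constraint obvious the next time the sequence is touched. The commit message mentions the "broken epilogue" only in passing; naming `__restore_asi` there would also help anyone bisecting a crash.
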
@@ -126,15 +126,16 @@ ENTRY(NG_ret_i2_plus_g1_minus_56)
 	ba,pt	%xcc, __restore_asi
 	 add	%i2, %g1, %i0
 ENDPROC(NG_ret_i2_plus_g1_minus_56)
-ENTRY(NG_ret_i2_plus_i4)
+ENTRY(NG_ret_i2_plus_i4_plus_16)
+        add     %i4, 16, %i4
 	ba,pt	%xcc, __restore_asi
 	 add	%i2, %i4, %i0
-ENDPROC(NG_ret_i2_plus_i4)
-ENTRY(NG_ret_i2_plus_i4_minus_8)
-	sub	%i4, 8, %i4
+ENDPROC(NG_ret_i2_plus_i4_plus_16)
+ENTRY(NG_ret_i2_plus_i4_plus_8)
+	add	%i4, 8, %i4
 	ba,pt	%xcc, __restore_asi
 	 add	%i2, %i4, %i0
-ENDPROC(NG_ret_i2_plus_i4_minus_8)
+ENDPROC(NG_ret_i2_plus_i4_plus_8)
 ENTRY(NG_ret_i2_plus_8)
 	ba,pt	%xcc, __restore_asi
 	 add	%i2, 8, %i0
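
Review bot: The new `add     %i4, 16, %i4` line in `NG_ret_i2_plus_i4_plus_16` is indented with spaces, while the neighbouring handlers, including the new `add	%i4, 8, %i4` in `NG_ret_i2_plus_i4_plus_8`, use a tab; switch it to a tab to match the file. The hunk also retires the names `NG_ret_i2_plus_i4` and `NG_ret_i2_plus_i4_minus_8`, so it is worth checking that no `EX_LD`/`EX_ST` outside the hunks shown here still refers to them.
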
@@ -161,6 +162,12 @@ ENTRY(NG_ret_i2_and_7_plus_i4)
 	ba,pt	%xcc, __restore_asi
 	 add	%i2, %i4, %i0
 ENDPROC(NG_ret_i2_and_7_plus_i4)
+ENTRY(NG_ret_i2_and_7_plus_i4_plus_8)
+	and	%i2, 7, %i2
+	add	%i4, 8, %i4
+	ba,pt	%xcc, __restore_asi
+	 add	%i2, %i4, %i0
+ENDPROC(NG_ret_i2_and_7_plus_i4)
 #endif
 
 	.align		64
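
Review bot: `ENTRY(NG_ret_i2_and_7_plus_i4_plus_8)` is closed with `ENDPROC(NG_ret_i2_and_7_plus_i4)`, which is the name of the handler directly above rather than the new one. The closing line should read `ENDPROC(NG_ret_i2_and_7_plus_i4_plus_8)`, so that the symbol type and size annotations land on the new symbol and the existing handler is not annotated a second time.
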
@@ -406,13 +413,13 @@ FUNC_NAME:	/* %i0=dst, %i1=src, %i2=len */
 	andn		%i2, 0xf, %i4
 	and		%i2, 0xf, %i2
 1:	subcc		%i4, 0x10, %i4
-	EX_LD(LOAD(ldx, %i1, %o4), NG_ret_i2_plus_i4)
+	EX_LD(LOAD(ldx, %i1, %o4), NG_ret_i2_plus_i4_plus_16)
 	add		%i1, 0x08, %i1
-	EX_LD(LOAD(ldx, %i1, %g1), NG_ret_i2_plus_i4)
+	EX_LD(LOAD(ldx, %i1, %g1), NG_ret_i2_plus_i4_plus_16)
 	sub		%i1, 0x08, %i1
-	EX_ST(STORE(stx, %o4, %i1 + %i3), NG_ret_i2_plus_i4)
+	EX_ST(STORE(stx, %o4, %i1 + %i3), NG_ret_i2_plus_i4_plus_16)
 	add		%i1, 0x8, %i1
-	EX_ST(STORE(stx, %g1, %i1 + %i3), NG_ret_i2_plus_i4_minus_8)
+	EX_ST(STORE(stx, %g1, %i1 + %i3), NG_ret_i2_plus_i4_plus_8)
 	bgu,pt		%XCC, 1b
 	 add		%i1, 0x8, %i1
 73:	andcc		%i2, 0x8, %g0
@@ -469,7 +476,7 @@ FUNC_NAME:	/* %i0=dst, %i1=src, %i2=len */
 	subcc		%i4, 0x8, %i4
 	srlx		%g3, %i3, %i5
 	or		%i5, %g2, %i5
-	EX_ST(STORE(stx, %i5, %o0), NG_ret_i2_and_7_plus_i4)
+	EX_ST(STORE(stx, %i5, %o0), NG_ret_i2_and_7_plus_i4_plus_8)
 	add		%o0, 0x8, %o0
 	bgu,pt		%icc, 1b
 	 sllx		%g3, %g1, %g2
-- 
2.51.0





* [PATCH 5.4 059/224] sparc: fix accurate exception reporting in copy_to_user for Niagara 4
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 058/224] sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 060/224] sparc: fix accurate exception reporting in copy_{from,to}_user for M7 Greg Kroah-Hartman
                   ` (172 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Karcher, Andreas Larsson,
	Sasha Levin, John Paul Adrian Glaubitz

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>

[ Upstream commit 5a746c1a2c7980de6c888b6373299f751ad7790b ]

The referenced commit introduced exception handlers on user-space memory
references in copy_from_user and copy_to_user. These handlers return from
the respective function and calculate the remaining bytes left to copy
using the current register contents. This commit fixes a bad calculation.
This will fix the return value of copy_to_user in a specific faulting case.
The behaviour of memcpy stays unchanged.

Fixes: 957077048009 ("sparc64: Convert NG4copy_{from,to}_user to accurate exception reporting.")
Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> # on Oracle SPARC T4-1
Signed-off-by: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
Reviewed-by: Andreas Larsson <andreas@gaisler.com>
Link: https://lore.kernel.org/r/20250905-memcpy_series-v4-4-1ca72dda195b@mkarcher.dialup.fu-berlin.de
Signed-off-by: Andreas Larsson <andreas@gaisler.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/sparc/lib/NG4memcpy.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/sparc/lib/NG4memcpy.S b/arch/sparc/lib/NG4memcpy.S
index 7ad58ebe0d009..df0ec1bd19489 100644
--- a/arch/sparc/lib/NG4memcpy.S
+++ b/arch/sparc/lib/NG4memcpy.S
@@ -281,7 +281,7 @@ FUNC_NAME:	/* %o0=dst, %o1=src, %o2=len */
 	subcc		%o5, 0x20, %o5
 	EX_ST(STORE(stx, %g1, %o0 + 0x00), memcpy_retl_o2_plus_o5_plus_32)
 	EX_ST(STORE(stx, %g2, %o0 + 0x08), memcpy_retl_o2_plus_o5_plus_24)
-	EX_ST(STORE(stx, GLOBAL_SPARE, %o0 + 0x10), memcpy_retl_o2_plus_o5_plus_24)
+	EX_ST(STORE(stx, GLOBAL_SPARE, %o0 + 0x10), memcpy_retl_o2_plus_o5_plus_16)
 	EX_ST(STORE(stx, %o4, %o0 + 0x18), memcpy_retl_o2_plus_o5_plus_8)
 	bne,pt		%icc, 1b
 	 add		%o0, 0x20, %o0
-- 
2.51.0





* [PATCH 5.4 060/224] sparc: fix accurate exception reporting in copy_{from,to}_user for M7
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 059/224] sparc: fix accurate exception reporting in copy_to_user for Niagara 4 Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 061/224] remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice Greg Kroah-Hartman
                   ` (171 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Karcher, Andreas Larsson,
	Sasha Levin, John Paul Adrian Glaubitz, Tony Rodriguez

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>

[ Upstream commit 936fb512752af349fc30ccbe0afe14a2ae6d7159 ]

The referenced commit introduced exception handlers on user-space memory
references in copy_from_user and copy_to_user. These handlers return from
the respective function and calculate the remaining bytes left to copy
using the current register contents. This commit fixes a couple of bad
calculations. This will fix the return value of copy_from_user and
copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.

Fixes: 34060b8fffa7 ("arch/sparc: Add accurate exception reporting in M7memcpy")
Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> # on Oracle SPARC S7
Tested-by: Tony Rodriguez <unixpro1970@gmail.com> # S7, see https://lore.kernel.org/r/98564e2e68df2dda0e00c67a75c7f7dfedb33c7e.camel@physik.fu-berlin.de
Signed-off-by: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
Reviewed-by: Andreas Larsson <andreas@gaisler.com>
Link: https://lore.kernel.org/r/20250905-memcpy_series-v4-5-1ca72dda195b@mkarcher.dialup.fu-berlin.de
Signed-off-by: Andreas Larsson <andreas@gaisler.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/sparc/lib/M7memcpy.S     | 20 ++++++++++----------
 arch/sparc/lib/Memcpy_utils.S |  9 +++++++++
 2 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/arch/sparc/lib/M7memcpy.S b/arch/sparc/lib/M7memcpy.S
index cbd42ea7c3f7c..99357bfa8e82a 100644
--- a/arch/sparc/lib/M7memcpy.S
+++ b/arch/sparc/lib/M7memcpy.S
@@ -696,16 +696,16 @@ FUNC_NAME:
 	EX_LD_FP(LOAD(ldd, %o4+40, %f26), memcpy_retl_o2_plus_o5_plus_40)
 	faligndata %f24, %f26, %f10
 	EX_ST_FP(STORE(std, %f6, %o0+24), memcpy_retl_o2_plus_o5_plus_40)
-	EX_LD_FP(LOAD(ldd, %o4+48, %f28), memcpy_retl_o2_plus_o5_plus_40)
+	EX_LD_FP(LOAD(ldd, %o4+48, %f28), memcpy_retl_o2_plus_o5_plus_32)
 	faligndata %f26, %f28, %f12
-	EX_ST_FP(STORE(std, %f8, %o0+32), memcpy_retl_o2_plus_o5_plus_40)
+	EX_ST_FP(STORE(std, %f8, %o0+32), memcpy_retl_o2_plus_o5_plus_32)
 	add	%o4, 64, %o4
-	EX_LD_FP(LOAD(ldd, %o4-8, %f30), memcpy_retl_o2_plus_o5_plus_40)
+	EX_LD_FP(LOAD(ldd, %o4-8, %f30), memcpy_retl_o2_plus_o5_plus_24)
 	faligndata %f28, %f30, %f14
-	EX_ST_FP(STORE(std, %f10, %o0+40), memcpy_retl_o2_plus_o5_plus_40)
-	EX_ST_FP(STORE(std, %f12, %o0+48), memcpy_retl_o2_plus_o5_plus_40)
+	EX_ST_FP(STORE(std, %f10, %o0+40), memcpy_retl_o2_plus_o5_plus_24)
+	EX_ST_FP(STORE(std, %f12, %o0+48), memcpy_retl_o2_plus_o5_plus_16)
 	add	%o0, 64, %o0
-	EX_ST_FP(STORE(std, %f14, %o0-8), memcpy_retl_o2_plus_o5_plus_40)
+	EX_ST_FP(STORE(std, %f14, %o0-8), memcpy_retl_o2_plus_o5_plus_8)
 	fsrc2	%f30, %f14
 	bgu,pt	%xcc, .Lunalign_sloop
 	 prefetch [%o4 + (8 * BLOCK_SIZE)], 20
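
Review bot: The fixup labels in this unrolled loop follow a rule that is not written down anywhere in the hunk: a store to `%o0+N` uses `memcpy_retl_o2_plus_o5_plus_(64-N)`, and each load uses the label of the next store still pending. The old code used `_plus_40` for everything from `%o4+48` onward, which looks like a copy-and-paste slip that the rule would have caught. A short comment above the loop stating the rule would make the next such error easy to spot in review.
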
@@ -728,7 +728,7 @@ FUNC_NAME:
 	add	%o4, 8, %o4
 	faligndata %f0, %f2, %f16
 	subcc	%o5, 8, %o5
-	EX_ST_FP(STORE(std, %f16, %o0), memcpy_retl_o2_plus_o5)
+	EX_ST_FP(STORE(std, %f16, %o0), memcpy_retl_o2_plus_o5_plus_8)
 	fsrc2	%f2, %f0
 	bgu,pt	%xcc, .Lunalign_by8
 	 add	%o0, 8, %o0
@@ -772,7 +772,7 @@ FUNC_NAME:
 	subcc	%o5, 0x20, %o5
 	EX_ST(STORE(stx, %o3, %o0 + 0x00), memcpy_retl_o2_plus_o5_plus_32)
 	EX_ST(STORE(stx, %g2, %o0 + 0x08), memcpy_retl_o2_plus_o5_plus_24)
-	EX_ST(STORE(stx, %g7, %o0 + 0x10), memcpy_retl_o2_plus_o5_plus_24)
+	EX_ST(STORE(stx, %g7, %o0 + 0x10), memcpy_retl_o2_plus_o5_plus_16)
 	EX_ST(STORE(stx, %o4, %o0 + 0x18), memcpy_retl_o2_plus_o5_plus_8)
 	bne,pt	%xcc, 1b
 	 add	%o0, 0x20, %o0
@@ -804,12 +804,12 @@ FUNC_NAME:
 	brz,pt	%o3, 2f
 	 sub	%o2, %o3, %o2
 
-1:	EX_LD(LOAD(ldub, %o1 + 0x00, %g2), memcpy_retl_o2_plus_g1)
+1:	EX_LD(LOAD(ldub, %o1 + 0x00, %g2), memcpy_retl_o2_plus_o3)
 	add	%o1, 1, %o1
 	subcc	%o3, 1, %o3
 	add	%o0, 1, %o0
 	bne,pt	%xcc, 1b
-	 EX_ST(STORE(stb, %g2, %o0 - 0x01), memcpy_retl_o2_plus_g1_plus_1)
+	 EX_ST(STORE(stb, %g2, %o0 - 0x01), memcpy_retl_o2_plus_o3_plus_1)
 2:
 	and	%o1, 0x7, %o3
 	brz,pn	%o3, .Lmedium_noprefetch_cp
diff --git a/arch/sparc/lib/Memcpy_utils.S b/arch/sparc/lib/Memcpy_utils.S
index 64fbac28b3db1..207343367bb2d 100644
--- a/arch/sparc/lib/Memcpy_utils.S
+++ b/arch/sparc/lib/Memcpy_utils.S
@@ -137,6 +137,15 @@ ENTRY(memcpy_retl_o2_plus_63_8)
 	ba,pt	%xcc, __restore_asi
 	 add	%o2, 8, %o0
 ENDPROC(memcpy_retl_o2_plus_63_8)
+ENTRY(memcpy_retl_o2_plus_o3)
+	ba,pt	%xcc, __restore_asi
+	 add	%o2, %o3, %o0
+ENDPROC(memcpy_retl_o2_plus_o3)
+ENTRY(memcpy_retl_o2_plus_o3_plus_1)
+	add	%o3, 1, %o3
+	ba,pt	%xcc, __restore_asi
+	 add	%o2, %o3, %o0
+ENDPROC(memcpy_retl_o2_plus_o3_plus_1)
 ENTRY(memcpy_retl_o2_plus_o5)
 	ba,pt	%xcc, __restore_asi
 	 add	%o2, %o5, %o0
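
Review bot: The handlers `memcpy_retl_o2_plus_g1` and `memcpy_retl_o2_plus_g1_plus_1` may be left without users once `memcpy_retl_o2_plus_o3` and `memcpy_retl_o2_plus_o3_plus_1` are added here, since the M7memcpy.S byte loop in this patch no longer references them. If that loop was their last user they are dead code and could be removed in the same change; if other copy routines still need them, saying so in the changelog would save the next reader the search.
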
-- 
2.51.0





* [PATCH 5.4 061/224] remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 060/224] sparc: fix accurate exception reporting in copy_{from,to}_user for M7 Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 062/224] NFSv4.1: fix backchannel max_resp_sz verification check Greg Kroah-Hartman
                   ` (170 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Stephan Gerhold,
	Bjorn Andersson, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephan Gerhold <stephan.gerhold@linaro.org>

[ Upstream commit 110be46f5afe27b66caa2d12473a84cd397b1925 ]

enable_irq() and disable_irq() are reference counted, so we must make sure
that each enable_irq() is always paired with a single disable_irq(). If we
call disable_irq() twice followed by just a single enable_irq(), the IRQ
will remain disabled forever.

For the error handling path in qcom_q6v5_wait_for_start(), disable_irq()
will end up being called twice, because disable_irq() also happens in
qcom_q6v5_unprepare() when rolling back the call to qcom_q6v5_prepare().

Fix this by dropping disable_irq() in qcom_q6v5_wait_for_start(). Since
qcom_q6v5_prepare() is the function that calls enable_irq(), it makes more
sense to have the rollback handled always by qcom_q6v5_unprepare().

Fixes: 3b415c8fb263 ("remoteproc: q6v5: Extract common resource handling")
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Link: https://lore.kernel.org/r/20250820-rproc-qcom-q6v5-fixes-v2-1-910b1a3aff71@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/remoteproc/qcom_q6v5.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/drivers/remoteproc/qcom_q6v5.c b/drivers/remoteproc/qcom_q6v5.c
index eaeb6aee6da5c..9c9beeb3bcd74 100644
--- a/drivers/remoteproc/qcom_q6v5.c
+++ b/drivers/remoteproc/qcom_q6v5.c
@@ -113,9 +113,6 @@ int qcom_q6v5_wait_for_start(struct qcom_q6v5 *q6v5, int timeout)
 	int ret;
 
 	ret = wait_for_completion_timeout(&q6v5->start_done, timeout);
-	if (!ret)
-		disable_irq(q6v5->handover_irq);
-
 	return !ret ? -ETIMEDOUT : 0;
 }
 EXPORT_SYMBOL_GPL(qcom_q6v5_wait_for_start);
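
Review bot: `qcom_q6v5_wait_for_start()` now returns -ETIMEDOUT with `handover_irq` still enabled, and nothing at the function says that the caller has to undo that. The commit message relies on the rollback going through `qcom_q6v5_unprepare()`; a comment or kernel-doc line on this function stating that a failed wait must be followed by `qcom_q6v5_unprepare()` would make the contract visible to anyone adding a new caller.
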
-- 
2.51.0





* [PATCH 5.4 062/224] NFSv4.1: fix backchannel max_resp_sz verification check
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 061/224] remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 063/224] ipvs: Defer ip_vs_ftp unregister during netns cleanup Greg Kroah-Hartman
                   ` (169 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Anthony Iliopoulos,
	Benjamin Coddington, Anna Schumaker, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Anthony Iliopoulos <ailiop@suse.com>

[ Upstream commit 191512355e520dfc45c8bc3b56d4de59c3ade33e ]

When the client max_resp_sz is larger than what the server encodes in
its reply, the nfs4_verify_back_channel_attrs() check fails and this
causes nfs4_proc_create_session() to fail, in cases where the client
page size is larger than that of the server and the server does not want
to negotiate upwards.

While this is not a problem with the linux nfs server that will reflect
the proposed value in its reply irrespective of the local page size,
other nfs server implementations may insist on their own max_resp_sz
value, which could be smaller.

Fix this by accepting smaller max_resp_sz values from the server, as
this does not violate the protocol. The server is allowed to decrease
but not increase the proposed size, and as such values smaller than the
client-proposed ones are valid.

Fixes: 43c2e885be25 ("nfs4: fix channel attribute sanity-checks")
Signed-off-by: Anthony Iliopoulos <ailiop@suse.com>
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/nfs/nfs4proc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index f511087d5e1c2..44770bb9017d5 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -8686,7 +8686,7 @@ static int nfs4_verify_back_channel_attrs(struct nfs41_create_session_args *args
 		goto out;
 	if (rcvd->max_rqst_sz > sent->max_rqst_sz)
 		return -EINVAL;
-	if (rcvd->max_resp_sz < sent->max_resp_sz)
+	if (rcvd->max_resp_sz > sent->max_resp_sz)
 		return -EINVAL;
 	if (rcvd->max_resp_sz_cached > sent->max_resp_sz_cached)
 		return -EINVAL;
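
Review bot: After the change to `rcvd->max_resp_sz > sent->max_resp_sz`, the checks visible in this hunk place only an upper bound on what the server returns, so a reply carrying a very small or zero max_resp_sz passes `nfs4_verify_back_channel_attrs()`. The direction of the comparison now matches the `max_rqst_sz` and `max_resp_sz_cached` checks around it, which is right, but it is worth confirming that a usable minimum is enforced somewhere before the back channel is set up, or adding a lower-bound check here.
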
-- 
2.51.0





* [PATCH 5.4 063/224] ipvs: Defer ip_vs_ftp unregister during netns cleanup
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 062/224] NFSv4.1: fix backchannel max_resp_sz verification check Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 064/224] scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() Greg Kroah-Hartman
                   ` (168 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Julian Anastasov, Slavin Liu,
	Florian Westphal, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Slavin Liu <slavin452@gmail.com>

[ Upstream commit 134121bfd99a06d44ef5ba15a9beb075297c0821 ]

On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp
before connections with valid cp->app pointers are flushed, leading to a
use-after-free.

Fix this by introducing a global `exiting_module` flag, set to true in
ip_vs_ftp_exit() before unregistering the pernet subsystem. In
__ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns
cleanup (when exiting_module is false) and defer it to
__ip_vs_cleanup_batch(), which unregisters all apps after all connections
are flushed. If called during module exit, unregister ip_vs_ftp
immediately.

Fixes: 61b1ab4583e2 ("IPVS: netns, add basic init per netns.")
Suggested-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Slavin Liu <slavin452@gmail.com>
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/ipvs/ip_vs_ftp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/ipvs/ip_vs_ftp.c b/net/netfilter/ipvs/ip_vs_ftp.c
index cf925906f59b6..67d0d4f1f0db1 100644
--- a/net/netfilter/ipvs/ip_vs_ftp.c
+++ b/net/netfilter/ipvs/ip_vs_ftp.c
@@ -53,6 +53,7 @@ enum {
 	IP_VS_FTP_EPSV,
 };
 
+static bool exiting_module;
 /*
  * List of ports (up to IP_VS_APP_MAX_PORTS) to be handled by helper
  * First port is set to the default port.
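
Review bot: `static bool exiting_module;` is placed directly on top of the block comment that documents the ports list, with no blank line and no comment of its own, so the existing comment now reads as if it described the flag. Add a blank line after the declaration and a one-line comment saying the flag is set only in ip_vs_ftp_exit() to tell module unload apart from netns cleanup.
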
@@ -607,7 +608,7 @@ static void __ip_vs_ftp_exit(struct net *net)
 {
 	struct netns_ipvs *ipvs = net_ipvs(net);
 
-	if (!ipvs)
+	if (!ipvs || !exiting_module)
 		return;
 
 	unregister_ip_vs_app(ipvs, &ip_vs_ftp);
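
Review bot: The `!exiting_module` half of `if (!ipvs || !exiting_module)` makes __ip_vs_ftp_exit() return without unregistering during netns cleanup, and there is no comment at the check saying who unregisters the app instead. The commit message names __ip_vs_cleanup_batch(); that belongs in a comment next to the test, because the early return otherwise looks like a leak. The flag is also a plain bool written in ip_vs_ftp_exit() and read here without any annotation, so the same comment should say why a netns cleanup running alongside module unload is safe whichever value it reads.
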
@@ -629,6 +630,7 @@ static int __init ip_vs_ftp_init(void)
  */
 static void __exit ip_vs_ftp_exit(void)
 {
+	exiting_module = true;
 	unregister_pernet_subsys(&ip_vs_ftp_ops);
 	/* rcu_barrier() is called by netns */
 }
-- 
2.51.0





* [PATCH 5.4 064/224] scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 063/224] ipvs: Defer ip_vs_ftp unregister during netns cleanup Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 065/224] usb: vhci-hcd: Prevent suspending virtually attached devices Greg Kroah-Hartman
                   ` (167 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ranjan Kumar, Martin K. Petersen,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ranjan Kumar <ranjan.kumar@broadcom.com>

[ Upstream commit 1703fe4f8ae50d1fb6449854e1fcaed1053e3a14 ]

During mpt3sas_transport_port_remove(), messages were logged with
dev_printk() against &mpt3sas_port->port->dev. At this point the SAS
transport device may already be partially unregistered or freed, leading
to a crash when accessing its struct device.

Use ioc_info(), which logs via the PCI device (ioc->pdev->dev),
guaranteed to remain valid until driver removal.

[83428.295776] Oops: general protection fault, probably for non-canonical address 0x6f702f323a33312d: 0000 [#1] SMP NOPTI
[83428.295785] CPU: 145 UID: 0 PID: 113296 Comm: rmmod Kdump: loaded Tainted: G           OE       6.16.0-rc1+ #1 PREEMPT(voluntary)
[83428.295792] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[83428.295795] Hardware name: Dell Inc. Precision 7875 Tower/, BIOS 89.1.67 02/23/2024
[83428.295799] RIP: 0010:__dev_printk+0x1f/0x70
[83428.295805] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 d1 48 85 f6 74 52 4c 8b 46 50 4d 85 c0 74 1f 48 8b 46 68 48 85 c0 74 22 <48> 8b 08 0f b6 7f 01 48 c7 c2 db e8 42 ad 83 ef 30 e9 7b f8 ff ff
[83428.295813] RSP: 0018:ff85aeafc3137bb0 EFLAGS: 00010206
[83428.295817] RAX: 6f702f323a33312d RBX: ff4290ee81292860 RCX: 5000cca25103be32
[83428.295820] RDX: ff85aeafc3137bb8 RSI: ff4290eeb1966c00 RDI: ffffffffc1560845
[83428.295823] RBP: ff85aeafc3137c18 R08: 74726f702f303a33 R09: ff85aeafc3137bb8
[83428.295826] R10: ff85aeafc3137b18 R11: ff4290f5bd60fe68 R12: ff4290ee81290000
[83428.295830] R13: ff4290ee6e345de0 R14: ff4290ee81290000 R15: ff4290ee6e345e30
[83428.295833] FS:  00007fd9472a6740(0000) GS:ff4290f5ce96b000(0000) knlGS:0000000000000000
[83428.295837] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[83428.295840] CR2: 00007f242b4db238 CR3: 00000002372b8006 CR4: 0000000000771ef0
[83428.295844] PKRU: 55555554
[83428.295846] Call Trace:
[83428.295848]  <TASK>
[83428.295850]  _dev_printk+0x5c/0x80
[83428.295857]  ? srso_alias_return_thunk+0x5/0xfbef5
[83428.295863]  mpt3sas_transport_port_remove+0x1c7/0x420 [mpt3sas]
[83428.295882]  _scsih_remove_device+0x21b/0x280 [mpt3sas]
[83428.295894]  ? _scsih_expander_node_remove+0x108/0x140 [mpt3sas]
[83428.295906]  ? srso_alias_return_thunk+0x5/0xfbef5
[83428.295910]  mpt3sas_device_remove_by_sas_address.part.0+0x8f/0x110 [mpt3sas]
[83428.295921]  _scsih_expander_node_remove+0x129/0x140 [mpt3sas]
[83428.295933]  _scsih_expander_node_remove+0x6a/0x140 [mpt3sas]
[83428.295944]  scsih_remove+0x3f0/0x4a0 [mpt3sas]
[83428.295957]  pci_device_remove+0x3b/0xb0
[83428.295962]  device_release_driver_internal+0x193/0x200
[83428.295968]  driver_detach+0x44/0x90
[83428.295971]  bus_remove_driver+0x69/0xf0
[83428.295975]  pci_unregister_driver+0x2a/0xb0
[83428.295979]  _mpt3sas_exit+0x1f/0x300 [mpt3sas]
[83428.295991]  __do_sys_delete_module.constprop.0+0x174/0x310
[83428.295997]  ? srso_alias_return_thunk+0x5/0xfbef5
[83428.296000]  ? __x64_sys_getdents64+0x9a/0x110
[83428.296005]  ? srso_alias_return_thunk+0x5/0xfbef5
[83428.296009]  ? syscall_trace_enter+0xf6/0x1b0
[83428.296014]  do_syscall_64+0x7b/0x2c0
[83428.296019]  ? srso_alias_return_thunk+0x5/0xfbef5
[83428.296023]  entry_SYSCALL_64_after_hwframe+0x76/0x7e

Fixes: f92363d12359 ("[SCSI] mpt3sas: add new driver supporting 12GB SAS")
Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/mpt3sas/mpt3sas_transport.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c
index ebe78ec42da8b..a355471cf079b 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_transport.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c
@@ -812,11 +812,9 @@ mpt3sas_transport_port_remove(struct MPT3SAS_ADAPTER *ioc, u64 sas_address,
 	list_for_each_entry_safe(mpt3sas_phy, next_phy,
 	    &mpt3sas_port->phy_list, port_siblings) {
 		if ((ioc->logging_level & MPT_DEBUG_TRANSPORT))
-			dev_printk(KERN_INFO, &mpt3sas_port->port->dev,
-			    "remove: sas_addr(0x%016llx), phy(%d)\n",
-			    (unsigned long long)
-			    mpt3sas_port->remote_identify.sas_address,
-			    mpt3sas_phy->phy_id);
+			ioc_info(ioc, "remove: sas_addr(0x%016llx), phy(%d)\n",
+				(unsigned long long) mpt3sas_port->remote_identify.sas_address,
+					mpt3sas_phy->phy_id);
 		mpt3sas_phy->phy_belongs_to_port = 0;
 		if (!ioc->remove_host)
 			sas_port_delete_phy(mpt3sas_port->port,
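
Review bot: The continuation lines of the new `ioc_info(...)` call are indented unevenly: the cast line sits one tab deeper than the call and the `mpt3sas_phy->phy_id` line a further tab deeper, and the cast line runs well past 80 columns with a space after `(unsigned long long)`. Aligning both continuation lines with the first argument and breaking after the cast, as the removed `dev_printk()` did, would keep the change to the one thing it is about, which is the device used for logging.
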
-- 
2.51.0





* [PATCH 5.4 065/224] usb: vhci-hcd: Prevent suspending virtually attached devices
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 064/224] scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 066/224] RDMA/siw: Always report immediate post SQ errors Greg Kroah-Hartman
                   ` (166 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Cristian Ciocaltea, Shuah Khan,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>

[ Upstream commit e40b984b6c4ce3f80814f39f86f87b2a48f2e662 ]

The VHCI platform driver aims to forbid entering system suspend when at
least one of the virtual USB ports is bound to an active USB/IP
connection.

However, in some cases, the detection logic doesn't work reliably, i.e.
when all devices attached to the virtual root hub have been already
suspended, leading to a broken suspend state, with unrecoverable resume.

Ensure the virtually attached devices do not enter suspend by setting
the syscore PM flag.  Note this is currently limited to the client side
only, since the server side doesn't implement system suspend prevention.

Fixes: 04679b3489e0 ("Staging: USB/IP: add client driver")
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Link: https://lore.kernel.org/r/20250902-vhci-hcd-suspend-fix-v3-1-864e4e833559@collabora.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/usbip/vhci_hcd.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
index ee8fa558e3edd..d31b7e5895ce8 100644
--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -765,6 +765,17 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
 				 ctrlreq->wValue, vdev->rhport);
 
 			vdev->udev = usb_get_dev(urb->dev);
+			/*
+			 * NOTE: A similar operation has been done via
+			 * USB_REQ_GET_DESCRIPTOR handler below, which is
+			 * supposed to always precede USB_REQ_SET_ADDRESS.
+			 *
+			 * It's not entirely clear if operating on a different
+			 * usb_device instance here is a real possibility,
+			 * otherwise this call and vdev->udev assignment above
+			 * should be dropped.
+			 */
+			dev_pm_syscore_device(&vdev->udev->dev, true);
 			usb_put_dev(old);
 
 			spin_lock(&vdev->ud.lock);
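
Review bot: The comment added above the first `dev_pm_syscore_device(&vdev->udev->dev, true)` leaves an open question in the code: it says it is "not entirely clear" whether a different usb_device instance can appear in the USB_REQ_SET_ADDRESS path, and that otherwise this call and the `vdev->udev` assignment should be dropped. That should be settled before the change lands, or the comment cut down to what is known, since a later reader cannot tell from it whether the call is required or only defensive.
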
@@ -785,6 +796,17 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
 					"Not yet?:Get_Descriptor to device 0 (get max pipe size)\n");
 
 			vdev->udev = usb_get_dev(urb->dev);
+			/*
+			 * Set syscore PM flag for the virtually attached
+			 * devices to ensure they will not enter suspend on
+			 * the client side.
+			 *
+			 * Note this doesn't have any impact on the physical
+			 * devices attached to the host system on the server
+			 * side, hence there is no need to undo the operation
+			 * on disconnect.
+			 */
+			dev_pm_syscore_device(&vdev->udev->dev, true);
 			usb_put_dev(old);
 			goto out;
 
-- 
2.51.0





* [PATCH 5.4 066/224] RDMA/siw: Always report immediate post SQ errors
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Stefan Metzmacher, Bernard Metzler,
	Jason Gunthorpe, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bernard Metzler <bernard.metzler@linux.dev>

[ Upstream commit fdd0fe94d68649322e391c5c27dd9f436b4e955e ]

In siw_post_send(), any immediate error encountered during processing of
the work request list must be reported to the caller, even if previous
work requests in that list were just accepted and added to the send queue.

Not reporting those errors confuses the caller, which would wait
indefinitely for the failing and potentially subsequently aborted work
requests completion.

This fixes a case where immediate errors were overwritten by subsequent
code in siw_post_send().

Fixes: 303ae1cdfdf7 ("rdma/siw: application interface")
Link: https://patch.msgid.link/r/20250923144536.103825-1-bernard.metzler@linux.dev
Suggested-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Bernard Metzler <bernard.metzler@linux.dev>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/sw/siw/siw_verbs.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/drivers/infiniband/sw/siw/siw_verbs.c b/drivers/infiniband/sw/siw/siw_verbs.c
index 236f9efaa75ce..b5a845985ba4c 100644
--- a/drivers/infiniband/sw/siw/siw_verbs.c
+++ b/drivers/infiniband/sw/siw/siw_verbs.c
@@ -779,7 +779,7 @@ int siw_post_send(struct ib_qp *base_qp, const struct ib_send_wr *wr,
 	struct siw_wqe *wqe = tx_wqe(qp);
 
 	unsigned long flags;
-	int rv = 0;
+	int rv = 0, imm_err = 0;
 
 	if (wr && !qp->kernel_verbs) {
 		siw_dbg_qp(qp, "wr must be empty for user mapped sq\n");
@@ -965,9 +965,17 @@ int siw_post_send(struct ib_qp *base_qp, const struct ib_send_wr *wr,
 	 * Send directly if SQ processing is not in progress.
 	 * Eventual immediate errors (rv < 0) do not affect the involved
 	 * RI resources (Verbs, 8.3.1) and thus do not prevent from SQ
-	 * processing, if new work is already pending. But rv must be passed
-	 * to caller.
+	 * processing, if new work is already pending. But rv and pointer
+	 * to failed work request must be passed to caller.
 	 */
+	if (unlikely(rv < 0)) {
+		/*
+		 * Immediate error
+		 */
+		siw_dbg_qp(qp, "Immediate error %d\n", rv);
+		imm_err = rv;
+		*bad_wr = wr;
+	}
 	if (wqe->wr_status != SIW_WR_IDLE) {
 		spin_unlock_irqrestore(&qp->sq_lock, flags);
 		goto skip_direct_sending;
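Review bot: The reworded comment above the new `if (unlikely(rv < 0))` block still says that rv is what gets passed to the caller, but the block exists because rv is latched into imm_err for the final return. Name imm_err in that comment so the reason for the second variable is on record. The three-line `/* Immediate error */` comment inside the block repeats the siw_dbg_qp() string and can be dropped.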
@@ -992,15 +1000,10 @@ int siw_post_send(struct ib_qp *base_qp, const struct ib_send_wr *wr,
 
 	up_read(&qp->state_lock);
 
-	if (rv >= 0)
-		return 0;
-	/*
-	 * Immediate error
-	 */
-	siw_dbg_qp(qp, "error %d\n", rv);
+	if (unlikely(imm_err))
+		return imm_err;
 
-	*bad_wr = wr;
-	return rv;
+	return (rv >= 0) ? 0 : rv;
 }
 
 /*
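Review bot: In the final `return (rv >= 0) ? 0 : rv;`, a negative rv with imm_err == 0 now reaches the caller without `*bad_wr` being assigned on this path, because that assignment moved into the imm_err block. If that combination is expected (an error from the direct-send step after the whole list was queued), a comment should say what the caller will find in *bad_wr; an explicit `if (rv < 0) return rv; return 0;` would also read more clearly than the ternary.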
-- 
2.51.0





* [PATCH 5.4 067/224] net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michal Pecio, I Viswanath,
	Jakub Kicinski, Sasha Levin, syzbot+78cae3f37c62ad092caa

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: I Viswanath <viswanathiyyappan@gmail.com>

[ Upstream commit 958baf5eaee394e5fd976979b0791a875f14a179 ]

syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb.
This is the sequence of events that leads to the warning:

rtl8150_start_xmit() {
	netif_stop_queue();
	usb_submit_urb(dev->tx_urb);
}

rtl8150_set_multicast() {
	netif_stop_queue();
	netif_wake_queue();		<-- wakes up TX queue before URB is done
}

rtl8150_start_xmit() {
	netif_stop_queue();
	usb_submit_urb(dev->tx_urb);	<-- double submission
}

rtl8150_set_multicast being the ndo_set_rx_mode callback should not be
calling netif_stop_queue and notif_start_queue as these handle
TX queue synchronization.

The net core function dev_set_rx_mode handles the synchronization
for rtl8150_set_multicast making it safe to remove these locks.

Reported-and-tested-by: syzbot+78cae3f37c62ad092caa@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=78cae3f37c62ad092caa
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Tested-by: Michal Pecio <michal.pecio@gmail.com>
Signed-off-by: I Viswanath <viswanathiyyappan@gmail.com>
Link: https://patch.msgid.link/20250924134350.264597-1-viswanathiyyappan@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/rtl8150.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index 3829b7eb3fc90..1df289e7c1304 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -684,7 +684,6 @@ static void rtl8150_set_multicast(struct net_device *netdev)
 	rtl8150_t *dev = netdev_priv(netdev);
 	u16 rx_creg = 0x9e;
 
-	netif_stop_queue(netdev);
 	if (netdev->flags & IFF_PROMISC) {
 		rx_creg |= 0x0001;
 		dev_info(&netdev->dev, "%s: promiscuous mode\n", netdev->name);
@@ -698,7 +697,6 @@ static void rtl8150_set_multicast(struct net_device *netdev)
 		rx_creg &= 0x00fc;
 	}
 	async_set_registers(dev, RCR, sizeof(rx_creg), rx_creg);
-	netif_wake_queue(netdev);
 }
 
 static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
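Review bot: With netif_stop_queue() and netif_wake_queue() removed, rtl8150_set_multicast() relies entirely on its caller for serialization (dev_set_rx_mode, per the commit message), and nothing in the function records that. A one-line comment at the top stating that this ndo_set_rx_mode callback must not change TX queue state, since rtl8150_start_xmit() stops the queue while tx_urb is in flight, would guard against the wake being added back later.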
-- 
2.51.0





* [PATCH 5.4 068/224] ocfs2: fix double free in user_cluster_connect()
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Joseph Qi,
	Goldwyn Rodrigues, Mark Fasheh, Joel Becker, Junxiao Bi,
	Changwei Ge, Jun Piao, Andrew Morton, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@linaro.org>

[ Upstream commit 8f45f089337d924db24397f55697cda0e6960516 ]

user_cluster_disconnect() frees "conn->cc_private" which is "lc" but then
the error handling frees "lc" a second time.  Set "lc" to NULL on this
path to avoid a double free.

Link: https://lkml.kernel.org/r/aNKDz_7JF7aycZ0k@stanley.mountain
Fixes: c994c2ebdbbc ("ocfs2: use the new DLM operation callbacks while requesting new lockspace")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reviewed-by: Goldwyn Rodrigues <rgoldwyn@suse.de>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ocfs2/stack_user.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/ocfs2/stack_user.c b/fs/ocfs2/stack_user.c
index 7397064c3f359..c7a0625954c60 100644
--- a/fs/ocfs2/stack_user.c
+++ b/fs/ocfs2/stack_user.c
@@ -1032,6 +1032,7 @@ static int user_cluster_connect(struct ocfs2_cluster_connection *conn)
 			printk(KERN_ERR "ocfs2: Could not determine"
 					" locking version\n");
 			user_cluster_disconnect(conn);
+			lc = NULL;
 			goto out;
 		}
 		wait_event(lc->oc_wait, (atomic_read(&lc->oc_this_node) > 0));
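Review bot: The added `lc = NULL;` is not self-explanatory at the call site: nothing in these lines shows that user_cluster_disconnect(conn) has already released lc through conn->cc_private, so the assignment looks like a leak to a later reader. A short comment such as "freed by user_cluster_disconnect()" on that line would keep it from being removed as dead code.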
-- 
2.51.0





* [PATCH 5.4 069/224] drivers/base/node: fix double free in register_one_node()
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Donet Tom, David Hildenbrand,
	Oscar Salvador, Alison Schofield, Chris Mason, Danilo Krummrich,
	Dave Jiang, Hiroyouki Kamezawa, Joanthan Cameron,
	Ritesh Harjani (IBM), Yury Norov (NVIDIA), Zi Yan, Andrew Morton,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Donet Tom <donettom@linux.ibm.com>

[ Upstream commit 0efdedfa537eb534c251a5b4794caaf72cc55869 ]

When device_register() fails in register_node(), it calls
put_device(&node->dev).  This triggers node_device_release(), which calls
kfree(to_node(dev)), thereby freeing the entire node structure.

As a result, when register_node() returns an error, the node memory has
already been freed.  Calling kfree(node) again in register_one_node()
leads to a double free.

This patch removes the redundant kfree(node) from register_one_node() to
prevent the double free.

Link: https://lkml.kernel.org/r/20250918054144.58980-1-donettom@linux.ibm.com
Fixes: 786eb990cfb7 ("drivers/base/node: handle error properly in register_one_node()")
Signed-off-by: Donet Tom <donettom@linux.ibm.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Oscar Salvador <osalvador@suse.de>
Cc: Alison Schofield <alison.schofield@intel.com>
Cc: Chris Mason <clm@meta.com>
Cc: Danilo Krummrich <dakr@kernel.org>
Cc: Dave Jiang <dave.jiang@intel.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Hiroyouki Kamezawa <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Joanthan Cameron <Jonathan.Cameron@huawei.com>
Cc: "Ritesh Harjani (IBM)" <ritesh.list@gmail.com>
Cc: Yury Norov (NVIDIA) <yury.norov@gmail.com>
Cc: Zi Yan <ziy@nvidia.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/base/node.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/base/node.c b/drivers/base/node.c
index cb1bbe3068ab6..83b13a295bbe6 100644
--- a/drivers/base/node.c
+++ b/drivers/base/node.c
@@ -940,7 +940,6 @@ int __register_one_node(int nid)
 	error = register_node(node_devices[nid], nid);
 	if (error) {
 		node_devices[nid] = NULL;
-		kfree(node);
 		return error;
 	}
 
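Review bot: With `kfree(node);` removed, the error branch still leaves the local `node` pointing at memory that, per the commit message, register_node() has already released through put_device(). A comment on the branch stating that register_node() consumes the allocation on failure would stop the kfree from being re-added as an apparent leak fix.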
-- 
2.51.0





* [PATCH 5.4 070/224] nfp: fix RSS hash key size when RSS is not supported
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Kohei Enju, Jakub Kicinski,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kohei Enju <enjuk@amazon.com>

[ Upstream commit 8425161ac1204d2185e0a10f5ae652bae75d2451 ]

The nfp_net_get_rxfh_key_size() function returns -EOPNOTSUPP when
devices don't support RSS, and callers treat the negative value as a
large positive value since the return type is u32.

Return 0 when devices don't support RSS, aligning with the ethtool
interface .get_rxfh_key_size() that requires returning 0 in such cases.

Fixes: 9ff304bfaf58 ("nfp: add support for reporting CRC32 hash function")
Signed-off-by: Kohei Enju <enjuk@amazon.com>
Link: https://patch.msgid.link/20250929054230.68120-1-enjuk@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
index ff88103571819..6e1707ef391dd 100644
--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
+++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
@@ -914,7 +914,7 @@ static u32 nfp_net_get_rxfh_key_size(struct net_device *netdev)
 	struct nfp_net *nn = netdev_priv(netdev);
 
 	if (!(nn->cap & NFP_NET_CFG_CTRL_RSS_ANY))
-		return -EOPNOTSUPP;
+		return 0;
 
 	return nfp_net_rss_key_sz(nn);
 }
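Review bot: Returning 0 from the `!(nn->cap & NFP_NET_CFG_CTRL_RSS_ANY)` branch is correct for a u32 return type, but nothing at the site says that 0 is the "no key" value the ethtool .get_rxfh_key_size() contract expects. A one-line comment there would keep a later change from reintroducing a negative errno in a u32-returning callback, where it turns into a very large size.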
-- 
2.51.0





* [PATCH 5.4 071/224] net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not configurable
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Kohei Enju, Jakub Kicinski,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kohei Enju <enjuk@amazon.com>

[ Upstream commit f017156aea60db8720e47591ed1e041993381ad2 ]

In EC2 instances where the RSS hash key is not configurable, ethtool
shows bogus RSS hash key since ena_get_rxfh_key_size() unconditionally
returns ENA_HASH_KEY_SIZE.

Commit 6a4f7dc82d1e ("net: ena: rss: do not allocate key when not
supported") added proper handling for devices that don't support RSS
hash key configuration, but ena_get_rxfh_key_size() has been unchanged.

When the RSS hash key is not configurable, return 0 instead of
ENA_HASH_KEY_SIZE to clarify getting the value is not supported.

Tested on m5 instance families.

Without patch:
 # ethtool -x ens5 | grep -A 1 "RSS hash key"
 RSS hash key:
 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

With patch:
 # ethtool -x ens5 | grep -A 1 "RSS hash key"
 RSS hash key:
 Operation not supported

Fixes: 6a4f7dc82d1e ("net: ena: rss: do not allocate key when not supported")
Signed-off-by: Kohei Enju <enjuk@amazon.com>
Link: https://patch.msgid.link/20250929050247.51680-1-enjuk@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/amazon/ena/ena_ethtool.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/amazon/ena/ena_ethtool.c b/drivers/net/ethernet/amazon/ena/ena_ethtool.c
index ae631b8770fc1..5f037e9db023a 100644
--- a/drivers/net/ethernet/amazon/ena/ena_ethtool.c
+++ b/drivers/net/ethernet/amazon/ena/ena_ethtool.c
@@ -633,7 +633,10 @@ static u32 ena_get_rxfh_indir_size(struct net_device *netdev)
 
 static u32 ena_get_rxfh_key_size(struct net_device *netdev)
 {
-	return ENA_HASH_KEY_SIZE;
+	struct ena_adapter *adapter = netdev_priv(netdev);
+	struct ena_rss *rss = &adapter->ena_dev->rss;
+
+	return rss->hash_key ? ENA_HASH_KEY_SIZE : 0;
 }
 
 static int ena_indirection_table_get(struct ena_adapter *adapter, u32 *indir)
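Review bot: `rss->hash_key ? ENA_HASH_KEY_SIZE : 0` uses the pointer's NULL-ness as the capability check, which only holds while hash_key stays NULL on devices without a configurable key (the behaviour the commit message attributes to 6a4f7dc82d1e). That invariant should be stated in a comment on the return, so a future change that allocates the key unconditionally does not silently bring back the bogus all-zero key output.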
-- 
2.51.0





* [PATCH 5.4 072/224] Revert "net/mlx5e: Update and set Xon/Xoff upon MTU set"
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Tariq Toukan,
	Paolo Abeni, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 6f5dacf88a32b3fd8b52c8ea781bf188c42aaa95 ]

This reverts commit ceddedc969f0532b7c62ca971ee50d519d2bc0cb.

Commit in question breaks the mapping of PGs to pools for some SKUs.
Specifically multi-host NICs seem to be shipped with a custom buffer
configuration which maps the lossy PG to pool 4. But the bad commit
overrides this with pool 0 which does not have sufficient buffer space
reserved. Resulting in ~40% packet loss. The commit also breaks BMC /
OOB connection completely (100% packet loss).

Revert, similarly to commit 3fbfe251cc9f ("Revert "net/mlx5e: Update and
set Xon/Xoff upon port speed set""). The breakage is exactly the same,
the only difference is that quoted commit would break the NIC immediately
on boot, and the currently reverted commit only when MTU is changed.

Note: "good" kernels do not restore the configuration, so downgrade isn't
enough to recover machines. A NIC power cycle seems to be necessary to
return to a healthy state (or overriding the relevant registers using
a custom patch).

Fixes: ceddedc969f0 ("net/mlx5e: Update and set Xon/Xoff upon MTU set")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20250929181529.1848157-1-kuba@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h |   12 ----------
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c        |   17 ---------------
 2 files changed, 1 insertion(+), 28 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h
@@ -64,23 +64,11 @@ struct mlx5e_port_buffer {
 	struct mlx5e_bufferx_reg  buffer[MLX5E_MAX_BUFFER];
 };
 
-#ifdef CONFIG_MLX5_CORE_EN_DCB
 int mlx5e_port_manual_buffer_config(struct mlx5e_priv *priv,
 				    u32 change, unsigned int mtu,
 				    struct ieee_pfc *pfc,
 				    u32 *buffer_size,
 				    u8 *prio2buffer);
-#else
-static inline int
-mlx5e_port_manual_buffer_config(struct mlx5e_priv *priv,
-				u32 change, unsigned int mtu,
-				void *pfc,
-				u32 *buffer_size,
-				u8 *prio2buffer)
-{
-	return 0;
-}
-#endif
 
 int mlx5e_port_query_buffer(struct mlx5e_priv *priv,
 			    struct mlx5e_port_buffer *port_buffer);
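Review bot: Dropping the `#else` static inline stub leaves mlx5e_port_manual_buffer_config() declared for every configuration, so any caller built without CONFIG_MLX5_CORE_EN_DCB would presumably fail at link time instead of getting a no-op. The only caller visible in this patch is the one removed from mlx5e_set_dev_port_mtu(); it is worth confirming that no other non-DCB caller exists in the 5.4 tree before this is applied.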
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -42,7 +42,6 @@
 #include "eswitch.h"
 #include "en.h"
 #include "en/txrx.h"
-#include "en/port_buffer.h"
 #include "en_tc.h"
 #include "en_rep.h"
 #include "en_accel/ipsec.h"
@@ -2895,11 +2894,9 @@ int mlx5e_set_dev_port_mtu(struct mlx5e_
 	struct mlx5e_params *params = &priv->channels.params;
 	struct net_device *netdev = priv->netdev;
 	struct mlx5_core_dev *mdev = priv->mdev;
-	u16 mtu, prev_mtu;
+	u16 mtu;
 	int err;
 
-	mlx5e_query_mtu(mdev, params, &prev_mtu);
-
 	err = mlx5e_set_mtu(mdev, params, params->sw_mtu);
 	if (err)
 		return err;
@@ -2909,18 +2906,6 @@ int mlx5e_set_dev_port_mtu(struct mlx5e_
 		netdev_warn(netdev, "%s: VPort MTU %d is different than netdev mtu %d\n",
 			    __func__, mtu, params->sw_mtu);
 
-	if (mtu != prev_mtu && MLX5_BUFFER_SUPPORTED(mdev)) {
-		err = mlx5e_port_manual_buffer_config(priv, 0, mtu,
-						      NULL, NULL, NULL);
-		if (err) {
-			netdev_warn(netdev, "%s: Failed to set Xon/Xoff values with MTU %d (err %d), setting back to previous MTU %d\n",
-				    __func__, mtu, err, prev_mtu);
-
-			mlx5e_set_mtu(mdev, params, prev_mtu);
-			return err;
-		}
-	}
-
 	params->sw_mtu = mtu;
 	return 0;
 }




* [PATCH 5.4 073/224] Squashfs: fix uninit-value in squashfs_get_parent
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Phillip Lougher,
	syzbot+157bdef5cf596ad0da2c, Andrew Morton

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Phillip Lougher <phillip@squashfs.org.uk>

commit 74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf upstream.

Syzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug.

This is caused by open_by_handle_at() being called with a file handle
containing an invalid parent inode number.  In particular the inode number
is that of a symbolic link, rather than a directory.

Squashfs_get_parent() gets called with that symbolic link inode, and
accesses the parent member field.

	unsigned int parent_ino = squashfs_i(inode)->parent;

Because non-directory inodes in Squashfs do not have a parent value, this
is uninitialised, and this causes an uninitialised value access.

The fix is to initialise parent with the invalid inode 0, which will cause
an EINVAL error to be returned.

Regular inodes used to share the parent field with the block_list_start
field.  This is removed in this commit to enable the parent field to
contain the invalid inode number 0.

Link: https://lkml.kernel.org/r/20250918233308.293861-1-phillip@squashfs.org.uk
Fixes: 122601408d20 ("Squashfs: export operations")
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Reported-by: syzbot+157bdef5cf596ad0da2c@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68cc2431.050a0220.139b6.0001.GAE@google.com/
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/squashfs/inode.c         |    7 +++++++
 fs/squashfs/squashfs_fs_i.h |    2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

--- a/fs/squashfs/inode.c
+++ b/fs/squashfs/inode.c
@@ -165,6 +165,7 @@ int squashfs_read_inode(struct inode *in
 		squashfs_i(inode)->start = le32_to_cpu(sqsh_ino->start_block);
 		squashfs_i(inode)->block_list_start = block;
 		squashfs_i(inode)->offset = offset;
+		squashfs_i(inode)->parent = 0;
 		inode->i_data.a_ops = &squashfs_aops;
 
 		TRACE("File inode %x:%x, start_block %llx, block_list_start "
@@ -212,6 +213,7 @@ int squashfs_read_inode(struct inode *in
 		squashfs_i(inode)->start = le64_to_cpu(sqsh_ino->start_block);
 		squashfs_i(inode)->block_list_start = block;
 		squashfs_i(inode)->offset = offset;
+		squashfs_i(inode)->parent = 0;
 		inode->i_data.a_ops = &squashfs_aops;
 
 		TRACE("File inode %x:%x, start_block %llx, block_list_start "
@@ -292,6 +294,7 @@ int squashfs_read_inode(struct inode *in
 		inode->i_mode |= S_IFLNK;
 		squashfs_i(inode)->start = block;
 		squashfs_i(inode)->offset = offset;
+		squashfs_i(inode)->parent = 0;
 
 		if (type == SQUASHFS_LSYMLINK_TYPE) {
 			__le32 xattr;
@@ -329,6 +332,7 @@ int squashfs_read_inode(struct inode *in
 		set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
 		rdev = le32_to_cpu(sqsh_ino->rdev);
 		init_special_inode(inode, inode->i_mode, new_decode_dev(rdev));
+		squashfs_i(inode)->parent = 0;
 
 		TRACE("Device inode %x:%x, rdev %x\n",
 				SQUASHFS_INODE_BLK(ino), offset, rdev);
@@ -353,6 +357,7 @@ int squashfs_read_inode(struct inode *in
 		set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
 		rdev = le32_to_cpu(sqsh_ino->rdev);
 		init_special_inode(inode, inode->i_mode, new_decode_dev(rdev));
+		squashfs_i(inode)->parent = 0;
 
 		TRACE("Device inode %x:%x, rdev %x\n",
 				SQUASHFS_INODE_BLK(ino), offset, rdev);
@@ -373,6 +378,7 @@ int squashfs_read_inode(struct inode *in
 			inode->i_mode |= S_IFSOCK;
 		set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
 		init_special_inode(inode, inode->i_mode, 0);
+		squashfs_i(inode)->parent = 0;
 		break;
 	}
 	case SQUASHFS_LFIFO_TYPE:
@@ -392,6 +398,7 @@ int squashfs_read_inode(struct inode *in
 		inode->i_op = &squashfs_inode_ops;
 		set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
 		init_special_inode(inode, inode->i_mode, 0);
+		squashfs_i(inode)->parent = 0;
 		break;
 	}
 	default:
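Review bot: The same `squashfs_i(inode)->parent = 0;` line is added in seven separate inode-type branches of squashfs_read_inode() across the hunks above, so any non-directory type added later has to remember it as well. Setting parent to 0 once before the switch, and letting the directory branches overwrite it, would make the safe value the default by construction.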
--- a/fs/squashfs/squashfs_fs_i.h
+++ b/fs/squashfs/squashfs_fs_i.h
@@ -16,6 +16,7 @@ struct squashfs_inode_info {
 	u64		xattr;
 	unsigned int	xattr_size;
 	int		xattr_count;
+	int		parent;
 	union {
 		struct {
 			u64		fragment_block;
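Review bot: `int parent;` is declared signed, while the commit message shows squashfs_get_parent() reading it into `unsigned int parent_ino`, and 0 now serves as the "no parent" sentinel. Declaring the field `unsigned int` would match its consumer, and a short comment on the field noting that 0 means invalid for non-directory inodes would document the new contract.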
@@ -27,7 +28,6 @@ struct squashfs_inode_info {
 			u64		dir_idx_start;
 			int		dir_idx_offset;
 			int		dir_idx_cnt;
-			int		parent;
 		};
 	};
 	struct inode	vfs_inode;




* [PATCH 5.4 074/224] uio_hv_generic: Let userspace take care of interrupt mask
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, John Starks, Naman Jain,
	Michael Kelley, Long Li, Tianyu Lan

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Naman Jain <namjain@linux.microsoft.com>

commit b15b7d2a1b09ef5428a8db260251897405a19496 upstream.

Remove the logic to set interrupt mask by default in uio_hv_generic
driver as the interrupt mask value is supposed to be controlled
completely by the user space. If the mask bit gets changed
by the driver, concurrently with user mode operating on the ring,
the mask bit may be set when it is supposed to be clear, and the
user-mode driver will miss an interrupt which will cause a hang.

For example, when the driver sets inbound ring buffer interrupt mask to 1,
the host does not interrupt the guest on the UIO VMBus channel.
However, setting the mask does not prevent the host from putting a
message in the inbound ring buffer. So let’s assume that happens,
the host puts a message into the ring buffer but does not interrupt.

Subsequently, the user space code in the guest sets the inbound ring
buffer interrupt mask to 0, saying “Hey, I’m ready for interrupts”.
User space code then calls pread() to wait for an interrupt.
Then one of two things happens:

* The host never sends another message. So the pread() waits forever.
* The host does send another message. But because there’s already a
  message in the ring buffer, it doesn’t generate an interrupt.
  This is the correct behavior, because the host should only send an
  interrupt when the inbound ring buffer transitions from empty to
  not-empty. Adding an additional message to a ring buffer that is not
  empty is not supposed to generate an interrupt on the guest.
  Since the guest is waiting in pread() and not removing messages from
  the ring buffer, the pread() waits forever.

This could be easily reproduced in hv_fcopy_uio_daemon if we delay
setting interrupt mask to 0.

Similarly if hv_uio_channel_cb() sets the interrupt_mask to 1,
there’s a race condition. Once user space empties the inbound ring
buffer, but before user space sets interrupt_mask to 0, the host could
put another message in the ring buffer but it wouldn’t interrupt.
Then the next pread() would hang.

Fix these by removing all instances where interrupt_mask is changed,
while keeping the one in set_event() unchanged to enable userspace to
control the interrupt mask by writing 0/1 to /dev/uioX.

Fixes: 95096f2fbd10 ("uio-hv-generic: new userspace i/o driver for VMBus")
Suggested-by: John Starks <jostarks@microsoft.com>
Signed-off-by: Naman Jain <namjain@linux.microsoft.com>
Cc: stable@vger.kernel.org
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Reviewed-by: Long Li <longli@microsoft.com>
Reviewed-by: Tianyu Lan <tiala@microsoft.com>
Tested-by: Tianyu Lan <tiala@microsoft.com>
Link: https://lore.kernel.org/r/20250828044200.492030-1-namjain@linux.microsoft.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/uio/uio_hv_generic.c |    7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

--- a/drivers/uio/uio_hv_generic.c
+++ b/drivers/uio/uio_hv_generic.c
@@ -96,7 +96,6 @@ static void hv_uio_channel_cb(void *cont
 	struct hv_device *hv_dev = chan->device_obj;
 	struct hv_uio_private_data *pdata = hv_get_drvdata(hv_dev);
 
-	chan->inbound.ring_buffer->interrupt_mask = 1;
 	virt_mb();
 
 	uio_event_notify(&pdata->info);
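Review bot: With `chan->inbound.ring_buffer->interrupt_mask = 1;` removed from hv_uio_channel_cb(), the `virt_mb();` left behind no longer follows any store in this function. Either add a comment saying what it still orders before uio_event_notify(), or drop it if the mask write was its only reason for being there.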
@@ -173,8 +172,6 @@ hv_uio_new_channel(struct vmbus_channel
 		return;
 	}
 
-	/* Disable interrupts on sub channel */
-	new_sc->inbound.ring_buffer->interrupt_mask = 1;
 	set_channel_read_mode(new_sc, HV_CALL_ISR);
 
 	ret = sysfs_create_bin_file(&new_sc->kobj, &ring_buffer_bin_attr);
@@ -218,9 +215,7 @@ hv_uio_open(struct uio_info *info, struc
 
 	ret = vmbus_connect_ring(dev->channel,
 				 hv_uio_channel_cb, dev->channel);
-	if (ret == 0)
-		dev->channel->inbound.ring_buffer->interrupt_mask = 1;
-	else
+	if (ret)
 		atomic_dec(&pdata->refcnt);
 
 	return ret;



^ permalink raw reply	[flat|nested] 234+ messages in thread
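
The two lost-interrupt sequences described in the uio_hv_generic commit message above, as an added single-threaded C model; it is not code from the patch or the kernel. The ring struct and all function names are hypothetical, and the model assumes the mask starts clear and that the host interrupts only on an empty to not-empty transition with the mask clear, as the message states.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of one inbound ring, reduced to what the commit
 * message reasons about. */
struct ring {
	unsigned int queued;         /* messages waiting in the ring */
	unsigned int interrupt_mask; /* 1 = host must not interrupt */
	unsigned int irqs;           /* interrupts delivered, not yet consumed */
};

/* Host: enqueue; interrupt only on empty -> not-empty with mask clear. */
static void host_put(struct ring *r)
{
	bool was_empty = (r->queued == 0);

	r->queued++;
	if (was_empty && r->interrupt_mask == 0)
		r->irqs++;
}

/* Guest user space: models pread() on /dev/uioX. Returns false where the
 * real call would block forever because no interrupt is pending. */
static bool guest_pread_returns(struct ring *r)
{
	if (r->irqs == 0)
		return false;
	r->irqs--;
	return true;
}

/* Guest user space: consume everything in the ring. */
static void guest_drain(struct ring *r)
{
	r->queued = 0;
}

/* Sequence 1: a message arrives between open and user space unmasking. */
static bool open_scenario(bool driver_sets_mask)
{
	struct ring r = { 0, 0, 0 };

	if (driver_sets_mask)
		r.interrupt_mask = 1; /* behaviour removed from hv_uio_open() */
	host_put(&r);                 /* arrives before user space is ready */
	r.interrupt_mask = 0;         /* user space: ready for interrupts */
	host_put(&r);                 /* ring already non-empty: no interrupt */
	return guest_pread_returns(&r);
}

/* Sequence 2: the callback masks, user space drains, then a message
 * arrives before user space unmasks again. */
static bool callback_scenario(bool callback_sets_mask)
{
	struct ring r = { 0, 0, 0 };

	host_put(&r);                 /* first message, interrupt delivered */
	if (callback_sets_mask)
		r.interrupt_mask = 1; /* behaviour removed from hv_uio_channel_cb() */
	(void)guest_pread_returns(&r);/* user space wakes up */
	guest_drain(&r);              /* ring is empty again */
	host_put(&r);                 /* arrives before the unmask below */
	r.interrupt_mask = 0;         /* user space unmasks too late */
	return guest_pread_returns(&r);
}

int main(void)
{
	printf("open, driver masks:       pread %s\n",
	       open_scenario(true) ? "returns" : "hangs");
	printf("open, driver hands off:   pread %s\n",
	       open_scenario(false) ? "returns" : "hangs");
	printf("callback masks:           pread %s\n",
	       callback_scenario(true) ? "returns" : "hangs");
	printf("callback hands off:       pread %s\n",
	       callback_scenario(false) ? "returns" : "hangs");
	return 0;
}
```

In both sequences the hang needs only one message to land while the driver-set mask is in force; the ring is non-empty or the transition is missed, so no later message can raise the interrupt that pread() is waiting for.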

* [PATCH 5.4 075/224] mm: hugetlb: avoid soft lockup when mprotect to large memory area
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yang Shi, Carl Worth,
	Christoph Lameter (Ampere), Catalin Marinas, David Hildenbrand,
	Oscar Salvador, Anshuman Khandual, Dev Jain, Muchun Song,
	Will Deacon, Andrew Morton

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Shi <yang@os.amperecomputing.com>

commit f52ce0ea90c83a28904c7cc203a70e6434adfecb upstream.

When calling mprotect() to a large hugetlb memory area in our customer's
workload (~300GB hugetlb memory), soft lockup was observed:

watchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916]

CPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7
Hardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025
pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mte_clear_page_tags+0x14/0x24
lr : mte_sync_tags+0x1c0/0x240
sp : ffff80003150bb80
x29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000
x26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458
x23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000
x20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000
x2 : 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000

Call trace:
  mte_clear_page_tags+0x14/0x24
  set_huge_pte_at+0x25c/0x280
  hugetlb_change_protection+0x220/0x430
  change_protection+0x5c/0x8c
  mprotect_fixup+0x10c/0x294
  do_mprotect_pkey.constprop.0+0x2e0/0x3d4
  __arm64_sys_mprotect+0x24/0x44
  invoke_syscall+0x50/0x160
  el0_svc_common+0x48/0x144
  do_el0_svc+0x30/0xe0
  el0_svc+0x30/0xf0
  el0t_64_sync_handler+0xc4/0x148
  el0t_64_sync+0x1a4/0x1a8

Soft lockup is not triggered with THP or base page because there is
cond_resched() called for each PMD size.

Although the soft lockup was triggered by MTE, it should not be MTE
specific.  Other processing which takes a long time in the loop may
trigger soft lockup too.

So add cond_resched() for hugetlb to avoid soft lockup.

Link: https://lkml.kernel.org/r/20250929202402.1663290-1-yang@os.amperecomputing.com
Fixes: 8f860591ffb2 ("[PATCH] Enable mprotect on huge pages")
Signed-off-by: Yang Shi <yang@os.amperecomputing.com>
Tested-by: Carl Worth <carl@os.amperecomputing.com>
Reviewed-by: Christoph Lameter (Ampere) <cl@gentwo.org>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Oscar Salvador <osalvador@suse.de>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Reviewed-by: Dev Jain <dev.jain@arm.com>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Will Deacon <will@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/hugetlb.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -4703,6 +4703,8 @@ unsigned long hugetlb_change_protection(
 			pages++;
 		}
 		spin_unlock(ptl);
+
+		cond_resched();
 	}
 	/*
 	 * Must flush TLB before releasing i_mmap_rwsem: x86's huge_pmd_unshare
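Review bot: the new cond_resched() at the bottom of the loop in hugetlb_change_protection() carries no comment. It is correctly placed after spin_unlock(ptl), since it may sleep, and a one-line comment that it exists to avoid soft lockups on very large hugetlb ranges would stop it being moved inside the locked region or dropped as noise. The comment that follows shows i_mmap_rwsem is still held at this point, so it is also worth confirming that rescheduling with that semaphore held is acceptable on the 5.4 call path.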




* [PATCH 5.4 076/224] Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 075/224] mm: hugetlb: avoid soft lockup when mprotect to large memory area Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 077/224] pinctrl: check the return value of pinmux_ops::get_function_name() Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zhen Ni, Dmitry Torokhov

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhen Ni <zhen.ni@easystack.cn>

commit d3366a04770eea807f2826cbdb96934dd8c9bf79 upstream.

Struct ff_effect_compat is embedded twice inside
uinput_ff_upload_compat and contains internal padding. In particular, there
is a hole after struct ff_replay to satisfy alignment requirements for
the following union member. Without clearing the structure,
copy_to_user() may leak stack data to userspace.

Initialize ff_up_compat to zero before filling valid fields.

Fixes: 2d56f3a32c0e ("Input: refactor evdev 32bit compat to be shareable with uinput")
Cc: stable@vger.kernel.org
Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
Link: https://lore.kernel.org/r/20250928063737.74590-1-zhen.ni@easystack.cn
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/misc/uinput.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -740,6 +740,7 @@ static int uinput_ff_upload_to_user(char
 	if (in_compat_syscall()) {
 		struct uinput_ff_upload_compat ff_up_compat;
 
+		memset(&ff_up_compat, 0, sizeof(ff_up_compat));
 		ff_up_compat.request_id = ff_up->request_id;
 		ff_up_compat.retval = ff_up->retval;
 		/*
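Review bot: the memset() in the in_compat_syscall() branch of uinput_ff_upload_to_user() is what clears the padding inside ff_up_compat, but nothing at the call site says so. Add a comment that it must stay a memset() over sizeof(ff_up_compat) ahead of the field assignments, because a later cleanup to a struct initializer does not reliably zero padding bytes and the structure goes to copy_to_user().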



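The padding hole that the commit message for patch 076 describes, as an added example that is not part of the patch or of the kernel source. The structs are constructed stand-ins with the same shape (16-bit members, a replay struct, then a 4-byte-aligned union, embedded twice); STALE, the `*_demo` types and every function name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xA5	/* marker standing in for leftover stack contents */

/*
 * Constructed stand-ins, not the kernel's definitions. The shape follows the
 * commit message: 16-bit members, then a replay struct, then a union that
 * needs 4-byte alignment, which leaves a hole after `replay`.
 */
struct replay_demo {
	uint16_t length;
	uint16_t delay;
};

struct effect_demo {
	uint16_t type;
	int16_t id;
	uint16_t direction;
	uint16_t trig_button;
	uint16_t trig_interval;
	struct replay_demo replay;	/* 14 bytes of members end here */
	union {
		uint32_t level;		/* needs 4-byte alignment */
		uint16_t raw[2];
	} u;
};

struct upload_demo {
	uint32_t request_id;
	int32_t retval;
	struct effect_demo effect;
	struct effect_demo old;		/* the effect struct is embedded twice */
};

/* Padding bytes in upload_demo, derived from the layout the compiler chose. */
size_t hole_bytes(void)
{
	size_t per_effect = offsetof(struct effect_demo, u) -
		(offsetof(struct effect_demo, replay) + sizeof(struct replay_demo));

	return 2 * per_effect;
}

/* Assign every named member; none of the values contains the STALE byte. */
static void fill_effect(struct effect_demo *e, uint16_t seed)
{
	e->type = seed;
	e->id = -1;
	e->direction = 0x4000;
	e->trig_button = 1;
	e->trig_interval = 2;
	e->replay.length = 100;
	e->replay.delay = 0;
	e->u.level = 0x01020304;
}

static void fill_upload(struct upload_demo *up)
{
	up->request_id = 7;
	up->retval = 0;
	fill_effect(&up->effect, 1);
	fill_effect(&up->old, 2);
}

/* Count bytes that still hold the stale marker; volatile forces real loads. */
static size_t count_stale(const void *obj, size_t len)
{
	const volatile unsigned char *p = obj;
	size_t i, n = 0;

	for (i = 0; i < len; i++)
		n += (p[i] == STALE);
	return n;
}

/* Field-by-field fill only: the holes keep whatever was there before. */
size_t leak_without_clear(void)
{
	struct upload_demo up;

	memset(&up, STALE, sizeof(up));	/* simulate an uninitialised stack slot */
	fill_upload(&up);
	return count_stale(&up, sizeof(up));
}

/* Same starting state, but cleared first, as the patch does. */
size_t leak_with_memset(void)
{
	struct upload_demo up;

	memset(&up, STALE, sizeof(up));
	memset(&up, 0, sizeof(up));	/* clears members and padding alike */
	fill_upload(&up);
	return count_stale(&up, sizeof(up));
}

int main(void)
{
	printf("padding bytes in struct:            %zu\n", hole_bytes());
	printf("stale bytes left without clearing:  %zu\n", leak_without_clear());
	printf("stale bytes left after memset:      %zu\n", leak_with_memset());
	return 0;
}
```

Every byte counted by leak_without_clear() sits in a hole that no member assignment can reach, which is why only clearing the whole object closes the leak.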

* [PATCH 5.4 077/224] pinctrl: check the return value of pinmux_ops::get_function_name()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 076/224] Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 078/224] clocksource/drivers/clps711x: Fix resource leaks in error paths Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Bartosz Golaszewski,
	Linus Walleij

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>

commit 4002ee98c022d671ecc1e4a84029e9ae7d8a5603 upstream.

While the API contract in docs doesn't specify it explicitly, the
generic implementation of the get_function_name() callback from struct
pinmux_ops - pinmux_generic_get_function_name() - can fail and return
NULL. This is already checked in pinmux_check_ops() so add a similar
check in pinmux_func_name_to_selector() instead of passing the returned
pointer right down to strcmp() where the NULL can get dereferenced. This
is normal operation when adding new pinfunctions.

Cc: stable@vger.kernel.org
Tested-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pinctrl/pinmux.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/pinctrl/pinmux.c
+++ b/drivers/pinctrl/pinmux.c
@@ -324,7 +324,7 @@ static int pinmux_func_name_to_selector(
 	while (selector < nfuncs) {
 		const char *fname = ops->get_function_name(pctldev, selector);
 
-		if (!strcmp(function, fname))
+		if (fname && !strcmp(function, fname))
 			return selector;
 
 		selector++;
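Review bot: the `fname &&` guard in pinmux_func_name_to_selector() silently skips a selector whose name is NULL, which suits the case the commit message describes, but the reason is not visible in the code. A brief comment that get_function_name() may return NULL for a function that is still being added would keep the check from being removed as redundant or turned into an error return.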




* [PATCH 5.4 078/224] clocksource/drivers/clps711x: Fix resource leaks in error paths
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 077/224] pinctrl: check the return value of pinmux_ops::get_function_name() Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 079/224] iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zhen Ni, Daniel Lezcano

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhen Ni <zhen.ni@easystack.cn>

commit cd32e596f02fc981674573402c1138f616df1728 upstream.

The current implementation of clps711x_timer_init() has multiple error
paths that directly return without releasing the base I/O memory mapped
via of_iomap(). Fix of_iomap leaks in error paths.

Fixes: 04410efbb6bc ("clocksource/drivers/clps711x: Convert init function to return error")
Fixes: 2a6a8e2d9004 ("clocksource/drivers/clps711x: Remove board support")
Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250814123324.1516495-1-zhen.ni@easystack.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/clocksource/clps711x-timer.c |   23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

--- a/drivers/clocksource/clps711x-timer.c
+++ b/drivers/clocksource/clps711x-timer.c
@@ -78,24 +78,33 @@ static int __init clps711x_timer_init(st
 	unsigned int irq = irq_of_parse_and_map(np, 0);
 	struct clk *clock = of_clk_get(np, 0);
 	void __iomem *base = of_iomap(np, 0);
+	int ret = 0;
 
 	if (!base)
 		return -ENOMEM;
-	if (!irq)
-		return -EINVAL;
-	if (IS_ERR(clock))
-		return PTR_ERR(clock);
+	if (!irq) {
+		ret = -EINVAL;
+		goto unmap_io;
+	}
+	if (IS_ERR(clock)) {
+		ret = PTR_ERR(clock);
+		goto unmap_io;
+	}
 
 	switch (of_alias_get_id(np, "timer")) {
 	case CLPS711X_CLKSRC_CLOCKSOURCE:
 		clps711x_clksrc_init(clock, base);
 		break;
 	case CLPS711X_CLKSRC_CLOCKEVENT:
-		return _clps711x_clkevt_init(clock, base, irq);
+		ret =  _clps711x_clkevt_init(clock, base, irq);
+		break;
 	default:
-		return -EINVAL;
+		ret = -EINVAL;
+		break;
 	}
 
-	return 0;
+unmap_io:
+	iounmap(base);
+	return ret;
 }
 TIMER_OF_DECLARE(clps711x, "cirrus,ep7209-timer", clps711x_timer_init);
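Review bot: the new unmap_io label in clps711x_timer_init() is reached on the success paths too. Both switch cases now `break` and fall into `iounmap(base);`, so the mapping handed to clps711x_clksrc_init() and _clps711x_clkevt_init() is torn down even when ret is 0. If those functions keep using base after init, return before the label when ret is 0, or guard the unmap with `if (ret)`. The clock obtained from of_clk_get() is also still not released on the error paths shown, and the double space in `ret =  _clps711x_clkevt_init(clock, base, irq);` can go.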




* [PATCH 5.4 079/224] iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 078/224] clocksource/drivers/clps711x: Fix resource leaks in error paths Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 080/224] perf util: Fix compression checks returning -1 as bool Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Hennerich, Nuno Sá,
	Stable, Jonathan Cameron

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Hennerich <michael.hennerich@analog.com>

commit 1d8fdabe19267338f29b58f968499e5b55e6a3b6 upstream.

The clk div bits (2 bits wide) do not start in bit 16 but in bit 15. Fix it
accordingly.

Fixes: e31166f0fd48 ("iio: frequency: New driver for Analog Devices ADF4350/ADF4351 Wideband Synthesizers")
Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Link: https://patch.msgid.link/20250829-adf4350-fix-v2-2-0bf543ba797d@analog.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/iio/frequency/adf4350.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/iio/frequency/adf4350.h
+++ b/include/linux/iio/frequency/adf4350.h
@@ -51,7 +51,7 @@
 
 /* REG3 Bit Definitions */
 #define ADF4350_REG3_12BIT_CLKDIV(x)		((x) << 3)
-#define ADF4350_REG3_12BIT_CLKDIV_MODE(x)	((x) << 16)
+#define ADF4350_REG3_12BIT_CLKDIV_MODE(x)	((x) << 15)
 #define ADF4350_REG3_12BIT_CSR_EN		(1 << 18)
 #define ADF4351_REG3_CHARGE_CANCELLATION_EN	(1 << 21)
 #define ADF4351_REG3_ANTI_BACKLASH_3ns_EN	(1 << 22)
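Review bot: ADF4350_REG3_12BIT_CLKDIV_MODE(x) still shifts x without masking it, so with the field now at bit 15 any argument above 3 spills past the two-bit field toward ADF4350_REG3_12BIT_CSR_EN at bit 18. Consider `(((x) & 0x3) << 15)` so the macro enforces the width the commit message states.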




* [PATCH 5.4 080/224] perf util: Fix compression checks returning -1 as bool
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 079/224] iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 081/224] rtc: x1205: Fix Xicor X1205 vendor prefix Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ian Rogers, Yunseong Kim,
	Adrian Hunter, Alexander Shishkin, Jiri Olsa, Kan Liang,
	Namhyung Kim, Stephen Brennan, Arnaldo Carvalho de Melo,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yunseong Kim <ysk@kzalloc.com>

[ Upstream commit 43fa1141e2c1af79c91aaa4df03e436c415a6fc3 ]

The lzma_is_compressed and gzip_is_compressed functions are declared
to return a "bool" type, but in case of an error (e.g., file open
failure), they incorrectly returned -1.

A bool type is a boolean value that is either true or false.
Returning -1 for a bool return type can lead to unexpected behavior
and may violate strict type-checking in some compilers.

Fix the return value to be false in error cases, ensuring the function
adheres to its declared return type and preventing potential
bugs related to type mismatch.

Fixes: 4b57fd44b61beb51 ("perf tools: Add lzma_is_compressed function")
Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: Yunseong Kim <ysk@kzalloc.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Stephen Brennan <stephen.s.brennan@oracle.com>
Link: https://lore.kernel.org/r/20250822162506.316844-3-ysk@kzalloc.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/perf/util/lzma.c | 2 +-
 tools/perf/util/zlib.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/perf/util/lzma.c b/tools/perf/util/lzma.c
index 51424cdc3b682..aa9a0ebc1f937 100644
--- a/tools/perf/util/lzma.c
+++ b/tools/perf/util/lzma.c
@@ -115,7 +115,7 @@ bool lzma_is_compressed(const char *input)
 	ssize_t rc;
 
 	if (fd < 0)
-		return -1;
+		return false;
 
 	rc = read(fd, buf, sizeof(buf));
 	close(fd);
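Review bot: returning false from the `fd < 0` branch of lzma_is_compressed() makes "could not open the file" indistinguishable from "not an LZMA file", and the same holds for gzip_is_compressed() in the zlib.c hunk. That matches the bool return type, but callers that need to tell the two apart have no signal; a comment on both functions stating that open failures are reported as "not compressed" would make the contract explicit.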
diff --git a/tools/perf/util/zlib.c b/tools/perf/util/zlib.c
index 78d2297c1b674..1f7c065230599 100644
--- a/tools/perf/util/zlib.c
+++ b/tools/perf/util/zlib.c
@@ -88,7 +88,7 @@ bool gzip_is_compressed(const char *input)
 	ssize_t rc;
 
 	if (fd < 0)
-		return -1;
+		return false;
 
 	rc = read(fd, buf, sizeof(buf));
 	close(fd);
-- 
2.51.0





* [PATCH 5.4 081/224] rtc: x1205: Fix Xicor X1205 vendor prefix
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 080/224] perf util: Fix compression checks returning -1 as bool Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 082/224] perf session: Fix handling when buffer exceeds 2 GiB Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Rob Herring (Arm), Linus Walleij,
	Alexandre Belloni, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rob Herring (Arm) <robh@kernel.org>

[ Upstream commit 606d19ee37de3a72f1b6e95a4ea544f6f20dbb46 ]

The vendor for the X1205 RTC is not Xircom, but Xicor which was acquired
by Intersil. Since the I2C subsystem drops the vendor prefix for driver
matching, the vendor prefix hasn't mattered.

Fixes: 6875404fdb44 ("rtc: x1205: Add DT probing support")
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20250821215703.869628-2-robh@kernel.org
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/rtc/rtc-x1205.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/rtc/rtc-x1205.c b/drivers/rtc/rtc-x1205.c
index d1d5a44d9122a..3b3aaa7d8283c 100644
--- a/drivers/rtc/rtc-x1205.c
+++ b/drivers/rtc/rtc-x1205.c
@@ -671,7 +671,7 @@ static const struct i2c_device_id x1205_id[] = {
 MODULE_DEVICE_TABLE(i2c, x1205_id);
 
 static const struct of_device_id x1205_dt_ids[] = {
-	{ .compatible = "xircom,x1205", },
+	{ .compatible = "xicor,x1205", },
 	{},
 };
 MODULE_DEVICE_TABLE(of, x1205_dt_ids);
-- 
2.51.0





* [PATCH 5.4 082/224] perf session: Fix handling when buffer exceeds 2 GiB
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 081/224] rtc: x1205: Fix Xicor X1205 vendor prefix Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 083/224] clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate() Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tamas Zsoldos, Leo Yan, Namhyung Kim,
	Adrian Hunter, Ian Rogers, Jiri Olsa, Arnaldo Carvalho de Melo,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leo Yan <leo.yan@arm.com>

[ Upstream commit c17dda8013495d8132c976cbf349be9949d0fbd1 ]

If a user specifies an AUX buffer larger than 2 GiB, the returned size
may exceed 0x80000000. Since the err variable is defined as a signed
32-bit integer, such a value overflows and becomes negative.

As a result, the perf record command reports an error:

  0x146e8 [0x30]: failed to process type: 71 [Unknown error 183711232]

Change the type of the err variable to a signed 64-bit integer to
accommodate large buffer sizes correctly.

Fixes: d5652d865ea734a1 ("perf session: Add ability to skip 4GiB or more")
Reported-by: Tamas Zsoldos <tamas.zsoldos@arm.com>
Signed-off-by: Leo Yan <leo.yan@arm.com>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Link: https://lore.kernel.org/r/20250808-perf_fix_big_buffer_size-v1-1-45f45444a9a4@arm.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/perf/util/session.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c
index 01e15b445cb58..cd60a878752f2 100644
--- a/tools/perf/util/session.c
+++ b/tools/perf/util/session.c
@@ -1504,7 +1504,7 @@ static s64 perf_session__process_user_event(struct perf_session *session,
 	struct perf_tool *tool = session->tool;
 	struct perf_sample sample = { .time = 0, };
 	int fd = perf_data__fd(session->data);
-	int err;
+	s64 err;
 
 	if (event->header.type != PERF_RECORD_COMPRESSED ||
 	    tool->compressed == perf_session__process_compressed_event_stub)
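Review bot: `err` in perf_session__process_user_event() now matches the function's s64 return type, but per the commit message it also holds a positive size on success, which the name hides. A comment at the declaration, or a rename, saying that a non-negative value is a byte count would help, and it is worth checking that no caller narrows the returned value back to int.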
-- 
2.51.0





* [PATCH 5.4 083/224] clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 082/224] perf session: Fix handling when buffer exceeds 2 GiB Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 084/224] clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Brian Masney, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Brian Masney <bmasney@redhat.com>

[ Upstream commit b46a3d323a5b7942e65025254c13801d0f475f02 ]

The round_rate() clk ops is deprecated, so migrate this driver from
round_rate() to determine_rate() using the Coccinelle semantic patch
on the cover letter of this series.

Signed-off-by: Brian Masney <bmasney@redhat.com>
Stable-dep-of: 1624dead9a4d ("clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/nxp/clk-lpc18xx-cgu.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/drivers/clk/nxp/clk-lpc18xx-cgu.c b/drivers/clk/nxp/clk-lpc18xx-cgu.c
index 8b686da5577b3..44e07a3c253b9 100644
--- a/drivers/clk/nxp/clk-lpc18xx-cgu.c
+++ b/drivers/clk/nxp/clk-lpc18xx-cgu.c
@@ -374,23 +374,25 @@ static unsigned long lpc18xx_pll0_recalc_rate(struct clk_hw *hw,
 	return 0;
 }
 
-static long lpc18xx_pll0_round_rate(struct clk_hw *hw, unsigned long rate,
-				    unsigned long *prate)
+static int lpc18xx_pll0_determine_rate(struct clk_hw *hw,
+				       struct clk_rate_request *req)
 {
 	unsigned long m;
 
-	if (*prate < rate) {
+	if (req->best_parent_rate < req->rate) {
 		pr_warn("%s: pll dividers not supported\n", __func__);
 		return -EINVAL;
 	}
 
-	m = DIV_ROUND_UP_ULL(*prate, rate * 2);
+	m = DIV_ROUND_UP_ULL(req->best_parent_rate, req->rate * 2);
 	if (m <= 0 && m > LPC18XX_PLL0_MSEL_MAX) {
-		pr_warn("%s: unable to support rate %lu\n", __func__, rate);
+		pr_warn("%s: unable to support rate %lu\n", __func__, req->rate);
 		return -EINVAL;
 	}
 
-	return 2 * *prate * m;
+	req->rate = 2 * req->best_parent_rate * m;
+
+	return 0;
 }
 
 static int lpc18xx_pll0_set_rate(struct clk_hw *hw, unsigned long rate,
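Review bot: the range check carried over unchanged in lpc18xx_pll0_determine_rate(), `if (m <= 0 && m > LPC18XX_PLL0_MSEL_MAX)`, can never be true, so its -EINVAL path is dead and `req->rate` is computed from an unvalidated m. The conversion itself is mechanical, so this is acceptable only because patch 084 in this series changes the condition to `m == 0 || m > LPC18XX_PLL0_MSEL_MAX`; the two should be applied together.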
@@ -447,7 +449,7 @@ static int lpc18xx_pll0_set_rate(struct clk_hw *hw, unsigned long rate,
 
 static const struct clk_ops lpc18xx_pll0_ops = {
 	.recalc_rate	= lpc18xx_pll0_recalc_rate,
-	.round_rate	= lpc18xx_pll0_round_rate,
+	.determine_rate = lpc18xx_pll0_determine_rate,
 	.set_rate	= lpc18xx_pll0_set_rate,
 };
 
-- 
2.51.0





* [PATCH 5.4 084/224] clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 083/224] clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate() Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 085/224] scsi: libsas: Add sas_task_find_rq() Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Stephen Boyd,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alok Tiwari <alok.a.tiwari@oracle.com>

[ Upstream commit 1624dead9a4d288a594fdf19735ebfe4bb567cb8 ]

The conditional check for the PLL0 multiplier 'm' used a logical AND
instead of OR, making the range check ineffective. This patch replaces
&& with || to correctly reject invalid values of 'm' that are either
less than or equal to 0 or greater than LPC18XX_PLL0_MSEL_MAX.

This ensures proper bounds checking during clk rate setting and rounding.

Fixes: b04e0b8fd544 ("clk: add lpc18xx cgu clk driver")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
[sboyd@kernel.org: 'm' is unsigned so remove < condition]
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/nxp/clk-lpc18xx-cgu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/clk/nxp/clk-lpc18xx-cgu.c b/drivers/clk/nxp/clk-lpc18xx-cgu.c
index 44e07a3c253b9..ab8741fe57c99 100644
--- a/drivers/clk/nxp/clk-lpc18xx-cgu.c
+++ b/drivers/clk/nxp/clk-lpc18xx-cgu.c
@@ -385,7 +385,7 @@ static int lpc18xx_pll0_determine_rate(struct clk_hw *hw,
 	}
 
 	m = DIV_ROUND_UP_ULL(req->best_parent_rate, req->rate * 2);
-	if (m <= 0 && m > LPC18XX_PLL0_MSEL_MAX) {
+	if (m == 0 || m > LPC18XX_PLL0_MSEL_MAX) {
 		pr_warn("%s: unable to support rate %lu\n", __func__, req->rate);
 		return -EINVAL;
 	}
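Review bot: the corrected check on m in lpc18xx_pll0_determine_rate() comes after `DIV_ROUND_UP_ULL(req->best_parent_rate, req->rate * 2)`, and nothing in the lines shown rejects a zero req->rate before that division. If a zero rate can reach this function, add an explicit `if (!req->rate)` return before computing m; the same applies to `rate * 2` in the lpc18xx_pll0_set_rate() hunk.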
@@ -408,7 +408,7 @@ static int lpc18xx_pll0_set_rate(struct clk_hw *hw, unsigned long rate,
 	}
 
 	m = DIV_ROUND_UP_ULL(parent_rate, rate * 2);
-	if (m <= 0 && m > LPC18XX_PLL0_MSEL_MAX) {
+	if (m == 0 || m > LPC18XX_PLL0_MSEL_MAX) {
 		pr_warn("%s: unable to support rate %lu\n", __func__, rate);
 		return -EINVAL;
 	}
-- 
2.51.0





* [PATCH 5.4 085/224] scsi: libsas: Add sas_task_find_rq()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 084/224] clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 086/224] scsi: mvsas: Delete mvs_tag_init() Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, John Garry, Jack Wang, Jason Yan,
	Hannes Reinecke, Martin K. Petersen, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: John Garry <john.garry@huawei.com>

[ Upstream commit a9ee3f840646e2ec419c734e592ffe997195435e ]

blk-mq already provides a unique tag per request. Some libsas LLDDs - like
hisi_sas - already use this tag as the unique per-I/O HW tag.

Add a common function to provide the request associated with a sas_task for
all libsas LLDDs.

Signed-off-by: John Garry <john.garry@huawei.com>
Link: https://lore.kernel.org/r/1666091763-11023-2-git-send-email-john.garry@huawei.com
Reviewed-by: Jack Wang <jinpu.wang@ionos.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Stable-dep-of: 60cd16a3b743 ("scsi: mvsas: Fix use-after-free bugs in mvs_work_queue")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/scsi/libsas.h | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/include/scsi/libsas.h b/include/scsi/libsas.h
index 4e2d61e8fb1ed..8461fad88a119 100644
--- a/include/scsi/libsas.h
+++ b/include/scsi/libsas.h
@@ -620,6 +620,24 @@ extern struct sas_task *sas_alloc_task(gfp_t flags);
 extern struct sas_task *sas_alloc_slow_task(gfp_t flags);
 extern void sas_free_task(struct sas_task *task);
 
+static inline struct request *sas_task_find_rq(struct sas_task *task)
+{
+	struct scsi_cmnd *scmd;
+
+	if (task->task_proto & SAS_PROTOCOL_STP_ALL) {
+		struct ata_queued_cmd *qc = task->uldd_task;
+
+		scmd = qc ? qc->scsicmd : NULL;
+	} else {
+		scmd = task->uldd_task;
+	}
+
+	if (!scmd)
+		return NULL;
+
+	return scsi_cmd_to_rq(scmd);
+}
+
 struct sas_domain_function_template {
 	/* The class calls these to notify the LLDD of an event. */
 	void (*lldd_port_formed)(struct asd_sas_phy *);
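Review bot: sas_task_find_rq() is a static inline in include/scsi/libsas.h that calls scsi_cmd_to_rq() and dereferences `qc->scsicmd`, yet the patch adds no include and defines neither. Confirm that the 5.4.y tree provides scsi_cmd_to_rq() and that struct ata_queued_cmd is fully declared wherever libsas.h is included, since a missing definition in this header breaks the build of every libsas user. A kernel-doc comment stating that a NULL return means the task has no associated request would also help the callers added later in the series.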
-- 
2.51.0





* [PATCH 5.4 086/224] scsi: mvsas: Delete mvs_tag_init()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 085/224] scsi: libsas: Add sas_task_find_rq() Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 087/224] scsi: mvsas: Use sas_task_find_rq() for tagging Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, John Garry, Damien Le Moal,
	Hannes Reinecke, Martin K. Petersen, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: John Garry <john.garry@huawei.com>

[ Upstream commit ffc9f9bf3f14876d019f67ef17d41138802529a8 ]

All mvs_tag_init() does is zero the tag bitmap, but this is already done
with the kzalloc() call to alloc the tags, so delete this unneeded
function.

Signed-off-by: John Garry <john.garry@huawei.com>
Link: https://lore.kernel.org/r/1666091763-11023-7-git-send-email-john.garry@huawei.com
Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Stable-dep-of: 60cd16a3b743 ("scsi: mvsas: Fix use-after-free bugs in mvs_work_queue")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/mvsas/mv_init.c | 2 --
 drivers/scsi/mvsas/mv_sas.c  | 7 -------
 drivers/scsi/mvsas/mv_sas.h  | 1 -
 3 files changed, 10 deletions(-)

diff --git a/drivers/scsi/mvsas/mv_init.c b/drivers/scsi/mvsas/mv_init.c
index 0c5e2c6105867..7622de9d7d8ba 100644
--- a/drivers/scsi/mvsas/mv_init.c
+++ b/drivers/scsi/mvsas/mv_init.c
@@ -286,8 +286,6 @@ static int mvs_alloc(struct mvs_info *mvi, struct Scsi_Host *shost)
 	}
 	mvi->tags_num = slot_nr;
 
-	/* Initialize tags */
-	mvs_tag_init(mvi);
 	return 0;
 err_out:
 	return 1;
diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c
index 68caeaf9e6369..377b931f46dcf 100644
--- a/drivers/scsi/mvsas/mv_sas.c
+++ b/drivers/scsi/mvsas/mv_sas.c
@@ -51,13 +51,6 @@ inline int mvs_tag_alloc(struct mvs_info *mvi, u32 *tag_out)
 	return 0;
 }
 
-void mvs_tag_init(struct mvs_info *mvi)
-{
-	int i;
-	for (i = 0; i < mvi->tags_num; ++i)
-		mvs_tag_clear(mvi, i);
-}
-
 static struct mvs_info *mvs_find_dev_mvi(struct domain_device *dev)
 {
 	unsigned long i = 0, j = 0, hi = 0;
diff --git a/drivers/scsi/mvsas/mv_sas.h b/drivers/scsi/mvsas/mv_sas.h
index 519edc796691a..6689481779343 100644
--- a/drivers/scsi/mvsas/mv_sas.h
+++ b/drivers/scsi/mvsas/mv_sas.h
@@ -428,7 +428,6 @@ void mvs_tag_clear(struct mvs_info *mvi, u32 tag);
 void mvs_tag_free(struct mvs_info *mvi, u32 tag);
 void mvs_tag_set(struct mvs_info *mvi, unsigned int tag);
 int mvs_tag_alloc(struct mvs_info *mvi, u32 *tag_out);
-void mvs_tag_init(struct mvs_info *mvi);
 void mvs_iounmap(void __iomem *regs);
 int mvs_ioremap(struct mvs_info *mvi, int bar, int bar_ex);
 void mvs_phys_reset(struct mvs_info *mvi, u32 phy_mask, int hard);
-- 
2.51.0





* [PATCH 5.4 087/224] scsi: mvsas: Use sas_task_find_rq() for tagging
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 086/224] scsi: mvsas: Delete mvs_tag_init() Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 088/224] scsi: mvsas: Fix use-after-free bugs in mvs_work_queue Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, John Garry, Martin K. Petersen,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: John Garry <john.garry@huawei.com>

[ Upstream commit 2acf97f199f9eba8321390325519e9b6bff60108 ]

The request associated with a SCSI command coming from the block layer has
a unique tag, so use that when possible for getting a slot.

Unfortunately we don't support reserved commands in the SCSI midlayer yet.
As such, SMP tasks - as an example - will not have a request associated, so
in the interim continue to manage those tags for that type of sas_task
internally.

We reserve an arbitrary 4 tags for these internal tags. Indeed, we already
decrement MVS_RSVD_SLOTS by 2 for the shost can_queue when flag
MVF_FLAG_SOC is set. This change was made in commit 20b09c2992fe ("[SCSI]
mvsas: add support for 94xx; layout change; bug fixes"), but what those 2
slots are used for is not obvious.

Also make the tag management functions static, where possible.

Signed-off-by: John Garry <john.garry@huawei.com>
Link: https://lore.kernel.org/r/1666091763-11023-8-git-send-email-john.garry@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Stable-dep-of: 60cd16a3b743 ("scsi: mvsas: Fix use-after-free bugs in mvs_work_queue")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/mvsas/mv_defs.h |  1 +
 drivers/scsi/mvsas/mv_init.c |  9 +++++----
 drivers/scsi/mvsas/mv_sas.c  | 35 ++++++++++++++++++++++-------------
 drivers/scsi/mvsas/mv_sas.h  |  7 +------
 4 files changed, 29 insertions(+), 23 deletions(-)

diff --git a/drivers/scsi/mvsas/mv_defs.h b/drivers/scsi/mvsas/mv_defs.h
index 199ab49aa047f..3ec1c7546cdb4 100644
--- a/drivers/scsi/mvsas/mv_defs.h
+++ b/drivers/scsi/mvsas/mv_defs.h
@@ -40,6 +40,7 @@ enum driver_configuration {
 	MVS_ATA_CMD_SZ		= 96,	/* SATA command table buffer size */
 	MVS_OAF_SZ		= 64,	/* Open address frame buffer size */
 	MVS_QUEUE_SIZE		= 64,	/* Support Queue depth */
+	MVS_RSVD_SLOTS		= 4,
 	MVS_SOC_CAN_QUEUE	= MVS_SOC_SLOTS - 2,
 };
 
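
Review bot: MVS_RSVD_SLOTS = 4 is the only entry in this part of enum driver_configuration without a trailing comment. The commit message calls the value arbitrary and says it covers internally managed tags such as SMP tasks; a short comment to that effect here would spare the next reader the question the message itself raises about the existing MVS_SOC_SLOTS - 2.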
diff --git a/drivers/scsi/mvsas/mv_init.c b/drivers/scsi/mvsas/mv_init.c
index 7622de9d7d8ba..264f32065ea7a 100644
--- a/drivers/scsi/mvsas/mv_init.c
+++ b/drivers/scsi/mvsas/mv_init.c
@@ -139,7 +139,7 @@ static void mvs_free(struct mvs_info *mvi)
 		scsi_host_put(mvi->shost);
 	list_for_each_entry(mwq, &mvi->wq_list, entry)
 		cancel_delayed_work(&mwq->work_q);
-	kfree(mvi->tags);
+	kfree(mvi->rsvd_tags);
 	kfree(mvi);
 }
 
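
Review bot: kfree(mvi->rsvd_tags) in mvs_free() releases memory that the mvs_pci_alloc() hunk below now obtains with bitmap_zalloc(). Pair it with bitmap_free(mvi->rsvd_tags) so allocation and release use the same API.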
@@ -284,7 +284,6 @@ static int mvs_alloc(struct mvs_info *mvi, struct Scsi_Host *shost)
 			printk(KERN_DEBUG "failed to create dma pool %s.\n", pool_name);
 			goto err_out;
 	}
-	mvi->tags_num = slot_nr;
 
 	return 0;
 err_out:
@@ -368,8 +367,8 @@ static struct mvs_info *mvs_pci_alloc(struct pci_dev *pdev,
 	mvi->sas = sha;
 	mvi->shost = shost;
 
-	mvi->tags = kzalloc(MVS_CHIP_SLOT_SZ>>3, GFP_KERNEL);
-	if (!mvi->tags)
+	mvi->rsvd_tags = bitmap_zalloc(MVS_RSVD_SLOTS, GFP_KERNEL);
+	if (!mvi->rsvd_tags)
 		goto err_out;
 
 	if (MVS_CHIP_DISP->chip_ioremap(mvi))
@@ -470,6 +469,8 @@ static void  mvs_post_sas_ha_init(struct Scsi_Host *shost,
 	else
 		can_queue = MVS_CHIP_SLOT_SZ;
 
+	can_queue -= MVS_RSVD_SLOTS;
+
 	shost->sg_tablesize = min_t(u16, SG_ALL, MVS_MAX_SG);
 	shost->can_queue = can_queue;
 	mvi->shost->cmd_per_lun = MVS_QUEUE_SIZE;
diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c
index 377b931f46dcf..393a8ee551e4d 100644
--- a/drivers/scsi/mvsas/mv_sas.c
+++ b/drivers/scsi/mvsas/mv_sas.c
@@ -20,31 +20,34 @@ static int mvs_find_tag(struct mvs_info *mvi, struct sas_task *task, u32 *tag)
 	return 0;
 }
 
-void mvs_tag_clear(struct mvs_info *mvi, u32 tag)
+static void mvs_tag_clear(struct mvs_info *mvi, u32 tag)
 {
-	void *bitmap = mvi->tags;
+	void *bitmap = mvi->rsvd_tags;
 	clear_bit(tag, bitmap);
 }
 
-void mvs_tag_free(struct mvs_info *mvi, u32 tag)
+static void mvs_tag_free(struct mvs_info *mvi, u32 tag)
 {
+	if (tag >= MVS_RSVD_SLOTS)
+		return;
+
 	mvs_tag_clear(mvi, tag);
 }
 
-void mvs_tag_set(struct mvs_info *mvi, unsigned int tag)
+static void mvs_tag_set(struct mvs_info *mvi, unsigned int tag)
 {
-	void *bitmap = mvi->tags;
+	void *bitmap = mvi->rsvd_tags;
 	set_bit(tag, bitmap);
 }
 
-inline int mvs_tag_alloc(struct mvs_info *mvi, u32 *tag_out)
+static int mvs_tag_alloc(struct mvs_info *mvi, u32 *tag_out)
 {
 	unsigned int index, tag;
-	void *bitmap = mvi->tags;
+	void *bitmap = mvi->rsvd_tags;
 
-	index = find_first_zero_bit(bitmap, mvi->tags_num);
+	index = find_first_zero_bit(bitmap, MVS_RSVD_SLOTS);
 	tag = index;
-	if (tag >= mvi->tags_num)
+	if (tag >= MVS_RSVD_SLOTS)
 		return -SAS_QUEUE_FULL;
 	mvs_tag_set(mvi, tag);
 	*tag_out = tag;
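
Review bot: The new early return in mvs_tag_free() for tag >= MVS_RSVD_SLOTS is the only bound check in this group; mvs_tag_clear() and mvs_tag_set() still hand an unchecked tag to clear_bit()/set_bit() on a bitmap that is now only MVS_RSVD_SLOTS bits long. Either fold the check into those two helpers or add a comment on mvs_tag_free() saying that slot indexes derived from rq->tag + MVS_RSVD_SLOTS must go through it and never through mvs_tag_clear() directly.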
@@ -693,6 +696,7 @@ static int mvs_task_prep(struct sas_task *task, struct mvs_info *mvi, int is_tmf
 	struct mvs_task_exec_info tei;
 	struct mvs_slot_info *slot;
 	u32 tag = 0xdeadbeef, n_elem = 0;
+	struct request *rq;
 	int rc = 0;
 
 	if (!dev->port) {
@@ -757,9 +761,14 @@ static int mvs_task_prep(struct sas_task *task, struct mvs_info *mvi, int is_tmf
 		n_elem = task->num_scatter;
 	}
 
-	rc = mvs_tag_alloc(mvi, &tag);
-	if (rc)
-		goto err_out;
+	rq = sas_task_find_rq(task);
+	if (rq) {
+		tag = rq->tag + MVS_RSVD_SLOTS;
+	} else {
+		rc = mvs_tag_alloc(mvi, &tag);
+		if (rc)
+			goto err_out;
+	}
 
 	slot = &mvi->slot_info[tag];
 
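
Review bot: In mvs_task_prep(), tag = rq->tag + MVS_RSVD_SLOTS is used directly as the index in slot = &mvi->slot_info[tag] with no range check. The index stays in range only as long as rq->tag is below the can_queue value that mvs_post_sas_ha_init() reduces by MVS_RSVD_SLOTS; a comment naming that invariant at this line (or a WARN_ON_ONCE against the slot count) would keep the two sites from drifting apart.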
@@ -862,7 +871,7 @@ int mvs_queue_command(struct sas_task *task, gfp_t gfp_flags)
 static void mvs_slot_free(struct mvs_info *mvi, u32 rx_desc)
 {
 	u32 slot_idx = rx_desc & RXQ_SLOT_MASK;
-	mvs_tag_clear(mvi, slot_idx);
+	mvs_tag_free(mvi, slot_idx);
 }
 
 static void mvs_slot_task_free(struct mvs_info *mvi, struct sas_task *task,
diff --git a/drivers/scsi/mvsas/mv_sas.h b/drivers/scsi/mvsas/mv_sas.h
index 6689481779343..42caca5bb874a 100644
--- a/drivers/scsi/mvsas/mv_sas.h
+++ b/drivers/scsi/mvsas/mv_sas.h
@@ -370,8 +370,7 @@ struct mvs_info {
 	u32 chip_id;
 	const struct mvs_chip_info *chip;
 
-	int tags_num;
-	unsigned long *tags;
+	unsigned long *rsvd_tags;
 	/* further per-slot information */
 	struct mvs_phy phy[MVS_MAX_PHYS];
 	struct mvs_port port[MVS_MAX_PHYS];
@@ -424,10 +423,6 @@ struct mvs_task_exec_info {
 
 /******************** function prototype *********************/
 void mvs_get_sas_addr(void *buf, u32 buflen);
-void mvs_tag_clear(struct mvs_info *mvi, u32 tag);
-void mvs_tag_free(struct mvs_info *mvi, u32 tag);
-void mvs_tag_set(struct mvs_info *mvi, unsigned int tag);
-int mvs_tag_alloc(struct mvs_info *mvi, u32 *tag_out);
 void mvs_iounmap(void __iomem *regs);
 int mvs_ioremap(struct mvs_info *mvi, int bar, int bar_ex);
 void mvs_phys_reset(struct mvs_info *mvi, u32 phy_mask, int hard);
-- 
2.51.0





* [PATCH 5.4 088/224] scsi: mvsas: Fix use-after-free bugs in mvs_work_queue
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 087/224] scsi: mvsas: Use sas_task_find_rq() for tagging Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 089/224] net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter() Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Martin K. Petersen,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Duoming Zhou <duoming@zju.edu.cn>

[ Upstream commit 60cd16a3b7439ccb699d0bf533799eeb894fd217 ]

During the detaching of Marvell's SAS/SATA controller, the original code
calls cancel_delayed_work() in mvs_free() to cancel the delayed work
item mwq->work_q. However, if mwq->work_q is already running, the
cancel_delayed_work() may fail to cancel it. This can lead to
use-after-free scenarios where mvs_free() frees the mvs_info while
mvs_work_queue() is still executing and attempts to access the
already-freed mvs_info.

A typical race condition is illustrated below:

CPU 0 (remove)            | CPU 1 (delayed work callback)
mvs_pci_remove()          |
  mvs_free()              | mvs_work_queue()
    cancel_delayed_work() |
      kfree(mvi)          |
                          |   mvi-> // UAF

Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the delayed work item is properly canceled and any executing
delayed work item completes before the mvs_info is deallocated.

This bug was found by static analysis.

Fixes: 20b09c2992fe ("[SCSI] mvsas: add support for 94xx; layout change; bug fixes")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/mvsas/mv_init.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/mvsas/mv_init.c b/drivers/scsi/mvsas/mv_init.c
index 264f32065ea7a..d0a6639c3542d 100644
--- a/drivers/scsi/mvsas/mv_init.c
+++ b/drivers/scsi/mvsas/mv_init.c
@@ -138,7 +138,7 @@ static void mvs_free(struct mvs_info *mvi)
 	if (mvi->shost)
 		scsi_host_put(mvi->shost);
 	list_for_each_entry(mwq, &mvi->wq_list, entry)
-		cancel_delayed_work(&mwq->work_q);
+		cancel_delayed_work_sync(&mwq->work_q);
 	kfree(mvi->rsvd_tags);
 	kfree(mvi);
 }
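
Review bot: cancel_delayed_work_sync() can sleep while it waits for a running mvs_work_queue(), so mvs_free() must now be reached from process context only; please confirm that for every caller, not just the mvs_pci_remove() path drawn in the commit message. The loop also still runs after scsi_host_put(mvi->shost), so consider moving it above that call so that no work item is executing once the host reference has been dropped.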
-- 
2.51.0





* [PATCH 5.4 089/224] net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 088/224] scsi: mvsas: Fix use-after-free bugs in mvs_work_queue Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 090/224] drm/vmwgfx: Fix Use-after-free in validation Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Tariq Toukan,
	Jakub Kicinski, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@linaro.org>

[ Upstream commit 4f0d91ba72811fd5dd577bcdccd7fed649aae62c ]

Print "entry->mac" before freeing "entry".  The "entry" pointer is
freed with kfree_rcu() so it's unlikely that we would trigger this
in real life, but it's safer to re-order it.

Fixes: cc5387f7346a ("net/mlx4_en: Add unicast MAC filtering")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/aNvMHX4g8RksFFvV@stanley.mountain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
index 91334229c1205..545658afb4f5c 100644
--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
@@ -1175,9 +1175,9 @@ static void mlx4_en_do_uc_filter(struct mlx4_en_priv *priv,
 				mlx4_unregister_mac(mdev->dev, priv->port, mac);
 
 				hlist_del_rcu(&entry->hlist);
-				kfree_rcu(entry, rcu);
 				en_dbg(DRV, priv, "Removed MAC %pM on port:%d\n",
 				       entry->mac, priv->port);
+				kfree_rcu(entry, rcu);
 				++removed;
 			}
 		}
-- 
2.51.0





* [PATCH 5.4 090/224] drm/vmwgfx: Fix Use-after-free in validation
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 089/224] net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter() Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 091/224] net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kuzey Arda Bulut, Ian Forbes,
	Zack Rusin, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Forbes <ian.forbes@broadcom.com>

[ Upstream commit dfe1323ab3c8a4dd5625ebfdba44dc47df84512a ]

Nodes stored in the validation duplicates hashtable come from an arena
allocator that is cleared at the end of vmw_execbuf_process. All nodes
are expected to be cleared in vmw_validation_drop_ht but this node escaped
because its resource was destroyed prematurely.

Fixes: 64ad2abfe9a6 ("drm/vmwgfx: Adapt validation code for reference-free lookups")
Reported-by: Kuzey Arda Bulut <kuzeyardabulut@gmail.com>
Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
Reviewed-by: Zack Rusin <zack.rusin@broadcom.com>
Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Link: https://lore.kernel.org/r/20250926195427.1405237-1-ian.forbes@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/vmwgfx/vmwgfx_validation.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c b/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c
index f611b2290a1b9..a18b9bb0631c2 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_validation.c
@@ -339,8 +339,10 @@ int vmw_validation_add_resource(struct vmw_validation_context *ctx,
 		}
 	}
 	node->res = vmw_resource_reference_unless_doomed(res);
-	if (!node->res)
+	if (!node->res) {
+		hash_del_rcu(&node->hash.head);
 		return -ESRCH;
+	}
 
 	node->first_usage = 1;
 	if (!res->dev_priv->has_mob) {
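
Review bot: The added hash_del_rcu(&node->hash.head) on the !node->res path runs unconditionally, while the hashtable insert sits in the conditional block of which only the closing braces are visible above. Confirm that the node is always hashed (or its hlist_node zero-initialised) whenever this path is taken, or guard the removal with the same condition as the insert, and add a one-line comment that the node comes from the arena cleared at the end of vmw_execbuf_process.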
-- 
2.51.0





* [PATCH 5.4 091/224] net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 090/224] drm/vmwgfx: Fix Use-after-free in validation Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 092/224] tcp: Dont call reqsk_fastopen_remove() in tcp_conn_request() Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexandr Sapozhnikov, Xin Long,
	Jakub Kicinski, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexandr Sapozhnikov <alsp705@gmail.com>

[ Upstream commit 2f3119686ef50319490ccaec81a575973da98815 ]

If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0
and sctp_ulpevent_make_authkey() returns 0, then the variable
ai_ev remains zero and the zero will be dereferenced
in the sctp_ulpevent_free() function.

Signed-off-by: Alexandr Sapozhnikov <alsp705@gmail.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Fixes: 30f6ebf65bc4 ("sctp: add SCTP_AUTH_NO_AUTH type for AUTHENTICATION_EVENT")
Link: https://patch.msgid.link/20251002091448.11-1-alsp705@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/sm_statefuns.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 6b613569372a0..9c714a6c93076 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -873,7 +873,8 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
 	return SCTP_DISPOSITION_CONSUME;
 
 nomem_authev:
-	sctp_ulpevent_free(ai_ev);
+	if (ai_ev)
+		sctp_ulpevent_free(ai_ev);
 nomem_aiev:
 	sctp_ulpevent_free(ev);
 nomem_ev:
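
Review bot: The NULL guard is added only under nomem_authev; sctp_ulpevent_free(ev) under nomem_aiev keeps relying on its caller to pass a non-NULL pointer. Making sctp_ulpevent_free() itself tolerate NULL, as kfree() does, would cover every label in this unwind chain instead of one call site.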
-- 
2.51.0





* [PATCH 5.4 092/224] tcp: Dont call reqsk_fastopen_remove() in tcp_conn_request().
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 091/224] net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:33 ` [PATCH 5.4 093/224] net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzkaller, Kuniyuki Iwashima,
	Jakub Kicinski, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kuniyuki Iwashima <kuniyu@google.com>

[ Upstream commit 2e7cbbbe3d61c63606994b7ff73c72537afe2e1c ]

syzbot reported the splat below in tcp_conn_request(). [0]

If a listener is close()d while a TFO socket is being processed in
tcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk
and calls inet_child_forget(), which calls tcp_disconnect() for the
TFO socket.

After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(),
where reqsk_put() is called due to !reqsk->sk.

Then, reqsk_fastopen_remove() in tcp_conn_request() decrements the
last req->rsk_refcnt and frees reqsk, and __reqsk_free() at the
drop_and_free label causes the refcount underflow for the listener
and double-free of the reqsk.

Let's remove reqsk_fastopen_remove() in tcp_conn_request().

Note that other callers make sure tp->fastopen_rsk is not NULL.

[0]:
refcount_t: underflow; use-after-free.
WARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28)
Modules linked in:
CPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:refcount_warn_saturate (lib/refcount.c:28)
Code: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff <0f> 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6
RSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246
RAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900
RDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280
RBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280
R10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100
R13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8
FS:  00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0
Call Trace:
 <IRQ>
 tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301)
 tcp_rcv_state_process (net/ipv4/tcp_input.c:6708)
 tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670)
 tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906)
 ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438)
 ip6_input (net/ipv6/ip6_input.c:500)
 ipv6_rcv (net/ipv6/ip6_input.c:311)
 __netif_receive_skb (net/core/dev.c:6104)
 process_backlog (net/core/dev.c:6456)
 __napi_poll (net/core/dev.c:7506)
 net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696)
 handle_softirqs (kernel/softirq.c:579)
 do_softirq (kernel/softirq.c:480)
 </IRQ>

Fixes: 45c8a6cc2bcd ("tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20251001233755.1340927-1-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/tcp_input.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 9d65e684e626c..541f9a89b4902 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -6800,7 +6800,6 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
 				    &foc, TCP_SYNACK_FASTOPEN);
 		/* Add the child socket directly into the accept queue */
 		if (!inet_csk_reqsk_queue_add(sk, req, fastopen_sk)) {
-			reqsk_fastopen_remove(fastopen_sk, req, false);
 			bh_unlock_sock(fastopen_sk);
 			sock_put(fastopen_sk);
 			goto drop_and_free;
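
Review bot: With reqsk_fastopen_remove() gone from the !inet_csk_reqsk_queue_add() branch, nothing at this site shows who drops the fastopen request any more. A short comment here that the failure path of inet_csk_reqsk_queue_add() already does so through inet_child_forget() and tcp_disconnect(), as the commit message explains, would keep the call from being re-added later as an apparent leak fix.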
-- 
2.51.0





* [PATCH 5.4 093/224] net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 092/224] tcp: Dont call reqsk_fastopen_remove() in tcp_conn_request() Greg Kroah-Hartman
@ 2025-10-27 18:33 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 094/224] tools build: Align warning options with perf Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:33 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Erick Karanja, Jakub Kicinski,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Erick Karanja <karanja99erick@gmail.com>

[ Upstream commit 521405cb54cd2812bbb6dedd5afc14bca1e7e98a ]

Add missing of_node_put call to release device node tbi obtained
via for_each_child_of_node.

Fixes: afae5ad78b342 ("net/fsl_pq_mdio: streamline probing of MDIO nodes")
Signed-off-by: Erick Karanja <karanja99erick@gmail.com>
Link: https://patch.msgid.link/20251002174617.960521-1-karanja99erick@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/freescale/fsl_pq_mdio.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/freescale/fsl_pq_mdio.c b/drivers/net/ethernet/freescale/fsl_pq_mdio.c
index c6481bd612390..565a8bfe5692a 100644
--- a/drivers/net/ethernet/freescale/fsl_pq_mdio.c
+++ b/drivers/net/ethernet/freescale/fsl_pq_mdio.c
@@ -482,10 +482,12 @@ static int fsl_pq_mdio_probe(struct platform_device *pdev)
 					"missing 'reg' property in node %pOF\n",
 					tbi);
 				err = -EBUSY;
+				of_node_put(tbi);
 				goto error;
 			}
 			set_tbipa(*prop, pdev,
 				  data->get_tbipa, priv->map, &res);
+			of_node_put(tbi);
 		}
 	}
 
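
Review bot: of_node_put(tbi) is now called on two separate exits of the same block, once before goto error and once after set_tbipa(). Both come after the last visible use of tbi and *prop, so the ordering is fine, but a single put after the block, with the error decided beforehand, would make it harder for a future exit to miss the release.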
-- 
2.51.0





* [PATCH 5.4 094/224] tools build: Align warning options with perf
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2025-10-27 18:33 ` [PATCH 5.4 093/224] net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 095/224] mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Leo Yan, Ian Rogers, Palmer Dabbelt,
	Albert Ou, Alexandre Ghiti, Nick Desaulniers, Justin Stitt,
	Bill Wendling, Adrian Hunter, Arnaldo Carvalho de Melo, Jiri Olsa,
	Namhyung Kim, Nathan Chancellor, James Clark, linux-riscv, llvm,
	Paul Walmsley, linux-kernel, linux-perf-users,
	Arnaldo Carvalho de Melo, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leo Yan <leo.yan@arm.com>

[ Upstream commit 53d067feb8c4f16d1f24ce3f4df4450bb18c555f ]

The feature test programs are built without enabling '-Wall -Werror'
options. As a result, a feature may appear to be available, but later
building in perf can fail with stricter checks.

Make the feature test program use the same warning options as perf.

Fixes: 1925459b4d92 ("tools build: Fix feature Makefile issues with 'O='")
Signed-off-by: Leo Yan <leo.yan@arm.com>
Reviewed-by: Ian Rogers <irogers@google.com>
Link: https://lore.kernel.org/r/20251006-perf_build_android_ndk-v3-1-4305590795b2@arm.com
Cc: Palmer Dabbelt <palmer@dabbelt.com>
Cc: Albert Ou <aou@eecs.berkeley.edu>
Cc: Alexandre Ghiti <alex@ghiti.fr>
Cc: Nick Desaulniers <nick.desaulniers+lkml@gmail.com>
Cc: Justin Stitt <justinstitt@google.com>
Cc: Bill Wendling <morbo@google.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: James Clark <james.clark@linaro.org>
Cc: linux-riscv@lists.infradead.org
Cc: llvm@lists.linux.dev
Cc: Paul Walmsley <paul.walmsley@sifive.com>
Cc: linux-kernel@vger.kernel.org
Cc: linux-perf-users@vger.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/build/feature/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/build/feature/Makefile b/tools/build/feature/Makefile
index 8104e505efde6..f5b7b1489e1fc 100644
--- a/tools/build/feature/Makefile
+++ b/tools/build/feature/Makefile
@@ -258,10 +258,10 @@ $(OUTPUT)test-sync-compare-and-swap.bin:
 	$(BUILD)
 
 $(OUTPUT)test-compile-32.bin:
-	$(CC) -m32 -o $@ test-compile.c
+	$(CC) -m32 -Wall -Werror -o $@ test-compile.c
 
 $(OUTPUT)test-compile-x32.bin:
-	$(CC) -mx32 -o $@ test-compile.c
+	$(CC) -mx32 -Wall -Werror -o $@ test-compile.c
 
 $(OUTPUT)test-zlib.bin:
 	$(BUILD) -lz
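
Review bot: -Wall -Werror is hard-coded into the test-compile-32 and test-compile-x32 rules, while the neighbouring rules go through $(BUILD). If the aim is to track perf's warning options, put the flags in one variable shared by these two rules so they cannot drift the next time perf's set changes.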
-- 
2.51.0





* [PATCH 5.4 095/224] mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 094/224] tools build: Align warning options with perf Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 096/224] mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Harini T, Peng Fan, Jassi Brar,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Harini T <harini.t@amd.com>

[ Upstream commit 341867f730d3d3bb54491ee64e8b1a0c446656e7 ]

The controller is registered using the device-managed function
'devm_mbox_controller_register()'. As documented in mailbox.c, this
ensures the devres framework automatically calls
mbox_controller_unregister() when device_unregister() is invoked, making
the explicit call unnecessary.

Remove redundant mbox_controller_unregister() call as
device_unregister() handles controller cleanup.

Fixes: 4981b82ba2ff ("mailbox: ZynqMP IPI mailbox controller")
Signed-off-by: Harini T <harini.t@amd.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mailbox/zynqmp-ipi-mailbox.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/mailbox/zynqmp-ipi-mailbox.c b/drivers/mailbox/zynqmp-ipi-mailbox.c
index bb7bb17386475..8395f4013b111 100644
--- a/drivers/mailbox/zynqmp-ipi-mailbox.c
+++ b/drivers/mailbox/zynqmp-ipi-mailbox.c
@@ -619,7 +619,6 @@ static void zynqmp_ipi_free_mboxes(struct zynqmp_ipi_pdata *pdata)
 	for (; i >= 0; i--) {
 		ipi_mbox = &pdata->ipi_mboxes[i];
 		if (ipi_mbox->dev.parent) {
-			mbox_controller_unregister(&ipi_mbox->mbox);
 			if (device_is_registered(&ipi_mbox->dev))
 				device_unregister(&ipi_mbox->dev);
 		}
-- 
2.51.0





* [PATCH 5.4 096/224] mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 095/224] mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 097/224] crypto: essiv - Check ssize for decryption and in-place encryption Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Harini T, Peng Fan, Jassi Brar,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Harini T <harini.t@amd.com>

[ Upstream commit 019e3f4550fc7d319a7fd03eff487255f8e8aecd ]

The ipi_mbox->dev.parent check is an unreliable proxy for registration
status as it fails to protect against probe failures that occur after
the parent is assigned but before device_register() completes.

device_is_registered() is the canonical and robust method to verify the
registration status.

Remove ipi_mbox->dev.parent check in zynqmp_ipi_free_mboxes().

Fixes: 4981b82ba2ff ("mailbox: ZynqMP IPI mailbox controller")
Signed-off-by: Harini T <harini.t@amd.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mailbox/zynqmp-ipi-mailbox.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/mailbox/zynqmp-ipi-mailbox.c b/drivers/mailbox/zynqmp-ipi-mailbox.c
index 8395f4013b111..dcabf38859ec5 100644
--- a/drivers/mailbox/zynqmp-ipi-mailbox.c
+++ b/drivers/mailbox/zynqmp-ipi-mailbox.c
@@ -618,10 +618,8 @@ static void zynqmp_ipi_free_mboxes(struct zynqmp_ipi_pdata *pdata)
 	i = pdata->num_mboxes;
 	for (; i >= 0; i--) {
 		ipi_mbox = &pdata->ipi_mboxes[i];
-		if (ipi_mbox->dev.parent) {
-			if (device_is_registered(&ipi_mbox->dev))
-				device_unregister(&ipi_mbox->dev);
-		}
+		if (device_is_registered(&ipi_mbox->dev))
+			device_unregister(&ipi_mbox->dev);
 	}
 }
 
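
Review bot: With the dev.parent guard removed, every iteration now calls device_is_registered() on &pdata->ipi_mboxes[i], and the loop still starts at i = pdata->num_mboxes rather than num_mboxes - 1. Unless ipi_mboxes has an entry beyond the last mailbox, the first iteration reads one element past the array; the start index should be corrected in this change or an accompanying one.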
-- 
2.51.0





* [PATCH 5.4 097/224] crypto: essiv - Check ssize for decryption and in-place encryption
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 096/224] mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 098/224] tpm, tpm_tis: Claim locality before writing interrupt registers Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Muhammad Alifa Ramdhan, Herbert Xu,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

[ Upstream commit 6bb73db6948c2de23e407fe1b7ef94bf02b7529f ]

Move the ssize check to the start in essiv_aead_crypt so that
it's also checked for decryption and in-place encryption.

Reported-by: Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>
Fixes: be1eb7f78aa8 ("crypto: essiv - create wrapper template for ESSIV generation")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 crypto/essiv.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/crypto/essiv.c b/crypto/essiv.c
index aa6b89e91ac80..8a74cc34ac50a 100644
--- a/crypto/essiv.c
+++ b/crypto/essiv.c
@@ -203,9 +203,14 @@ static int essiv_aead_crypt(struct aead_request *req, bool enc)
 	const struct essiv_tfm_ctx *tctx = crypto_aead_ctx(tfm);
 	struct essiv_aead_request_ctx *rctx = aead_request_ctx(req);
 	struct aead_request *subreq = &rctx->aead_req;
+	int ivsize = crypto_aead_ivsize(tfm);
+	int ssize = req->assoclen - ivsize;
 	struct scatterlist *src = req->src;
 	int err;
 
+	if (ssize < 0)
+		return -EINVAL;
+
 	crypto_cipher_encrypt_one(tctx->essiv_cipher, req->iv, req->iv);
 
 	/*
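
Review bot: `ssize` is an int computed as `req->assoclen - ivsize`, so
the new `ssize < 0` test depends on the result of a mixed-type
subtraction being converted to a negative int. Comparing the operands
directly, `if (req->assoclen < ivsize) return -EINVAL;`, states the
intent without relying on that conversion. Placing the check ahead of
crypto_cipher_encrypt_one() is good: a rejected request no longer has
`req->iv` overwritten.
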
@@ -215,19 +220,12 @@ static int essiv_aead_crypt(struct aead_request *req, bool enc)
 	 */
 	rctx->assoc = NULL;
 	if (req->src == req->dst || !enc) {
-		scatterwalk_map_and_copy(req->iv, req->dst,
-					 req->assoclen - crypto_aead_ivsize(tfm),
-					 crypto_aead_ivsize(tfm), 1);
+		scatterwalk_map_and_copy(req->iv, req->dst, ssize, ivsize, 1);
 	} else {
 		u8 *iv = (u8 *)aead_request_ctx(req) + tctx->ivoffset;
-		int ivsize = crypto_aead_ivsize(tfm);
-		int ssize = req->assoclen - ivsize;
 		struct scatterlist *sg;
 		int nents;
 
-		if (ssize < 0)
-			return -EINVAL;
-
 		nents = sg_nents_for_len(req->src, ssize);
 		if (nents < 0)
 			return -EINVAL;
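
Review bot: The changelog does not say what reached
scatterwalk_map_and_copy() before this change. In the
`req->src == req->dst || !enc` branch the offset
`req->assoclen - crypto_aead_ivsize(tfm)` was passed with no lower
bound, while only the `else` branch rejected `ssize < 0`. A sentence
naming that branch and the effect of a short assoclen would help anyone
triaging the backport.
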
-- 
2.51.0




^ permalink raw reply related	[flat|nested] 234+ messages in thread

* [PATCH 5.4 098/224] tpm, tpm_tis: Claim locality before writing interrupt registers
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 097/224] crypto: essiv - Check ssize for decryption and in-place encryption Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 099/224] tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lino Sanfilippo, Jarkko Sakkinen,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lino Sanfilippo <l.sanfilippo@kunbus.com>

[ Upstream commit 15d7aa4e46eba87242a320f39773aa16faddadee ]

In tpm_tis_probe_single_irq() interrupt registers TPM_INT_VECTOR,
TPM_INT_STATUS and TPM_INT_ENABLE are modified to set up the interrupts.
Currently these modifications are done without holding a locality thus they
have no effect. Fix this by claiming the (default) locality before the
registers are written.

Since now tpm_tis_gen_interrupt() is called with the locality already
claimed remove locality request and release from this function.

Signed-off-by: Lino Sanfilippo <l.sanfilippo@kunbus.com>
Tested-by: Jarkko Sakkinen <jarkko@kernel.org>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Stable-dep-of: 8a81236f2cb0 ("tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/char/tpm/tpm_tis_core.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c
index a084f732c1804..60f4b8b9c6f14 100644
--- a/drivers/char/tpm/tpm_tis_core.c
+++ b/drivers/char/tpm/tpm_tis_core.c
@@ -633,16 +633,10 @@ static void tpm_tis_gen_interrupt(struct tpm_chip *chip)
 	cap_t cap;
 	int ret;
 
-	ret = request_locality(chip, 0);
-	if (ret < 0)
-		return;
-
 	if (chip->flags & TPM_CHIP_FLAG_TPM2)
 		ret = tpm2_get_tpm_pt(chip, 0x100, &cap2, desc);
 	else
 		ret = tpm1_getcap(chip, TPM_CAP_PROP_TIS_TIMEOUT, &cap, desc, 0);
-
-	release_locality(chip, 0);
 }
 
 /* Register the IRQ and issue a command that will cause an interrupt. If an
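
Review bot: tpm_tis_gen_interrupt() now relies on its caller holding
locality 0, but nothing at the function says so; a one-line comment
stating that precondition would keep a future caller from invoking it
unclaimed. After the removal, `ret` is assigned by tpm2_get_tpm_pt() or
tpm1_getcap() and never read, so it can be dropped or the result
reported.
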
@@ -665,10 +659,16 @@ static int tpm_tis_probe_irq_single(struct tpm_chip *chip, u32 intmask,
 	}
 	priv->irq = irq;
 
+	rc = request_locality(chip, 0);
+	if (rc < 0)
+		return rc;
+
 	rc = tpm_tis_read8(priv, TPM_INT_VECTOR(priv->locality),
 			   &original_int_vec);
-	if (rc < 0)
+	if (rc < 0) {
+		release_locality(chip, priv->locality);
 		return rc;
+	}
 
 	rc = tpm_tis_write8(priv, TPM_INT_VECTOR(priv->locality), irq);
 	if (rc < 0)
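
Review bot: Locality is claimed with `request_locality(chip, 0)` but
released with `release_locality(chip, priv->locality)`; use the same
expression on both sides so the pair stays matched if `priv->locality`
is ever non-zero. Only the tpm_tis_read8() failure path gains a release
here. The statement under the trailing `if (rc < 0)` after
tpm_tis_write8() lies outside the hunk, and if it returns directly the
locality stays claimed.
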
@@ -702,10 +702,12 @@ static int tpm_tis_probe_irq_single(struct tpm_chip *chip, u32 intmask,
 	if (!(chip->flags & TPM_CHIP_FLAG_IRQ)) {
 		tpm_tis_write8(priv, original_int_vec,
 			       TPM_INT_VECTOR(priv->locality));
-		return -1;
+		rc = -1;
 	}
 
-	return 0;
+	release_locality(chip, priv->locality);
+
+	return rc;
 }
 
 /* Try to find the IRQ the TPM is using. This is for legacy x86 systems that
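
Review bot: The final `return 0` becomes `return rc`, so on the success
path the function returns whatever the last call above this hunk stored
in `rc`. Please confirm every earlier call leaves 0 there, or set
`rc = 0` explicitly before the TPM_CHIP_FLAG_IRQ test. The failure
value is still a bare -1 rather than an errno.
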
-- 
2.51.0




^ permalink raw reply related	[flat|nested] 234+ messages in thread

* [PATCH 5.4 099/224] tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 098/224] tpm, tpm_tis: Claim locality before writing interrupt registers Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 100/224] ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Gunnar Kudrjavets, Justinien Bouron,
	Jarkko Sakkinen, Paul Menzel, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gunnar Kudrjavets <gunnarku@amazon.com>

[ Upstream commit 8a81236f2cb0882c7ea6c621ce357f7f3f601fe5 ]

The tpm_tis_write8() call specifies arguments in the wrong order. Should be
(data, addr, value) not (data, value, addr). The initial correct order
was changed during the major refactoring when the code was split.

Fixes: 41a5e1cf1fe1 ("tpm/tpm_tis: Split tpm_tis driver into a core and TCG TIS compliant phy")
Signed-off-by: Gunnar Kudrjavets <gunnarku@amazon.com>
Reviewed-by: Justinien Bouron <jbouron@amazon.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/char/tpm/tpm_tis_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c
index 60f4b8b9c6f14..b538db3052b77 100644
--- a/drivers/char/tpm/tpm_tis_core.c
+++ b/drivers/char/tpm/tpm_tis_core.c
@@ -700,8 +700,8 @@ static int tpm_tis_probe_irq_single(struct tpm_chip *chip, u32 intmask,
 	 * will call disable_irq which undoes all of the above.
 	 */
 	if (!(chip->flags & TPM_CHIP_FLAG_IRQ)) {
-		tpm_tis_write8(priv, original_int_vec,
-			       TPM_INT_VECTOR(priv->locality));
+		tpm_tis_write8(priv, TPM_INT_VECTOR(priv->locality),
+			       original_int_vec);
 		rc = -1;
 	}
 
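
Review bot: The return value of the corrected tpm_tis_write8() call is
still discarded, so a failed restore of `original_int_vec` goes
unreported while the function returns the same `rc = -1` either way.
Logging a warning when the restore write fails would make that case
visible.
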
-- 
2.51.0




^ permalink raw reply related	[flat|nested] 234+ messages in thread

* [PATCH 5.4 100/224] ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 099/224] tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 101/224] ACPI: debug: fix signedness issues in read/write helpers Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Daniel Tang, Mika Westerberg,
	Rafael J. Wysocki

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Tang <danielzgtg.opensource@gmail.com>

commit 4aac453deca0d9c61df18d968f8864c3ae7d3d8d upstream.

Previously, after `rmmod acpi_tad`, `modprobe acpi_tad` would fail
with this dmesg:

sysfs: cannot create duplicate filename '/devices/platform/ACPI000E:00/time'
Call Trace:
 <TASK>
 dump_stack_lvl+0x6c/0x90
 dump_stack+0x10/0x20
 sysfs_warn_dup+0x8b/0xa0
 sysfs_add_file_mode_ns+0x122/0x130
 internal_create_group+0x1dd/0x4c0
 sysfs_create_group+0x13/0x20
 acpi_tad_probe+0x147/0x1f0 [acpi_tad]
 platform_probe+0x42/0xb0
 </TASK>
acpi-tad ACPI000E:00: probe with driver acpi-tad failed with error -17

Fixes: 3230b2b3c1ab ("ACPI: TAD: Add low-level support for real time capability")
Signed-off-by: Daniel Tang <danielzgtg.opensource@gmail.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Link: https://patch.msgid.link/2881298.hMirdbgypa@daniel-desktop3
Cc: 5.2+ <stable@vger.kernel.org> # 5.2+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/acpi_tad.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/acpi/acpi_tad.c
+++ b/drivers/acpi/acpi_tad.c
@@ -563,6 +563,9 @@ static int acpi_tad_remove(struct platfo
 
 	pm_runtime_get_sync(dev);
 
+	if (dd->capabilities & ACPI_TAD_RT)
+		sysfs_remove_group(&dev->kobj, &acpi_tad_time_attr_group);
+
 	if (dd->capabilities & ACPI_TAD_DC_WAKE)
 		sysfs_remove_group(&dev->kobj, &acpi_tad_dc_attr_group);
 
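
Review bot: The new removal is keyed on
`dd->capabilities & ACPI_TAD_RT`, so it is only correct if probe creates
acpi_tad_time_attr_group under exactly the same condition. That side is
not in the hunk and is worth checking in the 5.4 tree before this is
applied.
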



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 101/224] ACPI: debug: fix signedness issues in read/write helpers
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 100/224] ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 102/224] arm64: dts: qcom: msm8916: Add missing MDSS reset Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Amir Mohammad Jahangirzad,
	Rafael J. Wysocki

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>

commit 496f9372eae14775e0524e83e952814691fe850a upstream.

In the ACPI debugger interface, the helper functions for read and write
operations use "int" as the length parameter data type. When a large
"size_t count" is passed from the file operations, this cast to "int"
results in truncation and a negative value due to signed integer
representation.

Logically, this negative number propagates to the min() calculation,
where it is selected over the positive buffer space value, leading to
unexpected behavior. Subsequently, when this negative value is used in
copy_to_user() or copy_from_user(), it is interpreted as a large positive
value due to the unsigned nature of the size parameter in these functions,
causing the copy operations to attempt handling sizes far beyond the
intended buffer limits.

Address the issue by:
 - Changing the length parameters in acpi_aml_read_user() and
   acpi_aml_write_user() from "int" to "size_t", aligning with the
   expected unsigned size semantics.
 - Updating return types and local variables in acpi_aml_read() and
   acpi_aml_write() to "ssize_t" for consistency with kernel file
   operation conventions.
 - Using "size_t" for the "n" variable to ensure calculations remain
   unsigned.
 - Using min_t() for circ_count_to_end() and circ_space_to_end() to
   ensure type-safe comparisons and prevent integer overflow.

Signed-off-by: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
Link: https://patch.msgid.link/20250923013113.20615-1-a.jahangirzad@gmail.com
[ rjw: Changelog tweaks, local variable definitions ordering adjustments ]
Fixes: 8cfb0cdf07e2 ("ACPI / debugger: Add IO interface to access debugger functionalities")
Cc: 4.5+ <stable@vger.kernel.org> # 4.5+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/acpi_dbg.c |   26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

--- a/drivers/acpi/acpi_dbg.c
+++ b/drivers/acpi/acpi_dbg.c
@@ -576,11 +576,11 @@ static int acpi_aml_release(struct inode
 	return 0;
 }
 
-static int acpi_aml_read_user(char __user *buf, int len)
+static ssize_t acpi_aml_read_user(char __user *buf, size_t len)
 {
-	int ret;
 	struct circ_buf *crc = &acpi_aml_io.out_crc;
-	int n;
+	ssize_t ret;
+	size_t n;
 	char *p;
 
 	ret = acpi_aml_lock_read(crc, ACPI_AML_OUT_USER);
@@ -589,7 +589,7 @@ static int acpi_aml_read_user(char __use
 	/* sync head before removing logs */
 	smp_rmb();
 	p = &crc->buf[crc->tail];
-	n = min(len, circ_count_to_end(crc));
+	n = min_t(size_t, len, circ_count_to_end(crc));
 	if (copy_to_user(buf, p, n)) {
 		ret = -EFAULT;
 		goto out;
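
Review bot: `min_t(size_t, ...)` casts both operands, so the result of
circ_count_to_end(crc) is converted to size_t as well. That is safe only
while the macro never yields a negative value, since a negative count
would become a huge length for copy_to_user(). A short comment stating
that assumption would keep the cast from hiding a future regression.
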
@@ -606,8 +606,8 @@ out:
 static ssize_t acpi_aml_read(struct file *file, char __user *buf,
 			     size_t count, loff_t *ppos)
 {
-	int ret = 0;
-	int size = 0;
+	ssize_t ret = 0;
+	ssize_t size = 0;
 
 	if (!count)
 		return 0;
@@ -646,11 +646,11 @@ again:
 	return size > 0 ? size : ret;
 }
 
-static int acpi_aml_write_user(const char __user *buf, int len)
+static ssize_t acpi_aml_write_user(const char __user *buf, size_t len)
 {
-	int ret;
 	struct circ_buf *crc = &acpi_aml_io.in_crc;
-	int n;
+	ssize_t ret;
+	size_t n;
 	char *p;
 
 	ret = acpi_aml_lock_write(crc, ACPI_AML_IN_USER);
@@ -659,7 +659,7 @@ static int acpi_aml_write_user(const cha
 	/* sync tail before inserting cmds */
 	smp_mb();
 	p = &crc->buf[crc->head];
-	n = min(len, circ_space_to_end(crc));
+	n = min_t(size_t, len, circ_space_to_end(crc));
 	if (copy_from_user(p, buf, n)) {
 		ret = -EFAULT;
 		goto out;
@@ -670,14 +670,14 @@ static int acpi_aml_write_user(const cha
 	ret = n;
 out:
 	acpi_aml_unlock_fifo(ACPI_AML_IN_USER, ret >= 0);
-	return n;
+	return ret;
 }
 
 static ssize_t acpi_aml_write(struct file *file, const char __user *buf,
 			      size_t count, loff_t *ppos)
 {
-	int ret = 0;
-	int size = 0;
+	ssize_t ret = 0;
+	ssize_t size = 0;
 
 	if (!count)
 		return 0;
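
Review bot: Replacing `return n` with `return ret` in
acpi_aml_write_user() changes what the caller sees on the -EFAULT path,
where `ret` was set to the error but `n` was returned. This behavioural
fix is not among the four items listed in the changelog and should be
mentioned there.
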



^ permalink raw reply	[flat|nested] 234+ messages in thread
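
The truncation described in the 101/224 changelog, reproduced in user space as an added example (not code from the patch or from the kernel). RING_SIZE, count_to_end(), copy_len_before() and copy_len_after() are hypothetical names that model the int-based and size_t-based helpers; the inputs are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define RING_SIZE 4096	/* assumed power-of-two ring size (hypothetical) */

/* Bytes readable from tail up to the end of the ring, as an int,
 * mirroring what a circ_count_to_end()-style helper returns. */
static int count_to_end(int head, int tail)
{
	int end = RING_SIZE - tail;
	int n = (head + end) & (RING_SIZE - 1);

	return n < end ? n : end;
}

/* Pre-fix shape: "int len" parameter, int min(), unsigned copy size. */
static size_t copy_len_before(size_t count, int head, int tail)
{
	/* Narrowing is implementation-defined in C; GCC and Clang wrap
	 * modulo 2^32, which is the behaviour the changelog describes. */
	int len = (int)count;
	int avail = count_to_end(head, tail);
	int n = len < avail ? len : avail;	/* a negative len wins */

	return (size_t)n;	/* what an unsigned copy size would receive */
}

/* Post-fix shape: size_t throughout, compared as size_t (min_t). */
static size_t copy_len_after(size_t count, int head, int tail)
{
	size_t avail = (size_t)count_to_end(head, tail);

	return count < avail ? count : avail;
}

int main(void)
{
	/* Constructed inputs: 100 bytes queued, caller asks for various sizes. */
	size_t counts[] = { 50, 100, 5000, (size_t)INT_MAX + 1 };
	size_t i;

	for (i = 0; i < sizeof(counts) / sizeof(counts[0]); i++)
		printf("count=%zu before=%zu after=%zu\n", counts[i],
		       copy_len_before(counts[i], 100, 0),
		       copy_len_after(counts[i], 100, 0));
	return 0;
}
```

For ordinary request sizes both shapes agree; only a count above INT_MAX makes the old shape produce a length larger than the ring.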

* [PATCH 5.4 102/224] arm64: dts: qcom: msm8916: Add missing MDSS reset
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 101/224] ACPI: debug: fix signedness issues in read/write helpers Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 103/224] xen/manage: Fix suspend error path Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Stephan Gerhold, Dmitry Baryshkov,
	Konrad Dybcio, Bjorn Andersson

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephan Gerhold <stephan.gerhold@linaro.org>

commit 99b78773c2ae55dcc01025f94eae8ce9700ae985 upstream.

On most MSM8916 devices (aside from the DragonBoard 410c), the bootloader
already initializes the display to show the boot splash screen. In this
situation, MDSS is already configured and left running when starting Linux.
To avoid side effects from the bootloader configuration, the MDSS reset can
be specified in the device tree to start again with a clean hardware state.

The reset for MDSS is currently missing in msm8916.dtsi, which causes
errors when the MDSS driver tries to re-initialize the registers:

 dsi_err_worker: status=6
 dsi_err_worker: status=6
 dsi_err_worker: status=6
 ...

It turns out that we have always indirectly worked around this by building
the MDSS driver as a module. Before v6.17, the power domain was temporarily
turned off until the module was loaded, long enough to clear the register
contents. In v6.17, power domains are not turned off during boot until
sync_state() happens, so this is no longer working. Even before v6.17 this
resulted in broken behavior, but notably only when the MDSS driver was
built-in instead of a module.

Cc: stable@vger.kernel.org
Fixes: 305410ffd1b2 ("arm64: dts: msm8916: Add display support")
Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250915-msm8916-resets-v1-1-a5c705df0c45@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/boot/dts/qcom/msm8916.dtsi |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi
+++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi
@@ -1599,6 +1599,8 @@
 		hexagon_smp2p_in: slave-kernel {
 			qcom,entry-name = "slave-kernel";
 
+			resets = <&gcc GCC_MDSS_BCR>;
+
 			interrupt-controller;
 			#interrupt-cells = <2>;
 		};
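
Review bot: The added `resets = <&gcc GCC_MDSS_BCR>;` lands in the
`hexagon_smp2p_in: slave-kernel` node, next to `qcom,entry-name` and
`interrupt-controller`, whereas the changelog describes a reset for
MDSS. Please check that the hunk did not apply at the wrong offset in
the 5.4 msm8916.dtsi and move the property into the MDSS node if so.
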



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 103/224] xen/manage: Fix suspend error path
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 102/224] arm64: dts: qcom: msm8916: Add missing MDSS reset Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 104/224] firmware: meson_sm: fix device leak at probe Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lukas Wunner,
	Rafael J. Wysocki (Intel), Juergen Gross

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit f770c3d858687252f1270265ba152d5c622e793f upstream.

The device power management API has the following asymmetry:
* dpm_suspend_start() does not clean up on failure
  (it requires a call to dpm_resume_end())
* dpm_suspend_end() does clean up on failure
  (it does not require a call to dpm_resume_start())

The asymmetry was introduced by commit d8f3de0d2412 ("Suspend-related
patches for 2.6.27") in June 2008:  It removed a call to device_resume()
from device_suspend() (which was later renamed to dpm_suspend_start()).

When Xen began using the device power management API in May 2008 with
commit 0e91398f2a5d ("xen: implement save/restore"), the asymmetry did
not yet exist.  But since it was introduced, a call to dpm_resume_end()
is missing in the error path of dpm_suspend_start().  Fix it.

Fixes: d8f3de0d2412 ("Suspend-related patches for 2.6.27")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org  # v2.6.27
Reviewed-by: "Rafael J. Wysocki (Intel)" <rafael@kernel.org>
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <22453676d1ddcebbe81641bb68ddf587fee7e21e.1756990799.git.lukas@wunner.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/xen/manage.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/xen/manage.c
+++ b/drivers/xen/manage.c
@@ -116,7 +116,7 @@ static void do_suspend(void)
 	err = dpm_suspend_start(PMSG_FREEZE);
 	if (err) {
 		pr_err("%s: dpm_suspend_start %d\n", __func__, err);
-		goto out_thaw;
+		goto out_resume_end;
 	}
 
 	printk(KERN_DEBUG "suspending xenstore...\n");
@@ -156,6 +156,7 @@ out_resume:
 	else
 		xs_suspend_cancel();
 
+out_resume_end:
 	dpm_resume_end(si.cancelled ? PMSG_THAW : PMSG_RESTORE);
 
 out_thaw:
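
Review bot: The new `out_resume_end` label reads `si.cancelled` to
choose between PMSG_THAW and PMSG_RESTORE, and the dpm_suspend_start()
failure path now jumps there before any assignment to `si.cancelled`
appears in these hunks. Please confirm it is initialised on that path,
or set it before the `goto`.
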



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 104/224] firmware: meson_sm: fix device leak at probe
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 103/224] xen/manage: Fix suspend error path Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 105/224] media: i2c: mt9v111: fix incorrect type for ret Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Carlo Caione, Johan Hovold,
	Martin Blumenstingl, Neil Armstrong

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 8ece3173f87df03935906d0c612c2aeda9db92ca upstream.

Make sure to drop the reference to the secure monitor device taken by
of_find_device_by_node() when looking up its driver data on behalf of
other drivers (e.g. during probe).

Note that holding a reference to the platform device does not prevent
its driver data from going away so there is no point in keeping the
reference after the helper returns.

Fixes: 8cde3c2153e8 ("firmware: meson_sm: Rework driver as a proper platform driver")
Cc: stable@vger.kernel.org	# 5.5
Cc: Carlo Caione <ccaione@baylibre.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Link: https://lore.kernel.org/r/20250725074019.8765-1-johan@kernel.org
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/firmware/meson/meson_sm.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/firmware/meson/meson_sm.c
+++ b/drivers/firmware/meson/meson_sm.c
@@ -223,11 +223,16 @@ EXPORT_SYMBOL(meson_sm_call_write);
 struct meson_sm_firmware *meson_sm_get(struct device_node *sm_node)
 {
 	struct platform_device *pdev = of_find_device_by_node(sm_node);
+	struct meson_sm_firmware *fw;
 
 	if (!pdev)
 		return NULL;
 
-	return platform_get_drvdata(pdev);
+	fw = platform_get_drvdata(pdev);
+
+	put_device(&pdev->dev);
+
+	return fw;
 }
 EXPORT_SYMBOL_GPL(meson_sm_get);
 
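
Review bot: meson_sm_get() now returns a pointer with no reference
backing it, which the changelog explains but the code does not. A
comment above the function saying that the caller gets no device
reference and that the driver data may go away would document the
contract for the other drivers that call it.
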



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 105/224] media: i2c: mt9v111: fix incorrect type for ret
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 104/224] firmware: meson_sm: fix device leak at probe Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 106/224] drm/nouveau: fix bad ret code in nouveau_bo_move_prep Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Qianfeng Rong, Jacopo Mondi,
	Sakari Ailus, Hans Verkuil

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Qianfeng Rong <rongqianfeng@vivo.com>

commit bacd713145443dce7764bb2967d30832a95e5ec8 upstream.

Change "ret" from unsigned int to int type in mt9v111_calc_frame_rate()
to store negative error codes or zero returned by __mt9v111_hw_reset()
and other functions.

Storing the negative error codes in an unsigned type doesn't cause an issue
at runtime but it's ugly as pants.

No effect on runtime.

Signed-off-by: Qianfeng Rong <rongqianfeng@vivo.com>
Fixes: aab7ed1c3927 ("media: i2c: Add driver for Aptina MT9V111")
Cc: stable@vger.kernel.org
Reviewed-by: Jacopo Mondi <jacopo.mondi@ideasonboard.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/i2c/mt9v111.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/i2c/mt9v111.c
+++ b/drivers/media/i2c/mt9v111.c
@@ -534,8 +534,8 @@ static int mt9v111_calc_frame_rate(struc
 static int mt9v111_hw_config(struct mt9v111_dev *mt9v111)
 {
 	struct i2c_client *c = mt9v111->client;
-	unsigned int ret;
 	u16 outfmtctrl2;
+	int ret;
 
 	/* Force device reset. */
 	ret = __mt9v111_hw_reset(mt9v111);
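
Review bot: The changelog names mt9v111_calc_frame_rate(), but the
changed declaration is in mt9v111_hw_config(), the function whose
opening lines form the hunk's context. The message should name the
function actually touched.
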



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 106/224] drm/nouveau: fix bad ret code in nouveau_bo_move_prep
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 105/224] media: i2c: mt9v111: fix incorrect type for ret Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 107/224] cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request() Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Petr Vorel, Shuhao Fu,
	Danilo Krummrich

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shuhao Fu <sfual@cse.ust.hk>

commit e4bea919584ff292c9156cf7d641a2ab3cbe27b0 upstream.

In `nouveau_bo_move_prep`, if `nouveau_mem_map` fails, an error code
should be returned. Currently, it returns zero even if vmm addr is not
correctly mapped.

Cc: stable@vger.kernel.org
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Shuhao Fu <sfual@cse.ust.hk>
Fixes: 9ce523cc3bf2 ("drm/nouveau: separate buffer object backing memory from nvkm structures")
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/nouveau/nouveau_bo.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/nouveau/nouveau_bo.c
+++ b/drivers/gpu/drm/nouveau/nouveau_bo.c
@@ -1122,7 +1122,7 @@ done:
 		nvif_vmm_put(vmm, &old_mem->vma[1]);
 		nvif_vmm_put(vmm, &old_mem->vma[0]);
 	}
-	return 0;
+	return ret;
 }
 
 static int
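
Review bot: With `return ret` after the `done:` label, the success path
returns whatever `ret` last held. The assignments are outside the hunk,
so please confirm `ret` is 0 whenever the function reaches `done:`
without an error.
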



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 107/224] cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 106/224] drm/nouveau: fix bad ret code in nouveau_bo_move_prep Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 108/224] crypto: atmel - Fix dma_unmap_sg() direction Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Zihuan Zhang

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

commit 69e5d50fcf4093fb3f9f41c4f931f12c2ca8c467 upstream.

The cpufreq_cpu_put() call in update_qos_request() takes place too early
because the latter subsequently calls freq_qos_update_request() that
indirectly accesses the policy object in question through the QoS request
object passed to it.

Fortunately, update_qos_request() is called under intel_pstate_driver_lock,
so this issue does not matter for changing the intel_pstate operation
mode, but it theoretically can cause a crash to occur on CPU device hot
removal (which currently can only happen in virt, but it is formally
supported nevertheless).

Address this issue by modifying update_qos_request() to drop the
reference to the policy later.

Fixes: da5c504c7aae ("cpufreq: intel_pstate: Implement QoS supported freq constraints")
Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Zihuan Zhang <zhangzihuan@kylinos.cn>
Link: https://patch.msgid.link/2255671.irdbgypaU6@rafael.j.wysocki
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/cpufreq/intel_pstate.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -1092,10 +1092,10 @@ static void update_qos_request(enum freq
 			continue;
 
 		req = policy->driver_data;
-		cpufreq_cpu_put(policy);
-
-		if (!req)
+		if (!req) {
+			cpufreq_cpu_put(policy);
 			continue;
+		}
 
 		if (hwp_active)
 			intel_pstate_get_hwp_max(i, &turbo_max, &max_state);
@@ -1114,6 +1114,8 @@ static void update_qos_request(enum freq
 
 		if (freq_qos_update_request(req, freq) < 0)
 			pr_warn("Failed to update freq constraint: CPU%d\n", i);
+
+		cpufreq_cpu_put(policy);
 	}
 }
 
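
Review bot: cpufreq_cpu_put(policy) now sits at the bottom of the loop
body, with a second copy in the `!req` branch, so any `continue` in the
lines between the two hunks would skip the put and leak the policy
reference. A single exit point for the iteration would make the pairing
with the get easier to audit.
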



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 108/224] crypto: atmel - Fix dma_unmap_sg() direction
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 107/224] cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request() Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 109/224] iio: dac: ad5360: use int type to store negative error codes Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Herbert Xu

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Fourier <fourier.thomas@gmail.com>

commit f5d643156ef62216955c119216d2f3815bd51cb1 upstream.

It seems like everywhere in this file, dd->in_sg is mapped with
DMA_TO_DEVICE and dd->out_sg is mapped with DMA_FROM_DEVICE.

Fixes: 13802005d8f2 ("crypto: atmel - add Atmel DES/TDES driver")
Cc: <stable@vger.kernel.org>
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/atmel-tdes.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/crypto/atmel-tdes.c
+++ b/drivers/crypto/atmel-tdes.c
@@ -565,7 +565,7 @@ static int atmel_tdes_crypt_start(struct
 
 	if (err && (dd->flags & TDES_FLAGS_FAST)) {
 		dma_unmap_sg(dd->dev, dd->in_sg, 1, DMA_TO_DEVICE);
-		dma_unmap_sg(dd->dev, dd->out_sg, 1, DMA_TO_DEVICE);
+		dma_unmap_sg(dd->dev, dd->out_sg, 1, DMA_FROM_DEVICE);
 	}
 
 	return err;
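
Review bot: The changelog justifies the direction with "It seems like
everywhere in this file" without pointing at the dma_map_sg() call that
maps `dd->out_sg`. Citing that call would let a reviewer verify
DMA_FROM_DEVICE from the message alone, since the unmap direction has to
match the map.
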



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 109/224] iio: dac: ad5360: use int type to store negative error codes
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 108/224] crypto: atmel - Fix dma_unmap_sg() direction Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 110/224] iio: dac: ad5421: " Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Qianfeng Rong, Andy Shevchenko,
	Stable, Jonathan Cameron

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Qianfeng Rong <rongqianfeng@vivo.com>

commit f9381ece76de999a2065d5b4fdd87fa17883978c upstream.

Change the 'ret' variable in ad5360_update_ctrl() from unsigned int to
int, as it needs to store either negative error codes or zero returned
by ad5360_write_unlocked().

Fixes: a3e2940c24d3 ("staging:iio:dac: Add AD5360 driver")
Signed-off-by: Qianfeng Rong <rongqianfeng@vivo.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Link: https://patch.msgid.link/20250901135726.17601-2-rongqianfeng@vivo.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/dac/ad5360.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/dac/ad5360.c
+++ b/drivers/iio/dac/ad5360.c
@@ -259,7 +259,7 @@ static int ad5360_update_ctrl(struct iio
 	unsigned int clr)
 {
 	struct ad5360_state *st = iio_priv(indio_dev);
-	unsigned int ret;
+	int ret;
 
 	mutex_lock(&indio_dev->mlock);
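
Review bot: the commit message carries a Fixes: tag but does not say what actually misbehaved with `unsigned int ret;`. ad5360_update_ctrl() is declared `static int`, so please state whether a `ret < 0` test or a caller was affected or whether this is a type-correctness cleanup, since that decides how urgently it belongs in stable.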
 



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 110/224] iio: dac: ad5421: use int type to store negative error codes
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 109/224] iio: dac: ad5360: use int type to store negative error codes Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 111/224] iio: frequency: adf4350: Fix prescaler usage Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Qianfeng Rong, Andy Shevchenko,
	Stable, Jonathan Cameron

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Qianfeng Rong <rongqianfeng@vivo.com>

commit 3379c900320954d768ed9903691fb2520926bbe3 upstream.

Change the 'ret' variable in ad5421_update_ctrl() from unsigned int to
int, as it needs to store either negative error codes or zero returned
by ad5421_write_unlocked().

Fixes: 5691b23489db ("staging:iio:dac: Add AD5421 driver")
Signed-off-by: Qianfeng Rong <rongqianfeng@vivo.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Link: https://patch.msgid.link/20250901135726.17601-3-rongqianfeng@vivo.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/dac/ad5421.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/dac/ad5421.c
+++ b/drivers/iio/dac/ad5421.c
@@ -183,7 +183,7 @@ static int ad5421_update_ctrl(struct iio
 	unsigned int clr)
 {
 	struct ad5421_state *st = iio_priv(indio_dev);
-	unsigned int ret;
+	int ret;
 
 	mutex_lock(&indio_dev->mlock);
 



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 111/224] iio: frequency: adf4350: Fix prescaler usage.
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 110/224] iio: dac: ad5421: " Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 112/224] lib/genalloc: fix device leak in of_gen_pool_get() Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Hennerich, Nuno Sá,
	Andy Shevchenko, Stable, Jonathan Cameron

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Hennerich <michael.hennerich@analog.com>

commit 33d7ecbf69aa7dd4145e3b77962bcb8759eede3d upstream.

The ADF4350/1 features a programmable dual-modulus prescaler of 4/5 or 8/9.
When set to 4/5, the maximum RF frequency allowed is 3 GHz.
Therefore, when operating the ADF4351 above 3 GHz, this must be set to 8/9.
In this context not the RF output frequency is meant
- it's the VCO frequency.

Therefore move the prescaler selection after we derived the VCO frequency
from the desired RF output frequency.

This BUG may have caused PLL lock instabilities when operating the VCO at
the very high range close to 4.4 GHz.

Fixes: e31166f0fd48 ("iio: frequency: New driver for Analog Devices ADF4350/ADF4351 Wideband Synthesizers")
Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Link: https://patch.msgid.link/20250829-adf4350-fix-v2-1-0bf543ba797d@analog.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/frequency/adf4350.c |   20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

--- a/drivers/iio/frequency/adf4350.c
+++ b/drivers/iio/frequency/adf4350.c
@@ -137,6 +137,19 @@ static int adf4350_set_freq(struct adf43
 	if (freq > ADF4350_MAX_OUT_FREQ || freq < st->min_out_freq)
 		return -EINVAL;
 
+	st->r4_rf_div_sel = 0;
+
+	/*
+	 * !\TODO: The below computation is making sure we get a power of 2
+	 * shift (st->r4_rf_div_sel) so that freq becomes higher or equal to
+	 * ADF4350_MIN_VCO_FREQ. This might be simplified with fls()/fls_long()
+	 * and friends.
+	 */
+	while (freq < ADF4350_MIN_VCO_FREQ) {
+		freq <<= 1;
+		st->r4_rf_div_sel++;
+	}
+
 	if (freq > ADF4350_MAX_FREQ_45_PRESC) {
 		prescaler = ADF4350_REG1_PRESCALER;
 		mdiv = 75;
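
Review bot: after this move the `if (freq > ADF4350_MAX_FREQ_45_PRESC)` test compares the VCO frequency rather than the requested output frequency, yet the variable is still called freq and the new comment block only discusses the shift loop. Add a line at the prescaler test saying that freq has already been scaled to the VCO frequency there, which is the point of the fix. The `!\TODO:` remark about fls()/fls_long() is a separate cleanup idea and uses a non-standard marker; a plain `TODO:` would be easier to grep.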
@@ -145,13 +158,6 @@ static int adf4350_set_freq(struct adf43
 		mdiv = 23;
 	}
 
-	st->r4_rf_div_sel = 0;
-
-	while (freq < ADF4350_MIN_VCO_FREQ) {
-		freq <<= 1;
-		st->r4_rf_div_sel++;
-	}
-
 	/*
 	 * Allow a predefined reference division factor
 	 * if not set, compute our own



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 112/224] lib/genalloc: fix device leak in of_gen_pool_get()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 111/224] iio: frequency: adf4350: Fix prescaler usage Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 113/224] parisc: dont reference obsolete termio struct for TC* constants Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Johan Hovold, Philipp Zabel,
	Vladimir Zapolskiy, Andrew Morton

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 1260cbcffa608219fc9188a6cbe9c45a300ef8b5 upstream.

Make sure to drop the reference taken when looking up the genpool platform
device in of_gen_pool_get() before returning the pool.

Note that holding a reference to a device does typically not prevent its
devres managed resources from being released so there is no point in
keeping the reference.

Link: https://lkml.kernel.org/r/20250924080207.18006-1-johan@kernel.org
Fixes: 9375db07adea ("genalloc: add devres support, allow to find a managed pool by device")
Signed-off-by: Johan Hovold <johan@kernel.org>
Cc: Philipp Zabel <p.zabel@pengutronix.de>
Cc: Vladimir Zapolskiy <vz@mleia.com>
Cc: <stable@vger.kernel.org>	[3.10+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 lib/genalloc.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/lib/genalloc.c
+++ b/lib/genalloc.c
@@ -892,8 +892,11 @@ struct gen_pool *of_gen_pool_get(struct
 		if (!name)
 			name = np_pool->name;
 	}
-	if (pdev)
+	if (pdev) {
 		pool = gen_pool_get(&pdev->dev, name);
+		put_device(&pdev->dev);
+	}
+
 	of_node_put(np_pool);
 
 	return pool;
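
Review bot: put_device(&pdev->dev) now runs before the pool that was looked up through that device is returned, and nothing at the call site says why that is safe. The reasoning is only in the commit message (a device reference does not keep devres-managed resources alive); a one-line comment to that effect above put_device() would stop the drop from reading like a use-after-put.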



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 113/224] parisc: dont reference obsolete termio struct for TC* constants
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 112/224] lib/genalloc: fix device leak in of_gen_pool_get() Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 114/224] scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl() Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Sam James, Helge Deller,
	Stian Halseth

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sam James <sam@gentoo.org>

commit 8ec5a066f88f89bd52094ba18792b34c49dcd55a upstream.

Similar in nature to ab107276607af90b13a5994997e19b7b9731e251. glibc-2.42
drops the legacy termio struct, but the ioctls.h header still defines some
TC* constants in terms of termio (via sizeof). Hardcode the values instead.

This fixes building Python for example, which falls over like:
  ./Modules/termios.c:1119:16: error: invalid application of 'sizeof' to incomplete type 'struct termio'

Link: https://bugs.gentoo.org/961769
Link: https://bugs.gentoo.org/962600
Co-authored-by: Stian Halseth <stian@itx.no>
Cc: stable@vger.kernel.org
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/parisc/include/uapi/asm/ioctls.h |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/parisc/include/uapi/asm/ioctls.h
+++ b/arch/parisc/include/uapi/asm/ioctls.h
@@ -10,10 +10,10 @@
 #define TCSETS		_IOW('T', 17, struct termios) /* TCSETATTR */
 #define TCSETSW		_IOW('T', 18, struct termios) /* TCSETATTRD */
 #define TCSETSF		_IOW('T', 19, struct termios) /* TCSETATTRF */
-#define TCGETA		_IOR('T', 1, struct termio)
-#define TCSETA		_IOW('T', 2, struct termio)
-#define TCSETAW		_IOW('T', 3, struct termio)
-#define TCSETAF		_IOW('T', 4, struct termio)
+#define TCGETA          0x40125401
+#define TCSETA          0x80125402
+#define TCSETAW         0x80125403
+#define TCSETAF         0x80125404
 #define TCSBRK		_IO('T', 5)
 #define TCXONC		_IO('T', 6)
 #define TCFLSH		_IO('T', 7)
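
Review bot: the four new TCGETA/TCSETA/TCSETAW/TCSETAF values are bare magic numbers with no comment. Add one saying they are the former _IOR/_IOW('T', 1..4, struct termio) encodings frozen as constants (0x54 is 'T', the low byte is the command number, and 0x12 in the size field is presumably the old sizeof(struct termio)), so a later reader can check them. The new lines also separate name and value with spaces where the neighbouring defines use tabs.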



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 114/224] scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 113/224] parisc: dont reference obsolete termio struct for TC* constants Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 115/224] sctp: Fix MAC comparison to be constant-time Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Don Brace,
	Martin K. Petersen

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Blum <thorsten.blum@linux.dev>

commit b81296591c567b12d3873b05a37b975707959b94 upstream.

Replace kmalloc() followed by copy_from_user() with memdup_user() to fix
a memory leak that occurs when copy_from_user(buff[sg_used],,) fails and
the 'cleanup1:' path does not free the memory for 'buff[sg_used]'. Using
memdup_user() avoids this by freeing the memory internally.

Since memdup_user() already allocates memory, use kzalloc() in the else
branch instead of manually zeroing 'buff[sg_used]' using memset(0).

Cc: stable@vger.kernel.org
Fixes: edd163687ea5 ("[SCSI] hpsa: add driver for HP Smart Array controllers.")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Acked-by: Don Brace <don.brace@microchip.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/hpsa.c |   21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -6508,18 +6508,21 @@ static int hpsa_big_passthru_ioctl(struc
 	while (left) {
 		sz = (left > ioc->malloc_size) ? ioc->malloc_size : left;
 		buff_size[sg_used] = sz;
-		buff[sg_used] = kmalloc(sz, GFP_KERNEL);
-		if (buff[sg_used] == NULL) {
-			status = -ENOMEM;
-			goto cleanup1;
-		}
+
 		if (ioc->Request.Type.Direction & XFER_WRITE) {
-			if (copy_from_user(buff[sg_used], data_ptr, sz)) {
-				status = -EFAULT;
+			buff[sg_used] = memdup_user(data_ptr, sz);
+			if (IS_ERR(buff[sg_used])) {
+				status = PTR_ERR(buff[sg_used]);
+				goto cleanup1;
+			}
+		} else {
+			buff[sg_used] = kzalloc(sz, GFP_KERNEL);
+			if (!buff[sg_used]) {
+				status = -ENOMEM;
 				goto cleanup1;
 			}
-		} else
-			memset(buff[sg_used], 0, sz);
+		}
+
 		left -= sz;
 		data_ptr += sz;
 		sg_used++;
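
Review bot: on the XFER_WRITE failure path buff[sg_used] is left holding the ERR_PTR returned by memdup_user() when control jumps to cleanup1. That is only safe if cleanup1 frees indices strictly below sg_used, which the commit message implies but this hunk does not show; setting buff[sg_used] = NULL before the goto would keep a later change to the cleanup loop from passing an error pointer to kfree().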



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 115/224] sctp: Fix MAC comparison to be constant-time
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 114/224] scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl() Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 116/224] sparc64: fix hugetlb for sun4u Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Jakub Kicinski

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@kernel.org>

commit dd91c79e4f58fbe2898dac84858033700e0e99fb upstream.

To prevent timing attacks, MACs need to be compared in constant time.
Use the appropriate helper function for this.

Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Link: https://patch.msgid.link/20250818205426.30222-3-ebiggers@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/sm_make_chunk.c |    3 ++-
 net/sctp/sm_statefuns.c  |    3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -31,6 +31,7 @@
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
 #include <crypto/hash.h>
+#include <crypto/algapi.h>
 #include <linux/types.h>
 #include <linux/kernel.h>
 #include <linux/ip.h>
@@ -1758,7 +1759,7 @@ struct sctp_association *sctp_unpack_coo
 		}
 	}
 
-	if (memcmp(digest, cookie->signature, SCTP_SIGNATURE_SIZE)) {
+	if (crypto_memneq(digest, cookie->signature, SCTP_SIGNATURE_SIZE)) {
 		*error = -SCTP_IERROR_BAD_SIG;
 		goto fail;
 	}
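
Review bot: nothing at the crypto_memneq() call in sctp_unpack_cookie() records why it is not memcmp(). Add a short comment that the cookie signature is compared in constant time to avoid a timing side channel, so a later cleanup does not switch it back.
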
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -30,6 +30,7 @@
 
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
+#include <crypto/algapi.h>
 #include <linux/types.h>
 #include <linux/kernel.h>
 #include <linux/ip.h>
@@ -4303,7 +4304,7 @@ static enum sctp_ierror sctp_sf_authenti
 				 sh_key, GFP_ATOMIC);
 
 	/* Discard the packet if the digests do not match */
-	if (memcmp(save_digest, digest, sig_len)) {
+	if (crypto_memneq(save_digest, digest, sig_len)) {
 		kfree(save_digest);
 		return SCTP_IERROR_BAD_SIG;
 	}
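
Review bot: crypto_memneq(save_digest, digest, sig_len) is constant-time only for a given length, and sig_len is computed above the visible context. Please confirm, or note next to "Discard the packet if the digests do not match", that sig_len is the full digest length of the negotiated HMAC and has been validated against the received chunk before this point.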



^ permalink raw reply	[flat|nested] 234+ messages in thread
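
The constant-time requirement stated in the sctp commit message above, as an added user-space C sketch (not code from the patch or the kernel, and not the implementation of crypto_memneq()): it counts the bytes each comparison inspects as a stand-in for time. The function names, TAG_LEN and the sample tag are assumptions constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 20 /* constructed tag length for this example */

/* Comparator contract: nonzero means "differs"; *steps = bytes inspected. */
typedef int (*neq_fn)(const uint8_t *a, const uint8_t *b, size_t n,
		      size_t *steps);

/* memcmp()-style comparison: stops at the first mismatching byte, so the
 * amount of work reveals how long the matching prefix was. */
static int early_exit_neq(const uint8_t *a, const uint8_t *b, size_t n,
			  size_t *steps)
{
	for (size_t i = 0; i < n; i++) {
		if (a[i] != b[i]) {
			*steps = i + 1;
			return 1;
		}
	}
	*steps = n;
	return 0;
}

/* Constant-time style: accumulate the XOR of every byte pair and decide
 * once at the end; no branch or loop bound depends on the data. */
static int constant_time_neq(const uint8_t *a, const uint8_t *b, size_t n,
			     size_t *steps)
{
	uint8_t acc = 0;
	size_t i;

	for (i = 0; i < n; i++)
		acc |= (uint8_t)(a[i] ^ b[i]);
	*steps = i;
	return acc != 0;
}

/* Feed the comparator TAG_LEN forged tags, each wrong at a different byte
 * position, and return max-min of the work done. A nonzero spread is the
 * signal a timing attack measures. Returns (size_t)-1 if any forged tag is
 * wrongly accepted. */
static size_t work_spread(neq_fn neq)
{
	uint8_t expected[TAG_LEN], forged[TAG_LEN];
	size_t lo = (size_t)-1, hi = 0, steps = 0;

	for (size_t i = 0; i < TAG_LEN; i++)
		expected[i] = (uint8_t)(0xA0 + i); /* constructed sample tag */

	for (size_t pos = 0; pos < TAG_LEN; pos++) {
		memcpy(forged, expected, TAG_LEN);
		forged[pos] ^= 0xFF; /* first (and only) wrong byte at pos */
		if (!neq(expected, forged, TAG_LEN, &steps))
			return (size_t)-1;
		if (steps < lo)
			lo = steps;
		if (steps > hi)
			hi = steps;
	}
	return hi - lo;
}

int main(void)
{
	printf("early-exit spread:    %zu bytes\n", work_spread(early_exit_neq));
	printf("constant-time spread: %zu bytes\n",
	       work_spread(constant_time_neq));
	return 0;
}
```
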

* [PATCH 5.4 116/224] sparc64: fix hugetlb for sun4u
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 115/224] sctp: Fix MAC comparison to be constant-time Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 117/224] sparc: fix error handling in scan_one_device() Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Anthony Yznaga,
	John Paul Adrian Glaubitz, Andreas Larsson

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Anthony Yznaga <anthony.yznaga@oracle.com>

commit 6fd44a481b3c6111e4801cec964627791d0f3ec5 upstream.

An attempt to exercise sparc hugetlb code in a sun4u-based guest
running under qemu results in the guest hanging due to being stuck
in a trap loop. This is due to invalid hugetlb TTEs being installed
that do not have the expected _PAGE_PMD_HUGE and page size bits set.
Although the breakage has gone apparently unnoticed for several years,
fix it now so there is the option to exercise sparc hugetlb code under
qemu. This can be useful because sun4v support in qemu does not support
linux guests currently and sun4v-based hardware resources may not be
readily available.

Fix tested with 6.15.2 and 6.16-rc6 kernels by running libhugetlbfs
tests on a qemu guest running Debian 13.

Fixes: c7d9f77d33a7 ("sparc64: Multi-page size support")
Cc: stable@vger.kernel.org
Signed-off-by: Anthony Yznaga <anthony.yznaga@oracle.com>
Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Reviewed-by: Andreas Larsson <andreas@gaisler.com>
Link: https://lore.kernel.org/r/20250716012446.10357-1-anthony.yznaga@oracle.com
Signed-off-by: Andreas Larsson <andreas@gaisler.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/sparc/mm/hugetlbpage.c |   20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

--- a/arch/sparc/mm/hugetlbpage.c
+++ b/arch/sparc/mm/hugetlbpage.c
@@ -134,6 +134,26 @@ hugetlb_get_unmapped_area(struct file *f
 
 static pte_t sun4u_hugepage_shift_to_tte(pte_t entry, unsigned int shift)
 {
+	unsigned long hugepage_size = _PAGE_SZ4MB_4U;
+
+	pte_val(entry) = pte_val(entry) & ~_PAGE_SZALL_4U;
+
+	switch (shift) {
+	case HPAGE_256MB_SHIFT:
+		hugepage_size = _PAGE_SZ256MB_4U;
+		pte_val(entry) |= _PAGE_PMD_HUGE;
+		break;
+	case HPAGE_SHIFT:
+		pte_val(entry) |= _PAGE_PMD_HUGE;
+		break;
+	case HPAGE_64K_SHIFT:
+		hugepage_size = _PAGE_SZ64K_4U;
+		break;
+	default:
+		WARN_ONCE(1, "unsupported hugepage shift=%u\n", shift);
+	}
+
+	pte_val(entry) = pte_val(entry) | hugepage_size;
 	return entry;
 }
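
Review bot: the default: case warns about an unsupported shift but then leaves the switch and still ORs in hugepage_size, which at that point is the initial _PAGE_SZ4MB_4U, without _PAGE_PMD_HUGE. That yields a TTE with a size bit set and no huge-PMD bit for a size the function just reported as unsupported; either document that this is the intended fallback or handle the case explicitly. Minor: `pte_val(entry) = pte_val(entry) & ~_PAGE_SZALL_4U;` and the final OR would read more simply as &= and |=, matching the |= already used inside the switch.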
 



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 117/224] sparc: fix error handling in scan_one_device()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 116/224] sparc64: fix hugetlb for sun4u Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 118/224] mtd: rawnand: fsmc: Default to autodetect buswidth Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Andreas Larsson

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ma Ke <make24@iscas.ac.cn>

commit 302c04110f0ce70d25add2496b521132548cd408 upstream.

Once of_device_register() failed, we should call put_device() to
decrement reference count for cleanup. Or it could cause memory leak.
So fix this by calling put_device(), then the name can be freed in
kobject_cleanup().

Calling path: of_device_register() -> of_device_add() -> device_add().
As comment of device_add() says, 'if device_add() succeeds, you should
call device_del() when you want to get rid of it. If device_add() has
not succeeded, use only put_device() to drop the reference count'.

Found by code review.

Cc: stable@vger.kernel.org
Fixes: cf44bbc26cf1 ("[SPARC]: Beginnings of generic of_device framework.")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Reviewed-by: Andreas Larsson <andreas@gaisler.com>
Signed-off-by: Andreas Larsson <andreas@gaisler.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/sparc/kernel/of_device_32.c |    1 +
 arch/sparc/kernel/of_device_64.c |    1 +
 2 files changed, 2 insertions(+)

--- a/arch/sparc/kernel/of_device_32.c
+++ b/arch/sparc/kernel/of_device_32.c
@@ -387,6 +387,7 @@ static struct platform_device * __init s
 
 	if (of_device_register(op)) {
 		printk("%pOF: Could not register of device.\n", dp);
+		put_device(&op->dev);
 		kfree(op);
 		op = NULL;
 	}
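
Review bot: put_device(&op->dev) is immediately followed by kfree(op). If op->dev has a release callback that frees op, dropping the last reference here turns the kfree() into a double free; if it has none, the commit message should say so. The release path is not visible in this hunk, so please state which case applies (the same sequence is added in of_device_64.c).
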
--- a/arch/sparc/kernel/of_device_64.c
+++ b/arch/sparc/kernel/of_device_64.c
@@ -680,6 +680,7 @@ static struct platform_device * __init s
 
 	if (of_device_register(op)) {
 		printk("%pOF: Could not register of device.\n", dp);
+		put_device(&op->dev);
 		kfree(op);
 		op = NULL;
 	}



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 118/224] mtd: rawnand: fsmc: Default to autodetect buswidth
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 117/224] sparc: fix error handling in scan_one_device() Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 119/224] mmc: core: SPI mode remove cmd7 Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Linus Walleij, Miquel Raynal

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Walleij <linus.walleij@linaro.org>

commit b8df622cf7f6808c85764e681847150ed6d85f3d upstream.

If you don't specify buswidth 2 (16 bits) in the device
tree, FSMC doesn't even probe anymore:

fsmc-nand 10100000.flash: FSMC device partno 090,
  manufacturer 80, revision 00, config 00
nand: device found, Manufacturer ID: 0x20, Chip ID: 0xb1
nand: ST Micro 10100000.flash
nand: bus width 8 instead of 16 bits
nand: No NAND device found
fsmc-nand 10100000.flash: probe with driver fsmc-nand failed
  with error -22

With this patch to use autodetection unless buswidth is
specified, the device is properly detected again:

fsmc-nand 10100000.flash: FSMC device partno 090,
  manufacturer 80, revision 00, config 00
nand: device found, Manufacturer ID: 0x20, Chip ID: 0xb1
nand: ST Micro NAND 128MiB 1,8V 16-bit
nand: 128 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
fsmc-nand 10100000.flash: Using 1-bit HW ECC scheme
Scanning device for bad blocks

I don't know where or how this happened, I think some change
in the nand core.

Cc: stable@vger.kernel.org
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mtd/nand/raw/fsmc_nand.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/mtd/nand/raw/fsmc_nand.c
+++ b/drivers/mtd/nand/raw/fsmc_nand.c
@@ -861,10 +861,14 @@ static int fsmc_nand_probe_config_dt(str
 	if (!of_property_read_u32(np, "bank-width", &val)) {
 		if (val == 2) {
 			nand->options |= NAND_BUSWIDTH_16;
-		} else if (val != 1) {
+		} else if (val == 1) {
+			nand->options |= NAND_BUSWIDTH_AUTO;
+		} else {
 			dev_err(&pdev->dev, "invalid bank-width %u\n", val);
 			return -EINVAL;
 		}
+	} else {
+		nand->options |= NAND_BUSWIDTH_AUTO;
 	}
 
 	if (of_get_property(np, "nand-skip-bbtscan", NULL))
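
Review bot: the commit message says autodetection is used "unless buswidth is specified", but the `else if (val == 1)` branch sets NAND_BUSWIDTH_AUTO for an explicitly specified bank-width of 1 as well, so a device tree can no longer force an 8-bit bus. If that is intended, say so in the message and in a comment on that branch; otherwise leave val == 1 without the AUTO flag and set it only in the outer else.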



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 119/224] mmc: core: SPI mode remove cmd7
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 118/224] mtd: rawnand: fsmc: Default to autodetect buswidth Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 120/224] rtc: interface: Ensure alarm irq is enabled when UIE is enabled Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Rex Chen, Ulf Hansson

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rex Chen <rex.chen_1@nxp.com>

commit fec40f44afdabcbc4a7748e4278f30737b54bb1a upstream.

SPI mode doesn't support cmd7, so remove it in mmc_sdio_alive() and
confirm if sdio is active by checking CCCR register value is available
or not.

Signed-off-by: Rex Chen <rex.chen_1@nxp.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250728082230.1037917-2-rex.chen_1@nxp.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/core/sdio.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/mmc/core/sdio.c
+++ b/drivers/mmc/core/sdio.c
@@ -868,7 +868,11 @@ static void mmc_sdio_remove(struct mmc_h
  */
 static int mmc_sdio_alive(struct mmc_host *host)
 {
-	return mmc_select_card(host->card);
+	if (!mmc_host_is_spi(host))
+		return mmc_select_card(host->card);
+	else
+		return mmc_io_rw_direct(host->card, 0, 0, SDIO_CCCR_CCCR, 0,
+					NULL);
 }
 
 /*
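
Review bot: in the SPI branch mmc_io_rw_direct() is called with a NULL output pointer, so only the return code of the CCCR read serves as the liveness signal. A short comment at the call saying that CMD7 is not available in SPI mode and that a successful CCCR read stands in for it would make that clear. The `else` after `return mmc_select_card(host->card);` is redundant.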



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 120/224] rtc: interface: Ensure alarm irq is enabled when UIE is enabled
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 119/224] mmc: core: SPI mode remove cmd7 Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 121/224] rtc: interface: Fix long-standing race when setting alarm Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Esben Haabendal, Alexandre Belloni

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Esben Haabendal <esben@geanix.com>

commit 9db26d5855d0374d4652487bfb5aacf40821c469 upstream.

When setting a normal alarm, user-space is responsible for using
RTC_AIE_ON/RTC_AIE_OFF to control if alarm irq should be enabled.

But when RTC_UIE_ON is used, interrupts must be enabled so that the
requested irq events are generated.
When RTC_UIE_OFF is used, alarm irq is disabled if there are no other
alarms queued, so this commit brings symmetry to that.

Signed-off-by: Esben Haabendal <esben@geanix.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250516-rtc-uie-irq-fixes-v2-5-3de8e530a39e@geanix.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/rtc/interface.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/rtc/interface.c
+++ b/drivers/rtc/interface.c
@@ -577,6 +577,10 @@ int rtc_update_irq_enable(struct rtc_dev
 		rtc->uie_rtctimer.node.expires = ktime_add(now, onesec);
 		rtc->uie_rtctimer.period = ktime_set(1, 0);
 		err = rtc_timer_enqueue(rtc, &rtc->uie_rtctimer);
+		if (!err && rtc->ops && rtc->ops->alarm_irq_enable)
+			err = rtc->ops->alarm_irq_enable(rtc->dev.parent, 1);
+		if (err)
+			goto out;
 	} else {
 		rtc_timer_remove(rtc, &rtc->uie_rtctimer);
 	}
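
Review bot: when rtc_timer_enqueue() succeeds but ->alarm_irq_enable() then fails, the code jumps to out with uie_rtctimer still enqueued; the else branch shows rtc_timer_remove() is the matching undo. Remove the timer before `goto out` on that failure so a failed RTC_UIE_ON does not leave a periodic timer queued.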



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 121/224] rtc: interface: Fix long-standing race when setting alarm
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 120/224] rtc: interface: Ensure alarm irq is enabled when UIE is enabled Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 122/224] rseq/selftests: Use weak symbol reference, not definition, to link with glibc Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Esben Haabendal, Alexandre Belloni

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Esben Haabendal <esben@geanix.com>

commit 795cda8338eab036013314dbc0b04aae728880ab upstream.

As described in the old comment dating back to
commit 6610e0893b8b ("RTC: Rework RTC code to use timerqueue for events")
from 2010, we have been living with a race window when setting alarm
with an expiry in the near future (i.e. next second).
With 1 second resolution, it can happen that the second ticks after the
check for the timer having expired, but before the alarm is actually set.
When this happens, no alarm IRQ is generated, at least not with some RTC
chips (isl12022 is an example of this).

With UIE RTC timer being implemented on top of alarm irq, being re-armed
every second, UIE will occasionally fail to work, as an alarm irq lost
due to this race will stop the re-arming loop.

For now, I have limited the additional expiry check to only be done for
alarms set to next seconds. I expect it should be good enough, although I
don't know if we can know for sure that systems with loads could end up
causing the same problems for alarms set 2 seconds or even longer in the
future.

I haven't been able to reproduce the problem with this check in place.

Cc: stable@vger.kernel.org
Signed-off-by: Esben Haabendal <esben@geanix.com>
Link: https://lore.kernel.org/r/20250516-rtc-uie-irq-fixes-v2-1-3de8e530a39e@geanix.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/rtc/interface.c |   23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

--- a/drivers/rtc/interface.c
+++ b/drivers/rtc/interface.c
@@ -442,6 +442,29 @@ static int __rtc_set_alarm(struct rtc_de
 	else
 		err = rtc->ops->set_alarm(rtc->dev.parent, alarm);
 
+	/*
+	 * Check for potential race described above. If the waiting for next
+	 * second, and the second just ticked since the check above, either
+	 *
+	 * 1) It ticked after the alarm was set, and an alarm irq should be
+	 *    generated.
+	 *
+	 * 2) It ticked before the alarm was set, and alarm irq most likely will
+	 * not be generated.
+	 *
+	 * While we cannot easily check for which of these two scenarios we
+	 * are in, we can return -ETIME to signal that the timer has already
+	 * expired, which is true in both cases.
+	 */
+	if ((scheduled - now) <= 1) {
+		err = __rtc_read_time(rtc, &tm);
+		if (err)
+			return err;
+		now = rtc_tm_to_time64(&tm);
+		if (scheduled <= now)
+			return -ETIME;
+	}
+
 	trace_rtc_set_alarm(rtc_tm_to_time64(&alarm->time), err);
 	return err;
 }
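
Review bot: The new block stores the result of __rtc_read_time() in err, which overwrites whatever rtc->ops->set_alarm() returned just above it. If set_alarm() failed, the read succeeds and scheduled > now, the function now returns 0 for an alarm that was never programmed. Skip the re-check when err is already non-zero, or read into a separate variable. The early "return -ETIME" also bypasses trace_rtc_set_alarm(), so attempts lost to this race never appear in the trace; setting err = -ETIME and falling through would keep them visible. In the comment, "If the waiting for next second" should read "If we are waiting for the next second".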




* [PATCH 5.4 122/224] rseq/selftests: Use weak symbol reference, not definition, to link with glibc
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thomas Gleixner, Florian Weimer,
	Sean Christopherson, Mathieu Desnoyers

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit a001cd248ab244633c5fabe4f7c707e13fc1d1cc upstream.

Add "extern" to the glibc-defined weak rseq symbols to convert the rseq
selftest's usage from weak symbol definitions to weak symbol _references_.
Effectively re-defining the glibc symbols wreaks havoc when building with
-fno-common, e.g. generates segfaults when running multi-threaded programs,
as dynamically linked applications end up with multiple versions of the
symbols.

Building with -fcommon, which until recently has been the default for
GCC and clang, papers over the bug by allowing the linker to resolve the
weak/tentative definition to glibc's "real" definition.

Note, the symbol itself (or rather its address), not the value of the
symbol, is set to 0/NULL for unresolved weak symbol references, as the
symbol doesn't exist and thus can't have a value.  Check for a NULL rseq
size pointer to handle the scenario where the test is statically linked
against a libc that doesn't support rseq in any capacity.

Fixes: 3bcbc20942db ("selftests/rseq: Play nice with binaries statically linked against glibc 2.35+")
Reported-by: Thomas Gleixner <tglx@linutronix.de>
Suggested-by: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: stable@vger.kernel.org
Closes: https://lore.kernel.org/all/87frdoybk4.ffs@tglx
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/rseq/rseq.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/tools/testing/selftests/rseq/rseq.c
+++ b/tools/testing/selftests/rseq/rseq.c
@@ -38,9 +38,9 @@
  * Define weak versions to play nice with binaries that are statically linked
  * against a libc that doesn't support registering its own rseq.
  */
-__weak ptrdiff_t __rseq_offset;
-__weak unsigned int __rseq_size;
-__weak unsigned int __rseq_flags;
+extern __weak ptrdiff_t __rseq_offset;
+extern __weak unsigned int __rseq_size;
+extern __weak unsigned int __rseq_flags;
 
 static const ptrdiff_t *libc_rseq_offset_p = &__rseq_offset;
 static const unsigned int *libc_rseq_size_p = &__rseq_size;
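
Review bot: The block comment kept as context above these declarations still says "Define weak versions", but with extern added the three lines are weak references, not definitions. Update the comment to say so, and to note that the addresses evaluate to NULL when libc does not provide the symbols, since the libc_rseq_offset_p and libc_rseq_size_p initializers just below depend on exactly that.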
@@ -124,7 +124,7 @@ void rseq_init(void)
 	 * libc not having registered a restartable sequence.  Try to find the
 	 * symbols if that's the case.
 	 */
-	if (!*libc_rseq_size_p) {
+	if (!libc_rseq_size_p || !*libc_rseq_size_p) {
 		libc_rseq_offset_p = dlsym(RTLD_NEXT, "__rseq_offset");
 		libc_rseq_size_p = dlsym(RTLD_NEXT, "__rseq_size");
 		libc_rseq_flags_p = dlsym(RTLD_NEXT, "__rseq_flags");
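
Review bot: The guard in rseq_init() tests only libc_rseq_size_p for NULL, although libc_rseq_offset_p is initialized from a weak reference in the same way and libc_rseq_flags_p is assigned alongside both of them here. Either state in the comment that the three symbols are always resolved or unresolved together, or check each pointer before it is dereferenced. The existing comment also describes only the "libc not having registered a restartable sequence" case and should mention the unresolved-symbol case that the new !libc_rseq_size_p test handles.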




* [PATCH 5.4 123/224] PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Niklas Schnelle, Bjorn Helgaas,
	Benjamin Block, Farhan Ali, Julian Ruess

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Niklas Schnelle <schnelle@linux.ibm.com>

commit 05703271c3cdcc0f2a8cf6ebdc45892b8ca83520 upstream.

Before disabling SR-IOV via config space accesses to the parent PF,
sriov_disable() first removes the PCI devices representing the VFs.

Since commit 9d16947b7583 ("PCI: Add global pci_lock_rescan_remove()")
such removal operations are serialized against concurrent remove and
rescan using the pci_rescan_remove_lock. No such locking was ever added
in sriov_disable() however. In particular when commit 18f9e9d150fc
("PCI/IOV: Factor out sriov_add_vfs()") factored out the PCI device
removal into sriov_del_vfs() there was still no locking around the
pci_iov_remove_virtfn() calls.

On s390 the lack of serialization in sriov_disable() may cause double
remove and list corruption with the below (amended) trace being observed:

  PSW:  0704c00180000000 0000000c914e4b38 (klist_put+56)
  GPRS: 000003800313fb48 0000000000000000 0000000100000001 0000000000000001
	00000000f9b520a8 0000000000000000 0000000000002fbd 00000000f4cc9480
	0000000000000001 0000000000000000 0000000000000000 0000000180692828
	00000000818e8000 000003800313fe2c 000003800313fb20 000003800313fad8
  #0 [3800313fb20] device_del at c9158ad5c
  #1 [3800313fb88] pci_remove_bus_device at c915105ba
  #2 [3800313fbd0] pci_iov_remove_virtfn at c9152f198
  #3 [3800313fc28] zpci_iov_remove_virtfn at c90fb67c0
  #4 [3800313fc60] zpci_bus_remove_device at c90fb6104
  #5 [3800313fca0] __zpci_event_availability at c90fb3dca
  #6 [3800313fd08] chsc_process_sei_nt0 at c918fe4a2
  #7 [3800313fd60] crw_collect_info at c91905822
  #8 [3800313fe10] kthread at c90feb390
  #9 [3800313fe68] __ret_from_fork at c90f6aa64
  #10 [3800313fe98] ret_from_fork at c9194f3f2.

This is because in addition to sriov_disable() removing the VFs, the
platform also generates hot-unplug events for the VFs. This being the
reverse operation to the hotplug events generated by sriov_enable() and
handled via pdev->no_vf_scan. And while the event processing takes
pci_rescan_remove_lock and checks whether the struct pci_dev still exists,
the lack of synchronization makes this checking racy.

Other races may also be possible of course though given that this lack of
locking persisted so long observable races seem very rare. Even on s390 the
list corruption was only observed with certain devices since the platform
events are only triggered by config accesses after the removal, so as long
as the removal finished synchronously they would not race. Either way the
locking is missing so fix this by adding it to the sriov_del_vfs() helper.

Just like PCI rescan-remove, locking is also missing in sriov_add_vfs()
including for the error case where pci_stop_and_remove_bus_device() is
called without the PCI rescan-remove lock being held. Even in the non-error
case, adding new PCI devices and buses should be serialized via the PCI
rescan-remove lock. Add the necessary locking.

Fixes: 18f9e9d150fc ("PCI/IOV: Factor out sriov_add_vfs()")
Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Reviewed-by: Farhan Ali <alifm@linux.ibm.com>
Reviewed-by: Julian Ruess <julianr@linux.ibm.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250826-pci_fix_sriov_disable-v1-1-2d0bc938f2a3@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pci/iov.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/pci/iov.c
+++ b/drivers/pci/iov.c
@@ -431,15 +431,18 @@ static int sriov_add_vfs(struct pci_dev
 	if (dev->no_vf_scan)
 		return 0;
 
+	pci_lock_rescan_remove();
 	for (i = 0; i < num_vfs; i++) {
 		rc = pci_iov_add_virtfn(dev, i);
 		if (rc)
 			goto failed;
 	}
+	pci_unlock_rescan_remove();
 	return 0;
 failed:
 	while (i--)
 		pci_iov_remove_virtfn(dev, i);
+	pci_unlock_rescan_remove();
 
 	return rc;
 }
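
Review bot: In sriov_add_vfs() the unlock is written twice, once before "return 0" and once after the failed: unwind loop, which makes it easy for a later exit path to leave the lock held. Consider a single exit: run the unwind loop only when rc is non-zero, then call pci_unlock_rescan_remove() once and return rc. The lock scope itself looks right, since the dev->no_vf_scan early return sits before the lock is taken.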
@@ -562,8 +565,10 @@ static void sriov_del_vfs(struct pci_dev
 	if (dev->no_vf_scan)
 		return;
 
+	pci_lock_rescan_remove();
 	for (i = 0; i < iov->num_VFs; i++)
 		pci_iov_remove_virtfn(dev, i);
+	pci_unlock_rescan_remove();
 }
 
 static void sriov_disable(struct pci_dev *dev)
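
Review bot: sriov_del_vfs() now takes the rescan-remove lock unconditionally, and that lock is a plain mutex, so any caller that reaches this helper while already holding it will deadlock. The hunk does not show the callers. Add a comment on the helper stating that it must be called without pci_rescan_remove_lock held, and check the paths that end up in sriov_disable() from inside an already locked device removal against that rule before this goes to stable.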




* [PATCH 5.4 124/224] PCI/AER: Fix missing uevent on recovery when a reset is requested
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Niklas Schnelle, Bjorn Helgaas,
	Lukas Wunner

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Niklas Schnelle <schnelle@linux.ibm.com>

commit bbf7d0468d0da71d76cc6ec9bc8a224325d07b6b upstream.

Since commit 7b42d97e99d3 ("PCI/ERR: Always report current recovery
status for udev") AER uses the result of error_detected() as parameter
to pci_uevent_ers(). As pci_uevent_ers() however does not handle
PCI_ERS_RESULT_NEED_RESET this results in a missing uevent for the
beginning of recovery if drivers request a reset. Fix this by treating
PCI_ERS_RESULT_NEED_RESET as beginning recovery.

Fixes: 7b42d97e99d3 ("PCI/ERR: Always report current recovery status for udev")
Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250807-add_err_uevents-v5-1-adf85b0620b0@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pci/pci-driver.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/pci/pci-driver.c
+++ b/drivers/pci/pci-driver.c
@@ -1603,6 +1603,7 @@ void pci_uevent_ers(struct pci_dev *pdev
 	switch (err_type) {
 	case PCI_ERS_RESULT_NONE:
 	case PCI_ERS_RESULT_CAN_RECOVER:
+	case PCI_ERS_RESULT_NEED_RESET:
 		envp[idx++] = "ERROR_EVENT=BEGIN_RECOVERY";
 		envp[idx++] = "DEVICE_ONLINE=0";
 		break;
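
Review bot: Nothing at the new "case PCI_ERS_RESULT_NEED_RESET:" label says why a reset request is reported as ERROR_EVENT=BEGIN_RECOVERY with DEVICE_ONLINE=0. A one-line comment that this value arrives from error_detected() at the start of recovery would stop a later cleanup from moving the label into another group and silently dropping the uevent again.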




* [PATCH 5.4 125/224] PCI: keystone: Use devm_request_irq() to free "ks-pcie-error-irq" on exit
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jiri Slaby, Siddharth Vadapalli,
	Manivannan Sadhasivam

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Siddharth Vadapalli <s-vadapalli@ti.com>

commit e51d05f523e43ce5d2bad957943a2b14f68078cd upstream.

Commit under Fixes introduced the IRQ handler for "ks-pcie-error-irq".
The interrupt is acquired using "request_irq()" but is never freed if
the driver exits due to an error. Although the section in the driver that
invokes "request_irq()" has moved around over time, the issue hasn't been
addressed until now.

Fix this by using "devm_request_irq()" which automatically frees the
interrupt if the driver exits.

Fixes: 025dd3daeda7 ("PCI: keystone: Add error IRQ handler")
Reported-by: Jiri Slaby <jirislaby@kernel.org>
Closes: https://lore.kernel.org/r/3d3a4b52-e343-42f3-9d69-94c259812143@kernel.org
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250912100802.3136121-2-s-vadapalli@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pci/controller/dwc/pci-keystone.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/pci/controller/dwc/pci-keystone.c
+++ b/drivers/pci/controller/dwc/pci-keystone.c
@@ -1294,8 +1294,8 @@ static int ks_pcie_probe(struct platform
 		return irq;
 	}
 
-	ret = request_irq(irq, ks_pcie_err_irq_handler, IRQF_SHARED,
-			  "ks-pcie-error-irq", ks_pcie);
+	ret = devm_request_irq(dev, irq, ks_pcie_err_irq_handler, IRQF_SHARED,
+			       "ks-pcie-error-irq", ks_pcie);
 	if (ret < 0) {
 		dev_err(dev, "failed to request error IRQ %d\n",
 			irq);
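
Review bot: Switching to devm_request_irq() with IRQF_SHARED changes when the handler is released: devres frees it only after the probe error path or the remove callback has returned, so ks_pcie_err_irq_handler can still be invoked on the shared line while the rest of the driver is being torn down by hand. Confirm that everything the handler reaches through ks_pcie stays valid until devres runs, and record that assumption in a comment next to this call.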




* [PATCH 5.4 126/224] x86/umip: Check that the instruction opcode is at least two bytes
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dan Snyder, Sean Christopherson,
	Borislav Petkov (AMD), Peter Zijlstra (Intel)

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit 32278c677947ae2f042c9535674a7fff9a245dd3 upstream.

When checking for a potential UMIP violation on #GP, verify the decoder found
at least two opcode bytes to avoid false positives when the kernel encounters
an unknown instruction that starts with 0f.  Because the array of opcode.bytes
is zero-initialized by insn_init(), peeking at bytes[1] will misinterpret
garbage as a potential SLDT or STR instruction, and can incorrectly trigger
emulation.

E.g. if a VPALIGNR instruction

   62 83 c5 05 0f 08 ff     vpalignr xmm17{k5},xmm23,XMMWORD PTR [r8],0xff

hits a #GP, the kernel emulates it as STR and squashes the #GP (and corrupts
the userspace code stream).

Arguably the check should look for exactly two bytes, but no three byte
opcodes use '0f 00 xx' or '0f 01 xx' as an escape, i.e. it should be
impossible to get a false positive if the first two opcode bytes match '0f 00'
or '0f 01'.  Go with a more conservative check with respect to the existing
code to minimize the chances of breaking userspace, e.g. due to decoder
weirdness.

Analyzed by Nick Bray <ncbray@google.com>.

Fixes: 1e5db223696a ("x86/umip: Add emulation code for UMIP instructions")
Reported-by: Dan Snyder <dansnyder@google.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/umip.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/umip.c
+++ b/arch/x86/kernel/umip.c
@@ -155,8 +155,8 @@ static int identify_insn(struct insn *in
 	if (!insn->modrm.nbytes)
 		return -EINVAL;
 
-	/* All the instructions of interest start with 0x0f. */
-	if (insn->opcode.bytes[0] != 0xf)
+	/* The instructions of interest have 2-byte opcodes: 0F 00 or 0F 01. */
+	if (insn->opcode.nbytes < 2 || insn->opcode.bytes[0] != 0xf)
 		return -EINVAL;
 
 	if (insn->opcode.bytes[1] == 0x1) {
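
Review bot: The new comment says the instructions of interest "have 2-byte opcodes", but the test is insn->opcode.nbytes < 2, which also lets three-byte opcodes through. The commit message explains that this is deliberate; put that reasoning in the comment so the "< 2" is not later tightened to "!= 2" without anyone revisiting the userspace-compatibility argument. Writing the constant as 0x0f instead of 0xf would also match the "0F 00 or 0F 01" notation used right above it.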




* [PATCH 5.4 127/224] x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases)
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sean Christopherson,
	Borislav Petkov (AMD), Peter Zijlstra (Intel)

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit 27b1fd62012dfe9d3eb8ecde344d7aa673695ecf upstream.

Filter out the register forms of 0F 01 when determining whether or not to
emulate in response to a potential UMIP violation #GP, as SGDT and SIDT only
accept memory operands.  The register variants of 0F 01 are used to encode
instructions for things like VMX and SGX, i.e. not checking the Mod field
would cause the kernel to incorrectly emulate on #GP, e.g. due to a CPL
violation on VMLAUNCH.

Fixes: 1e5db223696a ("x86/umip: Add emulation code for UMIP instructions")
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/umip.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/arch/x86/kernel/umip.c
+++ b/arch/x86/kernel/umip.c
@@ -162,8 +162,19 @@ static int identify_insn(struct insn *in
 	if (insn->opcode.bytes[1] == 0x1) {
 		switch (X86_MODRM_REG(insn->modrm.value)) {
 		case 0:
+			/* The reg form of 0F 01 /0 encodes VMX instructions. */
+			if (X86_MODRM_MOD(insn->modrm.value) == 3)
+				return -EINVAL;
+
 			return UMIP_INST_SGDT;
 		case 1:
+			/*
+			 * The reg form of 0F 01 /1 encodes MONITOR/MWAIT,
+			 * STAC/CLAC, and ENCLS.
+			 */
+			if (X86_MODRM_MOD(insn->modrm.value) == 3)
+				return -EINVAL;
+
 			return UMIP_INST_SIDT;
 		case 4:
 			return UMIP_INST_SMSW;
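
Review bot: The X86_MODRM_MOD(insn->modrm.value) == 3 test is duplicated in case 0 and case 1, while case 4 (SMSW) is left without it and without explanation. SMSW does accept a register operand, so leaving it out is correct, but a short comment at case 4 saying so would make the asymmetry visibly intentional. The literal 3 would also read better with a name or a comment identifying it as the register-direct Mod value.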




* [PATCH 5.4 128/224] nfsd: nfserr_jukebox in nlm_fopen should lead to a retry
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Olga Kornievskaia, Chuck Lever

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Olga Kornievskaia <okorniev@redhat.com>

commit a082e4b4d08a4a0e656d90c2c05da85f23e6d0c9 upstream.

When v3 NLM request finds a conflicting delegation, it triggers
a delegation recall and nfsd_open fails with EAGAIN. nfsd_open
then translates EAGAIN into nfserr_jukebox. In nlm_fopen, instead
of returning nlm_failed for when there is a conflicting delegation,
drop this NLM request so that the client retries. Once delegation
is recalled and if a local lock is claimed, a retry would lead to
nfsd returning a nlm_lck_blocked error or a successful nlm lock.

Fixes: d343fce148a4 ("[PATCH] knfsd: Allow lockd to drop replies as appropriate")
Cc: stable@vger.kernel.org # v6.6
Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfsd/lockd.c |   15 +++++++++++++++
 1 file changed, 15 insertions(+)

--- a/fs/nfsd/lockd.c
+++ b/fs/nfsd/lockd.c
@@ -44,6 +44,21 @@ nlm_fopen(struct svc_rqst *rqstp, struct
 	switch (nfserr) {
 	case nfs_ok:
 		return 0;
+	case nfserr_jukebox:
+		/* this error can indicate a presence of a conflicting
+		 * delegation to an NLM lock request. Options are:
+		 * (1) For now, drop this request and make the client
+		 * retry. When delegation is returned, client's lock retry
+		 * will complete.
+		 * (2) NLM4_DENIED as per "spec" signals to the client
+		 * that the lock is unavailable now but client can retry.
+		 * Linux client implementation does not. It treats
+		 * NLM4_DENIED same as NLM4_FAILED and errors the request.
+		 * (3) For the future, treat this as blocked lock and try
+		 * to callback when the delegation is returned but might
+		 * not have a proper lock request to block on.
+		 */
+		fallthrough;
 	case nfserr_dropit:
 		return nlm_drop_reply;
 	case nfserr_stale:
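
Review bot: The new "case nfserr_jukebox:" drops the reply for every nfserr_jukebox, while the comment only says the error "can indicate" a conflicting delegation. State in the comment whether dropping is also the intended response for other causes of this error, since the client will keep retrying for as long as the condition persists. The comment also spends most of its length on options (2) and (3), which the code does not implement; trimming it to the chosen behaviour and opening it with "/*" on its own line would match the usual kernel multi-line comment style.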




* [PATCH 5.4 129/224] ext4: increase i_disksize to offset + len in ext4_update_disksize_before_punch()
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yongjian Sun, Zhang Yi,
	Jan Kara, Baokun Li, Theodore Tso

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yongjian Sun <sunyongjian1@huawei.com>

commit 9d80eaa1a1d37539224982b76c9ceeee736510b9 upstream.

After running a stress test combined with fault injection,
we performed fsck -a followed by fsck -fn on the filesystem
image. During the second pass, fsck -fn reported:

Inode 131512, end of extent exceeds allowed value
	(logical block 405, physical block 1180540, len 2)

This inode was not in the orphan list. Analysis revealed the
following call chain that leads to the inconsistency:

                             ext4_da_write_end()
                              //does not update i_disksize
                             ext4_punch_hole()
                              //truncate folio, keep size
ext4_page_mkwrite()
 ext4_block_page_mkwrite()
  ext4_block_write_begin()
    ext4_get_block()
     //insert written extent without update i_disksize
journal commit
echo 1 > /sys/block/xxx/device/delete

da-write path updates i_size but does not update i_disksize. Then
ext4_punch_hole truncates the da-folio yet still leaves i_disksize
unchanged (in the ext4_update_disksize_before_punch function, the
condition offset + len < size is met). Then ext4_page_mkwrite sees
ext4_nonda_switch return 1 and takes the nodioread_nolock path, the
folio about to be written has just been punched out, and its offset
sits beyond the current i_disksize. This may result in a written
extent being inserted, but again does not update i_disksize. If the
journal gets committed and then the block device is yanked, we might
run into this. It should be noted that replacing ext4_punch_hole with
ext4_zero_range in the call sequence may also trigger this issue, as
neither will update i_disksize under these circumstances.

To fix this, we can modify ext4_update_disksize_before_punch to
increase i_disksize to min(i_size, offset + len) when both i_size and
(offset + len) are greater than i_disksize.

Cc: stable@kernel.org
Signed-off-by: Yongjian Sun <sunyongjian1@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Message-ID: <20250911133024.1841027-1-sunyongjian@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/inode.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4247,7 +4247,11 @@ int ext4_can_truncate(struct inode *inod
  * We have to make sure i_disksize gets properly updated before we truncate
  * page cache due to hole punching or zero range. Otherwise i_disksize update
  * can get lost as it may have been postponed to submission of writeback but
- * that will never happen after we truncate page cache.
+ * that will never happen if we remove the folio containing i_size from the
+ * page cache. Also if we punch hole within i_size but above i_disksize,
+ * following ext4_page_mkwrite() may mistakenly allocate written blocks over
+ * the hole and thus introduce allocated blocks beyond i_disksize which is
+ * not allowed (e2fsck would complain in case of crash).
  */
 int ext4_update_disksize_before_punch(struct inode *inode, loff_t offset,
 				      loff_t len)
@@ -4256,9 +4260,11 @@ int ext4_update_disksize_before_punch(st
 	loff_t size = i_size_read(inode);
 
 	WARN_ON(!inode_is_locked(inode));
-	if (offset > size || offset + len < size)
+	if (offset > size)
 		return 0;
 
+	if (offset + len < size)
+		size = offset + len;
 	if (EXT4_I(inode)->i_disksize >= size)
 		return 0;
 
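
Review bot: After this change the local variable size no longer holds i_size but the smaller of i_size and offset + len, which the name and the i_size_read() line above it hide. Writing the new lines as "size = min(size, offset + len);", the commit message's own formulation, or using a separately named variable would make the following "i_disksize >= size" comparison easier to audit. offset + len is also added here without an overflow check on two loff_t values; if callers already bound the range, a comment should say so.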




* [PATCH 5.4 130/224] ext4: correctly handle queries for metadata mappings
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ritesh Harjani (IBM), stable,
	Ojaswin Mujoo, Theodore Tso

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ojaswin Mujoo <ojaswin@linux.ibm.com>

commit 46c22a8bb4cb03211da1100d7ee4a2005bf77c70 upstream.

Currently, our handling of metadata is _ambiguous_ in some scenarios,
that is, we end up returning unknown if the range only covers the
mapping partially.

For example, in the following case:

$ xfs_io -c fsmap -d

  0: 254:16 [0..7]: static fs metadata 8
  1: 254:16 [8..15]: special 102:1 8
  2: 254:16 [16..5127]: special 102:2 5112
  3: 254:16 [5128..5255]: special 102:3 128
  4: 254:16 [5256..5383]: special 102:4 128
  5: 254:16 [5384..70919]: inodes 65536
  6: 254:16 [70920..70967]: unknown 48
  ...

$ xfs_io -c fsmap -d 24 33

  0: 254:16 [24..39]: unknown 16  <--- incomplete reporting

$ xfs_io -c fsmap -d 24 33  (With patch)

    0: 254:16 [16..5127]: special 102:2 5112

This is because earlier in ext4_getfsmap_meta_helper, we end up ignoring
any extent that starts before our queried range, but overlaps it. While
the man page [1] is a bit ambiguous on this, this fix makes the output
make more sense since we are anyways returning an "unknown" extent. This
is also consistent with how XFS does it:

$ xfs_io -c fsmap -d

  ...
  6: 254:16 [104..127]: free space 24
  7: 254:16 [128..191]: inodes 64
  ...

$ xfs_io -c fsmap -d 137 150

  0: 254:16 [128..191]: inodes 64   <-- full extent returned

 [1] https://man7.org/linux/man-pages/man2/ioctl_getfsmap.2.html

Reported-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Message-ID: <023f37e35ee280cd9baac0296cbadcbe10995cab.1757058211.git.ojaswin@linux.ibm.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/fsmap.c |   14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

--- a/fs/ext4/fsmap.c
+++ b/fs/ext4/fsmap.c
@@ -74,7 +74,8 @@ static int ext4_getfsmap_dev_compare(con
 static bool ext4_getfsmap_rec_before_low_key(struct ext4_getfsmap_info *info,
 					     struct ext4_fsmap *rec)
 {
-	return rec->fmr_physical < info->gfi_low.fmr_physical;
+	return rec->fmr_physical + rec->fmr_length <=
+	       info->gfi_low.fmr_physical;
 }
 
 /*
@@ -200,15 +201,18 @@ static int ext4_getfsmap_meta_helper(str
 			  ext4_group_first_block_no(sb, agno));
 	fs_end = fs_start + EXT4_C2B(sbi, len);
 
-	/* Return relevant extents from the meta_list */
+	/*
+	 * Return relevant extents from the meta_list. We emit all extents that
+	 * partially/fully overlap with the query range
+	 */
 	list_for_each_entry_safe(p, tmp, &info->gfi_meta_list, fmr_list) {
-		if (p->fmr_physical < info->gfi_next_fsblk) {
+		if (p->fmr_physical + p->fmr_length <= info->gfi_next_fsblk) {
 			list_del(&p->fmr_list);
 			kfree(p);
 			continue;
 		}
-		if (p->fmr_physical <= fs_start ||
-		    p->fmr_physical + p->fmr_length <= fs_end) {
+		if (p->fmr_physical <= fs_end &&
+		    p->fmr_physical + p->fmr_length > fs_start) {
 			/* Emit the retained free extent record if present */
 			if (info->gfi_lastfree.fmr_owner) {
 				error = ext4_getfsmap_helper(sb, info,
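
Review bot: In the new overlap test, "p->fmr_physical <= fs_end" treats fs_end as inclusive, but the context line "fs_end = fs_start + EXT4_C2B(sbi, len);" makes it the first block past the range, and the other half of the test, "p->fmr_physical + p->fmr_length > fs_start", uses a strict comparison. An extent that starts exactly at fs_end therefore passes the test. If that is not intended the comparison should be "<"; if it is, the new comment should say why the two bounds are handled differently.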




* [PATCH 5.4 131/224] ext4: guard against EA inode refcount underflow in xattr update
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+0be4f339a8218d2a5bb1, stable,
	Albin Babu Varghese, Ahmet Eray Karadag, Theodore Tso

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ahmet Eray Karadag <eraykrdg1@gmail.com>

commit 57295e835408d8d425bef58da5253465db3d6888 upstream.

syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA
inode refcount that is already <= 0 and then applies ref_change (often
-1). That lets the refcount underflow and we proceed with a bogus value,
triggering errors like:

  EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1
  EXT4-fs warning: ea_inode dec ref err=-117

Make the invariant explicit: if the current refcount is non-positive,
treat this as on-disk corruption, emit ext4_error_inode(), and fail the
operation with -EFSCORRUPTED instead of updating the refcount. Delete the
WARN_ONCE() as negative refcounts are now impossible; keep error reporting
in ext4_error_inode().

This prevents the underflow and the follow-on orphan/cleanup churn.

Reported-by: syzbot+0be4f339a8218d2a5bb1@syzkaller.appspotmail.com
Fixes: https://syzbot.org/bug?extid=0be4f339a8218d2a5bb1
Cc: stable@kernel.org
Co-developed-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com>
Signed-off-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com>
Signed-off-by: Ahmet Eray Karadag <eraykrdg1@gmail.com>
Message-ID: <20250920021342.45575-1-eraykrdg1@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/xattr.c |   15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1030,7 +1030,7 @@ static int ext4_xattr_inode_update_ref(h
 				       int ref_change)
 {
 	struct ext4_iloc iloc;
-	s64 ref_count;
+	u64 ref_count;
 	int ret;
 
 	inode_lock_nested(ea_inode, I_MUTEX_XATTR);
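
Review bot: changing ref_count from s64 to u64 at the top of the function
leaves the changelog describing a different check than the code. The
message talks about a refcount that is "already <= 0" and quotes an error
with ref_count=-1, neither of which can occur once the variable is
unsigned, and the string in the next hunk says "ref wraparound" rather than
"ref underflow". Please add a bracketed backport note saying how this
version differs from the upstream commit so the log text and the changelog
can be matched up later.
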
@@ -1040,13 +1040,17 @@ static int ext4_xattr_inode_update_ref(h
 		goto out;
 
 	ref_count = ext4_xattr_inode_get_ref(ea_inode);
+	if ((ref_count == 0 && ref_change < 0) || (ref_count == U64_MAX && ref_change > 0)) {
+		ext4_error_inode(ea_inode, __func__, __LINE__, 0,
+			"EA inode %lu ref wraparound: ref_count=%lld ref_change=%d",
+			ea_inode->i_ino, ref_count, ref_change);
+		ret = -EFSCORRUPTED;
+		goto out;
+	}
 	ref_count += ref_change;
 	ext4_xattr_inode_set_ref(ea_inode, ref_count);
 
 	if (ref_change > 0) {
-		WARN_ONCE(ref_count <= 0, "EA inode %lu ref_count=%lld",
-			  ea_inode->i_ino, ref_count);
-
 		if (ref_count == 1) {
 			WARN_ONCE(ea_inode->i_nlink, "EA inode %lu i_nlink=%u",
 				  ea_inode->i_ino, ea_inode->i_nlink);
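
Review bot: the guard added before "ref_count += ref_change" rejects only
the two boundary states (ref_count == 0 with a negative change, ref_count
== U64_MAX with a positive one), so it is complete only if every caller
passes +1 or -1. ref_change is a plain int, and a value such as -2 against
ref_count == 1 would still wrap. Either document the +1/-1 contract next to
the check or compare the magnitude of ref_change against the remaining
headroom. The format string also prints the now-unsigned ref_count with
%lld where %llu matches the new type, and the condition line runs well past
80 columns.
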
@@ -1055,9 +1059,6 @@ static int ext4_xattr_inode_update_ref(h
 			ext4_orphan_del(handle, ea_inode);
 		}
 	} else {
-		WARN_ONCE(ref_count < 0, "EA inode %lu ref_count=%lld",
-			  ea_inode->i_ino, ref_count);
-
 		if (ref_count == 0) {
 			WARN_ONCE(ea_inode->i_nlink != 1,
 				  "EA inode %lu i_nlink=%u",



^ permalink raw reply	[flat|nested] 234+ messages in thread
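
The guard in ext4_xattr_inode_update_ref() from the patch above, as an added userspace C example (not code from the patch or from ext4): it puts the patch's boundary-only condition beside a magnitude-aware check. The helper names update_ref_boundary_only() and update_ref_checked() and the sample values are constructed for illustration; whether any caller passes a ref_change other than +1 or -1 is not shown on the page.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * EFSCORRUPTED is kernel-internal; ext4 defines it as EUCLEAN, which is 117
 * on Linux (the "err=-117" in the warning quoted in the commit message).
 */
#ifndef EUCLEAN
#define EUCLEAN 117
#endif
#define EFSCORRUPTED EUCLEAN

/*
 * Same condition as the patch: only ref_count == 0 with a negative change
 * and ref_count == UINT64_MAX with a positive change are rejected.
 */
static int update_ref_boundary_only(uint64_t *ref_count, int ref_change)
{
	if ((*ref_count == 0 && ref_change < 0) ||
	    (*ref_count == UINT64_MAX && ref_change > 0))
		return -EFSCORRUPTED;

	/* Sign-extend, then add; unsigned arithmetic wraps modulo 2^64. */
	*ref_count += (uint64_t)(int64_t)ref_change;
	return 0;
}

/*
 * Hypothetical stricter variant: compare the magnitude of the change with
 * the headroom left in the counter, so any delta is handled.
 */
static int update_ref_checked(uint64_t *ref_count, int ref_change)
{
	if (ref_change < 0) {
		/* Negate in 64 bits so that INT_MIN does not overflow. */
		uint64_t dec = (uint64_t)(-(int64_t)ref_change);

		if (dec > *ref_count)
			return -EFSCORRUPTED;
		*ref_count -= dec;
	} else {
		uint64_t inc = (uint64_t)ref_change;

		if (inc > UINT64_MAX - *ref_count)
			return -EFSCORRUPTED;
		*ref_count += inc;
	}
	return 0;
}

int main(void)
{
	/* Constructed cases: { starting ref_count, ref_change } */
	static const struct { uint64_t start; int change; } cases[] = {
		{ 5, -1 },              /* ordinary decrement */
		{ 0, -1 },              /* the case reported by syzkaller */
		{ 1, -2 },              /* passes the boundary-only test */
		{ UINT64_MAX - 1, 2 },  /* same problem on the upper end */
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		uint64_t a = cases[i].start, b = cases[i].start;
		int ra = update_ref_boundary_only(&a, cases[i].change);
		int rb = update_ref_checked(&b, cases[i].change);

		printf("start=%llu change=%d | boundary-only: ret=%d ref=%llu"
		       " | checked: ret=%d ref=%llu\n",
		       (unsigned long long)cases[i].start, cases[i].change,
		       ra, (unsigned long long)a, rb, (unsigned long long)b);
	}
	return 0;
}
```

For deltas of exactly +1 or -1 the two functions agree, which is the case the patch targets.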

* [PATCH 5.4 132/224] net/9p: fix double req put in p9_fd_cancelled
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 131/224] ext4: guard against EA inode refcount underflow in xattr update Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 133/224] KVM: x86: Dont (re)check L1 intercepts when completing userspace I/O Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nalivayko Sergey, Dominique Martinet,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nalivayko Sergey <Sergey.Nalivayko@kaspersky.com>

[ Upstream commit 674b56aa57f9379854cb6798c3bbcef7e7b51ab7 ]

Syzkaller reports a KASAN issue as below:

general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f]
CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:__list_del include/linux/list.h:114 [inline]
RIP: 0010:__list_del_entry include/linux/list.h:137 [inline]
RIP: 0010:list_del include/linux/list.h:148 [inline]
RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734

Call Trace:
 <TASK>
 p9_client_flush+0x351/0x440 net/9p/client.c:614
 p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734
 p9_client_version net/9p/client.c:920 [inline]
 p9_client_create+0xb51/0x1240 net/9p/client.c:1027
 v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408
 v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126
 legacy_get_tree+0x108/0x220 fs/fs_context.c:632
 vfs_get_tree+0x8e/0x300 fs/super.c:1573
 do_new_mount fs/namespace.c:3056 [inline]
 path_mount+0x6a6/0x1e90 fs/namespace.c:3386
 do_mount fs/namespace.c:3399 [inline]
 __do_sys_mount fs/namespace.c:3607 [inline]
 __se_sys_mount fs/namespace.c:3584 [inline]
 __x64_sys_mount+0x283/0x300 fs/namespace.c:3584
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

This happens because of a race condition between:

- The 9p client sending an invalid flush request and later cleaning it up;
- The 9p client in p9_read_work() canceled all pending requests.

      Thread 1                              Thread 2
    ...
    p9_client_create()
    ...
    p9_fd_create()
    ...
    p9_conn_create()
    ...
    // start Thread 2
    INIT_WORK(&m->rq, p9_read_work);
                                        p9_read_work()
    ...
    p9_client_rpc()
    ...
                                        ...
                                        p9_conn_cancel()
                                        ...
                                        spin_lock(&m->req_lock);
    ...
    p9_fd_cancelled()
    ...
                                        ...
                                        spin_unlock(&m->req_lock);
                                        // status rewrite
                                        p9_client_cb(m->client, req, REQ_STATUS_ERROR)
                                        // first remove
                                        list_del(&req->req_list);
                                        ...

    spin_lock(&m->req_lock)
    ...
    // second remove
    list_del(&req->req_list);
    spin_unlock(&m->req_lock)
  ...

Commit 74d6a5d56629 ("9p/trans_fd: Fix concurrency del of req_list in
p9_fd_cancelled/p9_read_work") fixes a concurrency issue in the 9p filesystem
client where the req_list could be deleted simultaneously by both
p9_read_work and p9_fd_cancelled functions, but for the case where req->status
equals REQ_STATUS_RCVD.

Update the check for req->status in p9_fd_cancelled to skip processing not
just received requests, but anything that is not SENT, as whatever
changed the state from SENT also removed the request from its list.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: afd8d6541155 ("9P: Add cancelled() to the transport functions.")
Cc: stable@vger.kernel.org
Signed-off-by: Nalivayko Sergey <Sergey.Nalivayko@kaspersky.com>
Message-ID: <20250715154815.3501030-1-Sergey.Nalivayko@kaspersky.com>
[updated the check from status == RECV || status == ERROR to status != SENT]
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
[ replaced m->req_lock with client->lock ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/9p/trans_fd.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -711,10 +711,10 @@ static int p9_fd_cancelled(struct p9_cli
 	p9_debug(P9_DEBUG_TRANS, "client %p req %p\n", client, req);
 
 	spin_lock(&client->lock);
-	/* Ignore cancelled request if message has been received
-	 * before lock.
-	 */
-	if (req->status == REQ_STATUS_RCVD) {
+	/* Ignore cancelled request if status changed since the request was
+	 * processed in p9_client_flush()
+	*/
+	if (req->status != REQ_STATUS_SENT) {
 		spin_unlock(&client->lock);
 		return 0;
 	}
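
Review bot: the rewritten comment above the req->status != REQ_STATUS_SENT
test closes with a tab-indented "*/" that no longer lines up with the " *"
continuation lines, and it does not say why any non-SENT status is safe to
ignore. The changelog has the reason (whatever moved the request out of
SENT also removed it from its list); putting that clause into the comment
would keep a later reader from narrowing the check back to specific states.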



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 133/224] KVM: x86: Dont (re)check L1 intercepts when completing userspace I/O
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 132/224] net/9p: fix double req put in p9_fd_cancelled Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 134/224] fs: udf: fix OOB read in lengthAllocDescs handling Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+cc2032ba16cc2018ca25,
	Jim Mattson, Sean Christopherson, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

[ Upstream commit e750f85391286a4c8100275516973324b621a269 ]

When completing emulation of an instruction that generated a userspace exit
for I/O, don't recheck L1 intercepts as KVM has already finished that
phase of instruction execution, i.e. has already committed to allowing L2
to perform I/O.  If L1 (or host userspace) modifies the I/O permission
bitmaps during the exit to userspace, KVM will treat the access as being
intercepted despite already having emulated the I/O access.

Pivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation.
Of the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the
intended "recipient") can reach the code in question.  gp_interception()'s
use is mutually exclusive with is_guest_mode(), and
complete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with
EMULTYPE_SKIP.

The bad behavior was detected by a syzkaller program that toggles port I/O
interception during the userspace I/O exit, ultimately resulting in a WARN
on vcpu->arch.pio.count being non-zero due to KVM not completing emulation
of the I/O instruction.

  WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]
  Modules linked in: kvm_intel kvm irqbypass
  CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]
  PKRU: 55555554
  Call Trace:
   <TASK>
   kvm_fast_pio+0xd6/0x1d0 [kvm]
   vmx_handle_exit+0x149/0x610 [kvm_intel]
   kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]
   kvm_vcpu_ioctl+0x244/0x8c0 [kvm]
   __x64_sys_ioctl+0x8a/0xd0
   do_syscall_64+0x5d/0xc60
   entry_SYSCALL_64_after_hwframe+0x4b/0x53
   </TASK>

Reported-by: syzbot+cc2032ba16cc2018ca25@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68790db4.a00a0220.3af5df.0020.GAE@google.com
Fixes: 8a76d7f25f8f ("KVM: x86: Add x86 callback for intercept check")
Cc: stable@vger.kernel.org
Cc: Jim Mattson <jmattson@google.com>
Link: https://lore.kernel.org/r/20250715190638.1899116-1-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
[ is_guest_mode() was open coded ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/include/asm/kvm_emulate.h |    2 +-
 arch/x86/kvm/emulate.c             |   10 ++++------
 arch/x86/kvm/x86.c                 |    9 ++++++++-
 3 files changed, 13 insertions(+), 8 deletions(-)

--- a/arch/x86/include/asm/kvm_emulate.h
+++ b/arch/x86/include/asm/kvm_emulate.h
@@ -448,7 +448,7 @@ bool x86_page_table_writing_insn(struct
 #define EMULATION_RESTART 1
 #define EMULATION_INTERCEPTED 2
 void init_decode_cache(struct x86_emulate_ctxt *ctxt);
-int x86_emulate_insn(struct x86_emulate_ctxt *ctxt);
+int x86_emulate_insn(struct x86_emulate_ctxt *ctxt, bool check_intercepts);
 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
 			 u16 tss_selector, int idt_index, int reason,
 			 bool has_error_code, u32 error_code);
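
Review bot: x86_emulate_insn() gains a bare "bool check_intercepts" in this
prototype with no comment on what a caller promises by passing false. The
decision used to be derived inside the emulator from the guest-mode hflags;
now it is the caller's responsibility, so a short comment at the
declaration or the definition stating that false means "L1's intercepts
were already checked for this instruction" would document the contract
where the next caller will look.
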
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -5605,12 +5605,11 @@ void init_decode_cache(struct x86_emulat
 	ctxt->mem_read.end = 0;
 }
 
-int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
+int x86_emulate_insn(struct x86_emulate_ctxt *ctxt, bool check_intercepts)
 {
 	const struct x86_emulate_ops *ops = ctxt->ops;
 	int rc = X86EMUL_CONTINUE;
 	int saved_dst_type = ctxt->dst.type;
-	unsigned emul_flags;
 
 	ctxt->mem_read.pos = 0;
 
@@ -5625,7 +5624,6 @@ int x86_emulate_insn(struct x86_emulate_
 		goto done;
 	}
 
-	emul_flags = ctxt->ops->get_hflags(ctxt);
 	if (unlikely(ctxt->d &
 		     (No64|Undefined|Sse|Mmx|Intercept|CheckPerm|Priv|Prot|String))) {
 		if ((ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) ||
@@ -5659,7 +5657,7 @@ int x86_emulate_insn(struct x86_emulate_
 				fetch_possible_mmx_operand(ctxt, &ctxt->dst);
 		}
 
-		if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && ctxt->intercept) {
+		if (unlikely(check_intercepts) && ctxt->intercept) {
 			rc = emulator_check_intercept(ctxt, ctxt->intercept,
 						      X86_ICPT_PRE_EXCEPT);
 			if (rc != X86EMUL_CONTINUE)
@@ -5688,7 +5686,7 @@ int x86_emulate_insn(struct x86_emulate_
 				goto done;
 		}
 
-		if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
+		if (unlikely(check_intercepts) && (ctxt->d & Intercept)) {
 			rc = emulator_check_intercept(ctxt, ctxt->intercept,
 						      X86_ICPT_POST_EXCEPT);
 			if (rc != X86EMUL_CONTINUE)
@@ -5742,7 +5740,7 @@ int x86_emulate_insn(struct x86_emulate_
 
 special_insn:
 
-	if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
+	if (unlikely(check_intercepts) && (ctxt->d & Intercept)) {
 		rc = emulator_check_intercept(ctxt, ctxt->intercept,
 					      X86_ICPT_POST_MEMACCESS);
 		if (rc != X86EMUL_CONTINUE)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -6855,7 +6855,14 @@ restart:
 	/* Save the faulting GPA (cr2) in the address field */
 	ctxt->exception.address = cr2_or_gpa;
 
-	r = x86_emulate_insn(ctxt);
+	/*
+	 * Check L1's instruction intercepts when emulating instructions for
+	 * L2, unless KVM is re-emulating a previously decoded instruction,
+	 * e.g. to complete userspace I/O, in which case KVM has already
+	 * checked the intercepts.
+	 */
+	r = x86_emulate_insn(ctxt, is_guest_mode(vcpu) &&
+				   !(emulation_type & EMULTYPE_NO_DECODE));
 
 	if (r == EMULATION_INTERCEPTED)
 		return 1;
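
Review bot: the call site keys the skip on EMULTYPE_NO_DECODE alone, so the
new comment's "e.g. to complete userspace I/O" understates the contract:
every path that reaches this point in guest mode with that flag set now
bypasses L1's intercept checks. The changelog argues the case for three
users of the flag, and the backport note says is_guest_mode() had to be
adapted, so please confirm that the same set of EMULTYPE_NO_DECODE users
exists in 5.4 and say in the comment that the flag is used as a proxy for
"intercepts already checked".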



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 134/224] fs: udf: fix OOB read in lengthAllocDescs handling
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 133/224] KVM: x86: Dont (re)check L1 intercepts when completing userspace I/O Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 135/224] mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data() Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+8743fca924afed42f93e,
	Larshin Sergey, Jan Kara, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Larshin Sergey <Sergey.Larshin@kaspersky.com>

[ Upstream commit 3bd5e45c2ce30e239d596becd5db720f7eb83c99 ]

When parsing Allocation Extent Descriptor, lengthAllocDescs comes from
on-disk data and must be validated against the block size. Crafted or
corrupted images may set lengthAllocDescs so that the total descriptor
length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer,
leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and
trigger a KASAN use-after-free read.

BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309

CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
 udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261
 udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179
 extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46
 udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106
 udf_release_file+0xc1/0x120 fs/udf/file.c:185
 __fput+0x23f/0x880 fs/file_table.c:431
 task_work_run+0x24f/0x310 kernel/task_work.c:239
 exit_task_work include/linux/task_work.h:43 [inline]
 do_exit+0xa2f/0x28e0 kernel/exit.c:939
 do_group_exit+0x207/0x2c0 kernel/exit.c:1088
 __do_sys_exit_group kernel/exit.c:1099 [inline]
 __se_sys_exit_group kernel/exit.c:1097 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

Validate the computed total length against epos->bh->b_size.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Reported-by: syzbot+8743fca924afed42f93e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8743fca924afed42f93e
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org

Signed-off-by: Larshin Sergey <Sergey.Larshin@kaspersky.com>
Link: https://patch.msgid.link/20250922131358.745579-1-Sergey.Larshin@kaspersky.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/udf/inode.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -2202,6 +2202,9 @@ int8_t udf_current_aext(struct inode *in
 		if (check_add_overflow(sizeof(struct allocExtDesc),
 				le32_to_cpu(header->lengthAllocDescs), &alen))
 			return -1;
+
+		if (alen > epos->bh->b_size)
+			return -1;
 	}
 
 	switch (iinfo->i_alloc_type) {
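
Review bot: the added "alen > epos->bh->b_size" test returns the same bare
-1 as the check_add_overflow() branch above it, so a descriptor whose
on-disk lengthAllocDescs overruns the block fails silently. The changelog
classifies this as a crafted or corrupted image, so a log message giving
the offending length would help whoever has to triage the filesystem. A
short comment that alen is sizeof(struct allocExtDesc) plus
lengthAllocDescs and must fit in the buffer would also explain the bound.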



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 135/224] mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 134/224] fs: udf: fix OOB read in lengthAllocDescs handling Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 136/224] media: mc: Clear minor number before put device Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski, Linus Walleij,
	Lee Jones, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>

[ Upstream commit 1efbee6852f1ff698a9981bd731308dd027189fb ]

Commit 974cc7b93441 ("mfd: vexpress: Define the device as MFD cells")
removed the return value check from the call to gpiochip_add_data() (or
rather gpiochip_add() back then and later converted to devres) with no
explanation. This function however can still fail, so check the return
value and bail out if it does.

Cc: stable@vger.kernel.org
Fixes: 974cc7b93441 ("mfd: vexpress: Define the device as MFD cells")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20250811-gpio-mmio-mfd-conv-v1-1-68c5c958cf80@linaro.org
Signed-off-by: Lee Jones <lee@kernel.org>
[ Use non-devm variants ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mfd/vexpress-sysreg.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/mfd/vexpress-sysreg.c
+++ b/drivers/mfd/vexpress-sysreg.c
@@ -160,6 +160,7 @@ static int vexpress_sysreg_probe(struct
 	struct gpio_chip *mmc_gpio_chip;
 	int master;
 	u32 dt_hbi;
+	int ret;
 
 	mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
 	if (!mem)
@@ -195,7 +196,10 @@ static int vexpress_sysreg_probe(struct
 	bgpio_init(mmc_gpio_chip, &pdev->dev, 0x4, base + SYS_MCI,
 			NULL, NULL, NULL, NULL, 0);
 	mmc_gpio_chip->ngpio = 2;
-	gpiochip_add_data(mmc_gpio_chip, NULL);
+
+	ret = gpiochip_add_data(mmc_gpio_chip, NULL);
+	if (ret)
+		return ret;
 
 	return mfd_add_devices(&pdev->dev, PLATFORM_DEVID_AUTO,
 			vexpress_sysreg_cells,
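
Review bot: after the new "ret = gpiochip_add_data(mmc_gpio_chip, NULL)"
check, the function still ends with "return mfd_add_devices(...)", so if
that call fails the GPIO chip registered just above stays registered. The
backport note says the non-devm variant is used here, so nothing unwinds it
automatically. Consider storing the mfd_add_devices() result and removing
the chip on error. The subject line also names devm_gpiochip_add_data()
while the code calls gpiochip_add_data(), which deserves a word in the
backport note.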



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 136/224] media: mc: Clear minor number before put device
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 135/224] mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data() Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 137/224] Squashfs: add additional inode sanity checking Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+031d0cfd7c362817963f,
	Edward Adam Davis, Sakari Ailus, Hans Verkuil, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Edward Adam Davis <eadavis@qq.com>

[ Upstream commit 8cfc8cec1b4da88a47c243a11f384baefd092a50 ]

The device minor should not be cleared after the device is released.

Fixes: 9e14868dc952 ("media: mc: Clear minor number reservation at unregistration time")
Cc: stable@vger.kernel.org
Reported-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=031d0cfd7c362817963f
Tested-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
[ moved clear_bit from media_devnode_release callback to media_devnode_unregister before put_device ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/mc/mc-devnode.c |    6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

--- a/drivers/media/mc/mc-devnode.c
+++ b/drivers/media/mc/mc-devnode.c
@@ -50,11 +50,6 @@ static void media_devnode_release(struct
 {
 	struct media_devnode *devnode = to_media_devnode(cd);
 
-	mutex_lock(&media_devnode_lock);
-	/* Mark device node number as free */
-	clear_bit(devnode->minor, media_devnode_nums);
-	mutex_unlock(&media_devnode_lock);
-
 	/* Release media_devnode and perform other cleanups as needed. */
 	if (devnode->release)
 		devnode->release(devnode);
@@ -283,6 +278,7 @@ void media_devnode_unregister(struct med
 	/* Delete the cdev on this minor as well */
 	cdev_device_del(&devnode->cdev, &devnode->dev);
 	devnode->media_dev = NULL;
+	clear_bit(devnode->minor, media_devnode_nums);
 	mutex_unlock(&media_devnode_lock);
 
 	put_device(&devnode->dev);
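
Review bot: clear_bit(devnode->minor, media_devnode_nums) now sits in
media_devnode_unregister() without the "Mark device node number as free"
comment it carried in the release callback, and the one-line changelog does
not say what goes wrong when the bit is cleared from release. Please carry
the comment over and add a sentence on the failure being fixed. With the
release callback no longer clearing the bit, any path that drops the last
reference without going through media_devnode_unregister() would leave the
minor marked as in use, so it is worth confirming that the registration
error paths clear it themselves.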



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 137/224] Squashfs: add additional inode sanity checking
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 136/224] media: mc: Clear minor number before put device Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 138/224] Squashfs: reject negative file sizes in squashfs_read_inode() Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Phillip Lougher, Andrew Morton,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Phillip Lougher <phillip@squashfs.org.uk>

[ Upstream commit 9ee94bfbe930a1b39df53fa2d7b31141b780eb5a ]

Patch series "Squashfs: performance improvement and a sanity check".

This patchset adds an additional sanity check when reading regular file
inodes, and adds support for SEEK_DATA/SEEK_HOLE lseek() whence values.

This patch (of 2):

Add an additional sanity check when reading regular file inodes.

A regular file, if the file size is an exact multiple of the filesystem
block size, cannot have a fragment.  This is because by definition a
fragment block stores tailends which are not a whole block in size.

Link: https://lkml.kernel.org/r/20250923220652.568416-1-phillip@squashfs.org.uk
Link: https://lkml.kernel.org/r/20250923220652.568416-2-phillip@squashfs.org.uk
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 9f1c14c1de1b ("Squashfs: reject negative file sizes in squashfs_read_inode()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/squashfs/inode.c |   20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

--- a/fs/squashfs/inode.c
+++ b/fs/squashfs/inode.c
@@ -140,8 +140,17 @@ int squashfs_read_inode(struct inode *in
 		if (err < 0)
 			goto failed_read;
 
+		inode->i_size = le32_to_cpu(sqsh_ino->file_size);
 		frag = le32_to_cpu(sqsh_ino->fragment);
 		if (frag != SQUASHFS_INVALID_FRAG) {
+			/*
+			 * the file cannot have a fragment (tailend) and have a
+			 * file size a multiple of the block size
+			 */
+			if ((inode->i_size & (msblk->block_size - 1)) == 0) {
+				err = -EINVAL;
+				goto failed_read;
+			}
 			frag_offset = le32_to_cpu(sqsh_ino->offset);
 			frag_size = squashfs_frag_lookup(sb, frag, &frag_blk);
 			if (frag_size < 0) {
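
Review bot: the new test "(inode->i_size & (msblk->block_size - 1)) == 0"
is a multiple-of-block-size check only when block_size is a power of two,
which nothing in this hunk establishes; say so in the comment or point at
where the superblock value is validated. The test also rejects a
zero-length file that carries a fragment, which follows from the rule but
deserves a mention, and the -EINVAL path gives no indication of which inode
failed.
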
@@ -155,7 +164,6 @@ int squashfs_read_inode(struct inode *in
 		}
 
 		set_nlink(inode, 1);
-		inode->i_size = le32_to_cpu(sqsh_ino->file_size);
 		inode->i_fop = &generic_ro_fops;
 		inode->i_mode |= S_IFREG;
 		inode->i_blocks = ((inode->i_size - 1) >> 9) + 1;
@@ -184,8 +192,17 @@ int squashfs_read_inode(struct inode *in
 		if (err < 0)
 			goto failed_read;
 
+		inode->i_size = le64_to_cpu(sqsh_ino->file_size);
 		frag = le32_to_cpu(sqsh_ino->fragment);
 		if (frag != SQUASHFS_INVALID_FRAG) {
+			/*
+			 * the file cannot have a fragment (tailend) and have a
+			 * file size a multiple of the block size
+			 */
+			if ((inode->i_size & (msblk->block_size - 1)) == 0) {
+				err = -EINVAL;
+				goto failed_read;
+			}
 			frag_offset = le32_to_cpu(sqsh_ino->offset);
 			frag_size = squashfs_frag_lookup(sb, frag, &frag_blk);
 			if (frag_size < 0) {
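
Review bot: this is a verbatim copy of the fragment check added to the
basic-file case earlier in the patch; a small static helper taking
inode->i_size and msblk->block_size would keep the two copies from
drifting. In this extended-file case i_size comes from a 64-bit on-disk
field read with le64_to_cpu(), so within this patch the mask is applied to
a value that has not yet been checked for sign.
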
@@ -200,7 +217,6 @@ int squashfs_read_inode(struct inode *in
 
 		xattr_id = le32_to_cpu(sqsh_ino->xattr);
 		set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
-		inode->i_size = le64_to_cpu(sqsh_ino->file_size);
 		inode->i_op = &squashfs_inode_ops;
 		inode->i_fop = &generic_ro_fops;
 		inode->i_mode |= S_IFREG;



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 138/224] Squashfs: reject negative file sizes in squashfs_read_inode()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 137/224] Squashfs: add additional inode sanity checking Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 139/224] mfd: intel_soc_pmic_chtdc_ti: Fix invalid regmap-config max_register value Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Phillip Lougher,
	syzbot+f754e01116421e9754b9, Amir Goldstein, Andrew Morton,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Phillip Lougher <phillip@squashfs.org.uk>

[ Upstream commit 9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b ]

Syzkaller reports a "WARNING in ovl_copy_up_file" in overlayfs.

This warning is ultimately caused because the underlying Squashfs file
system returns a file with a negative file size.

This commit checks for a negative file size and returns EINVAL.

[phillip@squashfs.org.uk: only need to check 64 bit quantity]
  Link: https://lkml.kernel.org/r/20250926222305.110103-1-phillip@squashfs.org.uk
Link: https://lkml.kernel.org/r/20250926215935.107233-1-phillip@squashfs.org.uk
Fixes: 6545b246a2c8 ("Squashfs: inode operations")
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Reported-by: syzbot+f754e01116421e9754b9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68d580e5.a00a0220.303701.0019.GAE@google.com/
Cc: Amir Goldstein <amir73il@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/squashfs/inode.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/fs/squashfs/inode.c
+++ b/fs/squashfs/inode.c
@@ -193,6 +193,10 @@ int squashfs_read_inode(struct inode *in
 			goto failed_read;
 
 		inode->i_size = le64_to_cpu(sqsh_ino->file_size);
+		if (inode->i_size < 0) {
+			err = -EINVAL;
+			goto failed_read;
+		}
 		frag = le32_to_cpu(sqsh_ino->fragment);
 		if (frag != SQUASHFS_INVALID_FRAG) {
 			/*
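
Review bot: the "inode->i_size < 0" check is added only where file_size is
read with le64_to_cpu(). The changelog's bracketed note gives the reason
(only the 64-bit quantity needs checking), but the code carries no comment,
so the 32-bit case elsewhere in the function reads like an omission. A
one-line comment here would settle that. Like the fragment check that
follows it, the failure returns -EINVAL without logging the inode.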



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 139/224] mfd: intel_soc_pmic_chtdc_ti: Fix invalid regmap-config max_register value
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2025-10-27 18:34 ` [PATCH 5.4 138/224] Squashfs: reject negative file sizes in squashfs_read_inode() Greg Kroah-Hartman
@ 2025-10-27 18:34 ` Greg Kroah-Hartman
  2025-10-27 18:34 ` [PATCH 5.4 140/224] mfd: intel_soc_pmic_chtdc_ti: Drop unneeded assignment for cache_type Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hans de Goede, Andy Shevchenko,
	Lee Jones, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

[ Upstream commit 70e997e0107e5ed85c1a3ef2adfccbe351c29d71 ]

The max_register = 128 setting in the regmap config is not valid.

The Intel Dollar Cove TI PMIC has an eeprom unlock register at address 0x88
and a number of EEPROM registers at 0xF?. Increase max_register to 0xff so
that these registers can be accessed.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Link: https://lore.kernel.org/r/20241208150028.325349-1-hdegoede@redhat.com
Signed-off-by: Lee Jones <lee@kernel.org>
Stable-dep-of: 64e0d839c589 ("mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mfd/intel_soc_pmic_chtdc_ti.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mfd/intel_soc_pmic_chtdc_ti.c
+++ b/drivers/mfd/intel_soc_pmic_chtdc_ti.c
@@ -81,7 +81,7 @@ static struct mfd_cell chtdc_ti_dev[] =
 static const struct regmap_config chtdc_ti_regmap_config = {
 	.reg_bits = 8,
 	.val_bits = 8,
-	.max_register = 128,
+	.max_register = 0xff,
 	.cache_type = REGCACHE_NONE,
 };
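
Review bot: ".max_register = 0xff" is justified only in the changelog (the
EEPROM unlock register at 0x88 and the EEPROM registers at 0xF?). A short
comment on the field naming those registers would explain why the bound
covers the full 8-bit address space and keep it from being lowered again.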
 



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 140/224] mfd: intel_soc_pmic_chtdc_ti: Drop unneeded assignment for cache_type
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Hans de Goede,
	Lee Jones, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

[ Upstream commit 9eb99c08508714906db078b5efbe075329a3fb06 ]

REGCACHE_NONE is the default type of the cache when not provided.
Drop unneeded explicit assignment to it.

Note, it's defined to 0, and if it is ever redefined, it will break
literally a lot of the drivers, so it is very unlikely to happen.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20250129152823.1802273-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Lee Jones <lee@kernel.org>
Stable-dep-of: 64e0d839c589 ("mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mfd/intel_soc_pmic_chtdc_ti.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/mfd/intel_soc_pmic_chtdc_ti.c
+++ b/drivers/mfd/intel_soc_pmic_chtdc_ti.c
@@ -82,7 +82,6 @@ static const struct regmap_config chtdc_
 	.reg_bits = 8,
 	.val_bits = 8,
 	.max_register = 0xff,
-	.cache_type = REGCACHE_NONE,
 };
 
 static const struct regmap_irq chtdc_ti_irqs[] = {



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 141/224] mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Hans de Goede,
	Lee Jones, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hansg@kernel.org>

[ Upstream commit 64e0d839c589f4f2ecd2e3e5bdb5cee6ba6bade9 ]

Testing has shown that reading multiple registers at once (for 10-bit
ADC values) does not work. Set the use_single_read regmap_config flag
to make regmap split these for us.

This should fix temperature opregion accesses done by
drivers/acpi/pmic/intel_pmic_chtdc_ti.c and is also necessary for
the upcoming drivers for the ADC and battery MFD cells.

Fixes: 6bac0606fdba ("mfd: Add support for Cherry Trail Dollar Cove TI PMIC")
Cc: stable@vger.kernel.org
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Signed-off-by: Hans de Goede <hansg@kernel.org>
Link: https://lore.kernel.org/r/20250804133240.312383-1-hansg@kernel.org
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mfd/intel_soc_pmic_chtdc_ti.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/mfd/intel_soc_pmic_chtdc_ti.c
+++ b/drivers/mfd/intel_soc_pmic_chtdc_ti.c
@@ -82,6 +82,8 @@ static const struct regmap_config chtdc_
 	.reg_bits = 8,
 	.val_bits = 8,
 	.max_register = 0xff,
+	/* The hardware does not support reading multiple registers at once */
+	.use_single_read = true,
 };
 
 static const struct regmap_irq chtdc_ti_irqs[] = {
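Review bot: only reads are split by `.use_single_read = true`; the added comment and the commit message cover multi-register reads, and nothing here says whether multi-register writes were tested. If the hardware has the same limitation on writes, `.use_single_write = true` belongs next to it; if writes are known to work, or no cell issues them, say so in the comment.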



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 142/224] dm: fix NULL pointer dereference in __dm_suspend()
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zheng Qixing, Mikulas Patocka,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zheng Qixing <zhengqixing@huawei.com>

[ Upstream commit 8d33a030c566e1f105cd5bf27f37940b6367f3be ]

There is a race condition between dm device suspend and table load that
can lead to null pointer dereference. The issue occurs when suspend is
invoked before table load completes:

BUG: kernel NULL pointer dereference, address: 0000000000000054
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50
Call Trace:
  <TASK>
  blk_mq_quiesce_queue+0x2c/0x50
  dm_stop_queue+0xd/0x20
  __dm_suspend+0x130/0x330
  dm_suspend+0x11a/0x180
  dev_suspend+0x27e/0x560
  ctl_ioctl+0x4cf/0x850
  dm_ctl_ioctl+0xd/0x20
  vfs_ioctl+0x1d/0x50
  __se_sys_ioctl+0x9b/0xc0
  __x64_sys_ioctl+0x19/0x30
  x64_sys_call+0x2c4a/0x4620
  do_syscall_64+0x9e/0x1b0

The issue can be triggered as below:

T1 						T2
dm_suspend					table_load
__dm_suspend					dm_setup_md_queue
						dm_mq_init_request_queue
						blk_mq_init_allocated_queue
						=> q->mq_ops = set->ops; (1)
dm_stop_queue / dm_wait_for_completion
=> q->tag_set NULL pointer!	(2)
						=> q->tag_set = set; (3)

Fix this by checking if a valid table (map) exists before performing
request-based suspend and waiting for target I/O. When map is NULL,
skip these table-dependent suspend steps.

Even when map is NULL, no I/O can reach any target because there is
no table loaded; I/O submitted in this state will fail early in the
DM layer. Skipping the table-dependent suspend logic in this case
is safe and avoids NULL pointer dereferences.

Fixes: c4576aed8d85 ("dm: fix request-based dm's use of dm_wait_for_completion")
Cc: stable@vger.kernel.org
Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
[ omitted DMF_QUEUE_STOPPED flag setting and braces absent in 5.15 ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -2595,7 +2595,7 @@ static int __dm_suspend(struct mapped_de
 {
 	bool do_lockfs = suspend_flags & DM_SUSPEND_LOCKFS_FLAG;
 	bool noflush = suspend_flags & DM_SUSPEND_NOFLUSH_FLAG;
-	int r;
+	int r = 0;
 
 	lockdep_assert_held(&md->suspend_lock);
 
@@ -2648,7 +2648,7 @@ static int __dm_suspend(struct mapped_de
 	 * Stop md->queue before flushing md->wq in case request-based
 	 * dm defers requests to md->wq from md->queue.
 	 */
-	if (dm_request_based(md))
+	if (map && dm_request_based(md))
 		dm_stop_queue(md->queue);
 
 	flush_workqueue(md->wq);
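Review bot: the comment block above `if (map && dm_request_based(md))` still describes an unconditional stop of md->queue and gives no reason for the new `map` test. Add a sentence there saying that with no table loaded the queue may not be fully set up yet (the q->tag_set race in the commit message), so the stop is skipped on purpose.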
@@ -2658,7 +2658,8 @@ static int __dm_suspend(struct mapped_de
 	 * We call dm_wait_for_completion to wait for all existing requests
 	 * to finish.
 	 */
-	r = dm_wait_for_completion(md, task_state);
+	if (map)
+		r = dm_wait_for_completion(md, task_state);
 	if (!r)
 		set_bit(dmf_suspended_flag, &md->flags);
 
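Review bot: when `map` is NULL the `if (!r)` test relies entirely on the `int r = 0` initializer added in the first hunk, so the suspended flag is set without any wait having run. That matches the commit message, but the dependency between the two hunks is implicit; writing `r = map ? dm_wait_for_completion(md, task_state) : 0;` or adding a comment at `if (map)` would keep a later backport from separating them.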



^ permalink raw reply	[flat|nested] 234+ messages in thread

* [PATCH 5.4 143/224] tracing: Fix race condition in kprobe initialization causing NULL pointer dereference
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuan Chen, Masami Hiramatsu (Google),
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yuan Chen <chenyuan@kylinos.cn>

[ Upstream commit 9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f ]

There is a critical race condition in kprobe initialization that can lead to
NULL pointer dereference and kernel crash.

[1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000
...
[1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO)
[1135630.269239] pc : kprobe_perf_func+0x30/0x260
[1135630.277643] lr : kprobe_dispatcher+0x44/0x60
[1135630.286041] sp : ffffaeff4977fa40
[1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400
[1135630.302837] x27: 0000000000000000 x26: 0000000000000000
[1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528
[1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50
[1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50
[1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000
[1135630.349985] x17: 0000000000000000 x16: 0000000000000000
[1135630.359285] x15: 0000000000000000 x14: 0000000000000000
[1135630.368445] x13: 0000000000000000 x12: 0000000000000000
[1135630.377473] x11: 0000000000000000 x10: 0000000000000000
[1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000
[1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000
[1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000
[1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006
[1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000
[1135630.429410] Call trace:
[1135630.434828]  kprobe_perf_func+0x30/0x260
[1135630.441661]  kprobe_dispatcher+0x44/0x60
[1135630.448396]  aggr_pre_handler+0x70/0xc8
[1135630.454959]  kprobe_breakpoint_handler+0x140/0x1e0
[1135630.462435]  brk_handler+0xbc/0xd8
[1135630.468437]  do_debug_exception+0x84/0x138
[1135630.475074]  el1_dbg+0x18/0x8c
[1135630.480582]  security_file_permission+0x0/0xd0
[1135630.487426]  vfs_write+0x70/0x1c0
[1135630.493059]  ksys_write+0x5c/0xc8
[1135630.498638]  __arm64_sys_write+0x24/0x30
[1135630.504821]  el0_svc_common+0x78/0x130
[1135630.510838]  el0_svc_handler+0x38/0x78
[1135630.516834]  el0_svc+0x8/0x1b0

kernel/trace/trace_kprobe.c: 1308
0xffff3df8995039ec <kprobe_perf_func+0x2c>:     ldr     x21, [x24,#120]
include/linux/compiler.h: 294
0xffff3df8995039f0 <kprobe_perf_func+0x30>:     ldr     x1, [x21,x0]

kernel/trace/trace_kprobe.c
1308: head = this_cpu_ptr(call->perf_events);
1309: if (hlist_empty(head))
1310: 	return 0;

crash> struct trace_event_call -o
struct trace_event_call {
  ...
  [120] struct hlist_head *perf_events;  //(call->perf_event)
  ...
}

crash> struct trace_event_call ffffaf015340e528
struct trace_event_call {
  ...
  perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0
  ...
}

Race Condition Analysis:

The race occurs between kprobe activation and perf_events initialization:

  CPU0                                    CPU1
  ====                                    ====
  perf_kprobe_init
    perf_trace_event_init
      tp_event->perf_events = list;(1)
      tp_event->class->reg (2)← KPROBE ACTIVE
                                          Debug exception triggers
                                          ...
                                          kprobe_dispatcher
                                            kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE)
                                              head = this_cpu_ptr(call->perf_events)(3)
                                              (perf_events is still NULL)

Problem:
1. CPU0 executes (1) assigning tp_event->perf_events = list
2. CPU0 executes (2) enabling kprobe functionality via class->reg()
3. CPU1 triggers and reaches kprobe_dispatcher
4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed)
5. CPU1 calls kprobe_perf_func() and crashes at (3) because
   call->perf_events is still NULL

CPU1 sees that kprobe functionality is enabled but does not see that
perf_events has been assigned.

Add pairing read and write memory barriers to guarantee that if CPU1
sees that kprobe functionality is enabled, it must also see that
perf_events has been assigned.

Link: https://lore.kernel.org/all/20251001022025.44626-1-chenyuan_fl@163.com/

Fixes: 50d780560785 ("tracing/kprobes: Add probe handler dispatcher to support perf and ftrace concurrent use")
Cc: stable@vger.kernel.org
Signed-off-by: Yuan Chen <chenyuan@kylinos.cn>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
[ Dropped ftrace changes + context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/trace/trace_kprobe.c |   11 +++++++----
 kernel/trace/trace_probe.h  |    9 +++++++--
 kernel/trace/trace_uprobe.c |   12 ++++++++----
 3 files changed, 22 insertions(+), 10 deletions(-)

--- a/kernel/trace/trace_kprobe.c
+++ b/kernel/trace/trace_kprobe.c
@@ -1585,14 +1585,15 @@ static int kprobe_register(struct trace_
 static int kprobe_dispatcher(struct kprobe *kp, struct pt_regs *regs)
 {
 	struct trace_kprobe *tk = container_of(kp, struct trace_kprobe, rp.kp);
+	unsigned int flags = trace_probe_load_flag(&tk->tp);
 	int ret = 0;
 
 	raw_cpu_inc(*tk->nhit);
 
-	if (trace_probe_test_flag(&tk->tp, TP_FLAG_TRACE))
+	if (flags & TP_FLAG_TRACE)
 		kprobe_trace_func(tk, regs);
 #ifdef CONFIG_PERF_EVENTS
-	if (trace_probe_test_flag(&tk->tp, TP_FLAG_PROFILE))
+	if (flags & TP_FLAG_PROFILE)
 		ret = kprobe_perf_func(tk, regs);
 #endif
 	return ret;
@@ -1603,13 +1604,15 @@ static int
 kretprobe_dispatcher(struct kretprobe_instance *ri, struct pt_regs *regs)
 {
 	struct trace_kprobe *tk = container_of(ri->rp, struct trace_kprobe, rp);
+	unsigned int flags;
 
 	raw_cpu_inc(*tk->nhit);
 
-	if (trace_probe_test_flag(&tk->tp, TP_FLAG_TRACE))
+	flags = trace_probe_load_flag(&tk->tp);
+	if (flags & TP_FLAG_TRACE)
 		kretprobe_trace_func(tk, ri, regs);
 #ifdef CONFIG_PERF_EVENTS
-	if (trace_probe_test_flag(&tk->tp, TP_FLAG_PROFILE))
+	if (flags & TP_FLAG_PROFILE)
 		kretprobe_perf_func(tk, ri, regs);
 #endif
 	return 0;	/* We don't tweek kernel, so just return 0 */
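Review bot: `flags` is loaded after `raw_cpu_inc(*tk->nhit)` in kretprobe_dispatcher(), but in the declaration initializer, before the increment, in kprobe_dispatcher() above. The ordering against the hit counter does not matter for the fix, so use one placement in both dispatchers to avoid suggesting that it does.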
--- a/kernel/trace/trace_probe.h
+++ b/kernel/trace/trace_probe.h
@@ -252,16 +252,21 @@ struct event_file_link {
 	struct list_head		list;
 };
 
+static inline unsigned int trace_probe_load_flag(struct trace_probe *tp)
+{
+	return smp_load_acquire(&tp->event->flags);
+}
+
 static inline bool trace_probe_test_flag(struct trace_probe *tp,
 					 unsigned int flag)
 {
-	return !!(tp->event->flags & flag);
+	return !!(trace_probe_load_flag(tp) & flag);
 }
 
 static inline void trace_probe_set_flag(struct trace_probe *tp,
 					unsigned int flag)
 {
-	tp->event->flags |= flag;
+	smp_store_release(&tp->event->flags, tp->event->flags | flag);
 }
 
 static inline void trace_probe_clear_flag(struct trace_probe *tp,
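Review bot: the release store in trace_probe_set_flag() is built from a plain read, `tp->event->flags | flag`, so the update is still a non-atomic read-modify-write, and trace_probe_clear_flag() just below is not touched by this hunk. If set and clear can run without a common lock an update can be lost, so state in a comment which lock serializes the writers. Also add the usual barrier comments naming the pair: the smp_store_release() here publishes the earlier `perf_events` assignment, and the smp_load_acquire() in trace_probe_load_flag() is its counterpart.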
--- a/kernel/trace/trace_uprobe.c
+++ b/kernel/trace/trace_uprobe.c
@@ -1465,6 +1465,7 @@ static int uprobe_dispatcher(struct upro
 	struct uprobe_dispatch_data udd;
 	struct uprobe_cpu_buffer *ucb;
 	int dsize, esize;
+	unsigned int flags;
 	int ret = 0;
 
 
@@ -1485,11 +1486,12 @@ static int uprobe_dispatcher(struct upro
 	ucb = uprobe_buffer_get();
 	store_trace_args(ucb->buf, &tu->tp, regs, esize, dsize);
 
-	if (trace_probe_test_flag(&tu->tp, TP_FLAG_TRACE))
+	flags = trace_probe_load_flag(&tu->tp);
+	if (flags & TP_FLAG_TRACE)
 		ret |= uprobe_trace_func(tu, regs, ucb, dsize);
 
 #ifdef CONFIG_PERF_EVENTS
-	if (trace_probe_test_flag(&tu->tp, TP_FLAG_PROFILE))
+	if (flags & TP_FLAG_PROFILE)
 		ret |= uprobe_perf_func(tu, regs, ucb, dsize);
 #endif
 	uprobe_buffer_put(ucb);
@@ -1503,6 +1505,7 @@ static int uretprobe_dispatcher(struct u
 	struct uprobe_dispatch_data udd;
 	struct uprobe_cpu_buffer *ucb;
 	int dsize, esize;
+	unsigned int flags;
 
 	tu = container_of(con, struct trace_uprobe, consumer);
 
@@ -1520,11 +1523,12 @@ static int uretprobe_dispatcher(struct u
 	ucb = uprobe_buffer_get();
 	store_trace_args(ucb->buf, &tu->tp, regs, esize, dsize);
 
-	if (trace_probe_test_flag(&tu->tp, TP_FLAG_TRACE))
+	flags = trace_probe_load_flag(&tu->tp);
+	if (flags & TP_FLAG_TRACE)
 		uretprobe_trace_func(tu, func, regs, ucb, dsize);
 
 #ifdef CONFIG_PERF_EVENTS
-	if (trace_probe_test_flag(&tu->tp, TP_FLAG_PROFILE))
+	if (flags & TP_FLAG_PROFILE)
 		uretprobe_perf_func(tu, func, regs, ucb, dsize);
 #endif
 	uprobe_buffer_put(ucb);



^ permalink raw reply	[flat|nested] 234+ messages in thread
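The ordering guarantee the patch above adds, modelled in user space with C11 atomics standing in for smp_store_release()/smp_load_acquire(). This is an added example, not code from the patch or the kernel; struct event_model, event_enable(), event_dispatch(), run_model() and the flag value are assumptions made for the model.

```c
/* User-space model of the flag/pointer publication fixed in the patch. */
#include <pthread.h>
#include <stdatomic.h>
#include <stddef.h>

#define TP_FLAG_PROFILE 2u	/* constructed value for this model */
#define MAX_ROUNDS 50000

struct event_model {
	int *perf_events;		/* plain field, like call->perf_events */
	_Atomic unsigned int flags;	/* like tp->event->flags */
};

static struct event_model events[MAX_ROUNDS];
static int per_cpu_list = 42;		/* stand-in for the allocated list */

/* Writer side: step (1), then step (2) of the race diagram. */
static void event_enable(struct event_model *ev, int *list)
{
	unsigned int old;

	ev->perf_events = list;					/* (1) */
	old = atomic_load_explicit(&ev->flags, memory_order_relaxed);
	/* Release: every write above is visible to a thread that
	 * observes this store through an acquire load. */
	atomic_store_explicit(&ev->flags, old | TP_FLAG_PROFILE,
			      memory_order_release);		/* (2) */
}

/* Reader side: one acquire snapshot of the flags, then the dependent
 * access. Returns 0 = not enabled yet, 1 = enabled and pointer valid,
 * -1 = flag seen but pointer still NULL (the crash in the report). */
static int event_dispatch(struct event_model *ev)
{
	unsigned int flags =
		atomic_load_explicit(&ev->flags, memory_order_acquire);

	if (!(flags & TP_FLAG_PROFILE))
		return 0;
	return ev->perf_events ? 1 : -1;			/* (3) */
}

struct reader_result {
	int rounds;
	int violations;
};

static void *reader_thread(void *arg)
{
	struct reader_result *res = arg;
	int i, r;

	for (i = 0; i < res->rounds; i++) {
		/* The probe keeps firing until the event is enabled. */
		while ((r = event_dispatch(&events[i])) == 0)
			;
		if (r < 0)
			res->violations++;
	}
	return NULL;
}

/* Runs `rounds` enable/dispatch pairs on two threads and returns how
 * often the reader saw the flag without the pointer (-1 on setup error). */
static int run_model(int rounds)
{
	struct reader_result res = { 0, 0 };
	pthread_t reader;
	int i;

	if (rounds > MAX_ROUNDS)
		rounds = MAX_ROUNDS;
	for (i = 0; i < rounds; i++) {
		events[i].perf_events = NULL;
		atomic_store_explicit(&events[i].flags, 0,
				      memory_order_relaxed);
	}
	res.rounds = rounds;
	if (pthread_create(&reader, NULL, reader_thread, &res) != 0)
		return -1;
	for (i = 0; i < rounds; i++)
		event_enable(&events[i], &per_cpu_list);
	pthread_join(reader, NULL);
	return res.violations;
}

int main(void)
{
	return run_model(MAX_ROUNDS) == 0 ? 0 : 1;
}
```

Build with `cc -pthread`. Weakening both memory orders to `memory_order_relaxed` removes the guarantee that `event_dispatch()` never returns -1, which is the window the commit message describes.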

* [PATCH 5.4 144/224] minixfs: Verify inode mode when loading from disk
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot, Tetsuo Handa,
	Christian Brauner, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

[ Upstream commit 73861970938ad1323eb02bbbc87f6fbd1e5bacca ]

The inode mode loaded from a corrupted disk can be invalid. Do what
commit 0a9e74051313 ("isofs: Verify inode mode when loading from disk")
does.

Reported-by: syzbot <syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=895c23f6917da440ed0d
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Link: https://lore.kernel.org/ec982681-84b8-4624-94fa-8af15b77cbd2@I-love.SAKURA.ne.jp
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/minix/inode.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/fs/minix/inode.c b/fs/minix/inode.c
index 3fffc709afd43..c026706aec0cc 100644
--- a/fs/minix/inode.c
+++ b/fs/minix/inode.c
@@ -470,8 +470,14 @@ void minix_set_inode(struct inode *inode, dev_t rdev)
 		inode->i_op = &minix_symlink_inode_operations;
 		inode_nohighmem(inode);
 		inode->i_mapping->a_ops = &minix_aops;
-	} else
+	} else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) ||
+		   S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) {
 		init_special_inode(inode, inode->i_mode, rdev);
+	} else {
+		printk(KERN_DEBUG "MINIX-fs: Invalid file type 0%04o for inode %lu.\n",
+		       inode->i_mode, inode->i_ino);
+		make_bad_inode(inode);
+	}
 }
 
 /*
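Review bot: the new `else` branch reports a corrupted inode at KERN_DEBUG and without rate limiting. On an image with many bad inodes the message is either invisible at the default log level or, with debug output enabled, emitted once per inode; a rate-limited warning would serve both cases better. Since minix_set_inode() returns void, a short comment that callers observe the failure only through `make_bad_inode(inode)` would also help.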
-- 
2.51.0




^ permalink raw reply related	[flat|nested] 234+ messages in thread

* [PATCH 5.4 145/224] pid: Add a judgment for ns null in pid_nr_ns
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, gaoxiang17, Baoquan He,
	Christian Brauner, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: gaoxiang17 <gaoxiang17@xiaomi.com>

[ Upstream commit 006568ab4c5ca2309ceb36fa553e390b4aa9c0c7 ]

__task_pid_nr_ns
        ns = task_active_pid_ns(current);
        pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);
                if (pid && ns->level <= pid->level) {

Sometimes null is returned for task_active_pid_ns. Then it will trigger a kernel panic in pid_nr_ns.

For example:
	Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058
	Mem abort info:
	ESR = 0x0000000096000007
	EC = 0x25: DABT (current EL), IL = 32 bits
	SET = 0, FnV = 0
	EA = 0, S1PTW = 0
	FSC = 0x07: level 3 translation fault
	Data abort info:
	ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000
	CM = 0, WnR = 0, TnD = 0, TagAccess = 0
	GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
	user pgtable: 4k pages, 39-bit VAs, pgdp=00000002175aa000
	[0000000000000058] pgd=08000002175ab003, p4d=08000002175ab003, pud=08000002175ab003, pmd=08000002175be003, pte=0000000000000000
	pstate: 834000c5 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
	pc : __task_pid_nr_ns+0x74/0xd0
	lr : __task_pid_nr_ns+0x24/0xd0
	sp : ffffffc08001bd10
	Call trace:
	__task_pid_nr_ns+0x74/0xd0
	...
	__handle_irq_event_percpu+0xd4/0x284
	handle_irq_event+0x48/0xb0
	handle_fasteoi_irq+0x160/0x2d8
	generic_handle_domain_irq+0x44/0x60
	gic_handle_irq+0x4c/0x114
	call_on_irq_stack+0x3c/0x74
	do_interrupt_handler+0x4c/0x84
	el1_interrupt+0x34/0x58
	el1h_64_irq_handler+0x18/0x24
	el1h_64_irq+0x68/0x6c
	account_kernel_stack+0x60/0x144
	exit_task_stack_account+0x1c/0x80
	do_exit+0x7e4/0xaf8
	...
	get_signal+0x7bc/0x8d8
	do_notify_resume+0x128/0x828
	el0_svc+0x6c/0x70
	el0t_64_sync_handler+0x68/0xbc
	el0t_64_sync+0x1a8/0x1ac
	Code: 35fffe54 911a02a8 f9400108 b4000128 (b9405a69)
	---[ end trace 0000000000000000 ]---
	Kernel panic - not syncing: Oops: Fatal exception in interrupt

Signed-off-by: gaoxiang17 <gaoxiang17@xiaomi.com>
Link: https://lore.kernel.org/20250802022123.3536934-1-gxxa03070307@gmail.com
Reviewed-by: Baoquan He <bhe@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/pid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/pid.c b/kernel/pid.c
index 0a9f2e4372176..3a7b71258047f 100644
--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -407,7 +407,7 @@ pid_t pid_nr_ns(struct pid *pid, struct pid_namespace *ns)
 	struct upid *upid;
 	pid_t nr = 0;
 
-	if (pid && ns->level <= pid->level) {
+	if (pid && ns && ns->level <= pid->level) {
 		upid = &pid->numbers[ns->level];
 		if (upid->ns == ns)
 			nr = upid->nr;
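Review bot: the added `ns &&` test makes pid_nr_ns() return 0 for a NULL namespace, the same value it returns when the pid is not visible in `ns`, so callers cannot tell the two cases apart. Add a comment above the condition saying when `ns` can legitimately be NULL (the trace in the commit message shows the task in do_exit()), so the check is not later removed as dead code.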
-- 
2.51.0




^ permalink raw reply related	[flat|nested] 234+ messages in thread

* [PATCH 5.4 146/224] fs: Add initramfs_options to set initramfs mount options
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lichen Liu, Rob Landley,
	Christian Brauner, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lichen Liu <lichliu@redhat.com>

[ Upstream commit 278033a225e13ec21900f0a92b8351658f5377f2 ]

When CONFIG_TMPFS is enabled, the initial root filesystem is a tmpfs.
By default, a tmpfs mount is limited to using 50% of the available RAM
for its content. This can be problematic in memory-constrained
environments, particularly during a kdump capture.

In a kdump scenario, the capture kernel boots with a limited amount of
memory specified by the 'crashkernel' parameter. If the initramfs is
large, it may fail to unpack into the tmpfs rootfs due to insufficient
space. This is because to get X MB of usable space in tmpfs, 2*X MB of
memory must be available for the mount. This leads to an OOM failure
during the early boot process, preventing a successful crash dump.

This patch introduces a new kernel command-line parameter,
initramfs_options, which allows passing specific mount options directly
to the rootfs when it is first mounted. This gives users control over
the rootfs behavior.

For example, a user can now specify initramfs_options=size=75% to allow
the tmpfs to use up to 75% of the available memory. This can
significantly reduce the memory pressure for kdump.

Consider a practical example:

To unpack a 48MB initramfs, the tmpfs needs 48MB of usable space. With
the default 50% limit, this requires a memory pool of 96MB to be
available for the tmpfs mount. The total memory requirement is therefore
approximately: 16MB (vmlinuz) + 48MB (loaded initramfs) + 48MB (unpacked
kernel) + 96MB (for tmpfs) + 12MB (runtime overhead) ≈ 220MB.

By using initramfs_options=size=75%, the memory pool required for the
48MB tmpfs is reduced to 48MB / 0.75 = 64MB. This reduces the total
memory requirement by 32MB (96MB - 64MB), allowing the kdump to succeed
with a smaller crashkernel size, such as 192MB.

An alternative approach of reusing the existing rootflags parameter was
considered. However, a new, dedicated initramfs_options parameter was
chosen to avoid altering the current behavior of rootflags (which
applies to the final root filesystem) and to prevent any potential
regressions.

Also add documentation for the new kernel parameter "initramfs_options".

This approach is inspired by prior discussions and patches on the topic.
Ref: https://www.lightofdawn.org/blog/?viewDetailed=00128
Ref: https://landley.net/notes-2015.html#01-01-2015
Ref: https://lkml.org/lkml/2021/6/29/783
Ref: https://www.kernel.org/doc/html/latest/filesystems/ramfs-rootfs-initramfs.html#what-is-rootfs

Signed-off-by: Lichen Liu <lichliu@redhat.com>
Link: https://lore.kernel.org/20250815121459.3391223-1-lichliu@redhat.com
Tested-by: Rob Landley <rob@landley.net>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 Documentation/admin-guide/kernel-parameters.txt |  3 +++
 fs/namespace.c                                  | 11 ++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 9975dcab99c35..5c2594d7c9ac9 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -4409,6 +4409,9 @@
 
 	rootflags=	[KNL] Set root filesystem mount option string
 
+	initramfs_options= [KNL]
+                        Specify mount options for for the initramfs mount.
+
 	rootfstype=	[KNL] Set root filesystem type
 
 	rootwait	[KNL] Wait (indefinitely) for root device to show up.
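Review bot: the added description reads "mount options for for the initramfs mount", so drop the duplicated word. The entry is also placed between `rootflags=` and `rootfstype=`, away from where a reader scanning for an `i...` parameter would look, and it gives no example; the commit message's `initramfs_options=size=75%` would fit here.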
diff --git a/fs/namespace.c b/fs/namespace.c
index c87f847c959d9..3c6f0586ae218 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -62,6 +62,15 @@ static int __init set_mphash_entries(char *str)
 }
 __setup("mphash_entries=", set_mphash_entries);
 
+static char * __initdata initramfs_options;
+static int __init initramfs_options_setup(char *str)
+{
+	initramfs_options = str;
+	return 1;
+}
+
+__setup("initramfs_options=", initramfs_options_setup);
+
 static u64 event;
 static DEFINE_IDA(mnt_id_ida);
 static DEFINE_IDA(mnt_group_ida);
@@ -3829,7 +3838,7 @@ static void __init init_mount_tree(void)
 	struct mnt_namespace *ns;
 	struct path root;
 
-	mnt = vfs_kern_mount(&rootfs_fs_type, 0, "rootfs", NULL);
+	mnt = vfs_kern_mount(&rootfs_fs_type, 0, "rootfs", initramfs_options);
 	if (IS_ERR(mnt))
 		panic("Can't create rootfs");
 
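Review bot: the user-supplied string now goes straight into `vfs_kern_mount(&rootfs_fs_type, 0, "rootfs", initramfs_options)`, and the only error handling that follows is `panic("Can't create rootfs")`. If the rootfs filesystem rejects the options, a typo on the command line turns into an unbootable system; consider logging the rejected string and retrying with NULL before panicking.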
-- 
2.51.0




^ permalink raw reply related	[flat|nested] 234+ messages in thread

* [PATCH 5.4 147/224] cramfs: Verify inode mode when loading from disk
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot, Tetsuo Handa, Nicolas Pitre,
	Christian Brauner, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

[ Upstream commit 7f9d34b0a7cb93d678ee7207f0634dbf79e47fe5 ]

The inode mode loaded from a corrupted disk can be invalid. Do what
commit 0a9e74051313 ("isofs: Verify inode mode when loading from disk")
does.

Reported-by: syzbot <syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=895c23f6917da440ed0d
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Link: https://lore.kernel.org/429b3ef1-13de-4310-9a8e-c2dc9a36234a@I-love.SAKURA.ne.jp
Acked-by: Nicolas Pitre <nico@fluxnic.net>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/cramfs/inode.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c
index 2f04024c3588e..82c45ca453216 100644
--- a/fs/cramfs/inode.c
+++ b/fs/cramfs/inode.c
@@ -117,9 +117,18 @@ static struct inode *get_cramfs_inode(struct super_block *sb,
 		inode_nohighmem(inode);
 		inode->i_data.a_ops = &cramfs_aops;
 		break;
-	default:
+	case S_IFCHR:
+	case S_IFBLK:
+	case S_IFIFO:
+	case S_IFSOCK:
 		init_special_inode(inode, cramfs_inode->mode,
 				old_decode_dev(cramfs_inode->size));
+		break;
+	default:
+		printk(KERN_DEBUG "CRAMFS: Invalid file type 0%04o for inode %lu.\n",
+		       inode->i_mode, inode->i_ino);
+		iget_failed(inode);
+		return ERR_PTR(-EIO);
 	}
 
 	inode->i_mode = cramfs_inode->mode;
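Review bot: the new `default:` branch prints `inode->i_mode`, but the context line after the switch, `inode->i_mode = cramfs_inode->mode;`, shows that field is only filled in later, so the message does not report the on-disk value. Print `cramfs_inode->mode` instead, which is what the `init_special_inode()` call in the same hunk already uses.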
-- 
2.51.0




^ permalink raw reply related	[flat|nested] 234+ messages in thread

* [PATCH 5.4 148/224] xen/events: Cleanup find_virq() return codes
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jason Andryuk, Jan Beulich,
	Juergen Gross, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Andryuk <jason.andryuk@amd.com>

[ Upstream commit 08df2d7dd4ab2db8a172d824cda7872d5eca460a ]

rc is overwritten by the evtchn_status hypercall in each iteration, so
the return value will be whatever the last iteration is.  This could
incorrectly return success even if the event channel was not found.
Change to an explicit -ENOENT for an un-found virq and return 0 on a
successful match.

Fixes: 62cc5fc7b2e0 ("xen/pv-on-hvm kexec: rebind virqs to existing eventchannel ports")
Cc: stable@vger.kernel.org
Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <20250828003604.8949-2-jason.andryuk@amd.com>
[ converted evtchn pointer output parameter to direct port return value ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/xen/events/events_base.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -1210,10 +1210,12 @@ EXPORT_SYMBOL_GPL(bind_interdomain_evtch
 static int find_virq(unsigned int virq, unsigned int cpu)
 {
 	struct evtchn_status status;
-	int port, rc = -ENOENT;
+	int port;
 
 	memset(&status, 0, sizeof(status));
 	for (port = 0; port < xen_evtchn_max_channels(); port++) {
+		int rc;
+
 		status.dom = DOMID_SELF;
 		status.port = port;
 		rc = HYPERVISOR_event_channel_op(EVTCHNOP_status, &status);
@@ -1221,12 +1223,10 @@ static int find_virq(unsigned int virq,
 			continue;
 		if (status.status != EVTCHNSTAT_virq)
 			continue;
-		if (status.u.virq == virq && status.vcpu == xen_vcpu_nr(cpu)) {
-			rc = port;
-			break;
-		}
+		if (status.u.virq == virq && status.vcpu == xen_vcpu_nr(cpu))
+			return port;
 	}
-	return rc;
+	return -ENOENT;
 }
 
 /**
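Review bot: find_virq() now returns the matching port directly, and since the scan in the previous hunk starts at port = 0, a return value of 0 is a valid port rather than the generic success code that "return 0 on a successful match" in the changelog suggests. Callers have to test rc < 0, not rc != 0. A short comment above the function stating "returns the port number, or -ENOENT" would make that contract explicit for this backport.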



* [PATCH 5.4 149/224] media: cx18: Add missing check after DMA map
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Hans Verkuil,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Fourier <fourier.thomas@gmail.com>

[ Upstream commit 23b53639a793477326fd57ed103823a8ab63084f ]

The DMA map functions can fail and should be tested for errors.
If the mapping fails, dealloc buffers, and return.

Fixes: 1c1e45d17b66 ("V4L/DVB (7786): cx18: new driver for the Conexant CX23418 MPEG encoder chip")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
[ removed pci_map_single() replaced by dma_map_single() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/pci/cx18/cx18-queue.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/drivers/media/pci/cx18/cx18-queue.c
+++ b/drivers/media/pci/cx18/cx18-queue.c
@@ -379,14 +379,22 @@ int cx18_stream_alloc(struct cx18_stream
 			break;
 		}
 
+		buf->dma_handle = dma_map_single(&s->cx->pci_dev->dev,
+						 buf->buf, s->buf_size,
+						 s->dma);
+		if (dma_mapping_error(&s->cx->pci_dev->dev, buf->dma_handle)) {
+			kfree(buf->buf);
+			kfree(mdl);
+			kfree(buf);
+			break;
+		}
+
 		INIT_LIST_HEAD(&mdl->list);
 		INIT_LIST_HEAD(&mdl->buf_list);
 		mdl->id = s->mdl_base_idx; /* a somewhat safe value */
 		cx18_enqueue(s, mdl, &s->q_idle);
 
 		INIT_LIST_HEAD(&buf->list);
-		buf->dma_handle = pci_map_single(s->cx->pci_dev,
-				buf->buf, s->buf_size, s->dma);
 		cx18_buf_sync_for_cpu(s, buf);
 		list_add_tail(&buf->list, &s->buf_pool);
 	}
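Review bot: on dma_mapping_error() the new branch frees buf->buf, mdl and buf and then does a plain break, the same exit the branch above it uses, so nothing in this hunk tells the caller that the mapping failed. Check that the code after the loop turns an early break into an error return and unwinds the buffers already on s->buf_pool. Moving the map ahead of cx18_enqueue(s, mdl, &s->q_idle) is what makes kfree(mdl) safe here, which deserves a one-line comment. Since this backport maps with dma_map_single(&s->cx->pci_dev->dev, ...), the matching unmap in this tree should also be confirmed to use the same device and the s->dma direction.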



* [PATCH 5.4 150/224] pwm: berlin: Fix wrong register in suspend/resume
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jisheng Zhang, Uwe Kleine-König

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jisheng Zhang <jszhang@kernel.org>

commit 3a4b9d027e4061766f618292df91760ea64a1fcc upstream.

The 'enable' register should be BERLIN_PWM_EN rather than
BERLIN_PWM_ENABLE; otherwise, the driver accesses the wrong address and
there will be a CPU exception, then a kernel panic, during suspend/resume.

Fixes: bbf0722c1c66 ("pwm: berlin: Add suspend/resume support")
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
Link: https://lore.kernel.org/r/20250819114224.31825-1-jszhang@kernel.org
Cc: stable@vger.kernel.org
[ukleinek: backport to 5.10]
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pwm/pwm-berlin.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/pwm/pwm-berlin.c
+++ b/drivers/pwm/pwm-berlin.c
@@ -249,7 +249,7 @@ static int berlin_pwm_suspend(struct dev
 		if (!channel)
 			continue;
 
-		channel->enable = berlin_pwm_readl(pwm, i, BERLIN_PWM_ENABLE);
+		channel->enable = berlin_pwm_readl(pwm, i, BERLIN_PWM_EN);
 		channel->ctrl = berlin_pwm_readl(pwm, i, BERLIN_PWM_CONTROL);
 		channel->duty = berlin_pwm_readl(pwm, i, BERLIN_PWM_DUTY);
 		channel->tcnt = berlin_pwm_readl(pwm, i, BERLIN_PWM_TCNT);
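Review bot: the read into channel->enable compiled with either BERLIN_PWM_ENABLE or BERLIN_PWM_EN because the two names differ only by suffix and both are accepted as the offset argument of berlin_pwm_readl(). A comment at the definitions saying which one is the register offset, or a rename of the other, would stop the same mix-up from recurring. The "[ukleinek: backport to 5.10]" tag in the changelog also does not match this 5.4 queue.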
@@ -280,7 +280,7 @@ static int berlin_pwm_resume(struct devi
 		berlin_pwm_writel(pwm, i, channel->ctrl, BERLIN_PWM_CONTROL);
 		berlin_pwm_writel(pwm, i, channel->duty, BERLIN_PWM_DUTY);
 		berlin_pwm_writel(pwm, i, channel->tcnt, BERLIN_PWM_TCNT);
-		berlin_pwm_writel(pwm, i, channel->enable, BERLIN_PWM_ENABLE);
+		berlin_pwm_writel(pwm, i, channel->enable, BERLIN_PWM_EN);
 	}
 
 	return 0;



* [PATCH 5.4 151/224] btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Anderson Nascimento, David Sterba,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Anderson Nascimento <anderson@allelesecurity.com>

[ Upstream commit dff4f9ff5d7f289e4545cc936362e01ed3252742 ]

The function btrfs_encode_fh() does not properly account for the three
cases it handles.

Before writing to the file handle (fh), the function only returns to the
user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or
BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).

However, when a parent exists and the root ID of the parent and the
inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT
(10 dwords, 40 bytes).

If *max_len is not large enough, this write goes out of bounds because
BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than
BTRFS_FID_SIZE_CONNECTABLE originally returned.

This results in an 8-byte out-of-bounds write at
fid->parent_root_objectid = parent_root_id.

A previous attempt to fix this issue was made but was lost.

https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/

Although this issue does not seem to be easily triggerable, it is a
potential memory corruption bug that should be fixed. This patch
resolves the issue by ensuring the function returns the appropriate size
for all three cases and validates that *max_len is large enough before
writing any data.

Fixes: be6e8dc0ba84 ("NFS support for btrfs - v3")
CC: stable@vger.kernel.org # 3.0+
Signed-off-by: Anderson Nascimento <anderson@allelesecurity.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[ replaced btrfs_root_id() calls with direct ->root->root_key.objectid access ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/export.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/fs/btrfs/export.c
+++ b/fs/btrfs/export.c
@@ -22,7 +22,11 @@ static int btrfs_encode_fh(struct inode
 	int type;
 
 	if (parent && (len < BTRFS_FID_SIZE_CONNECTABLE)) {
-		*max_len = BTRFS_FID_SIZE_CONNECTABLE;
+		if (BTRFS_I(inode)->root->root_key.objectid !=
+		    BTRFS_I(parent)->root->root_key.objectid)
+			*max_len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;
+		else
+			*max_len = BTRFS_FID_SIZE_CONNECTABLE;
 		return FILEID_INVALID;
 	} else if (len < BTRFS_FID_SIZE_NON_CONNECTABLE) {
 		*max_len = BTRFS_FID_SIZE_NON_CONNECTABLE;
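Review bot: the guard still tests len < BTRFS_FID_SIZE_CONNECTABLE, so with a parent in a different root a caller passing 8 or 9 dwords gets past this branch even though BTRFS_FID_SIZE_CONNECTABLE_ROOT (10 dwords) is needed. Computing the required size from the root comparison first, then testing len against that one value, would reject the short buffer here and report the right *max_len in a single place.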
@@ -44,6 +48,8 @@ static int btrfs_encode_fh(struct inode
 		parent_root_id = BTRFS_I(parent)->root->root_key.objectid;
 
 		if (parent_root_id != fid->root_objectid) {
+			if (*max_len < BTRFS_FID_SIZE_CONNECTABLE_ROOT)
+				return FILEID_INVALID;
 			fid->parent_root_objectid = parent_root_id;
 			len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;
 			type = FILEID_BTRFS_WITH_PARENT_ROOT;
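Review bot: the new return FILEID_INVALID ahead of fid->parent_root_objectid = parent_root_id leaves *max_len untouched, unlike the two early branches, so a caller that lands here is not told that BTRFS_FID_SIZE_CONNECTABLE_ROOT is required and cannot retry with a larger buffer. Set *max_len = BTRFS_FID_SIZE_CONNECTABLE_ROOT before returning. The check also reads *max_len where the first hunk tests len; use one of the two consistently.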



* [PATCH 5.4 152/224] drm/exynos: exynos7_drm_decon: remove ctx->suspended
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Inki Dae, Kaustabh Chakraborty,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kaustabh Chakraborty <kauschluss@disroot.org>

[ Upstream commit e1361a4f1be9cb69a662c6d7b5ce218007d6e82b ]

Condition guards are found to be redundant, as the call flow is properly
managed now, as also observed in the Exynos5433 DECON driver. Since
state checking is no longer necessary, remove it.

This also fixes an issue which prevented decon_commit() from
decon_atomic_enable() due to an incorrect state change setting.

Fixes: 96976c3d9aff ("drm/exynos: Add DECON driver")
Cc: stable@vger.kernel.org
Suggested-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/exynos/exynos7_drm_decon.c |   36 -----------------------------
 1 file changed, 36 deletions(-)

--- a/drivers/gpu/drm/exynos/exynos7_drm_decon.c
+++ b/drivers/gpu/drm/exynos/exynos7_drm_decon.c
@@ -51,7 +51,6 @@ struct decon_context {
 	void __iomem			*regs;
 	unsigned long			irq_flags;
 	bool				i80_if;
-	bool				suspended;
 	wait_queue_head_t		wait_vsync_queue;
 	atomic_t			wait_vsync_event;
 
@@ -85,9 +84,6 @@ static void decon_wait_for_vblank(struct
 {
 	struct decon_context *ctx = crtc->ctx;
 
-	if (ctx->suspended)
-		return;
-
 	atomic_set(&ctx->wait_vsync_event, 1);
 
 	/*
@@ -155,9 +151,6 @@ static void decon_commit(struct exynos_d
 	struct drm_display_mode *mode = &crtc->base.state->adjusted_mode;
 	u32 val, clkdiv;
 
-	if (ctx->suspended)
-		return;
-
 	/* nothing to do if we haven't set the mode yet */
 	if (mode->htotal == 0 || mode->vtotal == 0)
 		return;
@@ -219,9 +212,6 @@ static int decon_enable_vblank(struct ex
 	struct decon_context *ctx = crtc->ctx;
 	u32 val;
 
-	if (ctx->suspended)
-		return -EPERM;
-
 	if (!test_and_set_bit(0, &ctx->irq_flags)) {
 		val = readl(ctx->regs + VIDINTCON0);
 
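Review bot: with the -EPERM return gone, decon_enable_vblank() goes straight to readl(ctx->regs + VIDINTCON0), so it now depends entirely on callers never invoking it while the block is powered down. The changelog says the call flow guarantees this; state that in a comment here, since this is the one removed guard that reported an error back to the caller.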
@@ -244,9 +234,6 @@ static void decon_disable_vblank(struct
 	struct decon_context *ctx = crtc->ctx;
 	u32 val;
 
-	if (ctx->suspended)
-		return;
-
 	if (test_and_clear_bit(0, &ctx->irq_flags)) {
 		val = readl(ctx->regs + VIDINTCON0);
 
@@ -369,9 +356,6 @@ static void decon_atomic_begin(struct ex
 	struct decon_context *ctx = crtc->ctx;
 	int i;
 
-	if (ctx->suspended)
-		return;
-
 	for (i = 0; i < WINDOWS_NR; i++)
 		decon_shadow_protect_win(ctx, i, true);
 }
@@ -391,9 +375,6 @@ static void decon_update_plane(struct ex
 	unsigned int cpp = fb->format->cpp[0];
 	unsigned int pitch = fb->pitches[0];
 
-	if (ctx->suspended)
-		return;
-
 	/*
 	 * SHADOWCON/PRTCON register is used for enabling timing.
 	 *
@@ -481,9 +462,6 @@ static void decon_disable_plane(struct e
 	unsigned int win = plane->index;
 	u32 val;
 
-	if (ctx->suspended)
-		return;
-
 	/* protect windows */
 	decon_shadow_protect_win(ctx, win, true);
 
@@ -502,9 +480,6 @@ static void decon_atomic_flush(struct ex
 	struct decon_context *ctx = crtc->ctx;
 	int i;
 
-	if (ctx->suspended)
-		return;
-
 	for (i = 0; i < WINDOWS_NR; i++)
 		decon_shadow_protect_win(ctx, i, false);
 	exynos_crtc_handle_event(crtc);
@@ -531,9 +506,6 @@ static void decon_enable(struct exynos_d
 {
 	struct decon_context *ctx = crtc->ctx;
 
-	if (!ctx->suspended)
-		return;
-
 	pm_runtime_get_sync(ctx->dev);
 
 	decon_init(ctx);
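Review bot: without the if (!ctx->suspended) early return, every call to decon_enable() now runs pm_runtime_get_sync(ctx->dev), so two enables without a disable in between would take two runtime-PM references against a single pm_runtime_put_sync() in decon_disable(). If strict enable/disable pairing is guaranteed by the caller, a comment stating that should replace the guard. The return value of pm_runtime_get_sync() is also still ignored.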
@@ -543,8 +515,6 @@ static void decon_enable(struct exynos_d
 		decon_enable_vblank(ctx->crtc);
 
 	decon_commit(ctx->crtc);
-
-	ctx->suspended = false;
 }
 
 static void decon_disable(struct exynos_drm_crtc *crtc)
@@ -552,9 +522,6 @@ static void decon_disable(struct exynos_
 	struct decon_context *ctx = crtc->ctx;
 	int i;
 
-	if (ctx->suspended)
-		return;
-
 	/*
 	 * We need to make sure that all windows are disabled before we
 	 * suspend that connector. Otherwise we might try to scan from
@@ -564,8 +531,6 @@ static void decon_disable(struct exynos_
 		decon_disable_plane(crtc, &ctx->planes[i]);
 
 	pm_runtime_put_sync(ctx->dev);
-
-	ctx->suspended = true;
 }
 
 static const struct exynos_drm_crtc_ops decon_crtc_ops = {
@@ -687,7 +652,6 @@ static int decon_probe(struct platform_d
 		return -ENOMEM;
 
 	ctx->dev = dev;
-	ctx->suspended = true;
 
 	i80_if_timings = of_get_child_by_name(dev->of_node, "i80-if-timings");
 	if (i80_if_timings)



* [PATCH 5.4 153/224] media: rc: Directly use ida_free()
From: Greg Kroah-Hartman @ 2025-10-27 18:34 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, keliu, Sean Young,
	Mauro Carvalho Chehab, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: keliu <liuke94@huawei.com>

[ Upstream commit cd54ff938091d890edf78e6555ec30c63dcd2eb5 ]

Use ida_alloc() and ida_free() instead of the deprecated
ida_simple_get() and ida_simple_remove().

Signed-off-by: keliu <liuke94@huawei.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Stable-dep-of: 4f4098c57e13 ("media: lirc: Fix error handling in lirc_register()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/rc/lirc_dev.c |    6 +++---
 drivers/media/rc/rc-main.c  |    6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/media/rc/lirc_dev.c
+++ b/drivers/media/rc/lirc_dev.c
@@ -746,7 +746,7 @@ int ir_lirc_register(struct rc_dev *dev)
 	const char *rx_type, *tx_type;
 	int err, minor;
 
-	minor = ida_simple_get(&lirc_ida, 0, RC_DEV_MAX, GFP_KERNEL);
+	minor = ida_alloc_max(&lirc_ida, RC_DEV_MAX - 1, GFP_KERNEL);
 	if (minor < 0)
 		return minor;
 
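Review bot: the upper bound changes from RC_DEV_MAX to RC_DEV_MAX - 1 because ida_simple_get() took an exclusive end while ida_alloc_max() takes an inclusive maximum. That adjustment is the only non-mechanical part of this conversion and the changelog does not mention it (it names ida_alloc(), not ida_alloc_max()). Please note it in the commit text or in a comment so the "- 1" is not removed later as an apparent off-by-one.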
@@ -791,7 +791,7 @@ int ir_lirc_register(struct rc_dev *dev)
 	return 0;
 
 out_ida:
-	ida_simple_remove(&lirc_ida, minor);
+	ida_free(&lirc_ida, minor);
 	return err;
 }
 
@@ -809,7 +809,7 @@ void ir_lirc_unregister(struct rc_dev *d
 	spin_unlock_irqrestore(&dev->lirc_fh_lock, flags);
 
 	cdev_device_del(&dev->lirc_cdev, &dev->lirc_dev);
-	ida_simple_remove(&lirc_ida, MINOR(dev->lirc_dev.devt));
+	ida_free(&lirc_ida, MINOR(dev->lirc_dev.devt));
 }
 
 int __init lirc_dev_init(void)
--- a/drivers/media/rc/rc-main.c
+++ b/drivers/media/rc/rc-main.c
@@ -1861,7 +1861,7 @@ int rc_register_device(struct rc_dev *de
 	if (!dev)
 		return -EINVAL;
 
-	minor = ida_simple_get(&rc_ida, 0, RC_DEV_MAX, GFP_KERNEL);
+	minor = ida_alloc_max(&rc_ida, RC_DEV_MAX - 1, GFP_KERNEL);
 	if (minor < 0)
 		return minor;
 
@@ -1944,7 +1944,7 @@ out_rx_free:
 out_raw:
 	ir_raw_event_free(dev);
 out_minor:
-	ida_simple_remove(&rc_ida, minor);
+	ida_free(&rc_ida, minor);
 	return rc;
 }
 EXPORT_SYMBOL_GPL(rc_register_device);
@@ -2004,7 +2004,7 @@ void rc_unregister_device(struct rc_dev
 
 	device_del(&dev->dev);
 
-	ida_simple_remove(&rc_ida, dev->minor);
+	ida_free(&rc_ida, dev->minor);
 
 	if (!dev->managed_alloc)
 		rc_free_device(dev);



* [PATCH 5.4 154/224] media: lirc: Fix error handling in lirc_register()
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ma Ke, Sean Young, Hans Verkuil,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ma Ke <make24@iscas.ac.cn>

[ Upstream commit 4f4098c57e139ad972154077fb45c3e3141555dd ]

When cdev_device_add() fails, call put_device() to explicitly
release dev->lirc_dev. Otherwise, it could cause a reference
count fault.

Found by code review.

Cc: stable@vger.kernel.org
Fixes: a6ddd4fecbb0 ("media: lirc: remove last remnants of lirc kapi")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/rc/lirc_dev.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/media/rc/lirc_dev.c
+++ b/drivers/media/rc/lirc_dev.c
@@ -762,11 +762,11 @@ int ir_lirc_register(struct rc_dev *dev)
 
 	cdev_init(&dev->lirc_cdev, &lirc_fops);
 
+	get_device(&dev->dev);
+
 	err = cdev_device_add(&dev->lirc_cdev, &dev->lirc_dev);
 	if (err)
-		goto out_ida;
-
-	get_device(&dev->dev);
+		goto out_put_device;
 
 	switch (dev->driver_type) {
 	case RC_DRIVER_SCANCODE:
@@ -790,7 +790,8 @@ int ir_lirc_register(struct rc_dev *dev)
 
 	return 0;
 
-out_ida:
+out_put_device:
+	put_device(&dev->lirc_dev);
 	ida_free(&lirc_ida, minor);
 	return err;
 }
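Review bot: the reference is taken with get_device(&dev->dev) in the previous hunk, but the new out_put_device path drops one with put_device(&dev->lirc_dev), which is a different struct device. If releasing lirc_dev is what ends up dropping the dev->dev reference, add a comment saying so at the label; otherwise the reference taken before cdev_device_add() is leaked on this path.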



* [PATCH 5.4 155/224] xen/events: Update virq_to_irq on migration
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jason Andryuk, Juergen Gross,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Andryuk <jason.andryuk@amd.com>

[ Upstream commit 3fcc8e146935415d69ffabb5df40ecf50e106131 ]

VIRQs come in 3 flavors, per-vCPU, per-domain, and global, and the VIRQs
are tracked in per-cpu virq_to_irq arrays.

Per-domain and global VIRQs must be bound on CPU 0, and
bind_virq_to_irq() sets the per_cpu virq_to_irq at registration time.
Later, the interrupt can migrate, and info->cpu is updated.  When
calling __unbind_from_irq(), the per-cpu virq_to_irq is cleared for a
different cpu.  If bind_virq_to_irq() is called again with CPU 0, the
stale irq is returned.  There won't be any irq_info for the irq, so
things break.

Make xen_rebind_evtchn_to_cpu() update the per_cpu virq_to_irq mappings
to keep them up to date with the current cpu.  This ensures the
correct virq_to_irq is cleared in __unbind_from_irq().

Fixes: e46cdb66c8fc ("xen: event channels")
Cc: stable@vger.kernel.org
Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <20250828003604.8949-4-jason.andryuk@amd.com>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/xen/events/events_base.c |   13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -1717,9 +1717,20 @@ static int xen_rebind_evtchn_to_cpu(stru
 	 * virq or IPI channel, which don't actually need to be rebound. Ignore
 	 * it, but don't do the xenlinux-level rebind in that case.
 	 */
-	if (HYPERVISOR_event_channel_op(EVTCHNOP_bind_vcpu, &bind_vcpu) >= 0)
+	if (HYPERVISOR_event_channel_op(EVTCHNOP_bind_vcpu, &bind_vcpu) >= 0) {
+		int old_cpu = info->cpu;
+
 		bind_evtchn_to_cpu(evtchn, tcpu);
 
+		if (info->type == IRQT_VIRQ) {
+			int virq = info->u.virq;
+			int irq = per_cpu(virq_to_irq, old_cpu)[virq];
+
+			per_cpu(virq_to_irq, old_cpu)[virq] = -1;
+			per_cpu(virq_to_irq, tcpu)[virq] = irq;
+		}
+	}
+
 	do_unmask(info, EVT_MASK_REASON_TEMPORARY);
 
 	return 0;
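Review bot: irq is read back from per_cpu(virq_to_irq, old_cpu)[virq] and copied to tcpu without checking that the old slot actually holds this binding, so if that slot is already -1 or stale the new CPU's slot is overwritten with that value. Validate the value read before the two stores, and say in a comment what serializes these cross-CPU per_cpu() writes against bind_virq_to_irq() and __unbind_from_irq(), since no lock is visible in this hunk.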



* [PATCH 5.4 156/224] media: pci/ivtv: switch from pci_ to dma_ API
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

[ Upstream commit 1932dc2f4cf6ac23e48e5fcc24d21adbe35691d1 ]

The wrappers in include/linux/pci-dma-compat.h should go away.

The patch has been generated with the coccinelle script below.
It has been compile tested.

No memory allocation is involved in this patch, so no GFP_ tweak is needed.

@@ @@
-    PCI_DMA_BIDIRECTIONAL
+    DMA_BIDIRECTIONAL

@@ @@
-    PCI_DMA_TODEVICE
+    DMA_TO_DEVICE

@@ @@
-    PCI_DMA_FROMDEVICE
+    DMA_FROM_DEVICE

@@ @@
-    PCI_DMA_NONE
+    DMA_NONE

@@
expression e1, e2, e3;
@@
-    pci_alloc_consistent(e1, e2, e3)
+    dma_alloc_coherent(&e1->dev, e2, e3, GFP_)

@@
expression e1, e2, e3;
@@
-    pci_zalloc_consistent(e1, e2, e3)
+    dma_alloc_coherent(&e1->dev, e2, e3, GFP_)

@@
expression e1, e2, e3, e4;
@@
-    pci_free_consistent(e1, e2, e3, e4)
+    dma_free_coherent(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_map_single(e1, e2, e3, e4)
+    dma_map_single(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_unmap_single(e1, e2, e3, e4)
+    dma_unmap_single(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4, e5;
@@
-    pci_map_page(e1, e2, e3, e4, e5)
+    dma_map_page(&e1->dev, e2, e3, e4, e5)

@@
expression e1, e2, e3, e4;
@@
-    pci_unmap_page(e1, e2, e3, e4)
+    dma_unmap_page(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_map_sg(e1, e2, e3, e4)
+    dma_map_sg(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_unmap_sg(e1, e2, e3, e4)
+    dma_unmap_sg(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_dma_sync_single_for_cpu(e1, e2, e3, e4)
+    dma_sync_single_for_cpu(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_dma_sync_single_for_device(e1, e2, e3, e4)
+    dma_sync_single_for_device(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_dma_sync_sg_for_cpu(e1, e2, e3, e4)
+    dma_sync_sg_for_cpu(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_dma_sync_sg_for_device(e1, e2, e3, e4)
+    dma_sync_sg_for_device(&e1->dev, e2, e3, e4)

@@
expression e1, e2;
@@
-    pci_dma_mapping_error(e1, e2)
+    dma_mapping_error(&e1->dev, e2)

@@
expression e1, e2;
@@
-    pci_set_dma_mask(e1, e2)
+    dma_set_mask(&e1->dev, e2)

@@
expression e1, e2;
@@
-    pci_set_consistent_dma_mask(e1, e2)
+    dma_set_coherent_mask(&e1->dev, e2)

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Stable-dep-of: 1069a4fe637d ("media: pci: ivtv: Add missing check after DMA map")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/pci/ivtv/ivtv-driver.c  |    2 +-
 drivers/media/pci/ivtv/ivtv-queue.c   |   18 ++++++++++--------
 drivers/media/pci/ivtv/ivtv-streams.c |   22 +++++++++++-----------
 drivers/media/pci/ivtv/ivtv-udma.c    |   19 ++++++++++++-------
 drivers/media/pci/ivtv/ivtv-yuv.c     |   10 +++++++---
 5 files changed, 41 insertions(+), 30 deletions(-)

--- a/drivers/media/pci/ivtv/ivtv-driver.c
+++ b/drivers/media/pci/ivtv/ivtv-driver.c
@@ -843,7 +843,7 @@ static int ivtv_setup_pci(struct ivtv *i
 		IVTV_ERR("Can't enable device!\n");
 		return -EIO;
 	}
-	if (pci_set_dma_mask(pdev, DMA_BIT_MASK(32))) {
+	if (dma_set_mask(&pdev->dev, DMA_BIT_MASK(32))) {
 		IVTV_ERR("No suitable DMA available.\n");
 		return -EIO;
 	}
--- a/drivers/media/pci/ivtv/ivtv-queue.c
+++ b/drivers/media/pci/ivtv/ivtv-queue.c
@@ -188,7 +188,7 @@ int ivtv_stream_alloc(struct ivtv_stream
 		return 0;
 
 	IVTV_DEBUG_INFO("Allocate %s%s stream: %d x %d buffers (%dkB total)\n",
-		s->dma != PCI_DMA_NONE ? "DMA " : "",
+		s->dma != DMA_NONE ? "DMA " : "",
 		s->name, s->buffers, s->buf_size, s->buffers * s->buf_size / 1024);
 
 	s->sg_pending = kzalloc(SGsize, GFP_KERNEL|__GFP_NOWARN);
@@ -218,8 +218,9 @@ int ivtv_stream_alloc(struct ivtv_stream
 		return -ENOMEM;
 	}
 	if (ivtv_might_use_dma(s)) {
-		s->sg_handle = pci_map_single(itv->pdev, s->sg_dma,
-				sizeof(struct ivtv_sg_element), PCI_DMA_TODEVICE);
+		s->sg_handle = dma_map_single(&itv->pdev->dev, s->sg_dma,
+					      sizeof(struct ivtv_sg_element),
+					      DMA_TO_DEVICE);
 		ivtv_stream_sync_for_cpu(s);
 	}
 
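Review bot: s->sg_handle from dma_map_single() is handed to ivtv_stream_sync_for_cpu(s) with no dma_mapping_error() test. That matches the old pci_map_single() behaviour and this patch is only a mechanical dependency, but the "Add missing check after DMA map" fix it is queued for should be confirmed to cover this call as well as the per-buffer map in the next hunk.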
@@ -237,7 +238,7 @@ int ivtv_stream_alloc(struct ivtv_stream
 		}
 		INIT_LIST_HEAD(&buf->list);
 		if (ivtv_might_use_dma(s)) {
-			buf->dma_handle = pci_map_single(s->itv->pdev,
+			buf->dma_handle = dma_map_single(&s->itv->pdev->dev,
 				buf->buf, s->buf_size + 256, s->dma);
 			ivtv_buf_sync_for_cpu(s, buf);
 		}
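Review bot: the continuation line "buf->buf, s->buf_size + 256, s->dma);" keeps its old indentation, while the other converted calls in this file were re-aligned to the opening parenthesis. Align it the same way so the conversion is uniform.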
@@ -260,8 +261,8 @@ void ivtv_stream_free(struct ivtv_stream
 	/* empty q_free */
 	while ((buf = ivtv_dequeue(s, &s->q_free))) {
 		if (ivtv_might_use_dma(s))
-			pci_unmap_single(s->itv->pdev, buf->dma_handle,
-				s->buf_size + 256, s->dma);
+			dma_unmap_single(&s->itv->pdev->dev, buf->dma_handle,
+					 s->buf_size + 256, s->dma);
 		kfree(buf->buf);
 		kfree(buf);
 	}
@@ -269,8 +270,9 @@ void ivtv_stream_free(struct ivtv_stream
 	/* Free SG Array/Lists */
 	if (s->sg_dma != NULL) {
 		if (s->sg_handle != IVTV_DMA_UNMAPPED) {
-			pci_unmap_single(s->itv->pdev, s->sg_handle,
-				 sizeof(struct ivtv_sg_element), PCI_DMA_TODEVICE);
+			dma_unmap_single(&s->itv->pdev->dev, s->sg_handle,
+					 sizeof(struct ivtv_sg_element),
+					 DMA_TO_DEVICE);
 			s->sg_handle = IVTV_DMA_UNMAPPED;
 		}
 		kfree(s->sg_pending);
--- a/drivers/media/pci/ivtv/ivtv-streams.c
+++ b/drivers/media/pci/ivtv/ivtv-streams.c
@@ -100,7 +100,7 @@ static struct {
 	{	/* IVTV_ENC_STREAM_TYPE_MPG */
 		"encoder MPG",
 		VFL_TYPE_VIDEO, 0,
-		PCI_DMA_FROMDEVICE, 0,
+		DMA_FROM_DEVICE, 0,
 		V4L2_CAP_VIDEO_CAPTURE | V4L2_CAP_TUNER |
 			V4L2_CAP_AUDIO | V4L2_CAP_READWRITE,
 		&ivtv_v4l2_enc_fops
@@ -108,7 +108,7 @@ static struct {
 	{	/* IVTV_ENC_STREAM_TYPE_YUV */
 		"encoder YUV",
 		VFL_TYPE_VIDEO, IVTV_V4L2_ENC_YUV_OFFSET,
-		PCI_DMA_FROMDEVICE, 0,
+		DMA_FROM_DEVICE, 0,
 		V4L2_CAP_VIDEO_CAPTURE | V4L2_CAP_TUNER |
 			V4L2_CAP_AUDIO | V4L2_CAP_READWRITE,
 		&ivtv_v4l2_enc_fops
@@ -116,7 +116,7 @@ static struct {
 	{	/* IVTV_ENC_STREAM_TYPE_VBI */
 		"encoder VBI",
 		VFL_TYPE_VBI, 0,
-		PCI_DMA_FROMDEVICE, 0,
+		DMA_FROM_DEVICE, 0,
 		V4L2_CAP_VBI_CAPTURE | V4L2_CAP_SLICED_VBI_CAPTURE | V4L2_CAP_TUNER |
 			V4L2_CAP_AUDIO | V4L2_CAP_READWRITE,
 		&ivtv_v4l2_enc_fops
@@ -124,42 +124,42 @@ static struct {
 	{	/* IVTV_ENC_STREAM_TYPE_PCM */
 		"encoder PCM",
 		VFL_TYPE_VIDEO, IVTV_V4L2_ENC_PCM_OFFSET,
-		PCI_DMA_FROMDEVICE, 0,
+		DMA_FROM_DEVICE, 0,
 		V4L2_CAP_TUNER | V4L2_CAP_AUDIO | V4L2_CAP_READWRITE,
 		&ivtv_v4l2_enc_fops
 	},
 	{	/* IVTV_ENC_STREAM_TYPE_RAD */
 		"encoder radio",
 		VFL_TYPE_RADIO, 0,
-		PCI_DMA_NONE, 1,
+		DMA_NONE, 1,
 		V4L2_CAP_RADIO | V4L2_CAP_TUNER,
 		&ivtv_v4l2_radio_fops
 	},
 	{	/* IVTV_DEC_STREAM_TYPE_MPG */
 		"decoder MPG",
 		VFL_TYPE_VIDEO, IVTV_V4L2_DEC_MPG_OFFSET,
-		PCI_DMA_TODEVICE, 0,
+		DMA_TO_DEVICE, 0,
 		V4L2_CAP_VIDEO_OUTPUT | V4L2_CAP_AUDIO | V4L2_CAP_READWRITE,
 		&ivtv_v4l2_dec_fops
 	},
 	{	/* IVTV_DEC_STREAM_TYPE_VBI */
 		"decoder VBI",
 		VFL_TYPE_VBI, IVTV_V4L2_DEC_VBI_OFFSET,
-		PCI_DMA_NONE, 1,
+		DMA_NONE, 1,
 		V4L2_CAP_SLICED_VBI_CAPTURE | V4L2_CAP_READWRITE,
 		&ivtv_v4l2_enc_fops
 	},
 	{	/* IVTV_DEC_STREAM_TYPE_VOUT */
 		"decoder VOUT",
 		VFL_TYPE_VBI, IVTV_V4L2_DEC_VOUT_OFFSET,
-		PCI_DMA_NONE, 1,
+		DMA_NONE, 1,
 		V4L2_CAP_SLICED_VBI_OUTPUT | V4L2_CAP_AUDIO | V4L2_CAP_READWRITE,
 		&ivtv_v4l2_dec_fops
 	},
 	{	/* IVTV_DEC_STREAM_TYPE_YUV */
 		"decoder YUV",
 		VFL_TYPE_VIDEO, IVTV_V4L2_DEC_YUV_OFFSET,
-		PCI_DMA_TODEVICE, 0,
+		DMA_TO_DEVICE, 0,
 		V4L2_CAP_VIDEO_OUTPUT | V4L2_CAP_AUDIO | V4L2_CAP_READWRITE,
 		&ivtv_v4l2_dec_fops
 	}
@@ -179,7 +179,7 @@ static void ivtv_stream_init(struct ivtv
 	s->vdev.device_caps = ivtv_stream_info[type].v4l2_caps;
 
 	if (ivtv_stream_info[type].pio)
-		s->dma = PCI_DMA_NONE;
+		s->dma = DMA_NONE;
 	else
 		s->dma = ivtv_stream_info[type].dma;
 	s->buf_size = itv->stream_buf_size[type];
@@ -217,7 +217,7 @@ static int ivtv_prep_dev(struct ivtv *it
 
 	/* User explicitly selected 0 buffers for these streams, so don't
 	   create them. */
-	if (ivtv_stream_info[type].dma != PCI_DMA_NONE &&
+	if (ivtv_stream_info[type].dma != DMA_NONE &&
 	    itv->options.kilobytes[type] == 0) {
 		IVTV_INFO("Disabled %s device\n", ivtv_stream_info[type].name);
 		return 0;
--- a/drivers/media/pci/ivtv/ivtv-udma.c
+++ b/drivers/media/pci/ivtv/ivtv-udma.c
@@ -81,8 +81,10 @@ void ivtv_udma_alloc(struct ivtv *itv)
 {
 	if (itv->udma.SG_handle == 0) {
 		/* Map DMA Page Array Buffer */
-		itv->udma.SG_handle = pci_map_single(itv->pdev, itv->udma.SGarray,
-			   sizeof(itv->udma.SGarray), PCI_DMA_TODEVICE);
+		itv->udma.SG_handle = dma_map_single(&itv->pdev->dev,
+						     itv->udma.SGarray,
+						     sizeof(itv->udma.SGarray),
+						     DMA_TO_DEVICE);
 		ivtv_udma_sync_for_cpu(itv);
 	}
 }
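Review bot: In ivtv_udma_alloc() the value returned by dma_map_single() is stored in itv->udma.SG_handle with no dma_mapping_error() check, and the surrounding `if (itv->udma.SG_handle == 0)` uses 0 to mean "not mapped yet". Patch 157/224 in this series states that 0 is a valid DMA address and that map calls can fail, and the same reasoning applies to this call site. Suggest checking dma_mapping_error(&itv->pdev->dev, itv->udma.SG_handle) right after the map and tracking the mapped state separately from the handle value.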
@@ -138,7 +140,8 @@ int ivtv_udma_setup(struct ivtv *itv, un
 	}
 
 	/* Map SG List */
-	dma->SG_length = pci_map_sg(itv->pdev, dma->SGlist, dma->page_count, PCI_DMA_TODEVICE);
+	dma->SG_length = dma_map_sg(&itv->pdev->dev, dma->SGlist,
+				    dma->page_count, DMA_TO_DEVICE);
 
 	/* Fill SG Array with new values */
 	ivtv_udma_fill_sg_array (dma, ivtv_dest_addr, 0, -1);
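Review bot: In ivtv_udma_setup() dma->SG_length takes the return value of dma_map_sg() and the next visible statement, ivtv_udma_fill_sg_array(), runs unconditionally. dma_map_sg() returns 0 when the mapping fails, so a zero result should be handled (error return) before the SG array is filled. The ivtv_yuv_prep_user_dma() hunk in ivtv-yuv.c has the same shape.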
@@ -163,7 +166,8 @@ void ivtv_udma_unmap(struct ivtv *itv)
 
 	/* Unmap Scatterlist */
 	if (dma->SG_length) {
-		pci_unmap_sg(itv->pdev, dma->SGlist, dma->page_count, PCI_DMA_TODEVICE);
+		dma_unmap_sg(&itv->pdev->dev, dma->SGlist, dma->page_count,
+			     DMA_TO_DEVICE);
 		dma->SG_length = 0;
 	}
 	/* sync DMA */
@@ -182,13 +186,14 @@ void ivtv_udma_free(struct ivtv *itv)
 
 	/* Unmap SG Array */
 	if (itv->udma.SG_handle) {
-		pci_unmap_single(itv->pdev, itv->udma.SG_handle,
-			 sizeof(itv->udma.SGarray), PCI_DMA_TODEVICE);
+		dma_unmap_single(&itv->pdev->dev, itv->udma.SG_handle,
+				 sizeof(itv->udma.SGarray), DMA_TO_DEVICE);
 	}
 
 	/* Unmap Scatterlist */
 	if (itv->udma.SG_length) {
-		pci_unmap_sg(itv->pdev, itv->udma.SGlist, itv->udma.page_count, PCI_DMA_TODEVICE);
+		dma_unmap_sg(&itv->pdev->dev, itv->udma.SGlist,
+			     itv->udma.page_count, DMA_TO_DEVICE);
 	}
 
 	for (i = 0; i < IVTV_DMA_SG_OSD_ENT; i++) {
--- a/drivers/media/pci/ivtv/ivtv-yuv.c
+++ b/drivers/media/pci/ivtv/ivtv-yuv.c
@@ -118,7 +118,8 @@ static int ivtv_yuv_prep_user_dma(struct
 		dma->page_count = 0;
 		return -ENOMEM;
 	}
-	dma->SG_length = pci_map_sg(itv->pdev, dma->SGlist, dma->page_count, PCI_DMA_TODEVICE);
+	dma->SG_length = dma_map_sg(&itv->pdev->dev, dma->SGlist,
+				    dma->page_count, DMA_TO_DEVICE);
 
 	/* Fill SG Array with new values */
 	ivtv_udma_fill_sg_array(dma, y_buffer_offset, uv_buffer_offset, y_size);
@@ -925,7 +926,9 @@ static void ivtv_yuv_init(struct ivtv *i
 	/* We need a buffer for blanking when Y plane is offset - non-fatal if we can't get one */
 	yi->blanking_ptr = kzalloc(720 * 16, GFP_ATOMIC|__GFP_NOWARN);
 	if (yi->blanking_ptr) {
-		yi->blanking_dmaptr = pci_map_single(itv->pdev, yi->blanking_ptr, 720*16, PCI_DMA_TODEVICE);
+		yi->blanking_dmaptr = dma_map_single(&itv->pdev->dev,
+						     yi->blanking_ptr,
+						     720 * 16, DMA_TO_DEVICE);
 	} else {
 		yi->blanking_dmaptr = 0;
 		IVTV_DEBUG_WARN("Failed to allocate yuv blanking buffer\n");
@@ -1269,7 +1272,8 @@ void ivtv_yuv_close(struct ivtv *itv)
 	if (yi->blanking_ptr) {
 		kfree(yi->blanking_ptr);
 		yi->blanking_ptr = NULL;
-		pci_unmap_single(itv->pdev, yi->blanking_dmaptr, 720*16, PCI_DMA_TODEVICE);
+		dma_unmap_single(&itv->pdev->dev, yi->blanking_dmaptr,
+				 720 * 16, DMA_TO_DEVICE);
 	}
 
 	/* Invalidate the old dimension information */
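Review bot: In ivtv_yuv_close() the context lines show kfree(yi->blanking_ptr) running before dma_unmap_single() on the mapping of that same buffer, so the memory goes back to the allocator while it is still mapped for the device. The conversion keeps that order unchanged; a follow-up should unmap first, then kfree() the buffer and clear the pointer.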




* [PATCH 5.4 157/224] media: pci: ivtv: Add missing check after DMA map
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 156/224] media: pci/ivtv: switch from pci_ to dma_ API Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 158/224] net: dl2k: switch from pci_ to dma_ API Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Hans Verkuil,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Fourier <fourier.thomas@gmail.com>

[ Upstream commit 1069a4fe637d0e3e4c163e3f8df9be306cc299b4 ]

The DMA map functions can fail and should be tested for errors.
If the mapping fails, free blanking_ptr and set it to 0.  As 0 is a
valid DMA address, use blanking_ptr to test if the DMA address
is set.

Fixes: 1a0adaf37c30 ("V4L/DVB (5345): ivtv driver for Conexant cx23416/cx23415 MPEG encoder/decoder")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/pci/ivtv/ivtv-irq.c |    2 +-
 drivers/media/pci/ivtv/ivtv-yuv.c |    8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/media/pci/ivtv/ivtv-irq.c
+++ b/drivers/media/pci/ivtv/ivtv-irq.c
@@ -351,7 +351,7 @@ void ivtv_dma_stream_dec_prepare(struct
 
 	/* Insert buffer block for YUV if needed */
 	if (s->type == IVTV_DEC_STREAM_TYPE_YUV && f->offset_y) {
-		if (yi->blanking_dmaptr) {
+		if (yi->blanking_ptr) {
 			s->sg_pending[idx].src = yi->blanking_dmaptr;
 			s->sg_pending[idx].dst = offset;
 			s->sg_pending[idx].size = 720 * 16;
--- a/drivers/media/pci/ivtv/ivtv-yuv.c
+++ b/drivers/media/pci/ivtv/ivtv-yuv.c
@@ -125,7 +125,7 @@ static int ivtv_yuv_prep_user_dma(struct
 	ivtv_udma_fill_sg_array(dma, y_buffer_offset, uv_buffer_offset, y_size);
 
 	/* If we've offset the y plane, ensure top area is blanked */
-	if (f->offset_y && yi->blanking_dmaptr) {
+	if (f->offset_y && yi->blanking_ptr) {
 		dma->SGarray[dma->SG_length].size = cpu_to_le32(720*16);
 		dma->SGarray[dma->SG_length].src = cpu_to_le32(yi->blanking_dmaptr);
 		dma->SGarray[dma->SG_length].dst = cpu_to_le32(IVTV_DECODER_OFFSET + yuv_offset[frame]);
@@ -929,6 +929,12 @@ static void ivtv_yuv_init(struct ivtv *i
 		yi->blanking_dmaptr = dma_map_single(&itv->pdev->dev,
 						     yi->blanking_ptr,
 						     720 * 16, DMA_TO_DEVICE);
+		if (dma_mapping_error(&itv->pdev->dev, yi->blanking_dmaptr)) {
+			kfree(yi->blanking_ptr);
+			yi->blanking_ptr = NULL;
+			yi->blanking_dmaptr = 0;
+			IVTV_DEBUG_WARN("Failed to dma_map yuv blanking buffer\n");
+		}
 	} else {
 		yi->blanking_dmaptr = 0;
 		IVTV_DEBUG_WARN("Failed to allocate yuv blanking buffer\n");
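Review bot: After this hunk in ivtv_yuv_init(), yi->blanking_dmaptr == 0 no longer means "no blanking buffer", so every reader has to gate on yi->blanking_ptr instead. The patch converts the two tests in ivtv_dma_stream_dec_prepare() and ivtv_yuv_prep_user_dma(); it is worth grepping the driver for any remaining truth tests on blanking_dmaptr before this goes into stable, and adding a short comment next to the field saying that blanking_ptr is the validity flag.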




* [PATCH 5.4 158/224] net: dl2k: switch from pci_ to dma_ API
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 157/224] media: pci: ivtv: Add missing check after DMA map Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 159/224] net: dlink: handle dma_map_single() failure properly Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, David S. Miller,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

[ Upstream commit b49db89e9697ddfa7fbe7387e176072ee2feb2db ]

The wrappers in include/linux/pci-dma-compat.h should go away.

The patch has been generated with the coccinelle script below and has been
hand modified to replace GFP_ with a correct flag.
It has been compile tested.

When memory is allocated in 'rio_probe1()' GFP_KERNEL can be used because
it is a probe function and no lock is taken in between.

@@
@@
-    PCI_DMA_BIDIRECTIONAL
+    DMA_BIDIRECTIONAL

@@
@@
-    PCI_DMA_TODEVICE
+    DMA_TO_DEVICE

@@
@@
-    PCI_DMA_FROMDEVICE
+    DMA_FROM_DEVICE

@@
@@
-    PCI_DMA_NONE
+    DMA_NONE

@@
expression e1, e2, e3;
@@
-    pci_alloc_consistent(e1, e2, e3)
+    dma_alloc_coherent(&e1->dev, e2, e3, GFP_)

@@
expression e1, e2, e3;
@@
-    pci_zalloc_consistent(e1, e2, e3)
+    dma_alloc_coherent(&e1->dev, e2, e3, GFP_)

@@
expression e1, e2, e3, e4;
@@
-    pci_free_consistent(e1, e2, e3, e4)
+    dma_free_coherent(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_map_single(e1, e2, e3, e4)
+    dma_map_single(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_unmap_single(e1, e2, e3, e4)
+    dma_unmap_single(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4, e5;
@@
-    pci_map_page(e1, e2, e3, e4, e5)
+    dma_map_page(&e1->dev, e2, e3, e4, e5)

@@
expression e1, e2, e3, e4;
@@
-    pci_unmap_page(e1, e2, e3, e4)
+    dma_unmap_page(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_map_sg(e1, e2, e3, e4)
+    dma_map_sg(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_unmap_sg(e1, e2, e3, e4)
+    dma_unmap_sg(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_dma_sync_single_for_cpu(e1, e2, e3, e4)
+    dma_sync_single_for_cpu(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_dma_sync_single_for_device(e1, e2, e3, e4)
+    dma_sync_single_for_device(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_dma_sync_sg_for_cpu(e1, e2, e3, e4)
+    dma_sync_sg_for_cpu(&e1->dev, e2, e3, e4)

@@
expression e1, e2, e3, e4;
@@
-    pci_dma_sync_sg_for_device(e1, e2, e3, e4)
+    dma_sync_sg_for_device(&e1->dev, e2, e3, e4)

@@
expression e1, e2;
@@
-    pci_dma_mapping_error(e1, e2)
+    dma_mapping_error(&e1->dev, e2)

@@
expression e1, e2;
@@
-    pci_set_dma_mask(e1, e2)
+    dma_set_mask(&e1->dev, e2)

@@
expression e1, e2;
@@
-    pci_set_consistent_dma_mask(e1, e2)
+    dma_set_coherent_mask(&e1->dev, e2)

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 65946eac6d88 ("net: dlink: handle dma_map_single() failure properly")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/dlink/dl2k.c | 80 ++++++++++++++++---------------
 1 file changed, 41 insertions(+), 39 deletions(-)

diff --git a/drivers/net/ethernet/dlink/dl2k.c b/drivers/net/ethernet/dlink/dl2k.c
index b4a8d4f12087a..8597648156635 100644
--- a/drivers/net/ethernet/dlink/dl2k.c
+++ b/drivers/net/ethernet/dlink/dl2k.c
@@ -233,13 +233,15 @@ rio_probe1 (struct pci_dev *pdev, const struct pci_device_id *ent)
 
 	pci_set_drvdata (pdev, dev);
 
-	ring_space = pci_alloc_consistent (pdev, TX_TOTAL_SIZE, &ring_dma);
+	ring_space = dma_alloc_coherent(&pdev->dev, TX_TOTAL_SIZE, &ring_dma,
+					GFP_KERNEL);
 	if (!ring_space)
 		goto err_out_iounmap;
 	np->tx_ring = ring_space;
 	np->tx_ring_dma = ring_dma;
 
-	ring_space = pci_alloc_consistent (pdev, RX_TOTAL_SIZE, &ring_dma);
+	ring_space = dma_alloc_coherent(&pdev->dev, RX_TOTAL_SIZE, &ring_dma,
+					GFP_KERNEL);
 	if (!ring_space)
 		goto err_out_unmap_tx;
 	np->rx_ring = ring_space;
@@ -290,9 +292,11 @@ rio_probe1 (struct pci_dev *pdev, const struct pci_device_id *ent)
 	return 0;
 
 err_out_unmap_rx:
-	pci_free_consistent (pdev, RX_TOTAL_SIZE, np->rx_ring, np->rx_ring_dma);
+	dma_free_coherent(&pdev->dev, RX_TOTAL_SIZE, np->rx_ring,
+			  np->rx_ring_dma);
 err_out_unmap_tx:
-	pci_free_consistent (pdev, TX_TOTAL_SIZE, np->tx_ring, np->tx_ring_dma);
+	dma_free_coherent(&pdev->dev, TX_TOTAL_SIZE, np->tx_ring,
+			  np->tx_ring_dma);
 err_out_iounmap:
 #ifdef MEM_MAPPING
 	pci_iounmap(pdev, np->ioaddr);
@@ -446,8 +450,9 @@ static void free_list(struct net_device *dev)
 	for (i = 0; i < RX_RING_SIZE; i++) {
 		skb = np->rx_skbuff[i];
 		if (skb) {
-			pci_unmap_single(np->pdev, desc_to_dma(&np->rx_ring[i]),
-					 skb->len, PCI_DMA_FROMDEVICE);
+			dma_unmap_single(&np->pdev->dev,
+					 desc_to_dma(&np->rx_ring[i]),
+					 skb->len, DMA_FROM_DEVICE);
 			dev_kfree_skb(skb);
 			np->rx_skbuff[i] = NULL;
 		}
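Review bot: In the RX loop of free_list() the buffer is unmapped with skb->len, while the alloc_list(), rio_timer() and receive_packet() hunks of this same patch map RX buffers with np->rx_buf_sz. The DMA API expects the size passed to dma_unmap_single() to match the size used at map time. Suggest np->rx_buf_sz here, as the receive_packet() hunk already uses for its dma_unmap_single().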
@@ -457,8 +462,9 @@ static void free_list(struct net_device *dev)
 	for (i = 0; i < TX_RING_SIZE; i++) {
 		skb = np->tx_skbuff[i];
 		if (skb) {
-			pci_unmap_single(np->pdev, desc_to_dma(&np->tx_ring[i]),
-					 skb->len, PCI_DMA_TODEVICE);
+			dma_unmap_single(&np->pdev->dev,
+					 desc_to_dma(&np->tx_ring[i]),
+					 skb->len, DMA_TO_DEVICE);
 			dev_kfree_skb(skb);
 			np->tx_skbuff[i] = NULL;
 		}
@@ -515,9 +521,8 @@ static int alloc_list(struct net_device *dev)
 						sizeof(struct netdev_desc));
 		/* Rubicon now supports 40 bits of addressing space. */
 		np->rx_ring[i].fraginfo =
-		    cpu_to_le64(pci_map_single(
-				  np->pdev, skb->data, np->rx_buf_sz,
-				  PCI_DMA_FROMDEVICE));
+		    cpu_to_le64(dma_map_single(&np->pdev->dev, skb->data,
+					       np->rx_buf_sz, DMA_FROM_DEVICE));
 		np->rx_ring[i].fraginfo |= cpu_to_le64((u64)np->rx_buf_sz << 48);
 	}
 
@@ -683,9 +688,8 @@ rio_timer (struct timer_list *t)
 				}
 				np->rx_skbuff[entry] = skb;
 				np->rx_ring[entry].fraginfo =
-				    cpu_to_le64 (pci_map_single
-					 (np->pdev, skb->data, np->rx_buf_sz,
-					  PCI_DMA_FROMDEVICE));
+				    cpu_to_le64 (dma_map_single(&np->pdev->dev, skb->data,
+								np->rx_buf_sz, DMA_FROM_DEVICE));
 			}
 			np->rx_ring[entry].fraginfo |=
 			    cpu_to_le64((u64)np->rx_buf_sz << 48);
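Review bot: The refill path in rio_timer() still passes dma_map_single() straight into cpu_to_le64() for fraginfo with no dma_mapping_error() check, and the same pattern is kept in the receive_packet() refill hunk and in start_xmit(). Patch 159/224, for which this patch is a dependency, adds the check only in alloc_list(). The remaining call sites should get the same treatment (free the skb and leave the slot empty on failure) so that a failed mapping is never written into a descriptor.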
@@ -739,9 +743,8 @@ start_xmit (struct sk_buff *skb, struct net_device *dev)
 		    ((u64)np->vlan << 32) |
 		    ((u64)skb->priority << 45);
 	}
-	txdesc->fraginfo = cpu_to_le64 (pci_map_single (np->pdev, skb->data,
-							skb->len,
-							PCI_DMA_TODEVICE));
+	txdesc->fraginfo = cpu_to_le64 (dma_map_single(&np->pdev->dev, skb->data,
+						       skb->len, DMA_TO_DEVICE));
 	txdesc->fraginfo |= cpu_to_le64((u64)skb->len << 48);
 
 	/* DL2K bug: DMA fails to get next descriptor ptr in 10Mbps mode
@@ -838,9 +841,9 @@ rio_free_tx (struct net_device *dev, int irq)
 		if (!(np->tx_ring[entry].status & cpu_to_le64(TFDDone)))
 			break;
 		skb = np->tx_skbuff[entry];
-		pci_unmap_single (np->pdev,
-				  desc_to_dma(&np->tx_ring[entry]),
-				  skb->len, PCI_DMA_TODEVICE);
+		dma_unmap_single(&np->pdev->dev,
+				 desc_to_dma(&np->tx_ring[entry]), skb->len,
+				 DMA_TO_DEVICE);
 		if (irq)
 			dev_consume_skb_irq(skb);
 		else
@@ -965,25 +968,25 @@ receive_packet (struct net_device *dev)
 
 			/* Small skbuffs for short packets */
 			if (pkt_len > copy_thresh) {
-				pci_unmap_single (np->pdev,
-						  desc_to_dma(desc),
-						  np->rx_buf_sz,
-						  PCI_DMA_FROMDEVICE);
+				dma_unmap_single(&np->pdev->dev,
+						 desc_to_dma(desc),
+						 np->rx_buf_sz,
+						 DMA_FROM_DEVICE);
 				skb_put (skb = np->rx_skbuff[entry], pkt_len);
 				np->rx_skbuff[entry] = NULL;
 			} else if ((skb = netdev_alloc_skb_ip_align(dev, pkt_len))) {
-				pci_dma_sync_single_for_cpu(np->pdev,
-							    desc_to_dma(desc),
-							    np->rx_buf_sz,
-							    PCI_DMA_FROMDEVICE);
+				dma_sync_single_for_cpu(&np->pdev->dev,
+							desc_to_dma(desc),
+							np->rx_buf_sz,
+							DMA_FROM_DEVICE);
 				skb_copy_to_linear_data (skb,
 						  np->rx_skbuff[entry]->data,
 						  pkt_len);
 				skb_put (skb, pkt_len);
-				pci_dma_sync_single_for_device(np->pdev,
-							       desc_to_dma(desc),
-							       np->rx_buf_sz,
-							       PCI_DMA_FROMDEVICE);
+				dma_sync_single_for_device(&np->pdev->dev,
+							   desc_to_dma(desc),
+							   np->rx_buf_sz,
+							   DMA_FROM_DEVICE);
 			}
 			skb->protocol = eth_type_trans (skb, dev);
 #if 0
@@ -1016,9 +1019,8 @@ receive_packet (struct net_device *dev)
 			}
 			np->rx_skbuff[entry] = skb;
 			np->rx_ring[entry].fraginfo =
-			    cpu_to_le64 (pci_map_single
-					 (np->pdev, skb->data, np->rx_buf_sz,
-					  PCI_DMA_FROMDEVICE));
+			    cpu_to_le64(dma_map_single(&np->pdev->dev, skb->data,
+						       np->rx_buf_sz, DMA_FROM_DEVICE));
 		}
 		np->rx_ring[entry].fraginfo |=
 		    cpu_to_le64((u64)np->rx_buf_sz << 48);
@@ -1818,10 +1820,10 @@ rio_remove1 (struct pci_dev *pdev)
 		struct netdev_private *np = netdev_priv(dev);
 
 		unregister_netdev (dev);
-		pci_free_consistent (pdev, RX_TOTAL_SIZE, np->rx_ring,
-				     np->rx_ring_dma);
-		pci_free_consistent (pdev, TX_TOTAL_SIZE, np->tx_ring,
-				     np->tx_ring_dma);
+		dma_free_coherent(&pdev->dev, RX_TOTAL_SIZE, np->rx_ring,
+				  np->rx_ring_dma);
+		dma_free_coherent(&pdev->dev, TX_TOTAL_SIZE, np->tx_ring,
+				  np->tx_ring_dma);
 #ifdef MEM_MAPPING
 		pci_iounmap(pdev, np->ioaddr);
 #endif
-- 
2.51.0





* [PATCH 5.4 159/224] net: dlink: handle dma_map_single() failure properly
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 158/224] net: dl2k: switch from pci_ to dma_ API Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 160/224] net/ip6_tunnel: Prevent perpetual tunnel growth Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yeounsu Moon, Simon Horman,
	David S. Miller, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yeounsu Moon <yyyynoom@gmail.com>

[ Upstream commit 65946eac6d888d50ae527c4e5c237dbe5cc3a2f2 ]

There is no error handling for `dma_map_single()` failures.

Add error handling by checking `dma_mapping_error()` and freeing
the `skb` using `dev_kfree_skb()` (process context) when it fails.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yeounsu Moon <yyyynoom@gmail.com>
Tested-on: D-Link DGE-550T Rev-A3
Suggested-by: Simon Horman <horms@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/dlink/dl2k.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/drivers/net/ethernet/dlink/dl2k.c b/drivers/net/ethernet/dlink/dl2k.c
index 8597648156635..855328ae6ea57 100644
--- a/drivers/net/ethernet/dlink/dl2k.c
+++ b/drivers/net/ethernet/dlink/dl2k.c
@@ -508,25 +508,34 @@ static int alloc_list(struct net_device *dev)
 	for (i = 0; i < RX_RING_SIZE; i++) {
 		/* Allocated fixed size of skbuff */
 		struct sk_buff *skb;
+		dma_addr_t addr;
 
 		skb = netdev_alloc_skb_ip_align(dev, np->rx_buf_sz);
 		np->rx_skbuff[i] = skb;
-		if (!skb) {
-			free_list(dev);
-			return -ENOMEM;
-		}
+		if (!skb)
+			goto err_free_list;
+
+		addr = dma_map_single(&np->pdev->dev, skb->data,
+				      np->rx_buf_sz, DMA_FROM_DEVICE);
+		if (dma_mapping_error(&np->pdev->dev, addr))
+			goto err_kfree_skb;
 
 		np->rx_ring[i].next_desc = cpu_to_le64(np->rx_ring_dma +
 						((i + 1) % RX_RING_SIZE) *
 						sizeof(struct netdev_desc));
 		/* Rubicon now supports 40 bits of addressing space. */
-		np->rx_ring[i].fraginfo =
-		    cpu_to_le64(dma_map_single(&np->pdev->dev, skb->data,
-					       np->rx_buf_sz, DMA_FROM_DEVICE));
+		np->rx_ring[i].fraginfo = cpu_to_le64(addr);
 		np->rx_ring[i].fraginfo |= cpu_to_le64((u64)np->rx_buf_sz << 48);
 	}
 
 	return 0;
+
+err_kfree_skb:
+	dev_kfree_skb(np->rx_skbuff[i]);
+	np->rx_skbuff[i] = NULL;
+err_free_list:
+	free_list(dev);
+	return -ENOMEM;
 }
 
 static void rio_hw_init(struct net_device *dev)
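Review bot: The err_kfree_skb path frees slot i and then falls through into free_list(), which (see the free_list() hunks in 158/224) calls dma_unmap_single() on desc_to_dma(&np->rx_ring[j]) for every non-NULL np->rx_skbuff[j] across the whole ring. That unwind is only safe if the slots above i are NULL when alloc_list() starts. A short comment stating that precondition, or clearing rx_skbuff[] before the loop, would make the error path self-evidently correct.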
-- 
2.51.0





* [PATCH 5.4 160/224] net/ip6_tunnel: Prevent perpetual tunnel growth
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 159/224] net: dlink: handle dma_map_single() failure properly Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 161/224] amd-xgbe: Avoid spurious link down messages during interface toggle Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Florian Westphal, Francesco Ruggeri,
	Dmitry Safonov, Jakub Kicinski, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Safonov <dima@arista.com>

[ Upstream commit 21f4d45eba0b2dcae5dbc9e5e0ad08735c993f16 ]

Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too.
While ipv4 tunnel headroom adjustment growth was limited in
commit 5ae1e9922bbd ("net: ip_tunnel: prevent perpetual headroom growth"),
ipv6 tunnel yet increases the headroom without any ceiling.

Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.

Credits to Francesco Ruggeri, who was originally debugging this issue
and wrote local Arista-specific patch and a reproducer.

Fixes: 8eb30be0352d ("ipv6: Create ip6_tnl_xmit")
Cc: Florian Westphal <fw@strlen.de>
Cc: Francesco Ruggeri <fruggeri05@gmail.com>
Signed-off-by: Dmitry Safonov <dima@arista.com>
Link: https://patch.msgid.link/20251009-ip6_tunnel-headroom-v2-1-8e4dbd8f7e35@arista.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/ip_tunnels.h | 15 +++++++++++++++
 net/ipv4/ip_tunnel.c     | 14 --------------
 net/ipv6/ip6_tunnel.c    |  3 +--
 3 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
index 3a04e2ccfb393..d2945ec5aba21 100644
--- a/include/net/ip_tunnels.h
+++ b/include/net/ip_tunnels.h
@@ -454,6 +454,21 @@ void iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb,
 struct metadata_dst *iptunnel_metadata_reply(struct metadata_dst *md,
 					     gfp_t flags);
 
+static inline void ip_tunnel_adj_headroom(struct net_device *dev,
+					  unsigned int headroom)
+{
+	/* we must cap headroom to some upperlimit, else pskb_expand_head
+	 * will overflow header offsets in skb_headers_offset_update().
+	 */
+	const unsigned int max_allowed = 512;
+
+	if (headroom > max_allowed)
+		headroom = max_allowed;
+
+	if (headroom > READ_ONCE(dev->needed_headroom))
+		WRITE_ONCE(dev->needed_headroom, headroom);
+}
+
 int iptunnel_handle_offloads(struct sk_buff *skb, int gso_type_mask);
 
 static inline int iptunnel_pull_offloads(struct sk_buff *skb)
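Review bot: ip_tunnel_adj_headroom() is now a shared inline in include/net/ip_tunnels.h, but the 512 limit is still a function-local literal. Suggest a named constant next to the helper plus a one-line comment saying that the value written to dev->needed_headroom is clamped, so callers such as ip6_tnl_xmit() know the stored headroom can be smaller than the max_headroom they computed.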
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index 906c37c7f80d5..38cace81bfa2d 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -560,20 +560,6 @@ static int tnl_update_pmtu(struct net_device *dev, struct sk_buff *skb,
 	return 0;
 }
 
-static void ip_tunnel_adj_headroom(struct net_device *dev, unsigned int headroom)
-{
-	/* we must cap headroom to some upperlimit, else pskb_expand_head
-	 * will overflow header offsets in skb_headers_offset_update().
-	 */
-	static const unsigned int max_allowed = 512;
-
-	if (headroom > max_allowed)
-		headroom = max_allowed;
-
-	if (headroom > READ_ONCE(dev->needed_headroom))
-		WRITE_ONCE(dev->needed_headroom, headroom);
-}
-
 void ip_md_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
 		       u8 proto, int tunnel_hlen)
 {
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 5319093d9aa62..c79e6c032b300 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1201,8 +1201,7 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield,
 	 */
 	max_headroom = LL_RESERVED_SPACE(dst->dev) + sizeof(struct ipv6hdr)
 			+ dst->header_len + t->hlen;
-	if (max_headroom > READ_ONCE(dev->needed_headroom))
-		WRITE_ONCE(dev->needed_headroom, max_headroom);
+	ip_tunnel_adj_headroom(dev, max_headroom);
 
 	err = ip6_tnl_encap(skb, t, &proto, fl6);
 	if (err)
-- 
2.51.0





* [PATCH 5.4 161/224] amd-xgbe: Avoid spurious link down messages during interface toggle
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 160/224] net/ip6_tunnel: Prevent perpetual tunnel growth Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 162/224] tcp: fix tcp_tso_should_defer() vs large RTT Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Raju Rangoju, Dawid Osuchowski,
	Paolo Abeni, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Raju Rangoju <Raju.Rangoju@amd.com>

[ Upstream commit 2616222e423398bb374ffcb5d23dea4ba2c3e524 ]

During interface toggle operations (ifdown/ifup), the driver currently
resets the local helper variable 'phy_link' to -1. This causes the link
state machine to incorrectly interpret the state as a link change event,
resulting in spurious "Link is down" messages being logged when the
interface is brought back up.

Preserve the phy_link state across interface toggles to avoid treating
the -1 sentinel value as a legitimate link state transition.

Fixes: 88131a812b16 ("amd-xgbe: Perform phy connect/disconnect at dev open/stop")
Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Link: https://patch.msgid.link/20251010065142.1189310-1-Raju.Rangoju@amd.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/amd/xgbe/xgbe-drv.c  | 1 -
 drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
index de10e7e3a68d0..1fa7eb75d1a39 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
@@ -1247,7 +1247,6 @@ static void xgbe_free_rx_data(struct xgbe_prv_data *pdata)
 
 static int xgbe_phy_reset(struct xgbe_prv_data *pdata)
 {
-	pdata->phy_link = -1;
 	pdata->phy_speed = SPEED_UNKNOWN;
 
 	return pdata->phy_if.phy_reset(pdata);
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
index 3819b23c927d5..6dd95e7d81e41 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
@@ -1637,6 +1637,7 @@ static int xgbe_phy_init(struct xgbe_prv_data *pdata)
 		pdata->phy.duplex = DUPLEX_FULL;
 	}
 
+	pdata->phy_link = 0;
 	pdata->phy.link = 0;
 
 	pdata->phy.pause_autoneg = pdata->pause_autoneg;
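Review bot: With `pdata->phy_link = -1;` removed from xgbe_phy_reset() and xgbe_phy_init() now setting phy_link to 0, nothing in the visible hunks assigns the -1 sentinel any more. Any remaining comparison of phy_link against -1 in the link state code becomes dead and should be dropped in the same change. It is also worth confirming that xgbe_phy_init() is not reached on the ifup path, otherwise phy_link is reset to 0 on each toggle rather than preserved as the commit message describes.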
-- 
2.51.0





* [PATCH 5.4 162/224] tcp: fix tcp_tso_should_defer() vs large RTT
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 161/224] amd-xgbe: Avoid spurious link down messages during interface toggle Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 163/224] tg3: prevent use of uninitialized remote_adv and local_adv variables Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Neal Cardwell, Eric Dumazet,
	Paolo Abeni, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 295ce1eb36ae47dc862d6c8a1012618a25516208 ]

Neal reported that using neper tcp_stream with TCP_TX_DELAY
set to 50ms would often lead to flows stuck in a small cwnd mode,
regardless of the congestion control.

While tcp_stream sets TCP_TX_DELAY too late after the connect(),
it highlighted two kernel bugs.

The following heuristic in tcp_tso_should_defer() seems wrong
for large RTT:

delta = tp->tcp_clock_cache - head->tstamp;
/* If next ACK is likely to come too late (half srtt), do not defer */
if ((s64)(delta - (u64)NSEC_PER_USEC * (tp->srtt_us >> 4)) < 0)
      goto send_now;

If next ACK is expected to come in more than 1 ms, we should
not defer because we prefer a smooth ACK clocking.

While blamed commit was a step in the good direction, it was not
generic enough.

Another patch fixing TCP_TX_DELAY for established flows
will be proposed when net-next reopens.

Fixes: 50c8339e9299 ("tcp: tso: restore IW10 after TSO autosizing")
Reported-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Neal Cardwell <ncardwell@google.com>
Tested-by: Neal Cardwell <ncardwell@google.com>
Link: https://patch.msgid.link/20251011115742.1245771-1-edumazet@google.com
[pabeni@redhat.com: fixed whitespace issue]
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/tcp_output.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 4f203cbbc99b5..6492110e0c9b0 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1952,7 +1952,8 @@ static bool tcp_tso_should_defer(struct sock *sk, struct sk_buff *skb,
 				 u32 max_segs)
 {
 	const struct inet_connection_sock *icsk = inet_csk(sk);
-	u32 send_win, cong_win, limit, in_flight;
+	u32 send_win, cong_win, limit, in_flight, threshold;
+	u64 srtt_in_ns, expected_ack, how_far_is_the_ack;
 	struct tcp_sock *tp = tcp_sk(sk);
 	struct sk_buff *head;
 	int win_divisor;
@@ -2014,9 +2015,19 @@ static bool tcp_tso_should_defer(struct sock *sk, struct sk_buff *skb,
 	head = tcp_rtx_queue_head(sk);
 	if (!head)
 		goto send_now;
-	delta = tp->tcp_clock_cache - head->tstamp;
-	/* If next ACK is likely to come too late (half srtt), do not defer */
-	if ((s64)(delta - (u64)NSEC_PER_USEC * (tp->srtt_us >> 4)) < 0)
+
+	srtt_in_ns = (u64)(NSEC_PER_USEC >> 3) * tp->srtt_us;
+	/* When is the ACK expected ? */
+	expected_ack = head->tstamp + srtt_in_ns;
+	/* How far from now is the ACK expected ? */
+	how_far_is_the_ack = expected_ack - tp->tcp_clock_cache;
+
+	/* If next ACK is likely to come too late,
+	 * ie in more than min(1ms, half srtt), do not defer.
+	 */
+	threshold = min(srtt_in_ns >> 1, NSEC_PER_MSEC);
+
+	if ((s64)(how_far_is_the_ack - threshold) > 0)
 		goto send_now;
 
 	/* Ok, it looks like it is advisable to defer.
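Review bot: `how_far_is_the_ack = expected_ack - tp->tcp_clock_cache;` wraps to a huge u64 when the ACK is already overdue, and only the (s64) cast in the final test turns that case into "defer". The new comment describes the min(1ms, half srtt) threshold but not this reliance on signed interpretation; one sentence there would save the next reader from re-deriving it. Separately, the only assignment to `delta` visible here is removed while no declaration is dropped in this patch, so it is worth confirming `delta` still has a user in this function and removing it otherwise.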
-- 
2.51.0





* [PATCH 5.4 163/224] tg3: prevent use of uninitialized remote_adv and local_adv variables
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 162/224] tcp: fix tcp_tso_should_defer() vs large RTT Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 164/224] tls: always set record_type in tls_process_cmsg Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexandr Sapozhnikov, Alexey Simakov,
	Pavan Chebbi, Jakub Kicinski, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Simakov <bigalex934@gmail.com>

[ Upstream commit 0c3f2e62815a43628e748b1e4ad97a1c46cce703 ]

Some execution paths that jump to the fiber_setup_done label
could leave the remote_adv and local_adv variables uninitialized
and then use them.

Initialize these variables at the point of definition to avoid this.

Fixes: 85730a631f0c ("tg3: Add SGMII phy support for 5719/5718 serdes")
Co-developed-by: Alexandr Sapozhnikov <alsp705@gmail.com>
Signed-off-by: Alexandr Sapozhnikov <alsp705@gmail.com>
Signed-off-by: Alexey Simakov <bigalex934@gmail.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Link: https://patch.msgid.link/20251014164736.5890-1-bigalex934@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/broadcom/tg3.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
index 55aa877713339..3ea966d85ea38 100644
--- a/drivers/net/ethernet/broadcom/tg3.c
+++ b/drivers/net/ethernet/broadcom/tg3.c
@@ -5827,7 +5827,7 @@ static int tg3_setup_fiber_mii_phy(struct tg3 *tp, bool force_reset)
 	u32 current_speed = SPEED_UNKNOWN;
 	u8 current_duplex = DUPLEX_UNKNOWN;
 	bool current_link_up = false;
-	u32 local_adv, remote_adv, sgsr;
+	u32 local_adv = 0, remote_adv = 0, sgsr;
 
 	if ((tg3_asic_rev(tp) == ASIC_REV_5719 ||
 	     tg3_asic_rev(tp) == ASIC_REV_5720) &&
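Review bot: in `u32 local_adv = 0, remote_adv = 0, sgsr;` the third variable, `sgsr`, is still left uninitialized. The commit message only discusses the paths that jump to fiber_setup_done for the two advertisement words, so it would help to state (or check) that `sgsr` is always written before it is read on those same paths. Otherwise initialize it here too, so the declaration does not invite the same class of bug.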
@@ -5968,9 +5968,6 @@ static int tg3_setup_fiber_mii_phy(struct tg3 *tp, bool force_reset)
 		else
 			current_duplex = DUPLEX_HALF;
 
-		local_adv = 0;
-		remote_adv = 0;
-
 		if (bmcr & BMCR_ANENABLE) {
 			u32 common;
 
-- 
2.51.0





* [PATCH 5.4 164/224] tls: always set record_type in tls_process_cmsg
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 163/224] tg3: prevent use of uninitialized remote_adv and local_adv variables Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 165/224] tls: dont rely on tx_work during send() Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jann Horn, Sabrina Dubroca,
	Jakub Kicinski, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sabrina Dubroca <sd@queasysnail.net>

[ Upstream commit b6fe4c29bb51cf239ecf48eacf72b924565cb619 ]

When userspace wants to send a non-DATA record (via the
TLS_SET_RECORD_TYPE cmsg), we need to send any pending data from a
previous MSG_MORE send() as a separate DATA record. If that DATA record
is encrypted asynchronously, tls_handle_open_record will return
-EINPROGRESS. This is currently treated as an error by
tls_process_cmsg, and it will skip setting record_type to the correct
value, but the caller (tls_sw_sendmsg_locked) handles that return
value correctly and proceeds with sending the new message with an
incorrect record_type (DATA instead of whatever was requested in the
cmsg).

Always set record_type before handling the open record. If
tls_handle_open_record returns an error, record_type will be
ignored. If it succeeds, whether with synchronous crypto (returning 0)
or asynchronous (returning -EINPROGRESS), the caller will proceed
correctly.

Fixes: a42055e8d2c3 ("net/tls: Add support for async encryption of records for performance")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://patch.msgid.link/0457252e578a10a94e40c72ba6288b3a64f31662.1760432043.git.sd@queasysnail.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/tls/tls_main.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index cb51a2f46b11d..5bf809b090342 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -181,12 +181,9 @@ int tls_proccess_cmsg(struct sock *sk, struct msghdr *msg,
 			if (msg->msg_flags & MSG_MORE)
 				return -EINVAL;
 
-			rc = tls_handle_open_record(sk, msg->msg_flags);
-			if (rc)
-				return rc;
-
 			*record_type = *(unsigned char *)CMSG_DATA(cmsg);
-			rc = 0;
+
+			rc = tls_handle_open_record(sk, msg->msg_flags);
 			break;
 		default:
 			return -EINVAL;
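Review bot: after this change `rc` is whatever tls_handle_open_record() returns, so -EINPROGRESS now leaves the switch with `*record_type` already written, and the code has no comment saying that this value is an expected non-error here. The ordering (set `*record_type` first, then flush the open record) is the whole fix, and it is easy to undo in a later cleanup. A short comment above the assignment saying that record_type must be set even when the flush completes asynchronously, and that the caller ignores it on real errors, would protect it.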
-- 
2.51.0





* [PATCH 5.4 165/224] tls: dont rely on tx_work during send()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 164/224] tls: always set record_type in tls_process_cmsg Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 166/224] sched: Make newidle_balance() static again Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jann Horn, Sabrina Dubroca,
	Jakub Kicinski, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sabrina Dubroca <sd@queasysnail.net>

[ Upstream commit 7f846c65ca11e63d2409868ff039081f80e42ae4 ]

With async crypto, we rely on tx_work to actually transmit records
once encryption completes. But while send() is running, both the
tx_lock and socket lock are held, so tx_work_handler cannot process
the queue of encrypted records, and simply reschedules itself. During
a large send(), this could last a long time, and use a lot of memory.

Transmit any pending encrypted records before restarting the main
loop of tls_sw_sendmsg_locked.

Fixes: a42055e8d2c3 ("net/tls: Add support for async encryption of records for performance")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://patch.msgid.link/8396631478f70454b44afb98352237d33f48d34d.1760432043.git.sd@queasysnail.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/tls/tls_sw.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 8dabbbf521688..b175f0595a478 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1052,6 +1052,13 @@ int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
 				else if (ret != -EAGAIN)
 					goto send_end;
 			}
+
+			/* Transmit if any encryptions have completed */
+			if (test_and_clear_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask)) {
+				cancel_delayed_work(&ctx->tx_work.work);
+				tls_tx_records(sk, msg->msg_flags);
+			}
+
 			continue;
 rollback_iter:
 			copied -= try_to_copy;
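Review bot: the return value of `tls_tx_records(sk, msg->msg_flags);` is discarded before the `continue`. If transmitting the already-encrypted records fails, the loop goes on queueing more data, which is the memory growth the commit message sets out to limit. Either check the result and bail out to the existing error path, or add a comment explaining why a failure here is safe to ignore.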
@@ -1106,6 +1113,12 @@ int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
 					goto send_end;
 				}
 			}
+
+			/* Transmit if any encryptions have completed */
+			if (test_and_clear_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask)) {
+				cancel_delayed_work(&ctx->tx_work.work);
+				tls_tx_records(sk, msg->msg_flags);
+			}
 		}
 
 		continue;
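Review bot: this four-line block is a verbatim copy of the one added in the previous hunk, including the ignored result of tls_tx_records(). A small static helper called from both places would keep the two copies from drifting apart and give one spot to handle the return value. Also note that the hunk headers name tls_sw_sendmsg() while the commit message speaks of tls_sw_sendmsg_locked; a backport note saying the loop lives in tls_sw_sendmsg() on this branch would avoid confusion.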
-- 
2.51.0





* [PATCH 5.4 166/224] sched: Make newidle_balance() static again
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 165/224] tls: dont rely on tx_work during send() Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 167/224] sched/fair: Trivial correction of the newidle_balance() comment Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, kbuild test robot, Peter Zijlstra,
	Chen Yu, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chen Yu <yu.c.chen@intel.com>

[ Upstream commit d91cecc156620ec75d94c55369509c807c3d07e6 ]

After Commit 6e2df0581f56 ("sched: Fix pick_next_task() vs 'change'
pattern race"), there is no need to expose newidle_balance() as it
is only used within fair.c file. Change this function back to static again.

No functional change.

Reported-by: kbuild test robot <lkp@intel.com>
Suggested-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Chen Yu <yu.c.chen@intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/83cd3030b031ca5d646cd5e225be10e7a0fdd8f5.1587464698.git.yu.c.chen@intel.com
Stable-dep-of: 17e3e88ed0b6 ("sched/fair: Fix pelt lost idle time detection")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/sched/fair.c  | 6 ++++--
 kernel/sched/sched.h | 4 ----
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index 2680216234ff2..db4a1da522e42 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -3690,6 +3690,8 @@ static inline unsigned long cfs_rq_load_avg(struct cfs_rq *cfs_rq)
 	return cfs_rq->avg.load_avg;
 }
 
+static int newidle_balance(struct rq *this_rq, struct rq_flags *rf);
+
 static inline unsigned long task_util(struct task_struct *p)
 {
 	return READ_ONCE(p->se.avg.util_avg);
@@ -3849,7 +3851,7 @@ attach_entity_load_avg(struct cfs_rq *cfs_rq, struct sched_entity *se, int flags
 static inline void
 detach_entity_load_avg(struct cfs_rq *cfs_rq, struct sched_entity *se) {}
 
-static inline int idle_balance(struct rq *rq, struct rq_flags *rf)
+static inline int newidle_balance(struct rq *rq, struct rq_flags *rf)
 {
 	return 0;
 }
@@ -9898,7 +9900,7 @@ static inline void nohz_newidle_balance(struct rq *this_rq) { }
  * idle_balance is called by schedule() if this_cpu is about to become
  * idle. Attempts to pull tasks from other CPUs.
  */
-int newidle_balance(struct rq *this_rq, struct rq_flags *rf)
+static int newidle_balance(struct rq *this_rq, struct rq_flags *rf)
 {
 	unsigned long next_balance = jiffies + HZ;
 	int this_cpu = this_rq->cpu;
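Review bot: the comment directly above the changed line still reads "idle_balance is called by schedule()", although the function under it is newidle_balance(). Since this hunk already touches the definition, the comment could be corrected in the same change rather than left stale.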
diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
index b8a3db59e3267..46e6f4e905dd6 100644
--- a/kernel/sched/sched.h
+++ b/kernel/sched/sched.h
@@ -1464,14 +1464,10 @@ static inline void unregister_sched_domain_sysctl(void)
 }
 #endif
 
-extern int newidle_balance(struct rq *this_rq, struct rq_flags *rf);
-
 #else
 
 static inline void sched_ttwu_pending(void) { }
 
-static inline int newidle_balance(struct rq *this_rq, struct rq_flags *rf) { return 0; }
-
 #endif /* CONFIG_SMP */
 
 #include "stats.h"
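Review bot: this hunk removes both the extern declaration and the !CONFIG_SMP inline stub of newidle_balance(), so non-SMP builds now depend entirely on the stub that the fair.c hunk renames from idle_balance() to newidle_balance(). The commit message says "No functional change" but does not mention that rename or the non-SMP case. Please confirm a !CONFIG_SMP build of this branch still compiles and that nothing outside fair.c referenced the removed stub.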
-- 
2.51.0





* [PATCH 5.4 167/224] sched/fair: Trivial correction of the newidle_balance() comment
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 166/224] sched: Make newidle_balance() static again Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 168/224] sched/balancing: Rename newidle_balance() => sched_balance_newidle() Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Barry Song, Peter Zijlstra (Intel),
	Ingo Molnar, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Barry Song <song.bao.hua@hisilicon.com>

[ Upstream commit 5b78f2dc315354c05300795064f587366a02c6ff ]

idle_balance() has been renamed to newidle_balance(). To differentiate
with nohz_idle_balance, it seems refining the comment will be helpful
for the readers of the code.

Signed-off-by: Barry Song <song.bao.hua@hisilicon.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://lkml.kernel.org/r/20201202220641.22752-1-song.bao.hua@hisilicon.com
Stable-dep-of: 17e3e88ed0b6 ("sched/fair: Fix pelt lost idle time detection")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/sched/fair.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index db4a1da522e42..1d82b9cc9eb77 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -9897,7 +9897,7 @@ static inline void nohz_newidle_balance(struct rq *this_rq) { }
 #endif /* CONFIG_NO_HZ_COMMON */
 
 /*
- * idle_balance is called by schedule() if this_cpu is about to become
+ * newidle_balance is called by schedule() if this_cpu is about to become
  * idle. Attempts to pull tasks from other CPUs.
  */
 static int newidle_balance(struct rq *this_rq, struct rq_flags *rf)
-- 
2.51.0





* [PATCH 5.4 168/224] sched/balancing: Rename newidle_balance() => sched_balance_newidle()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 167/224] sched/fair: Trivial correction of the newidle_balance() comment Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 169/224] sched/fair: Fix pelt lost idle time detection Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ingo Molnar, Shrikanth Hegde,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ingo Molnar <mingo@kernel.org>

[ Upstream commit 7d058285cd77cc1411c91efd1b1673530bb1bee8 ]

Standardize scheduler load-balancing function names on the
sched_balance_() prefix.

Signed-off-by: Ingo Molnar <mingo@kernel.org>
Reviewed-by: Shrikanth Hegde <sshegde@linux.ibm.com>
Link: https://lore.kernel.org/r/20240308111819.1101550-11-mingo@kernel.org
Stable-dep-of: 17e3e88ed0b6 ("sched/fair: Fix pelt lost idle time detection")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/sched/fair.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index 1d82b9cc9eb77..62c0348ef556a 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -3690,7 +3690,7 @@ static inline unsigned long cfs_rq_load_avg(struct cfs_rq *cfs_rq)
 	return cfs_rq->avg.load_avg;
 }
 
-static int newidle_balance(struct rq *this_rq, struct rq_flags *rf);
+static int sched_balance_newidle(struct rq *this_rq, struct rq_flags *rf);
 
 static inline unsigned long task_util(struct task_struct *p)
 {
@@ -3851,7 +3851,7 @@ attach_entity_load_avg(struct cfs_rq *cfs_rq, struct sched_entity *se, int flags
 static inline void
 detach_entity_load_avg(struct cfs_rq *cfs_rq, struct sched_entity *se) {}
 
-static inline int newidle_balance(struct rq *rq, struct rq_flags *rf)
+static inline int sched_balance_newidle(struct rq *rq, struct rq_flags *rf)
 {
 	return 0;
 }
@@ -6690,7 +6690,7 @@ balance_fair(struct rq *rq, struct task_struct *prev, struct rq_flags *rf)
 	if (rq->nr_running)
 		return 1;
 
-	return newidle_balance(rq, rf) != 0;
+	return sched_balance_newidle(rq, rf) != 0;
 }
 #endif /* CONFIG_SMP */
 
@@ -6981,10 +6981,10 @@ done: __maybe_unused;
 	if (!rf)
 		return NULL;
 
-	new_tasks = newidle_balance(rq, rf);
+	new_tasks = sched_balance_newidle(rq, rf);
 
 	/*
-	 * Because newidle_balance() releases (and re-acquires) rq->lock, it is
+	 * Because sched_balance_newidle() releases (and re-acquires) rq->lock, it is
 	 * possible for any higher priority task to appear. In that case we
 	 * must re-start the pick_next_entity() loop.
 	 */
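Review bot: the renamed comment line "Because sched_balance_newidle() releases (and re-acquires) rq->lock, it is" now runs past 80 columns once the leading tab is counted, because the longer function name was substituted without rewrapping. Reflowing the comment in this patch would keep the rename self-contained instead of leaving the cleanup to a later change.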
@@ -9182,7 +9182,7 @@ static int load_balance(int this_cpu, struct rq *this_rq,
 	ld_moved = 0;
 
 	/*
-	 * newidle_balance() disregards balance intervals, so we could
+	 * sched_balance_newidle() disregards balance intervals, so we could
 	 * repeatedly reach this code, which would lead to balance_interval
 	 * skyrocketting in a short amount of time. Skip the balance_interval
 	 * increase logic to avoid that.
@@ -9897,10 +9897,10 @@ static inline void nohz_newidle_balance(struct rq *this_rq) { }
 #endif /* CONFIG_NO_HZ_COMMON */
 
 /*
- * newidle_balance is called by schedule() if this_cpu is about to become
+ * sched_balance_newidle is called by schedule() if this_cpu is about to become
  * idle. Attempts to pull tasks from other CPUs.
  */
-static int newidle_balance(struct rq *this_rq, struct rq_flags *rf)
+static int sched_balance_newidle(struct rq *this_rq, struct rq_flags *rf)
 {
 	unsigned long next_balance = jiffies + HZ;
 	int this_cpu = this_rq->cpu;
-- 
2.51.0





* [PATCH 5.4 169/224] sched/fair: Fix pelt lost idle time detection
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 168/224] sched/balancing: Rename newidle_balance() => sched_balance_newidle() Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 170/224] ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Vincent Guittot,
	Peter Zijlstra (Intel), Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vincent Guittot <vincent.guittot@linaro.org>

[ Upstream commit 17e3e88ed0b6318fde0d1c14df1a804711cab1b5 ]

The check for some lost idle pelt time should be always done when
pick_next_task_fair() fails to pick a task and not only when we call it
from the fair fast-path.

The case happens when the last running task on rq is a RT or DL task. When
the latter goes to sleep and the /Sum of util_sum of the rq is at the max
value, we don't account the lost of idle time whereas we should.

Fixes: 67692435c411 ("sched: Rework pick_next_task() slow-path")
Signed-off-by: Vincent Guittot <vincent.guittot@linaro.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/sched/fair.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index 62c0348ef556a..5e8f2167d8caa 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -6978,21 +6978,21 @@ done: __maybe_unused;
 	return p;
 
 idle:
-	if (!rf)
-		return NULL;
-
-	new_tasks = sched_balance_newidle(rq, rf);
+	if (rf) {
+		new_tasks = sched_balance_newidle(rq, rf);
 
-	/*
-	 * Because sched_balance_newidle() releases (and re-acquires) rq->lock, it is
-	 * possible for any higher priority task to appear. In that case we
-	 * must re-start the pick_next_entity() loop.
-	 */
-	if (new_tasks < 0)
-		return RETRY_TASK;
+		/*
+		 * Because sched_balance_newidle() releases (and re-acquires)
+		 * rq->lock, it is possible for any higher priority task to
+		 * appear. In that case we must re-start the pick_next_entity()
+		 * loop.
+		 */
+		if (new_tasks < 0)
+			return RETRY_TASK;
 
-	if (new_tasks > 0)
-		goto again;
+		if (new_tasks > 0)
+			goto again;
+	}
 
 	/*
 	 * rq is about to be idle, check if we need to update the
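Review bot: with the early `if (!rf) return NULL;` gone, a call with rf == NULL now falls through into the "rq is about to be idle" code below instead of returning immediately, and `new_tasks` is only assigned inside the new `if (rf)` block. Both are intended according to the commit message, but the hunk does not show the tail of the function. Please confirm that the fall-through path neither dereferences `rf` nor reads `new_tasks`, and that it still ends by returning NULL. Splitting the re-indentation from the control-flow change would also make the behavioural part easier to see.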
-- 
2.51.0





* [PATCH 5.4 170/224] ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 169/224] sched/fair: Fix pelt lost idle time detection Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 171/224] hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp() Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Randy Dunlap, Takashi Sakamoto,
	Takashi Iwai, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit d41f68dff783d181a8fd462e612bda0fbab7f735 ]

Fix spelling of CIP_NO_HEADER to prevent a kernel-doc warning.

Warning: amdtp-stream.h:57 Enum value 'CIP_NO_HEADER' not described in enum 'cip_flags'
Warning: amdtp-stream.h:57 Excess enum value '%CIP_NO_HEADERS' description in 'cip_flags'

Fixes: 3b196c394dd9f ("ALSA: firewire-lib: add no-header packet processing")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/firewire/amdtp-stream.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/firewire/amdtp-stream.h b/sound/firewire/amdtp-stream.h
index bbbca964b9b46..f1933f7b9f1bf 100644
--- a/sound/firewire/amdtp-stream.h
+++ b/sound/firewire/amdtp-stream.h
@@ -32,7 +32,7 @@
  *	allows 5 times as large as IEC 61883-6 defines.
  * @CIP_HEADER_WITHOUT_EOH: Only for in-stream. CIP Header doesn't include
  *	valid EOH.
- * @CIP_NO_HEADERS: a lack of headers in packets
+ * @CIP_NO_HEADER: a lack of headers in packets
  * @CIP_UNALIGHED_DBC: Only for in-stream. The value of dbc is not alighed to
  *	the value of current SYT_INTERVAL; e.g. initial value is not zero.
  */
-- 
2.51.0





* [PATCH 5.4 171/224] hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (169 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 170/224] ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 172/224] exec: Fix incorrect type for ret Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jiaming Zhang, Viacheslav Dubeyko,
	John Paul Adrian Glaubitz, Yangtao Li, linux-fsdevel, syzkaller

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Viacheslav Dubeyko <slava@dubeyko.com>

commit 42520df65bf67189541a425f7d36b0b3e7bd7844 upstream.

The hfsplus_strcasecmp() logic can trigger the issue:

[  117.317703][ T9855] ==================================================================
[  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490
[  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855
[  117.319577][ T9855]
[  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full)
[  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  117.319783][ T9855] Call Trace:
[  117.319785][ T9855]  <TASK>
[  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0
[  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0
[  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10
[  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0
[  117.319816][ T9855]  ? lock_release+0x4b/0x3e0
[  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40
[  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0
[  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0
[  117.319842][ T9855]  print_report+0x17e/0x7e0
[  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0
[  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0
[  117.319862][ T9855]  ? __phys_addr+0xd3/0x180
[  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490
[  117.319876][ T9855]  kasan_report+0x147/0x180
[  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490
[  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490
[  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10
[  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0
[  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470
[  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10
[  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10
[  117.319933][ T9855]  ? __pfx___hfsplus_brec_find+0x10/0x10
[  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510
[  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10
[  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10
[  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510
[  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0
[  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120
[  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890
[  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10
[  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0
[  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80
[  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10
[  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100
[  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150
[  117.320034][ T9855]  __lookup_slow+0x297/0x3d0
[  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10
[  117.320045][ T9855]  ? down_read+0x1ad/0x2e0
[  117.320055][ T9855]  lookup_slow+0x53/0x70
[  117.320065][ T9855]  walk_component+0x2f0/0x430
[  117.320073][ T9855]  path_lookupat+0x169/0x440
[  117.320081][ T9855]  filename_lookup+0x212/0x590
[  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10
[  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290
[  117.320105][ T9855]  ? getname_flags+0x1e5/0x540
[  117.320112][ T9855]  user_path_at+0x3a/0x60
[  117.320117][ T9855]  __x64_sys_umount+0xee/0x160
[  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10
[  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0
[  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0
[  117.320150][ T9855]  ? exc_page_fault+0x9f/0xf0
[  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07
[  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08
[  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
[  117.320172][ T9855] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7dd7908b07
[  117.320176][ T9855] RDX: 0000000000000009 RSI: 0000000000000009 RDI: 00007ffd5ebd9740
[  117.320179][ T9855] RBP: 00007ffd5ebda780 R08: 0000000000000005 R09: 00007ffd5ebd9530
[  117.320181][ T9855] R10: 00007f7dd799bfc0 R11: 0000000000000202 R12: 000055e2008b32d0
[  117.320184][ T9855] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  117.320189][ T9855]  </TASK>
[  117.320190][ T9855]
[  117.351311][ T9855] Allocated by task 9855:
[  117.351683][ T9855]  kasan_save_track+0x3e/0x80
[  117.352093][ T9855]  __kasan_kmalloc+0x8d/0xa0
[  117.352490][ T9855]  __kmalloc_noprof+0x288/0x510
[  117.352914][ T9855]  hfsplus_find_init+0x8c/0x1d0
[  117.353342][ T9855]  hfsplus_lookup+0x19c/0x890
[  117.353747][ T9855]  __lookup_slow+0x297/0x3d0
[  117.354148][ T9855]  lookup_slow+0x53/0x70
[  117.354514][ T9855]  walk_component+0x2f0/0x430
[  117.354921][ T9855]  path_lookupat+0x169/0x440
[  117.355325][ T9855]  filename_lookup+0x212/0x590
[  117.355740][ T9855]  user_path_at+0x3a/0x60
[  117.356115][ T9855]  __x64_sys_umount+0xee/0x160
[  117.356529][ T9855]  do_syscall_64+0xf3/0x3a0
[  117.356920][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  117.357429][ T9855]
[  117.357636][ T9855] The buggy address belongs to the object at ffff88802160f000
[  117.357636][ T9855]  which belongs to the cache kmalloc-2k of size 2048
[  117.358827][ T9855] The buggy address is located 0 bytes to the right of
[  117.358827][ T9855]  allocated 1036-byte region [ffff88802160f000, ffff88802160f40c)
[  117.360061][ T9855]
[  117.360266][ T9855] The buggy address belongs to the physical page:
[  117.360813][ T9855] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21608
[  117.361562][ T9855] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  117.362285][ T9855] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[  117.362929][ T9855] page_type: f5(slab)
[  117.363282][ T9855] raw: 00fff00000000040 ffff88801a842f00 ffffea0000932000 dead000000000002
[  117.364015][ T9855] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
[  117.364750][ T9855] head: 00fff00000000040 ffff88801a842f00 ffffea0000932000 dead000000000002
[  117.365491][ T9855] head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
[  117.366232][ T9855] head: 00fff00000000003 ffffea0000858201 00000000ffffffff 00000000ffffffff
[  117.366968][ T9855] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[  117.367711][ T9855] page dumped because: kasan: bad access detected
[  117.368259][ T9855] page_owner tracks the page as allocated
[  117.368745][ T9855] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN1
[  117.370541][ T9855]  post_alloc_hook+0x240/0x2a0
[  117.370954][ T9855]  get_page_from_freelist+0x2101/0x21e0
[  117.371435][ T9855]  __alloc_frozen_pages_noprof+0x274/0x380
[  117.371935][ T9855]  alloc_pages_mpol+0x241/0x4b0
[  117.372360][ T9855]  allocate_slab+0x8d/0x380
[  117.372752][ T9855]  ___slab_alloc+0xbe3/0x1400
[  117.373159][ T9855]  __kmalloc_cache_noprof+0x296/0x3d0
[  117.373621][ T9855]  nexthop_net_init+0x75/0x100
[  117.374038][ T9855]  ops_init+0x35c/0x5c0
[  117.374400][ T9855]  setup_net+0x10c/0x320
[  117.374768][ T9855]  copy_net_ns+0x31b/0x4d0
[  117.375156][ T9855]  create_new_namespaces+0x3f3/0x720
[  117.375613][ T9855]  unshare_nsproxy_namespaces+0x11c/0x170
[  117.376094][ T9855]  ksys_unshare+0x4ca/0x8d0
[  117.376477][ T9855]  __x64_sys_unshare+0x38/0x50
[  117.376879][ T9855]  do_syscall_64+0xf3/0x3a0
[  117.377265][ T9855] page last free pid 9110 tgid 9110 stack trace:
[  117.377795][ T9855]  __free_frozen_pages+0xbeb/0xd50
[  117.378229][ T9855]  __put_partials+0x152/0x1a0
[  117.378625][ T9855]  put_cpu_partial+0x17c/0x250
[  117.379026][ T9855]  __slab_free+0x2d4/0x3c0
[  117.379404][ T9855]  qlist_free_all+0x97/0x140
[  117.379790][ T9855]  kasan_quarantine_reduce+0x148/0x160
[  117.380250][ T9855]  __kasan_slab_alloc+0x22/0x80
[  117.380662][ T9855]  __kmalloc_noprof+0x232/0x510
[  117.381074][ T9855]  tomoyo_supervisor+0xc0a/0x1360
[  117.381498][ T9855]  tomoyo_env_perm+0x149/0x1e0
[  117.381903][ T9855]  tomoyo_find_next_domain+0x15ad/0x1b90
[  117.382378][ T9855]  tomoyo_bprm_check_security+0x11c/0x180
[  117.382859][ T9855]  security_bprm_check+0x89/0x280
[  117.383289][ T9855]  bprm_execve+0x8f1/0x14a0
[  117.383673][ T9855]  do_execveat_common+0x528/0x6b0
[  117.384103][ T9855]  __x64_sys_execve+0x94/0xb0
[  117.384500][ T9855]
[  117.384706][ T9855] Memory state around the buggy address:
[  117.385179][ T9855]  ffff88802160f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  117.385854][ T9855]  ffff88802160f380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  117.386534][ T9855] >ffff88802160f400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  117.387204][ T9855]                       ^
[  117.387566][ T9855]  ffff88802160f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  117.388243][ T9855]  ffff88802160f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  117.388918][ T9855] ==================================================================

The issue takes place if the length field of struct hfsplus_unistr
is bigger than HFSPLUS_MAX_STRLEN. The patch simply checks
the lengths of the strings being compared. If a string's length
is bigger than HFSPLUS_MAX_STRLEN, it is corrected
to this value.

v2
The string length correction has been added for hfsplus_strcmp().

Reported-by: Jiaming Zhang <r772577952@gmail.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
cc: Yangtao Li <frank.li@vivo.com>
cc: linux-fsdevel@vger.kernel.org
cc: syzkaller@googlegroups.com
Link: https://lore.kernel.org/r/20250919191243.1370388-1-slava@dubeyko.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/hfsplus/unicode.c |   24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

--- a/fs/hfsplus/unicode.c
+++ b/fs/hfsplus/unicode.c
@@ -40,6 +40,18 @@ int hfsplus_strcasecmp(const struct hfsp
 	p1 = s1->unicode;
 	p2 = s2->unicode;
 
+	if (len1 > HFSPLUS_MAX_STRLEN) {
+		len1 = HFSPLUS_MAX_STRLEN;
+		pr_err("invalid length %u has been corrected to %d\n",
+			be16_to_cpu(s1->length), len1);
+	}
+
+	if (len2 > HFSPLUS_MAX_STRLEN) {
+		len2 = HFSPLUS_MAX_STRLEN;
+		pr_err("invalid length %u has been corrected to %d\n",
+			be16_to_cpu(s2->length), len2);
+	}
+
 	while (1) {
 		c1 = c2 = 0;
 
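Review bot: the two added clamp blocks in hfsplus_strcasecmp() are identical apart from the variable, and the message "invalid length %u has been corrected to %d" names neither the function nor which of the two strings was bad. A small helper that takes the hfsplus_unistr, returns the clamped length and prints the caller name would remove the duplication here and in hfsplus_strcmp(), and would make the log line attributable.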
@@ -74,6 +86,18 @@ int hfsplus_strcmp(const struct hfsplus_
 	p1 = s1->unicode;
 	p2 = s2->unicode;
 
+	if (len1 > HFSPLUS_MAX_STRLEN) {
+		len1 = HFSPLUS_MAX_STRLEN;
+		pr_err("invalid length %u has been corrected to %d\n",
+			be16_to_cpu(s1->length), len1);
+	}
+
+	if (len2 > HFSPLUS_MAX_STRLEN) {
+		len2 = HFSPLUS_MAX_STRLEN;
+		pr_err("invalid length %u has been corrected to %d\n",
+			be16_to_cpu(s2->length), len2);
+	}
+
 	for (len = min(len1, len2); len > 0; len--) {
 		c1 = be16_to_cpu(*p1);
 		c2 = be16_to_cpu(*p2);
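Review bot: pr_err() in the len1/len2 checks of hfsplus_strcmp() fires on every comparison that meets an oversized length field, and a key comparison routine can run many times per lookup, so one corrupted record can fill the log. pr_err_ratelimited() or a once-per-mount warning would keep the diagnostic without the flood. The comparison also carries on with the truncated length, so the commit message should say that ordering against a corrupted key is best effort rather than an error.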




* [PATCH 5.4 172/224] exec: Fix incorrect type for ret
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (170 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 171/224] hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp() Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 173/224] hfs: clear offset and space out of valid records in b-tree node Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xichao Zhao, Jan Kara, Kees Cook,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xichao Zhao <zhao.xichao@vivo.com>

[ Upstream commit 5e088248375d171b80c643051e77ade6b97bc386 ]

In the setup_arg_pages(), ret is declared as an unsigned long.
The ret might take a negative value. Therefore, its type should
be changed to int.

Signed-off-by: Xichao Zhao <zhao.xichao@vivo.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20250825073609.219855-1-zhao.xichao@vivo.com
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/exec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/exec.c b/fs/exec.c
index 5dffc67745c80..5aa0d9ec7f21b 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -701,7 +701,7 @@ int setup_arg_pages(struct linux_binprm *bprm,
 		    unsigned long stack_top,
 		    int executable_stack)
 {
-	unsigned long ret;
+	int ret;
 	unsigned long stack_shift;
 	struct mm_struct *mm = current->mm;
 	struct vm_area_struct *vma = bprm->vma;
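Review bot: the declaration change to `int ret;` is the whole patch, and neither the hunk nor the commit message shows which assignment to ret can be negative or whether any test on it misbehaved with the unsigned type. Since setup_arg_pages() already returns int, please state in the message whether this is a behavioural fix or a type cleanup, so the stable backport can be judged on that.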
-- 
2.51.0





* [PATCH 5.4 173/224] hfs: clear offset and space out of valid records in b-tree node
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (171 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 172/224] exec: Fix incorrect type for ret Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 174/224] hfs: make proper initalization of struct hfs_find_data Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Viacheslav Dubeyko,
	John Paul Adrian Glaubitz, Yangtao Li, linux-fsdevel, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Viacheslav Dubeyko <slava@dubeyko.com>

[ Upstream commit 18b07c44f245beb03588b00b212b38fce9af7cc9 ]

Currently, hfs_brec_remove() moves records
towards the location of the deleted record and it updates
the offsets of the moved records. However, the hfs_brec_remove()
logic ignores the "mess" in the b-tree node's free space and
it doesn't touch the offsets outside the record count.
Potentially, it could confuse fsck or driver logic, or
be a cause of potential corruption cases.

This patch reworks the logic of hfs_brec_remove()
by clearing the freed space of the b-tree node
after the records are moved. It also clears the last
offset, which keeps the old location of the free space,
because the offset before this one now keeps
the actual offset to the free space after the record
deletion.

Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
cc: Yangtao Li <frank.li@vivo.com>
cc: linux-fsdevel@vger.kernel.org
Link: https://lore.kernel.org/r/20250815194918.38165-1-slava@dubeyko.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/hfs/brec.c | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c
index 896396554bcc1..b01db1fae147c 100644
--- a/fs/hfs/brec.c
+++ b/fs/hfs/brec.c
@@ -179,6 +179,7 @@ int hfs_brec_remove(struct hfs_find_data *fd)
 	struct hfs_btree *tree;
 	struct hfs_bnode *node, *parent;
 	int end_off, rec_off, data_off, size;
+	int src, dst, len;
 
 	tree = fd->tree;
 	node = fd->bnode;
@@ -208,10 +209,14 @@ int hfs_brec_remove(struct hfs_find_data *fd)
 	}
 	hfs_bnode_write_u16(node, offsetof(struct hfs_bnode_desc, num_recs), node->num_recs);
 
-	if (rec_off == end_off)
-		goto skip;
 	size = fd->keylength + fd->entrylength;
 
+	if (rec_off == end_off) {
+		src = fd->keyoffset;
+		hfs_bnode_clear(node, src, size);
+		goto skip;
+	}
+
 	do {
 		data_off = hfs_bnode_read_u16(node, rec_off);
 		hfs_bnode_write_u16(node, rec_off + 2, data_off - size);
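Review bot: the new `rec_off == end_off` branch clears `size` bytes at `fd->keyoffset` with no check that `fd->keyoffset + size` stays inside the node, and both values come straight from the find data. A bounds check, or a short comment on why they can be trusted at this point, would help. The `src` temporary is used once in this branch; passing `fd->keyoffset` directly to hfs_bnode_clear() reads more plainly.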
@@ -219,9 +224,23 @@ int hfs_brec_remove(struct hfs_find_data *fd)
 	} while (rec_off >= end_off);
 
 	/* fill hole */
-	hfs_bnode_move(node, fd->keyoffset, fd->keyoffset + size,
-		       data_off - fd->keyoffset - size);
+	dst = fd->keyoffset;
+	src = fd->keyoffset + size;
+	len = data_off - src;
+
+	hfs_bnode_move(node, dst, src, len);
+
+	src = dst + len;
+	len = data_off - src;
+
+	hfs_bnode_clear(node, src, len);
+
 skip:
+	/*
+	 * Remove the obsolete offset to free space.
+	 */
+	hfs_bnode_write_u16(node, end_off, 0);
+
 	hfs_bnode_dump(node);
 	if (!fd->record)
 		hfs_brec_update_parent(fd);
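Review bot: in the "fill hole" block the second `len = data_off - src;` always evaluates to `size` (src is `dst + len`, which is `data_off - size`), so the clear could be written as `hfs_bnode_clear(node, data_off - size, size);` and the src/dst/len reuse dropped. As written, the reader has to redo the arithmetic to see which range is zeroed. The first `len = data_off - src;` is also passed to hfs_bnode_move() with no check that it is non-negative; data_off is read from the node with hfs_bnode_read_u16(), so a guard or a comment on why it cannot be below `fd->keyoffset + size` would be worth adding.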
-- 
2.51.0





* [PATCH 5.4 174/224] hfs: make proper initalization of struct hfs_find_data
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (172 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 173/224] hfs: clear offset and space out of valid records in b-tree node Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 175/224] hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent() Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Viacheslav Dubeyko,
	John Paul Adrian Glaubitz, Yangtao Li, linux-fsdevel, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Viacheslav Dubeyko <slava@dubeyko.com>

[ Upstream commit c62663a986acee7c4485c1fa9de5fc40194b6290 ]

Potentially, __hfs_ext_read_extent() could operate on
uninitialized values of fd->key after the hfs_brec_find() call:

static inline int __hfs_ext_read_extent(struct hfs_find_data *fd, struct hfs_extent *extent,
                                        u32 cnid, u32 block, u8 type)
{
        int res;

        hfs_ext_build_key(fd->search_key, cnid, block, type);
        fd->key->ext.FNum = 0;
        res = hfs_brec_find(fd);
        if (res && res != -ENOENT)
                return res;
        if (fd->key->ext.FNum != fd->search_key->ext.FNum ||
            fd->key->ext.FkType != fd->search_key->ext.FkType)
                return -ENOENT;
        if (fd->entrylength != sizeof(hfs_extent_rec))
                return -EIO;
        hfs_bnode_read(fd->bnode, extent, fd->entryoffset, sizeof(hfs_extent_rec));
        return 0;
}

This patch changes kmalloc() to kzalloc() in hfs_find_init()
and initializes fd->record, fd->keyoffset, fd->keylength,
fd->entryoffset, fd->entrylength for the case when hfs_brec_find()
has found nothing in the b-tree node.

Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
cc: Yangtao Li <frank.li@vivo.com>
cc: linux-fsdevel@vger.kernel.org
Link: https://lore.kernel.org/r/20250818225252.126427-1-slava@dubeyko.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/hfs/bfind.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c
index ef9498a6e88ac..6d37b4c759034 100644
--- a/fs/hfs/bfind.c
+++ b/fs/hfs/bfind.c
@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
 
 	fd->tree = tree;
 	fd->bnode = NULL;
-	ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+	ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
 	if (!ptr)
 		return -ENOMEM;
 	fd->search_key = ptr;
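Review bot: switching to kzalloc() makes the later comparison of fd->key against fd->search_key deterministic, but a zeroed key cannot be told apart from a real key whose fields are zero, and the __hfs_ext_read_extent() quoted in the message still compares the keys after hfs_brec_find() has returned -ENOENT. A comment at the allocation saying that zero is relied on as "no key read yet" would make that dependency explicit.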
@@ -112,6 +112,12 @@ int hfs_brec_find(struct hfs_find_data *fd)
 	__be32 data;
 	int height, res;
 
+	fd->record = -1;
+	fd->keyoffset = -1;
+	fd->keylength = -1;
+	fd->entryoffset = -1;
+	fd->entrylength = -1;
+
 	tree = fd->tree;
 	if (fd->bnode)
 		hfs_bnode_put(fd->bnode);
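Review bot: the five fields are reset to -1 at the top of hfs_brec_find() with no comment saying that -1 means "nothing found", and callers that do arithmetic on them, such as `size = fd->keylength + fd->entrylength;` in hfs_brec_remove(), would get -2 if they ever ran after a failed lookup. Please document the sentinel next to the assignments, and note that callers must check the return value before using these fields.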
-- 
2.51.0





* [PATCH 5.4 175/224] hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (173 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 174/224] hfs: make proper initalization of struct hfs_find_data Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 176/224] hfs: validate record offset in hfsplus_bmap_alloc Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot, Viacheslav Dubeyko,
	John Paul Adrian Glaubitz, Yangtao Li, linux-fsdevel, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Viacheslav Dubeyko <slava@dubeyko.com>

[ Upstream commit 4840ceadef4290c56cc422f0fc697655f3cbf070 ]

Syzbot reported an issue in __hfsplus_ext_cache_extent():

[   70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990
[   70.195022][ T9350]  __hfsplus_ext_cache_extent+0x7d0/0x990
[   70.195530][ T9350]  hfsplus_file_extend+0x74f/0x1cf0
[   70.195998][ T9350]  hfsplus_get_block+0xe16/0x17b0
[   70.196458][ T9350]  __block_write_begin_int+0x962/0x2ce0
[   70.196959][ T9350]  cont_write_begin+0x1000/0x1950
[   70.197416][ T9350]  hfsplus_write_begin+0x85/0x130
[   70.197873][ T9350]  generic_perform_write+0x3e8/0x1060
[   70.198374][ T9350]  __generic_file_write_iter+0x215/0x460
[   70.198892][ T9350]  generic_file_write_iter+0x109/0x5e0
[   70.199393][ T9350]  vfs_write+0xb0f/0x14e0
[   70.199771][ T9350]  ksys_write+0x23e/0x490
[   70.200149][ T9350]  __x64_sys_write+0x97/0xf0
[   70.200570][ T9350]  x64_sys_call+0x3015/0x3cf0
[   70.201065][ T9350]  do_syscall_64+0xd9/0x1d0
[   70.201506][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   70.202054][ T9350]
[   70.202279][ T9350] Uninit was created at:
[   70.202693][ T9350]  __kmalloc_noprof+0x621/0xf80
[   70.203149][ T9350]  hfsplus_find_init+0x8d/0x1d0
[   70.203602][ T9350]  hfsplus_file_extend+0x6ca/0x1cf0
[   70.204087][ T9350]  hfsplus_get_block+0xe16/0x17b0
[   70.204561][ T9350]  __block_write_begin_int+0x962/0x2ce0
[   70.205074][ T9350]  cont_write_begin+0x1000/0x1950
[   70.205547][ T9350]  hfsplus_write_begin+0x85/0x130
[   70.206017][ T9350]  generic_perform_write+0x3e8/0x1060
[   70.206519][ T9350]  __generic_file_write_iter+0x215/0x460
[   70.207042][ T9350]  generic_file_write_iter+0x109/0x5e0
[   70.207552][ T9350]  vfs_write+0xb0f/0x14e0
[   70.207961][ T9350]  ksys_write+0x23e/0x490
[   70.208375][ T9350]  __x64_sys_write+0x97/0xf0
[   70.208810][ T9350]  x64_sys_call+0x3015/0x3cf0
[   70.209255][ T9350]  do_syscall_64+0xd9/0x1d0
[   70.209680][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   70.210230][ T9350]
[   70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5
[   70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   70.212115][ T9350] =====================================================
[   70.212734][ T9350] Disabling lock debugging due to kernel taint
[   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ...
[   70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G    B              6.12.0-rc5 #5
[   70.214679][ T9350] Tainted: [B]=BAD_PAGE
[   70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   70.215999][ T9350] Call Trace:
[   70.216309][ T9350]  <TASK>
[   70.216585][ T9350]  dump_stack_lvl+0x1fd/0x2b0
[   70.217025][ T9350]  dump_stack+0x1e/0x30
[   70.217421][ T9350]  panic+0x502/0xca0
[   70.217803][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0

[   70.218294][ Message fromT sy9350]  kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...
 kernel
:[   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [   70.220179][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0
set ...
[   70.221254][ T9350]  ? __msan_warning+0x96/0x120
[   70.222066][ T9350]  ? __hfsplus_ext_cache_extent+0x7d0/0x990
[   70.223023][ T9350]  ? hfsplus_file_extend+0x74f/0x1cf0
[   70.224120][ T9350]  ? hfsplus_get_block+0xe16/0x17b0
[   70.224946][ T9350]  ? __block_write_begin_int+0x962/0x2ce0
[   70.225756][ T9350]  ? cont_write_begin+0x1000/0x1950
[   70.226337][ T9350]  ? hfsplus_write_begin+0x85/0x130
[   70.226852][ T9350]  ? generic_perform_write+0x3e8/0x1060
[   70.227405][ T9350]  ? __generic_file_write_iter+0x215/0x460
[   70.227979][ T9350]  ? generic_file_write_iter+0x109/0x5e0
[   70.228540][ T9350]  ? vfs_write+0xb0f/0x14e0
[   70.228997][ T9350]  ? ksys_write+0x23e/0x490
[   70.229458][ T9350]  ? __x64_sys_write+0x97/0xf0
[   70.229939][ T9350]  ? x64_sys_call+0x3015/0x3cf0
[   70.230432][ T9350]  ? do_syscall_64+0xd9/0x1d0
[   70.230941][ T9350]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   70.231926][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0
[   70.232738][ T9350]  ? kmsan_internal_set_shadow_origin+0x77/0x110
[   70.233711][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0
[   70.234516][ T9350]  ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
[   70.235398][ T9350]  ? __msan_metadata_ptr_for_load_4+0x24/0x40
[   70.236323][ T9350]  ? hfsplus_brec_find+0x218/0x9f0
[   70.237090][ T9350]  ? __pfx_hfs_find_rec_by_key+0x10/0x10
[   70.237938][ T9350]  ? __msan_instrument_asm_store+0xbf/0xf0
[   70.238827][ T9350]  ? __msan_metadata_ptr_for_store_4+0x27/0x40
[   70.239772][ T9350]  ? __hfsplus_ext_write_extent+0x536/0x620
[   70.240666][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0
[   70.241175][ T9350]  __msan_warning+0x96/0x120
[   70.241645][ T9350]  __hfsplus_ext_cache_extent+0x7d0/0x990
[   70.242223][ T9350]  hfsplus_file_extend+0x74f/0x1cf0
[   70.242748][ T9350]  hfsplus_get_block+0xe16/0x17b0
[   70.243255][ T9350]  ? kmsan_internal_set_shadow_origin+0x77/0x110
[   70.243878][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0
[   70.244400][ T9350]  ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
[   70.244967][ T9350]  __block_write_begin_int+0x962/0x2ce0
[   70.245531][ T9350]  ? __pfx_hfsplus_get_block+0x10/0x10
[   70.246079][ T9350]  cont_write_begin+0x1000/0x1950
[   70.246598][ T9350]  hfsplus_write_begin+0x85/0x130
[   70.247105][ T9350]  ? __pfx_hfsplus_get_block+0x10/0x10
[   70.247650][ T9350]  ? __pfx_hfsplus_write_begin+0x10/0x10
[   70.248211][ T9350]  generic_perform_write+0x3e8/0x1060
[   70.248752][ T9350]  __generic_file_write_iter+0x215/0x460
[   70.249314][ T9350]  generic_file_write_iter+0x109/0x5e0
[   70.249856][ T9350]  ? kmsan_internal_set_shadow_origin+0x77/0x110
[   70.250487][ T9350]  vfs_write+0xb0f/0x14e0
[   70.250930][ T9350]  ? __pfx_generic_file_write_iter+0x10/0x10
[   70.251530][ T9350]  ksys_write+0x23e/0x490
[   70.251974][ T9350]  __x64_sys_write+0x97/0xf0
[   70.252450][ T9350]  x64_sys_call+0x3015/0x3cf0
[   70.252924][ T9350]  do_syscall_64+0xd9/0x1d0
[   70.253384][ T9350]  ? irqentry_exit+0x16/0x60
[   70.253844][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   70.254430][ T9350] RIP: 0033:0x7f7a92adffc9
[   70.254873][ T9350] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
[   70.256674][ T9350] RSP: 002b:00007fff0bca3188 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[   70.257485][ T9350] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a92adffc9
[   70.258246][ T9350] RDX: 000000000208e24b RSI: 0000000020000100 RDI: 0000000000000004
[   70.258998][ T9350] RBP: 00007fff0bca31a0 R08: 00007fff0bca31a0 R09: 00007fff0bca31a0
[   70.259769][ T9350] R10: 0000000000000000 R11: 0000000000000202 R12: 000055e0d75f8250
[   70.260520][ T9350] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   70.261286][ T9350]  </TASK>
[   70.262026][ T9350] Kernel Offset: disabled

(gdb) l *__hfsplus_ext_cache_extent+0x7d0
0xffffffff8318aef0 is in __hfsplus_ext_cache_extent (fs/hfsplus/extents.c:168).
163		fd->key->ext.cnid = 0;
164		res = hfs_brec_find(fd, hfs_find_rec_by_key);
165		if (res && res != -ENOENT)
166			return res;
167		if (fd->key->ext.cnid != fd->search_key->ext.cnid ||
168		    fd->key->ext.fork_type != fd->search_key->ext.fork_type)
169			return -ENOENT;
170		if (fd->entrylength != sizeof(hfsplus_extent_rec))
171			return -EIO;
172		hfs_bnode_read(fd->bnode, extent, fd->entryoffset,

The __hfsplus_ext_cache_extent() calls __hfsplus_ext_read_extent():

res = __hfsplus_ext_read_extent(fd, hip->cached_extents, inode->i_ino,
				block, HFSPLUS_IS_RSRC(inode) ?
					HFSPLUS_TYPE_RSRC :
					HFSPLUS_TYPE_DATA);

And if inode->i_ino could be equal to zero or any non-available CNID,
then hfs_brec_find() could not find the record in the tree. As a result,
fd->key could be compared with fd->search_key. But hfsplus_find_init()
uses kmalloc() for fd->key and fd->search_key allocation:

int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
{
<skipped>
        ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
        if (!ptr)
                return -ENOMEM;
        fd->search_key = ptr;
        fd->key = ptr + tree->max_key_len + 2;
<skipped>
}

Finally, fd->key is still not initialized if hfs_brec_find()
has found nothing.

This patch changes kmalloc() to kzalloc() in hfs_find_init()
and initializes fd->record, fd->keyoffset, fd->keylength,
fd->entryoffset, fd->entrylength for the case when hfs_brec_find()
has found nothing in the b-tree node.

Reported-by: syzbot <syzbot+55ad87f38795d6787521@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=55ad87f38795d6787521
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
cc: Yangtao Li <frank.li@vivo.com>
cc: linux-fsdevel@vger.kernel.org
Link: https://lore.kernel.org/r/20250818225232.126402-1-slava@dubeyko.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/hfsplus/bfind.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/fs/hfsplus/bfind.c b/fs/hfsplus/bfind.c
index 901e83d65d202..26ebac4c60424 100644
--- a/fs/hfsplus/bfind.c
+++ b/fs/hfsplus/bfind.c
@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
 
 	fd->tree = tree;
 	fd->bnode = NULL;
-	ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+	ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
 	if (!ptr)
 		return -ENOMEM;
 	fd->search_key = ptr;
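Review bot: the hunk changes hfs_find_init() in fs/hfsplus/bfind.c, while the commit message and the KMSAN trace call the function hfsplus_find_init(), and the message quotes it under both names. A sentence in the message saying the two are the same function would save anyone matching the trace to the patch from searching for a second allocation site.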
@@ -158,6 +158,12 @@ int hfs_brec_find(struct hfs_find_data *fd, search_strategy_t do_key_compare)
 	__be32 data;
 	int height, res;
 
+	fd->record = -1;
+	fd->keyoffset = -1;
+	fd->keylength = -1;
+	fd->entryoffset = -1;
+	fd->entrylength = -1;
+
 	tree = fd->tree;
 	if (fd->bnode)
 		hfs_bnode_put(fd->bnode);
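Review bot: with the key zeroed and entrylength set to -1, the check quoted at extents.c line 170, `fd->entrylength != sizeof(hfsplus_extent_rec)`, is what rejects a failed lookup whose search key has cnid 0 and fork_type 0, and it does so with -EIO rather than -ENOENT. The message says i_ino can be zero, so this path is reachable; please confirm -EIO is the intended result for callers there, or have the caller return -ENOENT before comparing keys when hfs_brec_find() reports it.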
-- 
2.51.0





* [PATCH 5.4 176/224] hfs: validate record offset in hfsplus_bmap_alloc
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (174 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 175/224] hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent() Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 177/224] hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat() Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+356aed408415a56543cd,
	Yang Chenzhi, Viacheslav Dubeyko, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Chenzhi <yang.chenzhi@vivo.com>

[ Upstream commit 738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20 ]

hfsplus_bmap_alloc can trigger a crash if a
record offset or length is larger than node_size:

[   15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0
[   15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183
[   15.265949]
[   15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary)
[   15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   15.266167] Call Trace:
[   15.266168]  <TASK>
[   15.266169]  dump_stack_lvl+0x53/0x70
[   15.266173]  print_report+0xd0/0x660
[   15.266181]  kasan_report+0xce/0x100
[   15.266185]  hfsplus_bmap_alloc+0x887/0x8b0
[   15.266208]  hfs_btree_inc_height.isra.0+0xd5/0x7c0
[   15.266217]  hfsplus_brec_insert+0x870/0xb00
[   15.266222]  __hfsplus_ext_write_extent+0x428/0x570
[   15.266225]  __hfsplus_ext_cache_extent+0x5e/0x910
[   15.266227]  hfsplus_ext_read_extent+0x1b2/0x200
[   15.266233]  hfsplus_file_extend+0x5a7/0x1000
[   15.266237]  hfsplus_get_block+0x12b/0x8c0
[   15.266238]  __block_write_begin_int+0x36b/0x12c0
[   15.266251]  block_write_begin+0x77/0x110
[   15.266252]  cont_write_begin+0x428/0x720
[   15.266259]  hfsplus_write_begin+0x51/0x100
[   15.266262]  cont_write_begin+0x272/0x720
[   15.266270]  hfsplus_write_begin+0x51/0x100
[   15.266274]  generic_perform_write+0x321/0x750
[   15.266285]  generic_file_write_iter+0xc3/0x310
[   15.266289]  __kernel_write_iter+0x2fd/0x800
[   15.266296]  dump_user_range+0x2ea/0x910
[   15.266301]  elf_core_dump+0x2a94/0x2ed0
[   15.266320]  vfs_coredump+0x1d85/0x45e0
[   15.266349]  get_signal+0x12e3/0x1990
[   15.266357]  arch_do_signal_or_restart+0x89/0x580
[   15.266362]  irqentry_exit_to_user_mode+0xab/0x110
[   15.266364]  asm_exc_page_fault+0x26/0x30
[   15.266366] RIP: 0033:0x41bd35
[   15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 <f3> 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f
[   15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283
[   15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000
[   15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100
[   15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000
[   15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000
[   15.266376]  </TASK>

When calling hfsplus_bmap_alloc to allocate a free node, this function
first retrieves the bitmap from the header node and map node using node->page
together with the offset and length from hfs_brec_lenoff:

```
len = hfs_brec_lenoff(node, 2, &off16);
off = off16;

off += node->page_offset;
pagep = node->page + (off >> PAGE_SHIFT);
data = kmap_local_page(*pagep);
```

However, if the retrieved offset or length is invalid (i.e. exceeds
node_size), the code may end up accessing pages outside the allocated
range for this node.

This patch adds proper validation of both offset and length before use,
preventing out-of-bounds page access. Move is_bnode_offset_valid and
check_and_correct_requested_length to hfsplus_fs.h, as they may be
required by other functions.

Reported-by: syzbot+356aed408415a56543cd@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/67bcb4a6.050a0220.bbfd1.008f.GAE@google.com/
Signed-off-by: Yang Chenzhi <yang.chenzhi@vivo.com>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/20250818141734.8559-2-yang.chenzhi@vivo.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/hfsplus/bnode.c      | 41 ----------------------------------------
 fs/hfsplus/btree.c      |  6 ++++++
 fs/hfsplus/hfsplus_fs.h | 42 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 48 insertions(+), 41 deletions(-)

diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index c9c38fddf505b..e566cea238279 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -18,47 +18,6 @@
 #include "hfsplus_fs.h"
 #include "hfsplus_raw.h"
 
-static inline
-bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
-{
-	bool is_valid = off < node->tree->node_size;
-
-	if (!is_valid) {
-		pr_err("requested invalid offset: "
-		       "NODE: id %u, type %#x, height %u, "
-		       "node_size %u, offset %d\n",
-		       node->this, node->type, node->height,
-		       node->tree->node_size, off);
-	}
-
-	return is_valid;
-}
-
-static inline
-int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
-{
-	unsigned int node_size;
-
-	if (!is_bnode_offset_valid(node, off))
-		return 0;
-
-	node_size = node->tree->node_size;
-
-	if ((off + len) > node_size) {
-		int new_len = (int)node_size - off;
-
-		pr_err("requested length has been corrected: "
-		       "NODE: id %u, type %#x, height %u, "
-		       "node_size %u, offset %d, "
-		       "requested_len %d, corrected_len %d\n",
-		       node->this, node->type, node->height,
-		       node->tree->node_size, off, len, new_len);
-
-		return new_len;
-	}
-
-	return len;
-}
 
 /* Copy a specified range of bytes from the raw data of a node */
 void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
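Review bot: removing the two helpers leaves two blank lines in a row between `#include "hfsplus_raw.h"` and the hfs_bnode_read() comment; drop one of them together with the removal.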
diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
index 66774f4cb4fd5..2211907537fec 100644
--- a/fs/hfsplus/btree.c
+++ b/fs/hfsplus/btree.c
@@ -392,6 +392,12 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
 	len = hfs_brec_lenoff(node, 2, &off16);
 	off = off16;
 
+	if (!is_bnode_offset_valid(node, off)) {
+		hfs_bnode_put(node);
+		return ERR_PTR(-EIO);
+	}
+	len = check_and_correct_requested_length(node, off, len);
+
 	off += node->page_offset;
 	pagep = node->page + (off >> PAGE_SHIFT);
 	data = kmap(*pagep);
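Review bot: an invalid offset makes hfs_bmap_alloc() fail with -EIO, but an over-long length is only shortened by check_and_correct_requested_length() and allocation continues on a bitmap record that is already known to be corrupt. Either treat both cases as -EIO or add a comment on why a truncated bitmap is safe to allocate from. The patch title also names hfsplus_bmap_alloc, while the function in the hunk header is hfs_bmap_alloc.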
diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h
index 86cfc147bf3d1..5355d1ff7a9b2 100644
--- a/fs/hfsplus/hfsplus_fs.h
+++ b/fs/hfsplus/hfsplus_fs.h
@@ -561,6 +561,48 @@ hfsplus_btree_lock_class(struct hfs_btree *tree)
 	return class;
 }
 
+static inline
+bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
+{
+	bool is_valid = off < node->tree->node_size;
+
+	if (!is_valid) {
+		pr_err("requested invalid offset: "
+		       "NODE: id %u, type %#x, height %u, "
+		       "node_size %u, offset %d\n",
+		       node->this, node->type, node->height,
+		       node->tree->node_size, off);
+	}
+
+	return is_valid;
+}
+
+static inline
+int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
+{
+	unsigned int node_size;
+
+	if (!is_bnode_offset_valid(node, off))
+		return 0;
+
+	node_size = node->tree->node_size;
+
+	if ((off + len) > node_size) {
+		int new_len = (int)node_size - off;
+
+		pr_err("requested length has been corrected: "
+		       "NODE: id %u, type %#x, height %u, "
+		       "node_size %u, offset %d, "
+		       "requested_len %d, corrected_len %d\n",
+		       node->this, node->type, node->height,
+		       node->tree->node_size, off, len, new_len);
+
+		return new_len;
+	}
+
+	return len;
+}
+
 /* compatibility */
 #define hfsp_mt2ut(t)		(struct timespec){ .tv_sec = __hfsp_mt2ut(t) }
 #define hfsp_ut2mt(t)		__hfsp_ut2mt((t).tv_sec)
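Review bot: check_and_correct_requested_length() only clamps the upper bound, so a negative `len` whose sum with `off` stays inside the node is returned unchanged by the final `return len;`. Both helpers take `int off, int len` and compare them against the unsigned node_size, so rejecting a negative `off` depends on the implicit signed-to-unsigned conversion in `off < node->tree->node_size` rather than on an explicit test. An explicit `off < 0` / `len < 0` check (or unsigned parameters) would make the intent visible. Both pr_err() calls are also reachable from the contents of a mounted image with no rate limit; pr_err_ratelimited() would keep a corrupted volume from flooding the log.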
-- 
2.51.0





* [PATCH 5.4 177/224] hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (175 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 176/224] hfs: validate record offset in hfsplus_bmap_alloc Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 178/224] dlm: check for defined force value in dlm_lockspace_release Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot, Viacheslav Dubeyko,
	John Paul Adrian Glaubitz, Yangtao Li, linux-fsdevel, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Viacheslav Dubeyko <slava@dubeyko.com>

[ Upstream commit 9b3d15a758910bb98ba8feb4109d99cc67450ee4 ]

The syzbot reported issue in hfsplus_delete_cat():

[   70.682285][ T9333] =====================================================
[   70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220
[   70.683640][ T9333]  hfsplus_subfolders_dec+0x1d7/0x220
[   70.684141][ T9333]  hfsplus_delete_cat+0x105d/0x12b0
[   70.684621][ T9333]  hfsplus_rmdir+0x13d/0x310
[   70.685048][ T9333]  vfs_rmdir+0x5ba/0x810
[   70.685447][ T9333]  do_rmdir+0x964/0xea0
[   70.685833][ T9333]  __x64_sys_rmdir+0x71/0xb0
[   70.686260][ T9333]  x64_sys_call+0xcd8/0x3cf0
[   70.686695][ T9333]  do_syscall_64+0xd9/0x1d0
[   70.687119][ T9333]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   70.687646][ T9333]
[   70.687856][ T9333] Uninit was stored to memory at:
[   70.688311][ T9333]  hfsplus_subfolders_inc+0x1c2/0x1d0
[   70.688779][ T9333]  hfsplus_create_cat+0x148e/0x1800
[   70.689231][ T9333]  hfsplus_mknod+0x27f/0x600
[   70.689730][ T9333]  hfsplus_mkdir+0x5a/0x70
[   70.690146][ T9333]  vfs_mkdir+0x483/0x7a0
[   70.690545][ T9333]  do_mkdirat+0x3f2/0xd30
[   70.690944][ T9333]  __x64_sys_mkdir+0x9a/0xf0
[   70.691380][ T9333]  x64_sys_call+0x2f89/0x3cf0
[   70.691816][ T9333]  do_syscall_64+0xd9/0x1d0
[   70.692229][ T9333]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   70.692773][ T9333]
[   70.692990][ T9333] Uninit was stored to memory at:
[   70.693469][ T9333]  hfsplus_subfolders_inc+0x1c2/0x1d0
[   70.693960][ T9333]  hfsplus_create_cat+0x148e/0x1800
[   70.694438][ T9333]  hfsplus_fill_super+0x21c1/0x2700
[   70.694911][ T9333]  mount_bdev+0x37b/0x530
[   70.695320][ T9333]  hfsplus_mount+0x4d/0x60
[   70.695729][ T9333]  legacy_get_tree+0x113/0x2c0
[   70.696167][ T9333]  vfs_get_tree+0xb3/0x5c0
[   70.696588][ T9333]  do_new_mount+0x73e/0x1630
[   70.697013][ T9333]  path_mount+0x6e3/0x1eb0
[   70.697425][ T9333]  __se_sys_mount+0x733/0x830
[   70.697857][ T9333]  __x64_sys_mount+0xe4/0x150
[   70.698269][ T9333]  x64_sys_call+0x2691/0x3cf0
[   70.698704][ T9333]  do_syscall_64+0xd9/0x1d0
[   70.699117][ T9333]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   70.699730][ T9333]
[   70.699946][ T9333] Uninit was created at:
[   70.700378][ T9333]  __alloc_pages_noprof+0x714/0xe60
[   70.700843][ T9333]  alloc_pages_mpol_noprof+0x2a2/0x9b0
[   70.701331][ T9333]  alloc_pages_noprof+0xf8/0x1f0
[   70.701774][ T9333]  allocate_slab+0x30e/0x1390
[   70.702194][ T9333]  ___slab_alloc+0x1049/0x33a0
[   70.702635][ T9333]  kmem_cache_alloc_lru_noprof+0x5ce/0xb20
[   70.703153][ T9333]  hfsplus_alloc_inode+0x5a/0xd0
[   70.703598][ T9333]  alloc_inode+0x82/0x490
[   70.703984][ T9333]  iget_locked+0x22e/0x1320
[   70.704428][ T9333]  hfsplus_iget+0x5c/0xba0
[   70.704827][ T9333]  hfsplus_btree_open+0x135/0x1dd0
[   70.705291][ T9333]  hfsplus_fill_super+0x1132/0x2700
[   70.705776][ T9333]  mount_bdev+0x37b/0x530
[   70.706171][ T9333]  hfsplus_mount+0x4d/0x60
[   70.706579][ T9333]  legacy_get_tree+0x113/0x2c0
[   70.707019][ T9333]  vfs_get_tree+0xb3/0x5c0
[   70.707444][ T9333]  do_new_mount+0x73e/0x1630
[   70.707865][ T9333]  path_mount+0x6e3/0x1eb0
[   70.708270][ T9333]  __se_sys_mount+0x733/0x830
[   70.708711][ T9333]  __x64_sys_mount+0xe4/0x150
[   70.709158][ T9333]  x64_sys_call+0x2691/0x3cf0
[   70.709630][ T9333]  do_syscall_64+0xd9/0x1d0
[   70.710053][ T9333]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   70.710611][ T9333]
[   70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17
[   70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   70.712490][ T9333] =====================================================
[   70.713085][ T9333] Disabling lock debugging due to kernel taint
[   70.713618][ T9333] Kernel panic - not syncing: kmsan.panic set ...
[   70.714159][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Tainted: G    B              6.12.0-rc6-dirty #17
[   70.715007][ T9333] Tainted: [B]=BAD_PAGE
[   70.715365][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   70.716311][ T9333] Call Trace:
[   70.716621][ T9333]  <TASK>
[   70.716899][ T9333]  dump_stack_lvl+0x1fd/0x2b0
[   70.717350][ T9333]  dump_stack+0x1e/0x30
[   70.717743][ T9333]  panic+0x502/0xca0
[   70.718116][ T9333]  ? kmsan_get_metadata+0x13e/0x1c0
[   70.718611][ T9333]  kmsan_report+0x296/0x2a0
[   70.719038][ T9333]  ? __msan_metadata_ptr_for_load_4+0x24/0x40
[   70.719859][ T9333]  ? __msan_warning+0x96/0x120
[   70.720345][ T9333]  ? hfsplus_subfolders_dec+0x1d7/0x220
[   70.720881][ T9333]  ? hfsplus_delete_cat+0x105d/0x12b0
[   70.721412][ T9333]  ? hfsplus_rmdir+0x13d/0x310
[   70.721880][ T9333]  ? vfs_rmdir+0x5ba/0x810
[   70.722458][ T9333]  ? do_rmdir+0x964/0xea0
[   70.722883][ T9333]  ? __x64_sys_rmdir+0x71/0xb0
[   70.723397][ T9333]  ? x64_sys_call+0xcd8/0x3cf0
[   70.723915][ T9333]  ? do_syscall_64+0xd9/0x1d0
[   70.724454][ T9333]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   70.725110][ T9333]  ? vprintk_emit+0xd1f/0xe60
[   70.725616][ T9333]  ? vprintk_default+0x3f/0x50
[   70.726175][ T9333]  ? vprintk+0xce/0xd0
[   70.726628][ T9333]  ? _printk+0x17e/0x1b0
[   70.727129][ T9333]  ? __msan_metadata_ptr_for_load_4+0x24/0x40
[   70.727739][ T9333]  ? kmsan_get_metadata+0x13e/0x1c0
[   70.728324][ T9333]  __msan_warning+0x96/0x120
[   70.728854][ T9333]  hfsplus_subfolders_dec+0x1d7/0x220
[   70.729479][ T9333]  hfsplus_delete_cat+0x105d/0x12b0
[   70.729984][ T9333]  ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
[   70.730646][ T9333]  ? __msan_metadata_ptr_for_load_4+0x24/0x40
[   70.731296][ T9333]  ? kmsan_get_metadata+0x13e/0x1c0
[   70.731863][ T9333]  hfsplus_rmdir+0x13d/0x310
[   70.732390][ T9333]  ? __pfx_hfsplus_rmdir+0x10/0x10
[   70.732919][ T9333]  vfs_rmdir+0x5ba/0x810
[   70.733416][ T9333]  ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
[   70.734044][ T9333]  do_rmdir+0x964/0xea0
[   70.734537][ T9333]  __x64_sys_rmdir+0x71/0xb0
[   70.735032][ T9333]  x64_sys_call+0xcd8/0x3cf0
[   70.735579][ T9333]  do_syscall_64+0xd9/0x1d0
[   70.736092][ T9333]  ? irqentry_exit+0x16/0x60
[   70.736637][ T9333]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   70.737269][ T9333] RIP: 0033:0x7fa9424eafc9
[   70.737775][ T9333] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
[   70.739844][ T9333] RSP: 002b:00007fff099cd8d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000054
[   70.740760][ T9333] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa9424eafc9
[   70.741642][ T9333] RDX: 006c6f72746e6f63 RSI: 000000000000000a RDI: 0000000020000100
[   70.742543][ T9333] RBP: 00007fff099cd8e0 R08: 00007fff099cd910 R09: 00007fff099cd910
[   70.743376][ T9333] R10: 0000000000000000 R11: 0000000000000202 R12: 0000565430642260
[   70.744247][ T9333] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   70.745082][ T9333]  </TASK>

The main reason of the issue is that struct hfsplus_inode_info
has not been properly initialized for the case of root folder.
In the case of root folder, hfsplus_fill_super() calls
the hfsplus_iget() that implements only partial initialization of
struct hfsplus_inode_info and subfolders field is not
initialized by hfsplus_iget() logic.

This patch implements complete initialization of
struct hfsplus_inode_info in the hfsplus_iget() logic with
the goal to prevent likewise issues for the case of
root folder.

Reported-by: syzbot <syzbot+fdedff847a0e5e84c39f@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=fdedff847a0e5e84c39f
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
cc: Yangtao Li <frank.li@vivo.com>
cc: linux-fsdevel@vger.kernel.org
Link: https://lore.kernel.org/r/20250825225103.326401-1-slava@dubeyko.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/hfsplus/super.c | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
index 29a39afe26535..d744fde416804 100644
--- a/fs/hfsplus/super.c
+++ b/fs/hfsplus/super.c
@@ -67,13 +67,26 @@ struct inode *hfsplus_iget(struct super_block *sb, unsigned long ino)
 	if (!(inode->i_state & I_NEW))
 		return inode;
 
-	INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
-	spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
-	mutex_init(&HFSPLUS_I(inode)->extents_lock);
-	HFSPLUS_I(inode)->flags = 0;
+	atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
+	HFSPLUS_I(inode)->first_blocks = 0;
+	HFSPLUS_I(inode)->clump_blocks = 0;
+	HFSPLUS_I(inode)->alloc_blocks = 0;
+	HFSPLUS_I(inode)->cached_start = U32_MAX;
+	HFSPLUS_I(inode)->cached_blocks = 0;
+	memset(HFSPLUS_I(inode)->first_extents, 0, sizeof(hfsplus_extent_rec));
+	memset(HFSPLUS_I(inode)->cached_extents, 0, sizeof(hfsplus_extent_rec));
 	HFSPLUS_I(inode)->extent_state = 0;
+	mutex_init(&HFSPLUS_I(inode)->extents_lock);
 	HFSPLUS_I(inode)->rsrc_inode = NULL;
-	atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
+	HFSPLUS_I(inode)->create_date = 0;
+	HFSPLUS_I(inode)->linkid = 0;
+	HFSPLUS_I(inode)->flags = 0;
+	HFSPLUS_I(inode)->fs_blocks = 0;
+	HFSPLUS_I(inode)->userflags = 0;
+	HFSPLUS_I(inode)->subfolders = 0;
+	INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
+	spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
+	HFSPLUS_I(inode)->phys_size = 0;
 
 	if (inode->i_ino >= HFSPLUS_FIRSTUSER_CNID ||
 	    inode->i_ino == HFSPLUS_ROOT_CNID) {
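Review bot: the initialization in hfsplus_iget() is now a hand-maintained list of the members of struct hfsplus_inode_info with nothing tying it to the struct definition, so the next member added to the struct can reintroduce the uninit-value read this patch fixes (here `subfolders`). A single helper shared by every path that sets up a fresh hfsplus_inode_info, or a comment at the struct saying this list must be updated with it, would make that harder to miss. `cached_start = U32_MAX` is the only non-zero default in the block and deserves a short comment on why it differs from the rest.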
-- 
2.51.0





* [PATCH 5.4 178/224] dlm: check for defined force value in dlm_lockspace_release
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (176 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 177/224] hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat() Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 179/224] hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits() Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexander Aring, David Teigland,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Aring <aahringo@redhat.com>

[ Upstream commit 6af515c9f3ccec3eb8a262ca86bef2c499d07951 ]

Force values over 3 are undefined, so don't treat them as 3.

Signed-off-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/dlm/lockspace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
index c689359ca532b..9030e0e5927cb 100644
--- a/fs/dlm/lockspace.c
+++ b/fs/dlm/lockspace.c
@@ -793,7 +793,7 @@ static int release_lockspace(struct dlm_ls *ls, int force)
 
 	dlm_device_deregister(ls);
 
-	if (force < 3 && dlm_user_daemon_available())
+	if (force != 3 && dlm_user_daemon_available())
 		do_uevent(ls, 0);
 
 	dlm_recoverd_stop(ls);
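Review bot: changing `force < 3` to `force != 3` means an undefined force value (anything above 3, or a negative one, since `force` is an int) now takes the same branch as 0, 1 and 2 and calls do_uevent(ls, 0) when the user daemon is available. The commit message says such values are undefined, but nothing in this hunk rejects them; they are handled like the low values instead of like 3. If undefined values should not be acted on at all, validate `force` where it enters and return -EINVAL, and say so in a comment next to this test.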
-- 
2.51.0





* [PATCH 5.4 179/224] hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (177 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 178/224] dlm: check for defined force value in dlm_lockspace_release Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 180/224] hfsplus: return EIO when type of hidden directory mismatch in hfsplus_fill_super() Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot, Viacheslav Dubeyko,
	John Paul Adrian Glaubitz, Yangtao Li, linux-fsdevel, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Viacheslav Dubeyko <slava@dubeyko.com>

[ Upstream commit 2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd ]

The syzbot reported issue in hfs_find_set_zero_bits():

=====================================================
BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
 hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
 hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151
 hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408
 hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353
 __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151
 block_write_begin fs/buffer.c:2262 [inline]
 cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601
 hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
 cont_expand_zero fs/buffer.c:2528 [inline]
 cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591
 hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
 hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494
 hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654
 notify_change+0x1993/0x1aa0 fs/attr.c:552
 do_truncate+0x28f/0x310 fs/open.c:68
 do_ftruncate+0x698/0x730 fs/open.c:195
 do_sys_ftruncate fs/open.c:210 [inline]
 __do_sys_ftruncate fs/open.c:215 [inline]
 __se_sys_ftruncate fs/open.c:213 [inline]
 __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213
 x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4154 [inline]
 slab_alloc_node mm/slub.c:4197 [inline]
 __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354
 kmalloc_noprof include/linux/slab.h:905 [inline]
 hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175
 hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337
 get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681
 get_tree_bdev+0x38/0x50 fs/super.c:1704
 hfs_get_tree+0x35/0x40 fs/hfs/super.c:388
 vfs_get_tree+0xb0/0x5c0 fs/super.c:1804
 do_new_mount+0x738/0x1610 fs/namespace.c:3902
 path_mount+0x6db/0x1e90 fs/namespace.c:4226
 do_mount fs/namespace.c:4239 [inline]
 __do_sys_mount fs/namespace.c:4450 [inline]
 __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427
 __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427
 x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
=====================================================

The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():

HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);

Finally, it can trigger the reported issue because kmalloc()
doesn't clear the allocated memory. If allocated memory contains
only zeros, then everything will work pretty fine.
But if the allocated memory contains the "garbage", then
it can affect the bitmap operations and it triggers
the reported issue.

This patch simply exchanges the kmalloc() on kzalloc()
with the goal to guarantee the correctness of bitmap operations.
Because, newly created allocation bitmap should have all
available blocks free. Potentially, initialization bitmap's read
operation could not fill the whole allocated memory and
"garbage" in the not initialized memory will be the reason of
volume corruptions and file system driver bugs.

Reported-by: syzbot <syzbot+773fa9d79b29bd8b6831@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=773fa9d79b29bd8b6831
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
cc: Yangtao Li <frank.li@vivo.com>
cc: linux-fsdevel@vger.kernel.org
Link: https://lore.kernel.org/r/20250820230636.179085-1-slava@dubeyko.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/hfs/mdb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c
index 460281b1299eb..8036445672c5f 100644
--- a/fs/hfs/mdb.c
+++ b/fs/hfs/mdb.c
@@ -166,7 +166,7 @@ int hfs_mdb_get(struct super_block *sb)
 		pr_warn("continuing without an alternate MDB\n");
 	}
 
-	HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);
+	HFS_SB(sb)->bitmap = kzalloc(8192, GFP_KERNEL);
 	if (!HFS_SB(sb)->bitmap)
 		goto out;
 
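Review bot: kzalloc() removes the uninitialized read, but it also decides what the unread part of the bitmap means. The commit message notes that the bitmap read may not fill the whole 8192-byte buffer and that a new bitmap should show all blocks free, so after this change any bits the read did not cover are reported as free blocks. It is worth checking (and logging or failing the mount) when the read covers fewer bits than the volume needs, rather than letting the allocator hand those blocks out. The bare 8192 would also read better as a named constant.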
-- 
2.51.0





* [PATCH 5.4 180/224] hfsplus: return EIO when type of hidden directory mismatch in hfsplus_fill_super()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (178 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 179/224] hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits() Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 181/224] m68k: bitops: Fix find_*_bit() signatures Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yangtao Li, Viacheslav Dubeyko,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yangtao Li <frank.li@vivo.com>

[ Upstream commit 9282bc905f0949fab8cf86c0f620ca988761254c ]

If Catalog File contains corrupted record for the case of
hidden directory's type, regard it as I/O error instead of
Invalid argument.

Signed-off-by: Yangtao Li <frank.li@vivo.com>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/20250805165905.3390154-1-frank.li@vivo.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/hfsplus/super.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
index d744fde416804..db68ed59b4b21 100644
--- a/fs/hfsplus/super.c
+++ b/fs/hfsplus/super.c
@@ -539,7 +539,7 @@ static int hfsplus_fill_super(struct super_block *sb, void *data, int silent)
 	if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
 		hfs_find_exit(&fd);
 		if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
-			err = -EINVAL;
+			err = -EIO;
 			goto out_put_root;
 		}
 		inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id));
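Review bot: the `entry.type != cpu_to_be16(HFSPLUS_FOLDER)` branch now returns -EIO but still logs nothing, so a mount that fails on a corrupted hidden-directory record is indistinguishable from a device read error. A pr_err() naming the unexpected record type before `goto out_put_root;` would tell the administrator that the catalog record is corrupt.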
-- 
2.51.0





* [PATCH 5.4 181/224] m68k: bitops: Fix find_*_bit() signatures
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (179 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 180/224] hfsplus: return EIO when type of hidden directory mismatch in hfsplus_fill_super() Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 182/224] net: rtnetlink: remove redundant assignment to variable err Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, kernel test robot,
	Geert Uytterhoeven, Yury Norov (NVIDIA), Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert@linux-m68k.org>

[ Upstream commit 6d5674090543b89aac0c177d67e5fb32ddc53804 ]

The function signatures of the m68k-optimized implementations of the
find_{first,next}_{,zero_}bit() helpers do not match the generic
variants.

Fix this by changing all non-pointer inputs and outputs to "unsigned
long", and updating a few local variables.

Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202509092305.ncd9mzaZ-lkp@intel.com/
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Acked-by: "Yury Norov (NVIDIA)" <yury.norov@gmail.com>
Link: https://patch.msgid.link/de6919554fbb4cd1427155c6bafbac8a9df822c8.1757517135.git.geert@linux-m68k.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/m68k/include/asm/bitops.h | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/arch/m68k/include/asm/bitops.h b/arch/m68k/include/asm/bitops.h
index 10133a968c8e1..d2a9aa0485175 100644
--- a/arch/m68k/include/asm/bitops.h
+++ b/arch/m68k/include/asm/bitops.h
@@ -314,12 +314,12 @@ static inline int bfchg_mem_test_and_change_bit(int nr,
 #include <asm-generic/bitops/ffz.h>
 #else
 
-static inline int find_first_zero_bit(const unsigned long *vaddr,
-				      unsigned size)
+static inline unsigned long find_first_zero_bit(const unsigned long *vaddr,
+						unsigned long size)
 {
 	const unsigned long *p = vaddr;
-	int res = 32;
-	unsigned int words;
+	unsigned long res = 32;
+	unsigned long words;
 	unsigned long num;
 
 	if (!size)
@@ -340,8 +340,9 @@ static inline int find_first_zero_bit(const unsigned long *vaddr,
 }
 #define find_first_zero_bit find_first_zero_bit
 
-static inline int find_next_zero_bit(const unsigned long *vaddr, int size,
-				     int offset)
+static inline unsigned long find_next_zero_bit(const unsigned long *vaddr,
+					       unsigned long size,
+					       unsigned long offset)
 {
 	const unsigned long *p = vaddr + (offset >> 5);
 	int bit = offset & 31UL, res;
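Review bot: find_next_zero_bit() now takes and returns unsigned long, but the context line `int bit = offset & 31UL, res;` keeps both locals as int, so anything returned through `res` is still computed as a signed int and widened on return. find_first_zero_bit() had `res` and `words` converted in the first hunk; doing the same here (and in find_next_bit(), whose last hunk shows the identical line) would make the locals consistent with the new signature and avoid signed/unsigned mixing against `size` and `offset`.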
@@ -370,11 +371,12 @@ static inline int find_next_zero_bit(const unsigned long *vaddr, int size,
 }
 #define find_next_zero_bit find_next_zero_bit
 
-static inline int find_first_bit(const unsigned long *vaddr, unsigned size)
+static inline unsigned long find_first_bit(const unsigned long *vaddr,
+					   unsigned long size)
 {
 	const unsigned long *p = vaddr;
-	int res = 32;
-	unsigned int words;
+	unsigned long res = 32;
+	unsigned long words;
 	unsigned long num;
 
 	if (!size)
@@ -395,8 +397,9 @@ static inline int find_first_bit(const unsigned long *vaddr, unsigned size)
 }
 #define find_first_bit find_first_bit
 
-static inline int find_next_bit(const unsigned long *vaddr, int size,
-				int offset)
+static inline unsigned long find_next_bit(const unsigned long *vaddr,
+					  unsigned long size,
+					  unsigned long offset)
 {
 	const unsigned long *p = vaddr + (offset >> 5);
 	int bit = offset & 31UL, res;
-- 
2.51.0





* [PATCH 5.4 182/224] net: rtnetlink: remove redundant assignment to variable err
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (180 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 181/224] m68k: bitops: Fix find_*_bit() signatures Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 183/224] net: rtnetlink: add msg kind names Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Colin Ian King, David S. Miller,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

[ Upstream commit 7d3118016787b5c05da94b3bcdb96c9d6ff82c44 ]

The variable err is being initialized with a value that is never read
and it is being updated later with a new value. The initialization
is redundant and can be removed.

Addresses-Coverity: ("Unused value")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: bf29555f5bdc ("rtnetlink: Allow deleting FDB entries in user namespace")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/rtnetlink.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 2b7ad5cf8fbfd..f1338734c2eee 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -3823,8 +3823,8 @@ static int rtnl_fdb_del(struct sk_buff *skb, struct nlmsghdr *nlh,
 	struct ndmsg *ndm;
 	struct nlattr *tb[NDA_MAX+1];
 	struct net_device *dev;
-	int err = -EINVAL;
 	__u8 *addr;
+	int err;
 	u16 vid;
 
 	if (!netlink_capable(skb, CAP_NET_ADMIN))
-- 
2.51.0





* [PATCH 5.4 183/224] net: rtnetlink: add msg kind names
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (181 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 182/224] net: rtnetlink: remove redundant assignment to variable err Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 184/224] net: rtnetlink: add helper to extract msg types kind Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nikolay Aleksandrov, David S. Miller,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <razor@blackwall.org>

[ Upstream commit 12dc5c2cb7b269c5a1c6d02844f40bfce942a7a6 ]

Add rtnl kind names instead of using raw values. We'll need to
check for DEL kind later to validate bulk flag support.

Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: bf29555f5bdc ("rtnetlink: Allow deleting FDB entries in user namespace")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/rtnetlink.h | 7 +++++++
 net/core/rtnetlink.c    | 6 +++---
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/include/net/rtnetlink.h b/include/net/rtnetlink.h
index 5c2a73bbfabee..74eff5259b361 100644
--- a/include/net/rtnetlink.h
+++ b/include/net/rtnetlink.h
@@ -13,6 +13,13 @@ enum rtnl_link_flags {
 	RTNL_FLAG_DOIT_UNLOCKED = 1,
 };
 
+enum rtnl_kinds {
+	RTNL_KIND_NEW,
+	RTNL_KIND_DEL,
+	RTNL_KIND_GET,
+	RTNL_KIND_SET
+};
+
 void rtnl_register(int protocol, int msgtype,
 		   rtnl_doit_func, rtnl_dumpit_func, unsigned int flags);
 int rtnl_register_module(struct module *owner, int protocol, int msgtype,
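Review bot: enum rtnl_kinds relies on implicit numbering to line up with `kind = type&3` in rtnetlink_rcv_msg(), where the literal 2 is replaced by RTNL_KIND_GET in the CAP_NET_ADMIN test. That test only stays equivalent while RTNL_KIND_GET is the third enumerator. Assigning the values explicitly (RTNL_KIND_NEW = 0 through RTNL_KIND_SET = 3), or adding a comment that the order mirrors the low two bits of the message type, would stop a later reordering from silently changing which requests skip the capability check.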
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index f1338734c2eee..2cdb07dd263bd 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -5193,11 +5193,11 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
 {
 	struct net *net = sock_net(skb->sk);
 	struct rtnl_link *link;
+	enum rtnl_kinds kind;
 	struct module *owner;
 	int err = -EOPNOTSUPP;
 	rtnl_doit_func doit;
 	unsigned int flags;
-	int kind;
 	int family;
 	int type;
 
@@ -5214,11 +5214,11 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
 	family = ((struct rtgenmsg *)nlmsg_data(nlh))->rtgen_family;
 	kind = type&3;
 
-	if (kind != 2 && !netlink_net_capable(skb, CAP_NET_ADMIN))
+	if (kind != RTNL_KIND_GET && !netlink_net_capable(skb, CAP_NET_ADMIN))
 		return -EPERM;
 
 	rcu_read_lock();
-	if (kind == 2 && nlh->nlmsg_flags&NLM_F_DUMP) {
+	if (kind == RTNL_KIND_GET && (nlh->nlmsg_flags & NLM_F_DUMP)) {
 		struct sock *rtnl;
 		rtnl_dumpit_func dumpit;
 		u16 min_dump_alloc = 0;
-- 
2.51.0





* [PATCH 5.4 184/224] net: rtnetlink: add helper to extract msg types kind
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (182 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 183/224] net: rtnetlink: add msg kind names Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 185/224] net: rtnetlink: use BIT for flag values Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nikolay Aleksandrov, David S. Miller,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <razor@blackwall.org>

[ Upstream commit 2e9ea3e30f696fd438319c07836422bb0bbb4608 ]

Add a helper which extracts the msg type's kind using the kind mask (0x3).

Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: bf29555f5bdc ("rtnetlink: Allow deleting FDB entries in user namespace")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/rtnetlink.h | 6 ++++++
 net/core/rtnetlink.c    | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/include/net/rtnetlink.h b/include/net/rtnetlink.h
index 74eff5259b361..02b0636a4523d 100644
--- a/include/net/rtnetlink.h
+++ b/include/net/rtnetlink.h
@@ -19,6 +19,12 @@ enum rtnl_kinds {
 	RTNL_KIND_GET,
 	RTNL_KIND_SET
 };
+#define RTNL_KIND_MASK 0x3
+
+static inline enum rtnl_kinds rtnl_msgtype_kind(int msgtype)
+{
+	return msgtype & RTNL_KIND_MASK;
+}
 
 void rtnl_register(int protocol, int msgtype,
 		   rtnl_doit_func, rtnl_dumpit_func, unsigned int flags);
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 2cdb07dd263bd..b41f31a09a7cd 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -5212,7 +5212,7 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
 		return 0;
 
 	family = ((struct rtgenmsg *)nlmsg_data(nlh))->rtgen_family;
-	kind = type&3;
+	kind = rtnl_msgtype_kind(type);
 
 	if (kind != RTNL_KIND_GET && !netlink_net_capable(skb, CAP_NET_ADMIN))
 		return -EPERM;
-- 
2.51.0





* [PATCH 5.4 185/224] net: rtnetlink: use BIT for flag values
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (183 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 184/224] net: rtnetlink: add helper to extract msg types kind Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 186/224] net: netlink: add NLM_F_BULK delete request modifier Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nikolay Aleksandrov, David S. Miller,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <razor@blackwall.org>

[ Upstream commit 0569e31f1bc2f50613ba4c219f3ecc0d1174d841 ]

Use BIT to define flag values.

Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: bf29555f5bdc ("rtnetlink: Allow deleting FDB entries in user namespace")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/rtnetlink.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/net/rtnetlink.h b/include/net/rtnetlink.h
index 02b0636a4523d..030fc7eef7401 100644
--- a/include/net/rtnetlink.h
+++ b/include/net/rtnetlink.h
@@ -10,7 +10,7 @@ typedef int (*rtnl_doit_func)(struct sk_buff *, struct nlmsghdr *,
 typedef int (*rtnl_dumpit_func)(struct sk_buff *, struct netlink_callback *);
 
 enum rtnl_link_flags {
-	RTNL_FLAG_DOIT_UNLOCKED = 1,
+	RTNL_FLAG_DOIT_UNLOCKED = BIT(0),
 };
 
 enum rtnl_kinds {
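Review bot: BIT() is now used in the enumerator, but the patch adds no include, so include/net/rtnetlink.h relies on an indirect include for the macro. Adding an explicit include of <linux/bits.h> at the top of the header would make the dependency visible; the value itself is unchanged, since BIT(0) is 1.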
-- 
2.51.0





* [PATCH 5.4 186/224] net: netlink: add NLM_F_BULK delete request modifier
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (184 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 185/224] net: rtnetlink: use BIT for flag values Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 187/224] net: rtnetlink: add bulk delete support flag Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nikolay Aleksandrov, David S. Miller,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <razor@blackwall.org>

[ Upstream commit 545528d788556c724eeb5400757f828ef27782a8 ]

Add a new delete request modifier called NLM_F_BULK which, when
supported, would cause the request to delete multiple objects. The flag
is a convenient way to signal that a multiple delete operation is
requested which can be gradually added to different delete requests. In
order to make sure older kernels will error out if the operation is not
supported instead of doing something unintended we have to break a
required condition when implementing support for this flag, f.e. for
neighbors we will omit the mandatory mac address attribute.
Initially it will be used to add flush with filtering support for bridge
fdbs, but it also opens the door to add similar support to others.

Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: bf29555f5bdc ("rtnetlink: Allow deleting FDB entries in user namespace")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/uapi/linux/netlink.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/uapi/linux/netlink.h b/include/uapi/linux/netlink.h
index cf4e4836338f6..9ad4c47dea844 100644
--- a/include/uapi/linux/netlink.h
+++ b/include/uapi/linux/netlink.h
@@ -72,6 +72,7 @@ struct nlmsghdr {
 
 /* Modifiers to DELETE request */
 #define NLM_F_NONREC	0x100	/* Do not delete recursively	*/
+#define NLM_F_BULK	0x200	/* Delete multiple objects	*/
 
 /* Flags for ACK message */
 #define NLM_F_CAPPED	0x100	/* request was capped */
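Review bot: 0x200 is only unambiguous once the request is known to be a delete, because the modifier bits in this header are reused per message class (the context lines show NLM_F_NONREC and NLM_F_CAPPED both at 0x100). The comment on NLM_F_BULK should say that a receiver must establish the request kind before testing the bit. Since this is a uapi header, the backport should also note that 5.4 userspace will see the constant even for message types whose handler does not opt in.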
-- 
2.51.0





* [PATCH 5.4 187/224] net: rtnetlink: add bulk delete support flag
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (185 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 186/224] net: netlink: add NLM_F_BULK delete request modifier Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 188/224] net: add ndo_fdb_del_bulk Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Ahern, Nikolay Aleksandrov,
	David S. Miller, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <razor@blackwall.org>

[ Upstream commit a6cec0bcd34264be8887791594be793b3f12719f ]

Add a new rtnl flag (RTNL_FLAG_BULK_DEL_SUPPORTED) which is used to
verify that the delete operation allows bulk object deletion. Also emit
a warning if anyone tries to set it for non-delete kind.

Suggested-by: David Ahern <dsahern@kernel.org>
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: bf29555f5bdc ("rtnetlink: Allow deleting FDB entries in user namespace")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/rtnetlink.h | 3 ++-
 net/core/rtnetlink.c    | 8 ++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/include/net/rtnetlink.h b/include/net/rtnetlink.h
index 030fc7eef7401..e893b1f21913e 100644
--- a/include/net/rtnetlink.h
+++ b/include/net/rtnetlink.h
@@ -10,7 +10,8 @@ typedef int (*rtnl_doit_func)(struct sk_buff *, struct nlmsghdr *,
 typedef int (*rtnl_dumpit_func)(struct sk_buff *, struct netlink_callback *);
 
 enum rtnl_link_flags {
-	RTNL_FLAG_DOIT_UNLOCKED = BIT(0),
+	RTNL_FLAG_DOIT_UNLOCKED		= BIT(0),
+	RTNL_FLAG_BULK_DEL_SUPPORTED	= BIT(1),
 };
 
 enum rtnl_kinds {
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index b41f31a09a7cd..c4b33a2ecac26 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -214,6 +214,8 @@ static int rtnl_register_internal(struct module *owner,
 	if (dumpit)
 		link->dumpit = dumpit;
 
+	WARN_ON(rtnl_msgtype_kind(msgtype) != RTNL_KIND_DEL &&
+		(flags & RTNL_FLAG_BULK_DEL_SUPPORTED));
 	link->flags |= flags;
 
 	/* publish protocol:msgtype */
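Review bot: the WARN_ON reports RTNL_FLAG_BULK_DEL_SUPPORTED on a non-delete message type, but `link->flags |= flags;` on the next line still stores the bit. WARN_ON returns its condition, so it can guard a `flags &= ~RTNL_FLAG_BULK_DEL_SUPPORTED;` and keep a misregistered handler from carrying the flag. The receive path in the next hunk only consults it for RTNL_KIND_DEL, so this is hardening rather than a functional fix.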
@@ -5274,6 +5276,12 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
 	}
 
 	flags = link->flags;
+	if (kind == RTNL_KIND_DEL && (nlh->nlmsg_flags & NLM_F_BULK) &&
+	    !(flags & RTNL_FLAG_BULK_DEL_SUPPORTED)) {
+		NL_SET_ERR_MSG(extack, "Bulk delete is not supported");
+		goto err_unlock;
+	}
+
 	if (flags & RTNL_FLAG_DOIT_UNLOCKED) {
 		doit = link->doit;
 		rcu_read_unlock();
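Review bot: the rejection branch jumps to err_unlock without assigning an error code in this hunk, so the errno the sender receives alongside "Bulk delete is not supported" depends on code outside the visible lines. Please confirm that err_unlock on 5.4 returns -EOPNOTSUPP, or set the code explicitly before the goto. This check is what stops an NLM_F_BULK delete from reaching a doit handler that was never written to expect it, so the failure value should be unambiguous.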
-- 
2.51.0





* [PATCH 5.4 188/224] net: add ndo_fdb_del_bulk
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (186 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 187/224] net: rtnetlink: add bulk delete support flag Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 189/224] net: rtnetlink: add NLM_F_BULK support to rtnl_fdb_del Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nikolay Aleksandrov, David S. Miller,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <razor@blackwall.org>

[ Upstream commit 1306d5362a591493a2d07f685ed2cc480dcda320 ]

Add a new netdev op called ndo_fdb_del_bulk, it will be later used for
driver-specific bulk delete implementation dispatched from rtnetlink. The
first user will be the bridge, we need it to signal to rtnetlink from
the driver that we support bulk delete operation (NLM_F_BULK).

Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: bf29555f5bdc ("rtnetlink: Allow deleting FDB entries in user namespace")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/netdevice.h | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index f5c1058f565c8..037a48bc5690a 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -1158,6 +1158,10 @@ struct tlsdev_ops;
  *		      struct net_device *dev,
  *		      const unsigned char *addr, u16 vid)
  *	Deletes the FDB entry from dev coresponding to addr.
+ * int (*ndo_fdb_del_bulk)(struct ndmsg *ndm, struct nlattr *tb[],
+ *			   struct net_device *dev,
+ *			   u16 vid,
+ *			   struct netlink_ext_ack *extack);
  * int (*ndo_fdb_dump)(struct sk_buff *skb, struct netlink_callback *cb,
  *		       struct net_device *dev, struct net_device *filter_dev,
  *		       int *idx)
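Review bot: the new ndo_fdb_del_bulk entry in the kerneldoc block has a prototype but no description line, unlike ndo_fdb_del just above it. Please add one stating that the callback deletes the FDB entries on dev selected by the attributes in tb[] and by vid, that no address is passed, and which attribute validation is left to the driver.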
@@ -1396,6 +1400,11 @@ struct net_device_ops {
 					       struct net_device *dev,
 					       const unsigned char *addr,
 					       u16 vid);
+	int			(*ndo_fdb_del_bulk)(struct ndmsg *ndm,
+						    struct nlattr *tb[],
+						    struct net_device *dev,
+						    u16 vid,
+						    struct netlink_ext_ack *extack);
 	int			(*ndo_fdb_dump)(struct sk_buff *skb,
 						struct netlink_callback *cb,
 						struct net_device *dev,
-- 
2.51.0





* [PATCH 5.4 189/224] net: rtnetlink: add NLM_F_BULK support to rtnl_fdb_del
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (187 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 188/224] net: add ndo_fdb_del_bulk Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 190/224] rtnetlink: Allow deleting FDB entries in user namespace Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nikolay Aleksandrov, David S. Miller,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <razor@blackwall.org>

[ Upstream commit 9e83425993f38bb89e0ea07849ba0039a748e85b ]

When NLM_F_BULK is specified in a fdb del message we need to handle it
differently. First since this is a new call we can strictly validate the
passed attributes, at first only ifindex and vlan are allowed as these
will be the initially supported filter attributes, any other attribute
is rejected. The mac address is no longer mandatory, but we use it
to error out in older kernels because it cannot be specified with bulk
request (the attribute is not allowed) and then we have to dispatch
the call to ndo_fdb_del_bulk if the device supports it. The del bulk
callback can do further validation of the attributes if necessary.

Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: bf29555f5bdc ("rtnetlink: Allow deleting FDB entries in user namespace")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/rtnetlink.c | 67 +++++++++++++++++++++++++++++++-------------
 1 file changed, 48 insertions(+), 19 deletions(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index c4b33a2ecac26..3d3743ef4f691 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -3818,22 +3818,34 @@ int ndo_dflt_fdb_del(struct ndmsg *ndm,
 }
 EXPORT_SYMBOL(ndo_dflt_fdb_del);
 
+static const struct nla_policy fdb_del_bulk_policy[NDA_MAX + 1] = {
+	[NDA_VLAN]	= { .type = NLA_U16 },
+	[NDA_IFINDEX]	= NLA_POLICY_MIN(NLA_S32, 1),
+};
+
 static int rtnl_fdb_del(struct sk_buff *skb, struct nlmsghdr *nlh,
 			struct netlink_ext_ack *extack)
 {
+	bool del_bulk = !!(nlh->nlmsg_flags & NLM_F_BULK);
 	struct net *net = sock_net(skb->sk);
+	const struct net_device_ops *ops;
 	struct ndmsg *ndm;
 	struct nlattr *tb[NDA_MAX+1];
 	struct net_device *dev;
-	__u8 *addr;
+	__u8 *addr = NULL;
 	int err;
 	u16 vid;
 
 	if (!netlink_capable(skb, CAP_NET_ADMIN))
 		return -EPERM;
 
-	err = nlmsg_parse_deprecated(nlh, sizeof(*ndm), tb, NDA_MAX, NULL,
-				     extack);
+	if (!del_bulk) {
+		err = nlmsg_parse_deprecated(nlh, sizeof(*ndm), tb, NDA_MAX,
+					     NULL, extack);
+	} else {
+		err = nlmsg_parse(nlh, sizeof(*ndm), tb, NDA_MAX,
+				  fdb_del_bulk_policy, extack);
+	}
 	if (err < 0)
 		return err;
 
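Review bot: fdb_del_bulk_policy is the whole allow-list for bulk requests, yet nothing in the code says so, and the two parse calls differ in strictness without a comment. A short comment above the policy that attributes not listed are rejected for NLM_F_BULK (NDA_LLADDR included, which the non-bulk path requires) would make the intent reviewable. Note also that NDA_VLAN is only typed as NLA_U16 here, so its range check is left to fdb_vid_parse() further down.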
@@ -3849,9 +3861,12 @@ static int rtnl_fdb_del(struct sk_buff *skb, struct nlmsghdr *nlh,
 		return -ENODEV;
 	}
 
-	if (!tb[NDA_LLADDR] || nla_len(tb[NDA_LLADDR]) != ETH_ALEN) {
-		NL_SET_ERR_MSG(extack, "invalid address");
-		return -EINVAL;
+	if (!del_bulk) {
+		if (!tb[NDA_LLADDR] || nla_len(tb[NDA_LLADDR]) != ETH_ALEN) {
+			NL_SET_ERR_MSG(extack, "invalid address");
+			return -EINVAL;
+		}
+		addr = nla_data(tb[NDA_LLADDR]);
 	}
 
 	if (dev->type != ARPHRD_ETHER) {
@@ -3859,8 +3874,6 @@ static int rtnl_fdb_del(struct sk_buff *skb, struct nlmsghdr *nlh,
 		return -EINVAL;
 	}
 
-	addr = nla_data(tb[NDA_LLADDR]);
-
 	err = fdb_vid_parse(tb[NDA_VLAN], &vid, extack);
 	if (err)
 		return err;
@@ -3871,10 +3884,16 @@ static int rtnl_fdb_del(struct sk_buff *skb, struct nlmsghdr *nlh,
 	if ((!ndm->ndm_flags || ndm->ndm_flags & NTF_MASTER) &&
 	    netif_is_bridge_port(dev)) {
 		struct net_device *br_dev = netdev_master_upper_dev_get(dev);
-		const struct net_device_ops *ops = br_dev->netdev_ops;
 
-		if (ops->ndo_fdb_del)
-			err = ops->ndo_fdb_del(ndm, tb, dev, addr, vid);
+		ops = br_dev->netdev_ops;
+		if (!del_bulk) {
+			if (ops->ndo_fdb_del)
+				err = ops->ndo_fdb_del(ndm, tb, dev, addr, vid);
+		} else {
+			if (ops->ndo_fdb_del_bulk)
+				err = ops->ndo_fdb_del_bulk(ndm, tb, dev, vid,
+							    extack);
+		}
 
 		if (err)
 			goto out;
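Review bot: in the bulk branch of the NTF_MASTER block, err is left untouched when the bridge device has no ndo_fdb_del_bulk, and its value on entry is not set anywhere in this hunk. The NTF_SELF block in the next hunk assigns -EOPNOTSUPP before testing the op. Doing the same here, or confirming that err is initialised to -EOPNOTSUPP before this block on 5.4, prevents a bulk delete on a master without the callback from passing the `if (err)` test as a success.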
@@ -3884,15 +3903,24 @@ static int rtnl_fdb_del(struct sk_buff *skb, struct nlmsghdr *nlh,
 
 	/* Embedded bridge, macvlan, and any other device support */
 	if (ndm->ndm_flags & NTF_SELF) {
-		if (dev->netdev_ops->ndo_fdb_del)
-			err = dev->netdev_ops->ndo_fdb_del(ndm, tb, dev, addr,
-							   vid);
-		else
-			err = ndo_dflt_fdb_del(ndm, tb, dev, addr, vid);
+		ops = dev->netdev_ops;
+		if (!del_bulk) {
+			if (ops->ndo_fdb_del)
+				err = ops->ndo_fdb_del(ndm, tb, dev, addr, vid);
+			else
+				err = ndo_dflt_fdb_del(ndm, tb, dev, addr, vid);
+		} else {
+			/* in case err was cleared by NTF_MASTER call */
+			err = -EOPNOTSUPP;
+			if (ops->ndo_fdb_del_bulk)
+				err = ops->ndo_fdb_del_bulk(ndm, tb, dev, vid,
+							    extack);
+		}
 
 		if (!err) {
-			rtnl_fdb_notify(dev, addr, vid, RTM_DELNEIGH,
-					ndm->ndm_state);
+			if (!del_bulk)
+				rtnl_fdb_notify(dev, addr, vid, RTM_DELNEIGH,
+						ndm->ndm_state);
 			ndm->ndm_flags &= ~NTF_SELF;
 		}
 	}
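Review bot: on success the bulk path skips rtnl_fdb_notify(), so RTM_DELNEIGH notifications for the removed entries exist only if the driver's ndo_fdb_del_bulk sends them itself. That contract is not written down anywhere in the visible lines; a comment at the `if (!del_bulk)` guard, or in the ndo_fdb_del_bulk documentation, should say that the callback owns notification, and that addr is NULL for bulk requests.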
@@ -5407,7 +5435,8 @@ void __init rtnetlink_init(void)
 	rtnl_register(PF_UNSPEC, RTM_GETNETCONF, NULL, rtnl_dump_all, 0);
 
 	rtnl_register(PF_BRIDGE, RTM_NEWNEIGH, rtnl_fdb_add, NULL, 0);
-	rtnl_register(PF_BRIDGE, RTM_DELNEIGH, rtnl_fdb_del, NULL, 0);
+	rtnl_register(PF_BRIDGE, RTM_DELNEIGH, rtnl_fdb_del, NULL,
+		      RTNL_FLAG_BULK_DEL_SUPPORTED);
 	rtnl_register(PF_BRIDGE, RTM_GETNEIGH, rtnl_fdb_get, rtnl_fdb_dump, 0);
 
 	rtnl_register(PF_BRIDGE, RTM_GETLINK, NULL, rtnl_bridge_getlink, 0);
-- 
2.51.0





* [PATCH 5.4 190/224] rtnetlink: Allow deleting FDB entries in user namespace
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (188 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 189/224] net: rtnetlink: add NLM_F_BULK support to rtnl_fdb_del Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 191/224] net: enetc: correct the value of ENETC_RXB_TRUESIZE Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Weiß, Harshal Gohel,
	Johannes Wiesböck, Ido Schimmel, Nikolay Aleksandrov,
	Jakub Kicinski, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Wiesböck <johannes.wiesboeck@aisec.fraunhofer.de>

[ Upstream commit bf29555f5bdc017bac22ca66fcb6c9f46ec8788f ]

Creating FDB entries is possible from a non-initial user namespace when
having CAP_NET_ADMIN, yet, when deleting FDB entries, processes receive
an EPERM because the capability is always checked against the initial
user namespace. This restricts the FDB management from unprivileged
containers.

Drop the netlink_capable check in rtnl_fdb_del as it was originally
dropped in c5c351088ae7 and reintroduced in 1690be63a27b without
intention.

This patch was tested using a container on GyroidOS, where it was
possible to delete FDB entries from an unprivileged user namespace and
private network namespace.

Fixes: 1690be63a27b ("bridge: Add vlan support to static neighbors")
Reviewed-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Tested-by: Harshal Gohel <hg@simonwunderlich.de>
Signed-off-by: Johannes Wiesböck <johannes.wiesboeck@aisec.fraunhofer.de>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20251015201548.319871-1-johannes.wiesboeck@aisec.fraunhofer.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/rtnetlink.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 3d3743ef4f691..342b92afd1219 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -3836,9 +3836,6 @@ static int rtnl_fdb_del(struct sk_buff *skb, struct nlmsghdr *nlh,
 	int err;
 	u16 vid;
 
-	if (!netlink_capable(skb, CAP_NET_ADMIN))
-		return -EPERM;
-
 	if (!del_bulk) {
 		err = nlmsg_parse_deprecated(nlh, sizeof(*ndm), tb, NDA_MAX,
 					     NULL, extack);
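Review bot: with netlink_capable() removed, rtnl_fdb_del() has no capability check of its own, and the `if (!del_bulk)` context line shows that this applies to the NLM_F_BULK branch as well as to single-entry deletes. The changelog should name the check that still gates this path (elsewhere in this series rtnetlink_rcv_msg() requires netlink_net_capable(skb, CAP_NET_ADMIN) for every non-GET kind) and state that bulk deletion is covered by the same relaxation. That makes it clear to backport reviewers that the privilege boundary moved from the initial user namespace to the one owning the network namespace, rather than disappearing.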
-- 
2.51.0





* [PATCH 5.4 191/224] net: enetc: correct the value of ENETC_RXB_TRUESIZE
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (189 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 190/224] rtnetlink: Allow deleting FDB entries in user namespace Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 192/224] arm64, mm: avoid always making PTE dirty in pte_mkwrite() Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Wei Fang, Claudiu Manoil,
	Jakub Kicinski, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wei Fang <wei.fang@nxp.com>

[ Upstream commit e59bc32df2e989f034623a580e30a2a72af33b3f ]

The ENETC RX ring uses the page halves flipping mechanism, each page is
split into two halves for the RX ring to use. And ENETC_RXB_TRUESIZE is
defined to 2048 to indicate the size of half a page. However, the page
size is configurable, for ARM64 platform, PAGE_SIZE is default to 4K,
but it could be configured to 16K or 64K.

When PAGE_SIZE is set to 16K or 64K, ENETC_RXB_TRUESIZE is not correct,
and the RX ring will always use the first half of the page. This is not
consistent with the description in the relevant kernel doc and commit
messages.

This issue is invisible in most cases, but if users want to increase
PAGE_SIZE to receive a Jumbo frame with a single buffer for some use
cases, it will not work as expected, because the buffer size of each
RX BD is fixed to 2048 bytes.

Based on the above two points, we expect to correct ENETC_RXB_TRUESIZE
to (PAGE_SIZE >> 1), as described in the comment.

Fixes: d4fd0404c1c9 ("enetc: Introduce basic PF and VF ENETC ethernet drivers")
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Reviewed-by: Claudiu Manoil <claudiu.manoil@nxp.com>
Link: https://patch.msgid.link/20251016080131.3127122-1-wei.fang@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/freescale/enetc/enetc.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/freescale/enetc/enetc.h b/drivers/net/ethernet/freescale/enetc/enetc.h
index b8801a2b6a025..6203d117d0d2c 100644
--- a/drivers/net/ethernet/freescale/enetc/enetc.h
+++ b/drivers/net/ethernet/freescale/enetc/enetc.h
@@ -27,7 +27,7 @@ struct enetc_tx_swbd {
 };
 
 #define ENETC_RX_MAXFRM_SIZE	ENETC_MAC_MAXFRM_SIZE
-#define ENETC_RXB_TRUESIZE	2048 /* PAGE_SIZE >> 1 */
+#define ENETC_RXB_TRUESIZE	(PAGE_SIZE >> 1)
 #define ENETC_RXB_PAD		NET_SKB_PAD /* add extra space if needed */
 #define ENETC_RXB_DMA_SIZE	\
 	(SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - ENETC_RXB_PAD)
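Review bot: ENETC_RXB_DMA_SIZE in the context lines is derived from ENETC_RXB_TRUESIZE, so the per-buffer DMA length now scales with PAGE_SIZE (half of a 16K or 64K page) instead of staying near 2048. Please confirm that every consumer of these two macros, in particular any register field or 16-bit variable that holds the RX buffer size, can represent the larger value; the changelog does not mention size limits.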
-- 
2.51.0





* [PATCH 5.4 192/224] arm64, mm: avoid always making PTE dirty in pte_mkwrite()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (190 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 191/224] net: enetc: correct the value of ENETC_RXB_TRUESIZE Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 193/224] sctp: avoid NULL dereference when chunk data buffer is missing Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Huang Ying, Will Deacon,
	Anshuman Khandual, Ryan Roberts, Gavin Shan, Ard Biesheuvel,
	Matthew Wilcox (Oracle), Yicong Yang, linux-arm-kernel,
	linux-kernel, Catalin Marinas, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Huang Ying <ying.huang@linux.alibaba.com>

[ Upstream commit 143937ca51cc6ae2fccc61a1cb916abb24cd34f5 ]

Current pte_mkwrite_novma() makes PTE dirty unconditionally.  This may
mark some pages that are never written dirty wrongly.  For example,
do_swap_page() may map the exclusive pages with writable and clean PTEs
if the VMA is writable and the page fault is for read access.
However, current pte_mkwrite_novma() implementation always dirties the
PTE.  This may cause unnecessary disk writing if the pages are
never written before being reclaimed.

So, change pte_mkwrite_novma() to clear the PTE_RDONLY bit only if the
PTE_DIRTY bit is set to make it possible to make the PTE writable and
clean.

The current behavior was introduced in commit 73e86cb03cf2 ("arm64:
Move PTE_RDONLY bit handling out of set_pte_at()").  Before that,
pte_mkwrite() only sets the PTE_WRITE bit, while set_pte_at() only
clears the PTE_RDONLY bit if both the PTE_WRITE and the PTE_DIRTY bits
are set.

To test the performance impact of the patch, on an arm64 server
machine, run 16 redis-server processes on socket 1 and 16
memtier_benchmark processes on socket 0 with mostly get
transactions (that is, redis-server will mostly read memory only).
The memory footprint of redis-server is larger than the available
memory, so swap out/in will be triggered.  Test results show that the
patch can avoid most swapping out because the pages are mostly clean.
And the benchmark throughput improves ~23.9% in the test.

Fixes: 73e86cb03cf2 ("arm64: Move PTE_RDONLY bit handling out of set_pte_at()")
Signed-off-by: Huang Ying <ying.huang@linux.alibaba.com>
Cc: Will Deacon <will@kernel.org>
Cc: Anshuman Khandual <anshuman.khandual@arm.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Gavin Shan <gshan@redhat.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Yicong Yang <yangyicong@hisilicon.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-kernel@vger.kernel.org
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/pgtable.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h
index 709badd4475f5..a05d782dcf5e9 100644
--- a/arch/arm64/include/asm/pgtable.h
+++ b/arch/arm64/include/asm/pgtable.h
@@ -145,7 +145,8 @@ static inline pte_t set_pte_bit(pte_t pte, pgprot_t prot)
 static inline pte_t pte_mkwrite(pte_t pte)
 {
 	pte = set_pte_bit(pte, __pgprot(PTE_WRITE));
-	pte = clear_pte_bit(pte, __pgprot(PTE_RDONLY));
+	if (pte_sw_dirty(pte))
+		pte = clear_pte_bit(pte, __pgprot(PTE_RDONLY));
 	return pte;
 }
 
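Review bot: the changelog describes pte_mkwrite_novma(), but the function changed in this hunk is pte_mkwrite(); a bracketed backport note saying the 5.4 name differs would save the next reader a search. In the code, a comment above the new `if (pte_sw_dirty(pte))` stating that a PTE which is writable but not dirty intentionally keeps PTE_RDONLY would document the invariant the fix restores.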
-- 
2.51.0





* [PATCH 5.4 193/224] sctp: avoid NULL dereference when chunk data buffer is missing
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (191 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 192/224] arm64, mm: avoid always making PTE dirty in pte_mkwrite() Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 194/224] net: bonding: fix possible peer notify event loss or dup issue Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexey Simakov,
	Marcelo Ricardo Leitner, Jakub Kicinski, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Simakov <bigalex934@gmail.com>

[ Upstream commit 441f0647f7673e0e64d4910ef61a5fb8f16bfb82 ]

chunk->skb pointer is dereferenced in the if-block where it's supposed
to be NULL only.

chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list
instead and do it just before replacing chunk->skb. We're sure that
otherwise chunk->skb is non-NULL because of outer if() condition.

Fixes: 90017accff61 ("sctp: Add GSO support")
Signed-off-by: Alexey Simakov <bigalex934@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Link: https://patch.msgid.link/20251021130034.6333-1-bigalex934@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/inqueue.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
index 7182c5a450fb5..6a434d441dc70 100644
--- a/net/sctp/inqueue.c
+++ b/net/sctp/inqueue.c
@@ -163,13 +163,14 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
 				chunk->head_skb = chunk->skb;
 
 			/* skbs with "cover letter" */
-			if (chunk->head_skb && chunk->skb->data_len == chunk->skb->len)
+			if (chunk->head_skb && chunk->skb->data_len == chunk->skb->len) {
+				if (WARN_ON(!skb_shinfo(chunk->skb)->frag_list)) {
+					__SCTP_INC_STATS(dev_net(chunk->skb->dev),
+							 SCTP_MIB_IN_PKT_DISCARDS);
+					sctp_chunk_free(chunk);
+					goto next_chunk;
+				}
 				chunk->skb = skb_shinfo(chunk->skb)->frag_list;
-
-			if (WARN_ON(!chunk->skb)) {
-				__SCTP_INC_STATS(dev_net(chunk->skb->dev), SCTP_MIB_IN_PKT_DISCARDS);
-				sctp_chunk_free(chunk);
-				goto next_chunk;
 			}
 		}
 
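Review bot: the relocated check still uses WARN_ON on a condition derived from a received skb (a missing frag_list on a cover-letter skb), so every occurrence produces a full backtrace. If this state can be reached by traffic rather than only by an internal bug, WARN_ON_ONCE or a rate-limited message would be the safer choice, and hosts running with panic_on_warn would not go down on it. The discard accounting and `goto next_chunk` can stay as they are. The reordering itself is right: chunk->skb is now dereferenced for the stats update only while it is still the non-NULL head skb.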
-- 
2.51.0





* [PATCH 5.4 194/224] net: bonding: fix possible peer notify event loss or dup issue
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (192 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 193/224] sctp: avoid NULL dereference when chunk data buffer is missing Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 195/224] Revert "cpuidle: menu: Avoid discarding useful information" Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jay Vosburgh, Andrew Lunn,
	Eric Dumazet, Jakub Kicinski, Paolo Abeni, Hangbin Liu,
	Nikolay Aleksandrov, Vincent Bernat, Tonghao Zhang

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tonghao Zhang <tonghao@bamaicloud.com>

commit 10843e1492e474c02b91314963161731fa92af91 upstream.

If the send_peer_notif counter and the peer event notify are not synchronized,
it may cause problems such as the loss or dup of peer notify event.

Before this patch:
- If should_notify_peers is true and the lock for send_peer_notif-- fails, peer
  event may be sent again in next mii_monitor loop, because should_notify_peers
  is still true.
- If should_notify_peers is true and the lock for send_peer_notif-- succeeded,
  but the lock for peer event fails, the peer event will be lost.

This patch locks the RTNL for send_peer_notif, events, and commit simultaneously.

Fixes: 07a4ddec3ce9 ("bonding: add an option to specify a delay between peer notifications")
Cc: Jay Vosburgh <jv@jvosburgh.net>
Cc: Andrew Lunn <andrew+netdev@lunn.ch>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Hangbin Liu <liuhangbin@gmail.com>
Cc: Nikolay Aleksandrov <razor@blackwall.org>
Cc: Vincent Bernat <vincent@bernat.ch>
Cc: <stable@vger.kernel.org>
Signed-off-by: Tonghao Zhang <tonghao@bamaicloud.com>
Acked-by: Jay Vosburgh <jv@jvosburgh.net>
Link: https://patch.msgid.link/20251021050933.46412-1-tonghao@bamaicloud.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/bonding/bond_main.c |   40 ++++++++++++++++++----------------------
 1 file changed, 18 insertions(+), 22 deletions(-)

--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -2331,7 +2331,7 @@ static void bond_mii_monitor(struct work
 {
 	struct bonding *bond = container_of(work, struct bonding,
 					    mii_work.work);
-	bool should_notify_peers = false;
+	bool should_notify_peers;
 	bool commit;
 	unsigned long delay;
 	struct slave *slave;
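Review bot: should_notify_peers loses its initialiser here, which is safe only because the last hunk removes the read after re_arm; the early `goto re_arm` visible in the next hunk's context still reaches that label before the variable is assigned. Keeping `= false` costs nothing and protects against a later change reintroducing a use on that path.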
@@ -2343,30 +2343,33 @@ static void bond_mii_monitor(struct work
 		goto re_arm;
 
 	rcu_read_lock();
+
 	should_notify_peers = bond_should_notify_peers(bond);
 	commit = !!bond_miimon_inspect(bond);
-	if (bond->send_peer_notif) {
-		rcu_read_unlock();
-		if (rtnl_trylock()) {
-			bond->send_peer_notif--;
-			rtnl_unlock();
-		}
-	} else {
-		rcu_read_unlock();
-	}
 
-	if (commit) {
+	rcu_read_unlock();
+
+	if (commit || bond->send_peer_notif) {
 		/* Race avoidance with bond_close cancel of workqueue */
 		if (!rtnl_trylock()) {
 			delay = 1;
-			should_notify_peers = false;
 			goto re_arm;
 		}
 
-		bond_for_each_slave(bond, slave, iter) {
-			bond_commit_link_state(slave, BOND_SLAVE_NOTIFY_LATER);
+		if (commit) {
+			bond_for_each_slave(bond, slave, iter) {
+				bond_commit_link_state(slave,
+						       BOND_SLAVE_NOTIFY_LATER);
+			}
+			bond_miimon_commit(bond);
+		}
+
+		if (bond->send_peer_notif) {
+			bond->send_peer_notif--;
+			if (should_notify_peers)
+				call_netdevice_notifiers(NETDEV_NOTIFY_PEERS,
+							 bond->dev);
 		}
-		bond_miimon_commit(bond);
 
 		rtnl_unlock();	/* might sleep, hold no other locks */
 	}
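Review bot: `bond->send_peer_notif` is tested in `if (commit || bond->send_peer_notif)` before RTNL is held, and a failed rtnl_trylock() now re-arms with delay = 1 for as long as the counter is non-zero, not only when a commit is pending. The re-test under the lock makes the unlocked read harmless, but it deserves a comment or READ_ONCE(), and it is worth checking that repeated one-jiffy re-arming under RTNL contention is acceptable for the whole notification window. should_notify_peers is also sampled under RCU before the lock is taken, so the notifier call acts on a slightly older decision; a comment saying that this is intended would help.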
@@ -2374,13 +2377,6 @@ static void bond_mii_monitor(struct work
 re_arm:
 	if (bond->params.miimon)
 		queue_delayed_work(bond->wq, &bond->mii_work, delay);
-
-	if (should_notify_peers) {
-		if (!rtnl_trylock())
-			return;
-		call_netdevice_notifiers(NETDEV_NOTIFY_PEERS, bond->dev);
-		rtnl_unlock();
-	}
 }
 
 static int bond_upper_dev_walk(struct net_device *upper, void *data)




* [PATCH 5.4 195/224] Revert "cpuidle: menu: Avoid discarding useful information"
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (193 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 194/224] net: bonding: fix possible peer notify event loss or dup issue Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 196/224] MIPS: Malta: Fix keyboard resource preventing i8042 driver from registering Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Sergey Senozhatsky,
	Rafael J. Wysocki

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

commit 10fad4012234a7dea621ae17c0c9486824f645a0 upstream.

It is reported that commit 85975daeaa4d ("cpuidle: menu: Avoid discarding
useful information") led to a performance regression on Intel Jasper Lake
systems because it reduced the time spent by CPUs in idle state C7 which
is correlated to the maximum frequency the CPUs can get to because of an
average running power limit [1].

Before that commit, get_typical_interval() would have returned UINT_MAX
whenever it had been unable to make a high-confidence prediction which
had led to selecting the deepest available idle state too often and
both power and performance had been inadequate as a result of that on
some systems.  However, this had not been a problem on systems with
relatively aggressive average running power limits, like the Jasper Lake
systems in question, because on those systems it was compensated by the
ability to run CPUs faster.

It was addressed by causing get_typical_interval() to return a number
based on the recent idle duration information available to it even if it
could not make a high-confidence prediction, but that clearly did not
take the possible correlation between idle power and available CPU
capacity into account.

For this reason, revert most of the changes made by commit 85975daeaa4d,
except for one cosmetic cleanup, and add a comment explaining the
rationale for returning UINT_MAX from get_typical_interval() when it
is unable to make a high-confidence prediction.

Fixes: 85975daeaa4d ("cpuidle: menu: Avoid discarding useful information")
Closes: https://lore.kernel.org/linux-pm/36iykr223vmcfsoysexug6s274nq2oimcu55ybn6ww4il3g3cv@cohflgdbpnq7/ [1]
Reported-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/3663603.iIbC2pHGDl@rafael.j.wysocki
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/cpuidle/governors/menu.c |   21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

--- a/drivers/cpuidle/governors/menu.c
+++ b/drivers/cpuidle/governors/menu.c
@@ -258,20 +258,17 @@ again:
 	 *
 	 * This can deal with workloads that have long pauses interspersed
 	 * with sporadic activity with a bunch of short pauses.
+	 *
+	 * However, if the number of remaining samples is too small to exclude
+	 * any more outliers, allow the deepest available idle state to be
+	 * selected because there are systems where the time spent by CPUs in
+	 * deep idle states is correlated to the maximum frequency the CPUs
+	 * can get to.  On those systems, shallow idle states should be avoided
+	 * unless there is a clear indication that the given CPU is most likley
+	 * going to be woken up shortly.
 	 */
-	if (divisor * 4 <= INTERVALS * 3) {
-		/*
-		 * If there are sufficiently many data points still under
-		 * consideration after the outliers have been eliminated,
-		 * returning without a prediction would be a mistake because it
-		 * is likely that the next interval will not exceed the current
-		 * maximum, so return the latter in that case.
-		 */
-		if (divisor >= INTERVALS / 2)
-			return max;
-
+	if (divisor * 4 <= INTERVALS * 3)
 		return UINT_MAX;
-	}
 
 	thresh = max - 1;
 	goto again;
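
Review bot: The added comment block has a typo, "most likley" should read
"most likely". On substance, with the "divisor >= INTERVALS / 2" branch
gone, every exit through "divisor * 4 <= INTERVALS * 3" now returns
UINT_MAX; the comment explains the motivation, but it should also state
that UINT_MAX is the "no high-confidence prediction" value, since that is
what the rest of the governor keys on.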



* [PATCH 5.4 196/224] MIPS: Malta: Fix keyboard resource preventing i8042 driver from registering
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki, Bjorn Helgaas,
	Ilpo Järvinen, Thomas Bogendoerfer

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit bf5570590a981d0659d0808d2d4bcda21b27a2a5 upstream.

MIPS Malta platform code registers the PCI southbridge legacy port I/O
PS/2 keyboard range as a standard resource marked as busy.  It prevents
the i8042 driver from registering as it fails to claim the resource in
a call to i8042_platform_init().  Consequently PS/2 keyboard and mouse
devices cannot be used with this platform.

Fix the issue by removing the busy marker from the standard reservation,
making the driver register successfully:

  serio: i8042 KBD port at 0x60,0x64 irq 1
  serio: i8042 AUX port at 0x60,0x64 irq 12

and the resource show up as expected among the legacy devices:

  00000000-00ffffff : MSC PCI I/O
    00000000-0000001f : dma1
    00000020-00000021 : pic1
    00000040-0000005f : timer
    00000060-0000006f : keyboard
      00000060-0000006f : i8042
    00000070-00000077 : rtc0
    00000080-0000008f : dma page reg
    000000a0-000000a1 : pic2
    000000c0-000000df : dma2
    [...]

If the i8042 driver has not been configured, then the standard resource
will remain there preventing any conflicting dynamic assignment of this
PCI port I/O address range.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Acked-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/alpine.DEB.2.21.2510211919240.8377@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/mips/mti-malta/malta-setup.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/mti-malta/malta-setup.c
+++ b/arch/mips/mti-malta/malta-setup.c
@@ -48,7 +48,7 @@ static struct resource standard_io_resou
 		.name = "keyboard",
 		.start = 0x60,
 		.end = 0x6f,
-		.flags = IORESOURCE_IO | IORESOURCE_BUSY
+		.flags = IORESOURCE_IO
 	},
 	{
 		.name = "dma page reg",
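
Review bot: The "keyboard" entry is left with ".flags = IORESOURCE_IO"
and nothing in the table records why the busy marker was dropped. A
one-line comment on the entry (the range has to stay claimable by the
i8042 driver) would stop a later cleanup from adding IORESOURCE_BUSY back
and breaking PS/2 input again.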



* [PATCH 5.4 197/224] ocfs2: clear extent cache after moving/defragmenting extents
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Deepanshu Kartikey,
	syzbot+6fdd8fa3380730a4b22c, Mark Fasheh, Joseph Qi, Joel Becker,
	Junxiao Bi, Changwei Ge, Jun Piao, Andrew Morton

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Deepanshu Kartikey <kartikey406@gmail.com>

commit 78a63493f8e352296dbc7cb7b3f4973105e8679e upstream.

The extent map cache can become stale when extents are moved or
defragmented, causing subsequent operations to see outdated extent flags.
This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().

The problem occurs when:
1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED
2. ioctl(FITRIM) triggers ocfs2_move_extents()
3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2)
4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()
   which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0)
5. The extent map cache is not invalidated after the move
6. Later write() operations read stale cached flags (0x2) but disk has
   updated flags (0x0), causing a mismatch
7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers

Fix by clearing the extent map cache after each extent move/defrag
operation in __ocfs2_move_extents_range().  This ensures subsequent
operations read fresh extent data from disk.

Link: https://lore.kernel.org/all/20251009142917.517229-1-kartikey406@gmail.com/T/
Link: https://lkml.kernel.org/r/20251009154903.522339-1-kartikey406@gmail.com
Fixes: 53069d4e7695 ("Ocfs2/move_extents: move/defrag extents within a certain range.")
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reported-by: syzbot+6fdd8fa3380730a4b22c@syzkaller.appspotmail.com
Tested-by: syzbot+6fdd8fa3380730a4b22c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?id=2959889e1f6e216585ce522f7e8bc002b46ad9e7
Reviewed-by: Mark Fasheh <mark@fasheh.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ocfs2/move_extents.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/fs/ocfs2/move_extents.c
+++ b/fs/ocfs2/move_extents.c
@@ -870,6 +870,11 @@ static int __ocfs2_move_extents_range(st
 			mlog_errno(ret);
 			goto out;
 		}
+		/*
+		 * Invalidate extent cache after moving/defragging to prevent
+		 * stale cached data with outdated extent flags.
+		 */
+		ocfs2_extent_map_trunc(inode, cpos);
 
 		context->clusters_moved += alloc_size;
 next:
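
Review bot: ocfs2_extent_map_trunc(inode, cpos) is reached only on the
success path, because the error branch directly above it does "goto out".
If the move or defrag call can change on-disk extent flags and still
return an error, the cache stays stale in exactly the case this patch is
meant to close; consider invalidating on the error path as well, or state
in the comment why a failed move cannot leave modified flags behind.
Style: leave a blank line between the closing brace of the error branch
and the new comment.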



* [PATCH 5.4 198/224] net: usb: rtl8150: Fix frame padding
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michal Pecio, Simon Horman,
	Jakub Kicinski

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Pecio <michal.pecio@gmail.com>

commit 75cea9860aa6b2350d90a8d78fed114d27c7eca2 upstream.

TX frames aren't padded and unknown memory is sent into the ether.

Theoretically, it isn't even guaranteed that the extra memory exists
and can be sent out, which could cause further problems. In practice,
I found that plenty of tailroom exists in the skb itself (in my test
with ping at least) and skb_padto() easily succeeds, so use it here.

In the event of -ENOMEM drop the frame like other drivers do.

The use of one more padding byte instead of a USB zero-length packet
is retained to avoid regression. I have a dodgy Etron xHCI controller
which doesn't seem to support sending ZLPs at all.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251014203528.3f9783c4.michal.pecio@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/rtl8150.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -705,9 +705,16 @@ static netdev_tx_t rtl8150_start_xmit(st
 	rtl8150_t *dev = netdev_priv(netdev);
 	int count, res;
 
+	/* pad the frame and ensure terminating USB packet, datasheet 9.2.3 */
+	count = max(skb->len, ETH_ZLEN);
+	if (count % 64 == 0)
+		count++;
+	if (skb_padto(skb, count)) {
+		netdev->stats.tx_dropped++;
+		return NETDEV_TX_OK;
+	}
+
 	netif_stop_queue(netdev);
-	count = (skb->len < 60) ? 60 : skb->len;
-	count = (count & 0x3f) ? count : count + 1;
 	dev->tx_skb = skb;
 	usb_fill_bulk_urb(dev->tx_urb, dev->udev, usb_sndbulkpipe(dev->udev, 2),
 		      skb->data, count, write_bulk_callback, dev);
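
Review bot: "count = max(skb->len, ETH_ZLEN)" mixes an unsigned int
(skb->len) with a plain int constant and stores the result in "int count".
The max() macro in older trees such as 5.4 type-checks its arguments
strictly, so this backport should be build-tested for a "comparison of
distinct pointer types" warning; max_t(unsigned int, skb->len, ETH_ZLEN)
sidesteps it. The placement of the error return is right: bailing out
before netif_stop_queue() means a failed skb_padto() does not leave the
queue stopped.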



* [PATCH 5.4 199/224] net: ravb: Ensure memory write completes before ringing TX doorbell
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Fabrizio Castro, Lad Prabhakar,
	Niklas Söderlund, Jakub Kicinski

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>

commit 706136c5723626fcde8dd8f598a4dcd251e24927 upstream.

Add a final dma_wmb() barrier before triggering the transmit request
(TCCR_TSRQ) to ensure all descriptor and buffer writes are visible to
the DMA engine.

According to the hardware manual, a read-back operation is required
before writing to the doorbell register to guarantee completion of
previous writes. Instead of performing a dummy read, a dma_wmb() is
used to both enforce the same ordering semantics on the CPU side and
also to ensure completion of writes.

Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
Cc: stable@vger.kernel.org
Co-developed-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
Signed-off-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Link: https://patch.msgid.link/20251017151830.171062-5-prabhakar.mahadev-lad.rj@bp.renesas.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/renesas/ravb_main.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/net/ethernet/renesas/ravb_main.c
+++ b/drivers/net/ethernet/renesas/ravb_main.c
@@ -1602,6 +1602,14 @@ static netdev_tx_t ravb_start_xmit(struc
 	} else {
 		desc->die_dt = DT_FSINGLE;
 	}
+
+	/* Before ringing the doorbell we need to make sure that the latest
+	 * writes have been committed to memory, otherwise it could delay
+	 * things until the doorbell is rang again.
+	 * This is in replacement of the read operation mentioned in the HW
+	 * manuals.
+	 */
+	dma_wmb();
 	ravb_modify(ndev, TCCR, TCCR_TSRQ0 << q, TCCR_TSRQ0 << q);
 
 	priv->cur_tx[q] += num_tx_desc;
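
Review bot: The new comment says the barrier makes sure the latest writes
"have been committed to memory", but dma_wmb() is an ordering barrier for
writes to DMA-coherent memory, not a completion wait. The comment should
state what is actually relied on, namely that the descriptor writes are
ordered before the TCCR write issued by ravb_modify(), and should name the
manual section that asks for the read-back so the substitution can be
checked. Minor: "is rang again" should be "is rung again".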



* [PATCH 5.4 200/224] USB: serial: option: add UNISOC UIS7720
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Renjun Wang, Johan Hovold

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Renjun Wang <renjunw0@foxmail.com>

commit 71c07570b918f000de5d0f7f1bf17a2887e303b5 upstream.

Add support for UNISOC (Spreadtrum) UIS7720 (A7720) module.

T:  Bus=05 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  5 Spd=480 MxCh= 0
D:  Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1782 ProdID=4064 Rev=04.04
S:  Manufacturer=Unisoc-phone
S:  Product=Unisoc-phone
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 9 Cfg#= 1 Atr=c0 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host
E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 7 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E:  Ad=08(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms

0&1: RNDIS, 2: LOG, 3: DIAG, 4&5: AT Ports, 6&7: AT2 Ports, 8: ADB

Signed-off-by: Renjun Wang <renjunw0@foxmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -617,6 +617,7 @@ static void option_instat_callback(struc
 #define UNISOC_VENDOR_ID			0x1782
 /* TOZED LT70-C based on UNISOC SL8563 uses UNISOC's vendor ID */
 #define TOZED_PRODUCT_LT70C			0x4055
+#define UNISOC_PRODUCT_UIS7720			0x4064
 /* Luat Air72*U series based on UNISOC UIS8910 uses UNISOC's vendor ID */
 #define LUAT_PRODUCT_AIR720U			0x4e00
 
@@ -2466,6 +2467,7 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9291, 0xff, 0xff, 0x30) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9291, 0xff, 0xff, 0x40) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, TOZED_PRODUCT_LT70C, 0xff, 0, 0) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, UNISOC_PRODUCT_UIS7720, 0xff, 0, 0) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, LUAT_PRODUCT_AIR720U, 0xff, 0, 0) },
 	{ USB_DEVICE_INTERFACE_CLASS(0x1bbb, 0x0530, 0xff),			/* TCL IK512 MBIM */
 	  .driver_info = NCTRL(1) },
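
Review bot: The "0xff, 0, 0" match on the new UIS7720 entry binds option
to every vendor-class interface with subclass 0 and protocol 0, which per
the listing in the commit message is If# 2 to 7, including the LOG and
DIAG ports. The ADB interface (If# 8) stays unbound only because it
reports Sub=42 Prot=01. A trailing comment on the entry recording that
layout would make the dependency visible if a later firmware changes the
descriptors.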



* [PATCH 5.4 201/224] USB: serial: option: add Quectel RG255C
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Reinhard Speyerer, Johan Hovold

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Reinhard Speyerer <rspmn@arcor.de>

commit 89205c60c0fc96b73567a2e9fe27ee3f59d01193 upstream.

Add support for Quectel RG255C devices to complement commit 5c964c8a97c1
("net: usb: qmi_wwan: add Quectel RG255C").
The composition is DM / NMEA / AT / QMI.

T:  Bus=01 Lev=02 Prnt=99 Port=01 Cnt=02 Dev#=110 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=2c7c ProdID=0316 Rev= 5.15
S:  Manufacturer=Quectel
S:  Product=RG255C-GL
S:  SerialNumber=xxxxxxxx
C:* #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
E:  Ad=86(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Signed-off-by: Reinhard Speyerer <rspmn@arcor.de>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -273,6 +273,7 @@ static void option_instat_callback(struc
 #define QUECTEL_PRODUCT_EM05CN			0x0312
 #define QUECTEL_PRODUCT_EM05G_GR		0x0313
 #define QUECTEL_PRODUCT_EM05G_RS		0x0314
+#define QUECTEL_PRODUCT_RG255C			0x0316
 #define QUECTEL_PRODUCT_EM12			0x0512
 #define QUECTEL_PRODUCT_RM500Q			0x0800
 #define QUECTEL_PRODUCT_RM520N			0x0801
@@ -1271,6 +1272,9 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500K, 0xff, 0x00, 0x00) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RG650V, 0xff, 0xff, 0x30) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RG650V, 0xff, 0, 0) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RG255C, 0xff, 0xff, 0x30) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RG255C, 0xff, 0, 0) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RG255C, 0xff, 0xff, 0x40) },
 
 	{ USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) },
 	{ USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) },



* [PATCH 5.4 202/224] USB: serial: option: add Telit FN920C04 ECM compositions
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, LI Qingwu, Johan Hovold

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: LI Qingwu <Qing-wu.Li@leica-geosystems.com.cn>

commit 622865c73ae30f254abdf182f4b66cccbe3e0f10 upstream.

Add support for the Telit Cinterion FN920C04 module when operating in
ECM (Ethernet Control Model) mode. The following USB product IDs are
used by the module when AT#USBCFG is set to 3 or 7.

0x10A3: ECM + tty (NMEA) + tty (DUN) [+ tty (DIAG)]
T:  Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#=  3 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1bc7 ProdID=10a3 Rev= 5.15
S:  Manufacturer=Telit Cinterion
S:  Product=FN920
S:  SerialNumber=76e7cb38
C:* #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=06 Prot=00 Driver=cdc_ether
E:  Ad=82(I) Atr=03(Int.) MxPS=  16 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms

0x10A8: ECM + tty (DUN) + tty (AUX) [+ tty (DIAG)]
T:  Bus=03 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#=  3 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1bc7 ProdID=10a8 Rev= 5.15
S:  Manufacturer=Telit Cinterion
S:  Product=FN920
S:  SerialNumber=76e7cb38
C:* #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=06 Prot=00 Driver=cdc_ether
E:  Ad=82(I) Atr=03(Int.) MxPS=  16 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Adding these IDs allows the option driver to automatically create the
corresponding /dev/ttyUSB* ports under ECM mode.

Tested with FN920C04 under ECM configuration (USBCFG=3 and 7).

Signed-off-by: LI Qingwu <Qing-wu.Li@leica-geosystems.com.cn>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1403,10 +1403,14 @@ static const struct usb_device_id option
 	  .driver_info = RSVD(0) | NCTRL(3) },
 	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a2, 0xff),	/* Telit FN920C04 (MBIM) */
 	  .driver_info = NCTRL(4) },
+	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a3, 0xff),	/* Telit FN920C04 (ECM) */
+	  .driver_info = NCTRL(4) },
 	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a4, 0xff),	/* Telit FN20C04 (rmnet) */
 	  .driver_info = RSVD(0) | NCTRL(3) },
 	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a7, 0xff),	/* Telit FN920C04 (MBIM) */
 	  .driver_info = NCTRL(4) },
+	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a8, 0xff),	/* Telit FN920C04 (ECM) */
+	  .driver_info = NCTRL(4) },
 	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a9, 0xff),	/* Telit FN20C04 (rmnet) */
 	  .driver_info = RSVD(0) | NCTRL(2) | RSVD(3) | RSVD(4) },
 	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10aa, 0xff),	/* Telit FN920C04 (MBIM) */



* [PATCH 5.4 203/224] usb/core/quirks: Add Huawei ME906S to wakeup quirk
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Tim Guttzeit, Werner Sembach

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tim Guttzeit <t.guttzeit@tuxedocomputers.com>

commit dfc2cf4dcaa03601cd4ca0f7def88b2630fca6ab upstream.

The list of Huawei LTE modules needing the quirk fixing spurious wakeups
was missing the IDs of the Huawei ME906S module, therefore suspend did not
work.

Cc: stable <stable@kernel.org>
Signed-off-by: Tim Guttzeit <t.guttzeit@tuxedocomputers.com>
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Link: https://patch.msgid.link/20251020134304.35079-1-wse@tuxedocomputers.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/quirks.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -462,6 +462,8 @@ static const struct usb_device_id usb_qu
 	/* Huawei 4G LTE module */
 	{ USB_DEVICE(0x12d1, 0x15bb), .driver_info =
 			USB_QUIRK_DISCONNECT_SUSPEND },
+	{ USB_DEVICE(0x12d1, 0x15c1), .driver_info =
+			USB_QUIRK_DISCONNECT_SUSPEND },
 	{ USB_DEVICE(0x12d1, 0x15c3), .driver_info =
 			USB_QUIRK_DISCONNECT_SUSPEND },
 



* [PATCH 5.4 204/224] xhci: dbc: enable back DbC in resume if it was enabled before suspend
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Łukasz Bartosik,
	Mathias Nyman

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit 2bbd38fcd29670e46c0fdb9cd0e90507a8a1bf6a upstream.

DbC is currently only enabled back if it's in configured state during
suspend.

If system is suspended after DbC is enabled, but before the device is
properly enumerated by the host, then DbC would not be enabled back in
resume.

Always enable DbC back in resume if it's suspended in enabled,
connected, or configured state.

Cc: stable <stable@kernel.org>
Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver")
Tested-by: Łukasz Bartosik <ukaszb@chromium.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/xhci-dbgcap.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-dbgcap.c
+++ b/drivers/usb/host/xhci-dbgcap.c
@@ -975,8 +975,15 @@ int xhci_dbc_suspend(struct xhci_hcd *xh
 	if (!dbc)
 		return 0;
 
-	if (dbc->state == DS_CONFIGURED)
+	switch (dbc->state) {
+	case DS_ENABLED:
+	case DS_CONNECTED:
+	case DS_CONFIGURED:
 		dbc->resume_required = 1;
+		break;
+	default:
+		break;
+	}
 
 	xhci_dbc_stop(xhci);
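Review bot: in xhci_dbc_suspend() the switch reads dbc->state and sets resume_required with no lock visible in this hunk, and xhci_dbc_stop() runs only afterwards. If the DbC event path can still change the state at this point (for example DS_ENABLED moving to DS_CONNECTED, or a disconnect), the flag may be set from a stale value; please confirm state changes are quiesced here or take the lock around the read. The empty default case is fine if it only keeps the compiler quiet about unhandled enum values, but a one-line comment that the remaining states deliberately do not request resume would help.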
 




* [PATCH 5.4 205/224] binder: remove "invalid inc weak" check
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (203 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 204/224] xhci: dbc: enable back DbC in resume if it was enabled before suspend Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 206/224] comedi: fix divide-by-zero in comedi_buf_munge() Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yu-Ting Tseng, Alice Ryhl

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alice Ryhl <aliceryhl@google.com>

commit d90eeb8ecd227c204ab6c34a17b372bd950b7aa2 upstream.

There are no scenarios where a weak increment is invalid on binder_node.
The only possible case where it could be invalid is if the kernel
delivers BR_DECREFS to the process that owns the node, and then
increments the weak refcount again, effectively "reviving" a dead node.

However, that is not possible: when the BR_DECREFS command is delivered,
the kernel removes and frees the binder_node. The fact that you were
able to call binder_inc_node_nilocked() implies that the node is not yet
destroyed, which implies that BR_DECREFS has not been delivered to
userspace, so incrementing the weak refcount is valid.

Note that it's currently possible to trigger this condition if the owner
calls BINDER_THREAD_EXIT while node->has_weak_ref is true. This causes
BC_INCREFS on binder_ref instances to fail when they should not.

Cc: stable@vger.kernel.org
Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
Reported-by: Yu-Ting Tseng <yutingtseng@google.com>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20251015-binder-weak-inc-v1-1-7914b092c371@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/android/binder.c |   11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1208,17 +1208,8 @@ static int binder_inc_node_nilocked(stru
 	} else {
 		if (!internal)
 			node->local_weak_refs++;
-		if (!node->has_weak_ref && list_empty(&node->work.entry)) {
-			if (target_list == NULL) {
-				pr_err("invalid inc weak node for %d\n",
-					node->debug_id);
-				return -EINVAL;
-			}
-			/*
-			 * See comment above
-			 */
+		if (!node->has_weak_ref && target_list && list_empty(&node->work.entry))
 			binder_enqueue_work_ilocked(&node->work, target_list);
-		}
 	}
 	return 0;
 }
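Review bot: the rewritten condition in binder_inc_node_nilocked() now silently skips binder_enqueue_work_ilocked() when target_list is NULL, and the old "See comment above" pointer was dropped with the removed block, so nothing at this site explains why a NULL target_list with !node->has_weak_ref is acceptable. A short comment carrying the commit message's reasoning (the node cannot have been freed if this function is reachable) would keep a later reader from restoring the check. The new if line also runs past 80 columns; wrapping after the second && would match the surrounding style. For the record, the removed path returned -EINVAL after node->local_weak_refs++ had already run for the !internal case, so the old failure also left the count incremented.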




* [PATCH 5.4 206/224] comedi: fix divide-by-zero in comedi_buf_munge()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (204 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 205/224] binder: remove "invalid inc weak" check Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 207/224] arm64: cputype: Add Neoverse-V3AE definitions Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+f6c3c066162d2c43a66c,
	Deepanshu Kartikey, Ian Abbott

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Deepanshu Kartikey <kartikey406@gmail.com>

commit 87b318ba81dda2ee7b603f4f6c55e78ec3e95974 upstream.

The comedi_buf_munge() function performs a modulo operation
`async->munge_chan %= async->cmd.chanlist_len` without first
checking if chanlist_len is zero. If a user program submits a command with
chanlist_len set to zero, this causes a divide-by-zero error when the device
processes data in the interrupt handler path.

Add a check for zero chanlist_len at the beginning of the
function, similar to the existing checks for !map and
CMDF_RAWDATA flag. When chanlist_len is zero, update
munge_count and return early, indicating the data was
handled without munging.

This prevents potential kernel panics from malformed user commands.

Reported-by: syzbot+f6c3c066162d2c43a66c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f6c3c066162d2c43a66c
Cc: stable@vger.kernel.org
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20250924102639.1256191-1-kartikey406@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/comedi/comedi_buf.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/comedi/comedi_buf.c
+++ b/drivers/staging/comedi/comedi_buf.c
@@ -369,7 +369,7 @@ static unsigned int comedi_buf_munge(str
 	unsigned int count = 0;
 	const unsigned int num_sample_bytes = comedi_bytes_per_sample(s);
 
-	if (!s->munge || (async->cmd.flags & CMDF_RAWDATA)) {
+	if (!s->munge || (async->cmd.flags & CMDF_RAWDATA) || async->cmd.chanlist_len == 0) {
 		async->munge_count += num_bytes;
 		count = num_bytes;
 	} else {
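Review bot: the added async->cmd.chanlist_len == 0 test pushes the if line in comedi_buf_munge() well past 80 columns and carries no comment on why a zero-length channel list is handled like CMDF_RAWDATA. Please wrap the condition and add a one-line comment that it guards the modulo by chanlist_len described in the commit message. Since the commit message attributes the zero value to a command submitted from user space, it is also worth checking whether command validation should reject chanlist_len == 0 up front, so that this guard is a backstop rather than the only check.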




* [PATCH 5.4 207/224] arm64: cputype: Add Neoverse-V3AE definitions
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (205 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 206/224] comedi: fix divide-by-zero in comedi_buf_munge() Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 208/224] arm64: errata: Apply workarounds for Neoverse-V3AE Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mark Rutland, James Morse,
	Will Deacon, Catalin Marinas, Ryan Roberts

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>

commit 3bbf004c4808e2c3241e5c1ad6cc102f38a03c39 upstream.

Add cputype definitions for Neoverse-V3AE. These will be used for errata
detection in subsequent patches.

These values can be found in the Neoverse-V3AE TRM:

  https://developer.arm.com/documentation/SDEN-2615521/9-0/

... in section A.6.1 ("MIDR_EL1, Main ID Register").

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Will Deacon <will@kernel.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
[ Ryan: Trivial backport ]
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/cputype.h |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -87,6 +87,7 @@
 #define ARM_CPU_PART_NEOVERSE_V2	0xD4F
 #define ARM_CPU_PART_CORTEX_A720	0xD81
 #define ARM_CPU_PART_CORTEX_X4		0xD82
+#define ARM_CPU_PART_NEOVERSE_V3AE	0xD83
 #define ARM_CPU_PART_NEOVERSE_V3	0xD84
 #define ARM_CPU_PART_CORTEX_X925	0xD85
 #define ARM_CPU_PART_CORTEX_A725	0xD87
@@ -139,6 +140,7 @@
 #define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2)
 #define MIDR_CORTEX_A720 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A720)
 #define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4)
+#define MIDR_NEOVERSE_V3AE	MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE)
 #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3)
 #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925)
 #define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725)
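Review bot: the added MIDR_NEOVERSE_V3AE define separates the name from MIDR_CPU_MODEL(...) with a tab, while the neighbouring MIDR_CORTEX_X4 and MIDR_NEOVERSE_V3 lines use a single space. It is harmless to the build, but matching the neighbours avoids whitespace conflicts when adjacent defines are backported later. If the tab comes from the upstream commit, staying identical to upstream is the better trade-off for a stable backport and no change is needed.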




* [PATCH 5.4 208/224] arm64: errata: Apply workarounds for Neoverse-V3AE
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (206 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 207/224] arm64: cputype: Add Neoverse-V3AE definitions Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 209/224] memory: samsung: exynos-srom: Correct alignment Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mark Rutland, James Morse,
	Will Deacon, Catalin Marinas, Ryan Roberts

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>

commit 0c33aa1804d101c11ba1992504f17a42233f0e11 upstream.

Neoverse-V3AE is also affected by erratum #3312417, as described in its
Software Developer Errata Notice (SDEN) document:

  Neoverse V3AE (MP172) SDEN v9.0, erratum 3312417
  https://developer.arm.com/documentation/SDEN-2615521/9-0/

Enable the workaround for Neoverse-V3AE, and document this.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Will Deacon <will@kernel.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
[ Ryan: Trivial backport ]
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/arm64/silicon-errata.rst |    2 ++
 arch/arm64/Kconfig                     |    1 +
 arch/arm64/kernel/cpu_errata.c         |    1 +
 3 files changed, 4 insertions(+)

--- a/Documentation/arm64/silicon-errata.rst
+++ b/Documentation/arm64/silicon-errata.rst
@@ -134,6 +134,8 @@ stable kernels.
 +----------------+-----------------+-----------------+-----------------------------+
 | ARM            | Neoverse-V3     | #3312417        | ARM64_ERRATUM_3194386       |
 +----------------+-----------------+-----------------+-----------------------------+
+| ARM            | Neoverse-V3AE   | #3312417        | ARM64_ERRATUM_3194386       |
++----------------+-----------------+-----------------+-----------------------------+
 | ARM            | MMU-500         | #841119,826419  | N/A                         |
 +----------------+-----------------+-----------------+-----------------------------+
 +----------------+-----------------+-----------------+-----------------------------+
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -617,6 +617,7 @@ config ARM64_ERRATUM_3194386
 	  * ARM Neoverse-V1 erratum 3324341
 	  * ARM Neoverse V2 erratum 3324336
 	  * ARM Neoverse-V3 erratum 3312417
+	  * ARM Neoverse-V3AE erratum 3312417
 
 	  On affected cores "MSR SSBS, #0" instructions may not affect
 	  subsequent speculative instructions, which may permit unexepected
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -863,6 +863,7 @@ static const struct midr_range erratum_s
 	MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
 	MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
 	MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
+	MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE),
 	{}
 };
 #endif
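Review bot: the new MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE) entry only builds if MIDR_NEOVERSE_V3AE is defined, and that define arrives in the preceding patch of this series (207/224, the cputype definitions). The two must be queued together and in that order; dropping or reordering 207 breaks the arm64 build wherever this errata list is compiled in. The entry is correctly placed before the {} terminator.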




* [PATCH 5.4 209/224] memory: samsung: exynos-srom: Correct alignment
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (207 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 208/224] arm64: errata: Apply workarounds for Neoverse-V3AE Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 210/224] memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <krzk@kernel.org>

[ Upstream commit 90de1c75d8acd83e9a699b93153307a1e411ef3a ]

Align indentation with open parenthesis (or fix existing alignment).

Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Stable-dep-of: 6744085079e7 ("memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/memory/samsung/exynos-srom.c |   22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

--- a/drivers/memory/samsung/exynos-srom.c
+++ b/drivers/memory/samsung/exynos-srom.c
@@ -47,9 +47,9 @@ struct exynos_srom {
 	struct exynos_srom_reg_dump *reg_offset;
 };
 
-static struct exynos_srom_reg_dump *exynos_srom_alloc_reg_dump(
-		const unsigned long *rdump,
-		unsigned long nr_rdump)
+static struct exynos_srom_reg_dump *
+exynos_srom_alloc_reg_dump(const unsigned long *rdump,
+			   unsigned long nr_rdump)
 {
 	struct exynos_srom_reg_dump *rd;
 	unsigned int i;
@@ -116,7 +116,7 @@ static int exynos_srom_probe(struct plat
 	}
 
 	srom = devm_kzalloc(&pdev->dev,
-			sizeof(struct exynos_srom), GFP_KERNEL);
+			    sizeof(struct exynos_srom), GFP_KERNEL);
 	if (!srom)
 		return -ENOMEM;
 
@@ -130,7 +130,7 @@ static int exynos_srom_probe(struct plat
 	platform_set_drvdata(pdev, srom);
 
 	srom->reg_offset = exynos_srom_alloc_reg_dump(exynos_srom_offsets,
-			ARRAY_SIZE(exynos_srom_offsets));
+						      ARRAY_SIZE(exynos_srom_offsets));
 	if (!srom->reg_offset) {
 		iounmap(srom->reg_base);
 		return -ENOMEM;
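Review bot: after realignment the continuation line ARRAY_SIZE(exynos_srom_offsets)); in exynos_srom_probe() starts at the open parenthesis and ends well past 80 columns. That is the usual cost of open-parenthesis alignment with a long callee name; if line length matters here, breaking after the = instead satisfies both rules. There is no functional change in this hunk, and the iounmap() error path in the context lines is untouched.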
@@ -157,16 +157,16 @@ static int exynos_srom_probe(struct plat
 
 #ifdef CONFIG_PM_SLEEP
 static void exynos_srom_save(void __iomem *base,
-				    struct exynos_srom_reg_dump *rd,
-				    unsigned int num_regs)
+			     struct exynos_srom_reg_dump *rd,
+			     unsigned int num_regs)
 {
 	for (; num_regs > 0; --num_regs, ++rd)
 		rd->value = readl(base + rd->offset);
 }
 
 static void exynos_srom_restore(void __iomem *base,
-				      const struct exynos_srom_reg_dump *rd,
-				      unsigned int num_regs)
+				const struct exynos_srom_reg_dump *rd,
+				unsigned int num_regs)
 {
 	for (; num_regs > 0; --num_regs, ++rd)
 		writel(rd->value, base + rd->offset);
@@ -177,7 +177,7 @@ static int exynos_srom_suspend(struct de
 	struct exynos_srom *srom = dev_get_drvdata(dev);
 
 	exynos_srom_save(srom->reg_base, srom->reg_offset,
-				ARRAY_SIZE(exynos_srom_offsets));
+			 ARRAY_SIZE(exynos_srom_offsets));
 	return 0;
 }
 
@@ -186,7 +186,7 @@ static int exynos_srom_resume(struct dev
 	struct exynos_srom *srom = dev_get_drvdata(dev);
 
 	exynos_srom_restore(srom->reg_base, srom->reg_offset,
-				ARRAY_SIZE(exynos_srom_offsets));
+			    ARRAY_SIZE(exynos_srom_offsets));
 	return 0;
 }
 #endif




* [PATCH 5.4 210/224] memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (208 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 209/224] memory: samsung: exynos-srom: Correct alignment Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 211/224] spi: cadence-quadspi: Flush posted register writes before INDAC access Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhen Ni, Krzysztof Kozlowski,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhen Ni <zhen.ni@easystack.cn>

[ Upstream commit 6744085079e785dae5f7a2239456135407c58b25 ]

The of_platform_populate() call at the end of the function has a
possible failure path, causing a resource leak.

Replace of_iomap() with devm_platform_ioremap_resource() to ensure
automatic cleanup of srom->reg_base.

This issue was detected by smatch static analysis:
drivers/memory/samsung/exynos-srom.c:155 exynos_srom_probe()warn:
'srom->reg_base' from of_iomap() not released on lines: 155.

Fixes: 8ac2266d8831 ("memory: samsung: exynos-srom: Add support for bank configuration")
Cc: stable@vger.kernel.org
Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
Link: https://lore.kernel.org/r/20250806025538.306593-1-zhen.ni@easystack.cn
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/memory/samsung/exynos-srom.c |   10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

--- a/drivers/memory/samsung/exynos-srom.c
+++ b/drivers/memory/samsung/exynos-srom.c
@@ -121,20 +121,18 @@ static int exynos_srom_probe(struct plat
 		return -ENOMEM;
 
 	srom->dev = dev;
-	srom->reg_base = of_iomap(np, 0);
-	if (!srom->reg_base) {
+	srom->reg_base = devm_platform_ioremap_resource(pdev, 0);
+	if (IS_ERR(srom->reg_base)) {
 		dev_err(&pdev->dev, "iomap of exynos srom controller failed\n");
-		return -ENOMEM;
+		return PTR_ERR(srom->reg_base);
 	}
 
 	platform_set_drvdata(pdev, srom);
 
 	srom->reg_offset = exynos_srom_alloc_reg_dump(exynos_srom_offsets,
 						      ARRAY_SIZE(exynos_srom_offsets));
-	if (!srom->reg_offset) {
-		iounmap(srom->reg_base);
+	if (!srom->reg_offset)
 		return -ENOMEM;
-	}
 
 	for_each_child_of_node(np, child) {
 		if (exynos_srom_configure_bank(srom, child)) {
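Review bot: switching srom->reg_base from of_iomap() to devm_platform_ioremap_resource() changes more than cleanup, because the devm helper also requests the memory region. Probe can therefore now fail (typically with -EBUSY) if anything else on a 5.4 platform already claims that range, where of_iomap() would have succeeded; this is worth checking against the 5.4 device trees before the patch lands in stable. The error return also changes from a fixed -ENOMEM to PTR_ERR(srom->reg_base), which is more accurate, but the dev_err() text still reads "iomap of exynos srom controller failed" for every cause; including the error code in the message would help triage.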




* [PATCH 5.4 211/224] spi: cadence-quadspi: Flush posted register writes before INDAC access
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (209 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 210/224] memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 212/224] spi: cadence-quadspi: Flush posted register writes before DAC access Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pratyush Yadav, Santhosh Kumar K,
	Mark Brown, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pratyush Yadav <pratyush@kernel.org>

[ Upstream commit 29e0b471ccbd674d20d4bbddea1a51e7105212c5 ]

cqspi_indirect_read_execute() and cqspi_indirect_write_execute() first
set the enable bit on APB region and then start reading/writing to the
AHB region. On TI K3 SoCs these regions lie on different endpoints. This
means that the order of the two operations is not guaranteed, and they
might be reordered at the interconnect level.

It is possible for the AHB write to be executed before the APB write to
enable the indirect controller, causing the transaction to be invalid
and the write erroring out. Read back the APB region write before
accessing the AHB region to make sure the write got flushed and the race
condition is eliminated.

Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller")
CC: stable@vger.kernel.org
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Santhosh Kumar K <s-k6@ti.com>
Message-ID: <20250905185958.3575037-2-s-k6@ti.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
[ applied changes to drivers/mtd/spi-nor/cadence-quadspi.c instead of drivers/spi/spi-cadence-quadspi.c ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mtd/spi-nor/cadence-quadspi.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/mtd/spi-nor/cadence-quadspi.c
+++ b/drivers/mtd/spi-nor/cadence-quadspi.c
@@ -523,6 +523,7 @@ static int cqspi_indirect_read_execute(s
 	reinit_completion(&cqspi->transfer_complete);
 	writel(CQSPI_REG_INDIRECTRD_START_MASK,
 	       reg_base + CQSPI_REG_INDIRECTRD);
+	readl(reg_base + CQSPI_REG_INDIRECTRD); /* Flush posted write. */
 
 	while (remaining > 0) {
 		if (!wait_for_completion_timeout(&cqspi->transfer_complete,
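Review bot: the readl() added after the CQSPI_REG_INDIRECTRD write discards its result and is explained only as "Flush posted write.", which does not say what must not be reordered. Please expand the comment to state that the start bit must reach the controller before the AHB data accesses in the loop that follows, as the commit message describes for TI K3, so that the read-back is not later removed as dead code. The same applies to the matching readl() in cqspi_indirect_write_execute().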
@@ -633,6 +634,8 @@ static int cqspi_indirect_write_execute(
 	reinit_completion(&cqspi->transfer_complete);
 	writel(CQSPI_REG_INDIRECTWR_START_MASK,
 	       reg_base + CQSPI_REG_INDIRECTWR);
+	readl(reg_base + CQSPI_REG_INDIRECTWR); /* Flush posted write. */
+
 	/*
 	 * As per 66AK2G02 TRM SPRUHY8F section 11.15.5.3 Indirect Access
 	 * Controller programming sequence, couple of cycles of




* [PATCH 5.4 212/224] spi: cadence-quadspi: Flush posted register writes before DAC access
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (210 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 211/224] spi: cadence-quadspi: Flush posted register writes before INDAC access Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:35 ` [PATCH 5.4 213/224] ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pratyush Yadav, Santhosh Kumar K,
	Mark Brown, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pratyush Yadav <pratyush@kernel.org>

[ Upstream commit 1ad55767e77a853c98752ed1e33b68049a243bd7 ]

cqspi_read_setup() and cqspi_write_setup() program the address width as
the last step in the setup. This is likely to be immediately followed by
a DAC region read/write. On TI K3 SoCs the DAC region is on a different
endpoint from the register region. This means that the order of the two
operations is not guaranteed, and they might be reordered at the
interconnect level. It is possible that the DAC read/write goes through
before the address width update goes through. In this situation if the
previous command used a different address width the OSPI command is sent
with the wrong number of address bytes, resulting in an invalid command
and undefined behavior.

Read back the size register to make sure the write gets flushed before
accessing the DAC region.

Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller")
CC: stable@vger.kernel.org
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Santhosh Kumar K <s-k6@ti.com>
Message-ID: <20250905185958.3575037-3-s-k6@ti.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
[ backported to drivers/mtd/spi-nor ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mtd/spi-nor/cadence-quadspi.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/mtd/spi-nor/cadence-quadspi.c
+++ b/drivers/mtd/spi-nor/cadence-quadspi.c
@@ -496,6 +496,7 @@ static int cqspi_read_setup(struct spi_n
 	reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK;
 	reg |= (nor->addr_width - 1);
 	writel(reg, reg_base + CQSPI_REG_SIZE);
+	readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */
 	return 0;
 }
 
@@ -609,6 +610,7 @@ static int cqspi_write_setup(struct spi_
 	reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK;
 	reg |= (nor->addr_width - 1);
 	writel(reg, reg_base + CQSPI_REG_SIZE);
+	readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */
 	return 0;
 }
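Review bot: cqspi_write_setup() now ends with the same CQSPI_REG_SIZE write plus read-back as cqspi_read_setup(), and in both functions the flush gives the intended ordering only because the size write is the last register access before return. A small helper for the write-and-read-back pair, or a comment that the readl() must remain the final register access in the setup function, would keep a register write appended after it later from reopening the race.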
 




* [PATCH 5.4 213/224] ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (211 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 212/224] spi: cadence-quadspi: Flush posted register writes before DAC access Greg Kroah-Hartman
@ 2025-10-27 18:35 ` Greg Kroah-Hartman
  2025-10-27 18:36 ` [PATCH 5.4 214/224] drm/amdgpu: use atomic functions with memory barriers for vm fault info Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:35 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jan Kara, Darrick J. Wong,
	Theodore Tso, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

[ Upstream commit 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 ]

Unlike other strings in the ext4 superblock, we rely on tune2fs to
make sure s_mount_opts is NUL terminated.  Harden
parse_apply_sb_mount_options() by treating s_mount_opts as a potential
__nonstring.

Cc: stable@vger.kernel.org
Fixes: 8b67f04ab9de ("ext4: Add mount options in superblock")
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Message-ID: <20250916-tune2fs-v2-1-d594dc7486f0@mit.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[ applied to ext4_fill_super() instead of parse_apply_sb_mount_options() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/super.c |   10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3882,18 +3882,16 @@ static int ext4_fill_super(struct super_
 	}
 
 	if (sbi->s_es->s_mount_opts[0]) {
-		char *s_mount_opts = kstrndup(sbi->s_es->s_mount_opts,
-					      sizeof(sbi->s_es->s_mount_opts),
-					      GFP_KERNEL);
-		if (!s_mount_opts)
-			goto failed_mount;
+		char s_mount_opts[65];
+
+		strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts,
+			    sizeof(s_mount_opts));
 		if (!parse_options(s_mount_opts, sb, &journal_devnum,
 				   &journal_ioprio, 0)) {
 			ext4_msg(sb, KERN_WARNING,
 				 "failed to parse options in superblock: %s",
 				 s_mount_opts);
 		}
-		kfree(s_mount_opts);
 	}
 	sbi->s_def_mount_opt = sbi->s_mount_opt;
 	if (!parse_options((char *) data, sb, &journal_devnum,
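Review bot: the local buffer in ext4_fill_super() is sized with a bare 65, and strscpy_pad() is bounded by sizeof(s_mount_opts), the destination, whereas the removed kstrndup() call was bounded by sizeof(sbi->s_es->s_mount_opts), the source. If the on-disk field is one byte shorter than the local buffer and is not NUL terminated, which is exactly the case the commit message wants to harden against, the copy may examine one byte beyond the field. Please derive the array size from the field (sizeof(sbi->s_es->s_mount_opts) + 1) instead of a literal, and make sure the read is limited to the field's own length.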




* [PATCH 5.4 214/224] drm/amdgpu: use atomic functions with memory barriers for vm fault info
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (212 preceding siblings ...)
  2025-10-27 18:35 ` [PATCH 5.4 213/224] ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Greg Kroah-Hartman
@ 2025-10-27 18:36 ` Greg Kroah-Hartman
  2025-10-27 18:36 ` [PATCH 5.4 215/224] ext4: detect invalid INLINE_DATA + EXTENTS flag combination Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:36 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Felix Kuehling,
	Alex Deucher, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gui-Dong Han <hanguidong02@gmail.com>

[ Upstream commit 6df8e84aa6b5b1812cc2cacd6b3f5ccbb18cda2b ]

The atomic variable vm_fault_info_updated is used to synchronize access to
adev->gmc.vm_fault_info between the interrupt handler and
get_vm_fault_info().

The default atomic functions like atomic_set() and atomic_read() do not
provide memory barriers. This allows for CPU instruction reordering,
meaning the memory accesses to vm_fault_info and the vm_fault_info_updated
flag are not guaranteed to occur in the intended order. This creates a
race condition that can lead to inconsistent or stale data being used.

The previous implementation, which used an explicit mb(), was incomplete
and inefficient. It failed to account for all potential CPU reorderings,
such as the access of vm_fault_info being reordered before the atomic_read
of the flag. This approach is also more verbose and less performant than
using the proper atomic functions with acquire/release semantics.

Fix this by switching to atomic_set_release() and atomic_read_acquire().
These functions provide the necessary acquire and release semantics,
which act as memory barriers to ensure the correct order of operations.
It is also more efficient and idiomatic than using explicit full memory
barriers.

Fixes: b97dfa27ef3a ("drm/amdgpu: save vm fault information for amdkfd")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Signed-off-by: Felix Kuehling <felix.kuehling@amd.com>
Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
[ kept kgd_dev parameter and adev cast in amdgpu_amdkfd_gpuvm_get_vm_fault_info ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c |    5 ++---
 drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c            |    7 +++----
 drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c            |    7 +++----
 3 files changed, 8 insertions(+), 11 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
@@ -1572,10 +1572,9 @@ int amdgpu_amdkfd_gpuvm_get_vm_fault_inf
 	struct amdgpu_device *adev;
 
 	adev = (struct amdgpu_device *)kgd;
-	if (atomic_read(&adev->gmc.vm_fault_info_updated) == 1) {
+	if (atomic_read_acquire(&adev->gmc.vm_fault_info_updated) == 1) {
 		*mem = *adev->gmc.vm_fault_info;
-		mb();
-		atomic_set(&adev->gmc.vm_fault_info_updated, 0);
+		atomic_set_release(&adev->gmc.vm_fault_info_updated, 0);
 	}
 	return 0;
 }
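Review bot: with mb() gone, nothing in amdgpu_amdkfd_gpuvm_get_vm_fault_info() says which writer the atomic_read_acquire() pairs with. Please add a comment that it pairs with atomic_set_release(&adev->gmc.vm_fault_info_updated, 1) in the gmc interrupt handlers, and that the atomic_set_release(..., 0) here hands the buffer back only after the copy into *mem is complete. The ordering itself looks right as written: acquire before the copy, release after it.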
--- a/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c
@@ -1042,7 +1042,7 @@ static int gmc_v7_0_sw_init(void *handle
 					GFP_KERNEL);
 	if (!adev->gmc.vm_fault_info)
 		return -ENOMEM;
-	atomic_set(&adev->gmc.vm_fault_info_updated, 0);
+	atomic_set_release(&adev->gmc.vm_fault_info_updated, 0);
 
 	return 0;
 }
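Review bot: in gmc_v7_0_sw_init() the flag is initialised with atomic_set_release(), but at this point vm_fault_info has only just been allocated and, as far as this hunk shows, no fault data has been written that a reader would need to observe. A plain atomic_set() expresses initialisation more accurately and avoids suggesting a pairing that does not exist; the same applies to gmc_v8_0_sw_init(). If the release variant is kept to stay identical to upstream, a short comment saying so would do.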
@@ -1272,7 +1272,7 @@ static int gmc_v7_0_process_interrupt(st
 	vmid = REG_GET_FIELD(status, VM_CONTEXT1_PROTECTION_FAULT_STATUS,
 			     VMID);
 	if (amdgpu_amdkfd_is_kfd_vmid(adev, vmid)
-		&& !atomic_read(&adev->gmc.vm_fault_info_updated)) {
+		&& !atomic_read_acquire(&adev->gmc.vm_fault_info_updated)) {
 		struct kfd_vm_fault_info *info = adev->gmc.vm_fault_info;
 		u32 protections = REG_GET_FIELD(status,
 					VM_CONTEXT1_PROTECTION_FAULT_STATUS,
@@ -1288,8 +1288,7 @@ static int gmc_v7_0_process_interrupt(st
 		info->prot_read = protections & 0x8 ? true : false;
 		info->prot_write = protections & 0x10 ? true : false;
 		info->prot_exec = protections & 0x20 ? true : false;
-		mb();
-		atomic_set(&adev->gmc.vm_fault_info_updated, 1);
+		atomic_set_release(&adev->gmc.vm_fault_info_updated, 1);
 	}
 
 	return 0;
--- a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
@@ -1175,7 +1175,7 @@ static int gmc_v8_0_sw_init(void *handle
 					GFP_KERNEL);
 	if (!adev->gmc.vm_fault_info)
 		return -ENOMEM;
-	atomic_set(&adev->gmc.vm_fault_info_updated, 0);
+	atomic_set_release(&adev->gmc.vm_fault_info_updated, 0);
 
 	return 0;
 }
@@ -1464,7 +1464,7 @@ static int gmc_v8_0_process_interrupt(st
 	vmid = REG_GET_FIELD(status, VM_CONTEXT1_PROTECTION_FAULT_STATUS,
 			     VMID);
 	if (amdgpu_amdkfd_is_kfd_vmid(adev, vmid)
-		&& !atomic_read(&adev->gmc.vm_fault_info_updated)) {
+		&& !atomic_read_acquire(&adev->gmc.vm_fault_info_updated)) {
 		struct kfd_vm_fault_info *info = adev->gmc.vm_fault_info;
 		u32 protections = REG_GET_FIELD(status,
 					VM_CONTEXT1_PROTECTION_FAULT_STATUS,
@@ -1480,8 +1480,7 @@ static int gmc_v8_0_process_interrupt(st
 		info->prot_read = protections & 0x8 ? true : false;
 		info->prot_write = protections & 0x10 ? true : false;
 		info->prot_exec = protections & 0x20 ? true : false;
-		mb();
-		atomic_set(&adev->gmc.vm_fault_info_updated, 1);
+		atomic_set_release(&adev->gmc.vm_fault_info_updated, 1);
 	}
 
 	return 0;
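Review bot: gmc_v8_0_process_interrupt() carries the same check-fill-publish sequence as gmc_v7_0_process_interrupt(), line for line (atomic_read_acquire() guard, info->prot_* stores, atomic_set_release(..., 1)). Consider a shared helper so the ordering rules for vm_fault_info_updated live in one place and cannot drift between the two files.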




* [PATCH 5.4 215/224] ext4: detect invalid INLINE_DATA + EXTENTS flag combination
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (213 preceding siblings ...)
  2025-10-27 18:36 ` [PATCH 5.4 214/224] drm/amdgpu: use atomic functions with memory barriers for vm fault info Greg Kroah-Hartman
@ 2025-10-27 18:36 ` Greg Kroah-Hartman
  2025-10-27 18:36 ` [PATCH 5.4 216/224] jbd2: ensure that all ongoing I/O complete before freeing blocks Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:36 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Zhang Yi, Deepanshu Kartikey,
	Theodore Tso, Sasha Levin, syzbot+038b7bf43423e132b308

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Deepanshu Kartikey <kartikey406@gmail.com>

[ Upstream commit 1d3ad183943b38eec2acf72a0ae98e635dc8456b ]

syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity
file on a corrupted ext4 filesystem mounted without a journal.

The issue is that the filesystem has an inode with both the INLINE_DATA
and EXTENTS flags set:

    EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:
    comm syz.0.17: corrupted extent tree: lblk 0 < prev 66

Investigation revealed that the inode has both flags set:
    DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1

This is an invalid combination since an inode should have either:
- INLINE_DATA: data stored directly in the inode
- EXTENTS: data stored in extent-mapped blocks

Having both flags causes ext4_has_inline_data() to return true, skipping
extent tree validation in __ext4_iget(). The unvalidated out-of-order
extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer
underflow when calculating hole sizes.

Fix this by detecting this invalid flag combination early in ext4_iget()
and rejecting the corrupted inode.

Cc: stable@kernel.org
Reported-and-tested-by: syzbot+038b7bf43423e132b308@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=038b7bf43423e132b308
Suggested-by: Zhang Yi <yi.zhang@huawei.com>
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Message-ID: <20250930112810.315095-1-kartikey406@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/inode.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5077,6 +5077,14 @@ struct inode *__ext4_iget(struct super_b
 	}
 	ei->i_flags = le32_to_cpu(raw_inode->i_flags);
 	ext4_set_inode_flags(inode);
+	/* Detect invalid flag combination - can't have both inline data and extents */
+	if (ext4_test_inode_flag(inode, EXT4_INODE_INLINE_DATA) &&
+	    ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)) {
+		ext4_error_inode(inode, function, line, 0,
+			"inode has both inline data and extents flags");
+		ret = -EFSCORRUPTED;
+		goto bad_inode;
+	}
 	inode->i_blocks = ext4_inode_blocks(raw_inode, ei);
 	ei->i_file_acl = le32_to_cpu(raw_inode->i_file_acl_lo);
 	if (ext4_has_feature_64bit(sb))
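Review bot: The ext4_error_inode() call in the added block reports the conflict but not the raw flag word; logging ei->i_flags (for example "... flags (0x%x)") would let whoever triages a corrupted image see what else was set. The comment line above the check also runs past 80 columns and could be wrapped.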




* [PATCH 5.4 216/224] jbd2: ensure that all ongoing I/O complete before freeing blocks
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (214 preceding siblings ...)
  2025-10-27 18:36 ` [PATCH 5.4 215/224] ext4: detect invalid INLINE_DATA + EXTENTS flag combination Greg Kroah-Hartman
@ 2025-10-27 18:36 ` Greg Kroah-Hartman
  2025-10-27 18:36 ` [PATCH 5.4 217/224] vfs: Dont leak disconnected dentries on umount Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:36 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Jan Kara, Zhang Yi,
	Theodore Tso, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhang Yi <yi.zhang@huawei.com>

[ Upstream commit 3c652c3a71de1d30d72dc82c3bead8deb48eb749 ]

When releasing file system metadata blocks in jbd2_journal_forget(), if
this buffer has not yet been checkpointed, it may have already been
written back, currently be in the process of being written back, or not
yet have been written back.  jbd2_journal_forget() calls
jbd2_journal_try_remove_checkpoint() to check the buffer's status and
add it to the current transaction if it has not been written back. This
buffer can only be reallocated after the transaction is committed.

jbd2_journal_try_remove_checkpoint() attempts to lock the buffer and
check its dirty status while holding the buffer lock. If the buffer has
already been written back, everything proceeds normally. However, there
are two issues. First, the function returns immediately if the buffer is
locked by the write-back process. It does not wait for the write-back to
complete. Consequently, until the current transaction is committed and
the block is reallocated, there is no guarantee that the I/O will
complete. This means that ongoing I/O could write stale metadata to the
newly allocated block, potentially corrupting data. Second, the function
unlocks the buffer as soon as it detects that the buffer is still dirty.
If a concurrent write-back occurs immediately after this unlocking and
before clear_buffer_dirty() is called in jbd2_journal_forget(), data
corruption can theoretically still occur.

Although these two issues are unlikely to occur in practice since the
undergoing metadata writeback I/O does not take this long to complete,
it's better to explicitly ensure that all ongoing I/O operations are
completed.

Fixes: 597599268e3b ("jbd2: discard dirty data when forgetting an un-journalled buffer")
Cc: stable@kernel.org
Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20250916093337.3161016-2-yi.zhang@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/jbd2/transaction.c |   13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/fs/jbd2/transaction.c
+++ b/fs/jbd2/transaction.c
@@ -1550,6 +1550,7 @@ int jbd2_journal_forget (handle_t *handl
 	int drop_reserve = 0;
 	int err = 0;
 	int was_modified = 0;
+	int wait_for_writeback = 0;
 
 	if (is_handle_aborted(handle))
 		return -EROFS;
@@ -1675,18 +1676,22 @@ int jbd2_journal_forget (handle_t *handl
 		}
 
 		/*
-		 * The buffer is still not written to disk, we should
-		 * attach this buffer to current transaction so that the
-		 * buffer can be checkpointed only after the current
-		 * transaction commits.
+		 * The buffer has not yet been written to disk. We should
+		 * either clear the buffer or ensure that the ongoing I/O
+		 * is completed, and attach this buffer to current
+		 * transaction so that the buffer can be checkpointed only
+		 * after the current transaction commits.
 		 */
 		clear_buffer_dirty(bh);
+		wait_for_writeback = 1;
 		__jbd2_journal_file_buffer(jh, transaction, BJ_Forget);
 		spin_unlock(&journal->j_list_lock);
 	}
 
 	jbd_unlock_bh_state(bh);
 	__brelse(bh);
+	if (wait_for_writeback)
+		wait_on_buffer(bh);
 drop:
 	if (drop_reserve) {
 		/* no need to reserve log space for this block -bzzz */
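Review bot: wait_on_buffer(bh) is called after __brelse(bh), so the wait touches bh once this function's own reference is gone. wait_for_writeback is only set on the path that files the buffer on BJ_Forget, which presumably keeps it pinned, but that is not stated; either add a comment naming the reference that keeps bh valid across the wait or move the wait ahead of __brelse(bh).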




* [PATCH 5.4 217/224] vfs: Dont leak disconnected dentries on umount
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (215 preceding siblings ...)
  2025-10-27 18:36 ` [PATCH 5.4 216/224] jbd2: ensure that all ongoing I/O complete before freeing blocks Greg Kroah-Hartman
@ 2025-10-27 18:36 ` Greg Kroah-Hartman
  2025-10-27 18:36 ` [PATCH 5.4 218/224] NFSD: Define a proc_layoutcommit for the FlexFiles layout type Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:36 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+1d79ebe5383fc016cf07,
	Jan Kara, Christian Brauner, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

[ Upstream commit 56094ad3eaa21e6621396cc33811d8f72847a834 ]

When user calls open_by_handle_at() on some inode that is not cached, we
will create disconnected dentry for it. If such dentry is a directory,
exportfs_decode_fh_raw() will then try to connect this dentry to the
dentry tree through reconnect_path(). It may happen for various reasons
(such as corrupted fs or race with rename) that the call to
lookup_one_unlocked() in reconnect_one() will fail to find the dentry we
are trying to reconnect and instead create a new dentry under the
parent. Now this dentry will not be marked as disconnected although the
parent still may well be disconnected (at least in case this
inconsistency happened because the fs is corrupted and .. doesn't point
to the real parent directory). This creates inconsistency in
disconnected flags but AFAICS it was mostly harmless. At least until
commit f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon")
which removed adding of most disconnected dentries to sb->s_anon list.
Thus after this commit cleanup of disconnected dentries implicitly
relies on the fact that dput() will immediately reclaim such dentries.
However when some leaf dentry isn't marked as disconnected, as in the
scenario described above, the reclaim doesn't happen and the dentries
are "leaked". Memory reclaim can eventually reclaim them but otherwise
they stay in memory and if umount comes first, we hit infamous "Busy
inodes after unmount" bug. Make sure all dentries created under a
disconnected parent are marked as disconnected as well.

Reported-by: syzbot+1d79ebe5383fc016cf07@syzkaller.appspotmail.com
Fixes: f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon")
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Christian Brauner <brauner@kernel.org>
[ relocated DCACHE_DISCONNECTED propagation from d_alloc_parallel() to d_alloc() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/dcache.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1782,6 +1782,8 @@ struct dentry *d_alloc(struct dentry * p
 	__dget_dlock(parent);
 	dentry->d_parent = parent;
 	list_add(&dentry->d_child, &parent->d_subdirs);
+	if (parent->d_flags & DCACHE_DISCONNECTED)
+		dentry->d_flags |= DCACHE_DISCONNECTED;
 	spin_unlock(&parent->d_lock);
 
 	return dentry;
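Review bot: The two added lines in d_alloc() carry no comment explaining why a child inherits DCACHE_DISCONNECTED. The reason (dput() has to reclaim dentries under a disconnected parent immediately, otherwise they survive until umount) is not obvious from the code, so a one-line comment above the check would help. Reading parent->d_flags inside the parent->d_lock section is the right place for it.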




* [PATCH 5.4 218/224] NFSD: Define a proc_layoutcommit for the FlexFiles layout type
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (216 preceding siblings ...)
  2025-10-27 18:36 ` [PATCH 5.4 217/224] vfs: Dont leak disconnected dentries on umount Greg Kroah-Hartman
@ 2025-10-27 18:36 ` Greg Kroah-Hartman
  2025-10-27 18:36 ` [PATCH 5.4 219/224] KEYS: trusted_tpm1: Compare HMAC values in constant time Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:36 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Robert Morris, Thomas Haynes,
	Chuck Lever, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

[ Upstream commit 4b47a8601b71ad98833b447d465592d847b4dc77 ]

Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT
operation on a FlexFiles layout.

Reported-by: Robert Morris <rtm@csail.mit.edu>
Closes: https://lore.kernel.org/linux-nfs/152f99b2-ba35-4dec-93a9-4690e625dccd@oracle.com/T/#t
Cc: Thomas Haynes <loghyr@hammerspace.com>
Cc: stable@vger.kernel.org
Fixes: 9b9960a0ca47 ("nfsd: Add a super simple flex file server")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
[ removed struct svc_rqst parameter from nfsd4_ff_proc_layoutcommit ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfsd/flexfilelayout.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/fs/nfsd/flexfilelayout.c
+++ b/fs/nfsd/flexfilelayout.c
@@ -124,6 +124,13 @@ nfsd4_ff_proc_getdeviceinfo(struct super
 	return 0;
 }
 
+static __be32
+nfsd4_ff_proc_layoutcommit(struct inode *inode,
+		struct nfsd4_layoutcommit *lcp)
+{
+	return nfs_ok;
+}
+
 const struct nfsd4_layout_ops ff_layout_ops = {
 	.notify_types		=
 			NOTIFY_DEVICEID4_DELETE | NOTIFY_DEVICEID4_CHANGE,
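Review bot: nfsd4_ff_proc_layoutcommit() ignores both inode and lcp and returns nfs_ok with no comment explaining why a no-op is the correct LAYOUTCOMMIT behaviour for FlexFiles. A one-line comment (the callback exists so that a client-sent LAYOUTCOMMIT does not reach an unset op) would stop it being mistaken for an unfinished stub.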
@@ -132,4 +139,5 @@ const struct nfsd4_layout_ops ff_layout_
 	.encode_getdeviceinfo	= nfsd4_ff_encode_getdeviceinfo,
 	.proc_layoutget		= nfsd4_ff_proc_layoutget,
 	.encode_layoutget	= nfsd4_ff_encode_layoutget,
+	.proc_layoutcommit	= nfsd4_ff_proc_layoutcommit,
 };
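Review bot: Nothing in this change guards the caller, so a layout type that leaves .proc_layoutcommit unset would still crash the same way. A NULL check before the `ops->proc_layoutcommit(inode, lcp)` call in nfsd4_layoutcommit(), returning an error for layout types without the op, would be the more defensive fix alongside this entry.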




* [PATCH 5.4 219/224] KEYS: trusted_tpm1: Compare HMAC values in constant time
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (217 preceding siblings ...)
  2025-10-27 18:36 ` [PATCH 5.4 218/224] NFSD: Define a proc_layoutcommit for the FlexFiles layout type Greg Kroah-Hartman
@ 2025-10-27 18:36 ` Greg Kroah-Hartman
  2025-10-27 18:36 ` [PATCH 5.4 220/224] padata: Reset next CPU when reorder sequence wraps around Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:36 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Biggers, Jarkko Sakkinen,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@kernel.org>

[ Upstream commit eed0e3d305530066b4fc5370107cff8ef1a0d229 ]

To prevent timing attacks, HMAC value comparison needs to be constant
time.  Replace the memcmp() with the correct function, crypto_memneq().

[For the Fixes commit I used the commit that introduced the memcmp().
It predates the introduction of crypto_memneq(), but it was still a bug
at the time even though a helper function didn't exist yet.]

Fixes: d00a1c72f7f4 ("keys: add new trusted key-type")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
[ changed include from crypto/utils.h to crypto/algapi.h ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 security/keys/trusted.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -9,6 +9,7 @@
  */
 
 #include <crypto/hash_info.h>
+#include <crypto/algapi.h>
 #include <linux/uaccess.h>
 #include <linux/module.h>
 #include <linux/init.h>
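Review bot: <crypto/algapi.h> is inserted after <crypto/hash_info.h>, which breaks the alphabetical order of the crypto/ includes; it should go first. A trailing comment noting that it is needed for crypto_memneq() would also help when the include list is next pruned.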
@@ -248,7 +249,7 @@ int TSS_checkhmac1(unsigned char *buffer
 	if (ret < 0)
 		goto out;
 
-	if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE))
+	if (crypto_memneq(testhmac, authdata, SHA1_DIGEST_SIZE))
 		ret = -EINVAL;
 out:
 	kzfree(sdesc);
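Review bot: The crypto_memneq() call in TSS_checkhmac1() has no comment marking the comparison as deliberately constant-time, so a later cleanup could swap memcmp() back in without noticing. A brief comment above the check (for example "constant-time: authdata is compared against a computed HMAC") would protect it; the same goes for the two comparisons in TSS_checkhmac2().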
@@ -341,7 +342,7 @@ static int TSS_checkhmac2(unsigned char
 			  TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0);
 	if (ret < 0)
 		goto out;
-	if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) {
+	if (crypto_memneq(testhmac1, authdata1, SHA1_DIGEST_SIZE)) {
 		ret = -EINVAL;
 		goto out;
 	}
@@ -350,7 +351,7 @@ static int TSS_checkhmac2(unsigned char
 			  TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0);
 	if (ret < 0)
 		goto out;
-	if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE))
+	if (crypto_memneq(testhmac2, authdata2, SHA1_DIGEST_SIZE))
 		ret = -EINVAL;
 out:
 	kzfree(sdesc);



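The difference between the two comparison styles named in the commit message above, as an added user-space example that is not part of the patch or of the kernel sources. The function names, the byte counter standing in for running time, and the sample digests are all constructed for illustration.

```c
/* Added example: user-space model, not kernel code from the patch. */
#include <stddef.h>
#include <stdio.h>

#define DIGEST_SIZE 20	/* same length as SHA1_DIGEST_SIZE in the patch */

/*
 * Early-exit comparison: stops at the first differing byte, which is how
 * a typical memcmp() behaves. *examined stands in for running time.
 */
static int early_exit_neq(const unsigned char *a, const unsigned char *b,
			  size_t len, size_t *examined)
{
	size_t i;

	for (i = 0; i < len; i++) {
		if (a[i] != b[i]) {
			*examined = i + 1;
			return 1;
		}
	}
	*examined = len;
	return 0;
}

/*
 * Constant-time comparison: every byte is always processed and the
 * differences are OR-ed together, so the amount of work does not depend
 * on where the first mismatch is. Production helpers additionally stop
 * the compiler from turning the loop back into an early exit.
 */
static int ct_neq(const unsigned char *a, const unsigned char *b,
		  size_t len, size_t *examined)
{
	unsigned char diff = 0;
	size_t i;

	for (i = 0; i < len; i++)
		diff |= (unsigned char)(a[i] ^ b[i]);
	*examined = len;
	return diff != 0;
}

/*
 * Constructed sample: a fixed "expected" digest and a candidate whose
 * first `prefix` bytes are correct and whose remaining bytes are wrong.
 */
static int compare_guess(int constant_time, size_t prefix, size_t *examined)
{
	unsigned char expected[DIGEST_SIZE], guess[DIGEST_SIZE];
	size_t i;

	for (i = 0; i < DIGEST_SIZE; i++) {
		expected[i] = (unsigned char)(0xA0 + i);
		guess[i] = i < prefix ? expected[i]
				      : (unsigned char)~expected[i];
	}
	if (constant_time)
		return ct_neq(expected, guess, DIGEST_SIZE, examined);
	return early_exit_neq(expected, guess, DIGEST_SIZE, examined);
}

/* Bytes examined for a candidate with `prefix` correct leading bytes. */
static size_t bytes_examined(int constant_time, size_t prefix)
{
	size_t examined = 0;

	compare_guess(constant_time, prefix, &examined);
	return examined;
}

/* 1 if the candidate is rejected, 0 if it is accepted. */
static int guess_rejected(int constant_time, size_t prefix)
{
	size_t examined = 0;

	return compare_guess(constant_time, prefix, &examined);
}

int main(void)
{
	size_t prefix;

	printf("correct prefix | early-exit bytes | constant-time bytes\n");
	for (prefix = 0; prefix <= DIGEST_SIZE; prefix += 5)
		printf("%14zu | %16zu | %19zu\n", prefix,
		       bytes_examined(0, prefix), bytes_examined(1, prefix));
	printf("rejected with 19 correct bytes: %d, with 20: %d\n",
	       guess_rejected(1, 19), guess_rejected(1, 20));
	return 0;
}
```

The early-exit column grows with the number of correct leading bytes, which is the data-dependent behaviour the patch removes; the constant-time column stays at 20 for every input.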

* [PATCH 5.4 220/224] padata: Reset next CPU when reorder sequence wraps around
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (218 preceding siblings ...)
  2025-10-27 18:36 ` [PATCH 5.4 219/224] KEYS: trusted_tpm1: Compare HMAC values in constant time Greg Kroah-Hartman
@ 2025-10-27 18:36 ` Greg Kroah-Hartman
  2025-10-27 18:36 ` [PATCH 5.4 221/224] NFSD: Minor cleanup in layoutcommit processing Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:36 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Xiao Liang, Herbert Xu, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xiao Liang <shaw.leon@gmail.com>

[ Upstream commit 501302d5cee0d8e8ec2c4a5919c37e0df9abc99b ]

When seq_nr wraps around, the next reorder job with seq 0 is hashed to
the first CPU in padata_do_serial(). Correspondingly, we need to reset
pd->cpu to the first one when pd->processed wraps around. Otherwise, if the
number of used CPUs is not a power of 2, padata_find_next() will be
checking a wrong list, hence deadlock.

Fixes: 6fc4dbcf0276 ("padata: Replace delayed timer with immediate workqueue in padata_reorder")
Cc: <stable@vger.kernel.org>
Signed-off-by: Xiao Liang <shaw.leon@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[ moved from padata_reorder() to padata_find_next() function ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/padata.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -204,7 +204,11 @@ static struct padata_priv *padata_find_n
 		list_del_init(&padata->list);
 		atomic_dec(&pd->reorder_objects);
 		++pd->processed;
-		pd->cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false);
+		/* When sequence wraps around, reset to the first CPU. */
+		if (unlikely(pd->processed == 0))
+			pd->cpu = cpumask_first(pd->cpumask.pcpu);
+		else
+			pd->cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false);
 	}
 
 	spin_unlock(&reorder->lock);
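Review bot: The wrap test `pd->processed == 0` only lines up with the hashing done in padata_do_serial() if pd->processed has the same width as the sequence number, and the one-line comment does not say so. Please spell out that coupling in the comment so a later type change does not silently reintroduce the deadlock. The else-branch assignment also exceeds 80 columns.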



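The wrap-around mismatch described in the commit message above, as an added user-space model that is not code from kernel/padata.c. It assumes a 32-bit sequence counter, a job placed on CPU index `seq_nr % nr_cpus`, and CPUs numbered 0..nr_cpus-1; all function names are hypothetical.

```c
/* Added example: simplified user-space model, not kernel/padata.c code. */
#include <stdint.h>
#include <stdio.h>

/*
 * Assumption: a job with sequence number seq_nr is queued on the CPU with
 * index seq_nr % nr_cpus, and the sequence counter is 32 bits wide.
 */
static unsigned int job_cpu(uint32_t seq_nr, unsigned int nr_cpus)
{
	return seq_nr % nr_cpus;
}

/*
 * Advance the "next reorder list to look at" pointer after one job was
 * taken. `processed` is the counter value after its increment. The
 * patched variant resets to the first CPU when the counter wrapped to 0;
 * the unpatched variant always moves round-robin.
 */
static unsigned int next_cpu(int patched, unsigned int cpu,
			     uint32_t processed, unsigned int nr_cpus)
{
	if (patched && processed == 0)
		return 0;
	return (cpu + 1) % nr_cpus;
}

/*
 * Walk `steps` sequence numbers starting three before the wrap and count
 * how often the pointer names a different CPU than the one that holds the
 * job. In the kernel the first such lookup already stalls the reorder
 * queue; the model keeps going only to show that the pointer never
 * realigns by itself.
 */
static unsigned int wrong_list_lookups(int patched, unsigned int nr_cpus,
				       unsigned int steps)
{
	uint32_t processed = UINT32_MAX - 2;
	unsigned int cpu = job_cpu(processed, nr_cpus);
	unsigned int i, wrong = 0;

	for (i = 0; i < steps; i++) {
		if (cpu != job_cpu(processed, nr_cpus))
			wrong++;
		processed++;	/* wraps from UINT32_MAX to 0 */
		cpu = next_cpu(patched, cpu, processed, nr_cpus);
	}
	return wrong;
}

int main(void)
{
	unsigned int nr_cpus;

	printf("nr_cpus | wrong lookups (old) | wrong lookups (patched)\n");
	for (nr_cpus = 2; nr_cpus <= 5; nr_cpus++)
		printf("%7u | %19u | %23u\n", nr_cpus,
		       wrong_list_lookups(0, nr_cpus, 8),
		       wrong_list_lookups(1, nr_cpus, 8));
	return 0;
}
```

With a power-of-two CPU count the round-robin pointer and the modulo agree across the wrap because 2^32 is a multiple of the count; with 3 CPUs they disagree from sequence number 0 onward unless the pointer is reset.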

* [PATCH 5.4 221/224] NFSD: Minor cleanup in layoutcommit processing
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (219 preceding siblings ...)
  2025-10-27 18:36 ` [PATCH 5.4 220/224] padata: Reset next CPU when reorder sequence wraps around Greg Kroah-Hartman
@ 2025-10-27 18:36 ` Greg Kroah-Hartman
  2025-10-27 18:36 ` [PATCH 5.4 222/224] NFSD: Fix last write offset handling in layoutcommit Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:36 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Sergey Bashirov,
	Chuck Lever, Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sergey Bashirov <sergeybashirov@gmail.com>

[ Upstream commit 274365a51d88658fb51cca637ba579034e90a799 ]

Remove dprintk in nfsd4_layoutcommit. These are not needed
in day to day usage, and the information is also available
in Wireshark when capturing NFS traffic.

Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Stable-dep-of: d68886bae76a ("NFSD: Fix last write offset handling in layoutcommit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfsd/nfs4proc.c |   12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -1717,18 +1717,12 @@ nfsd4_layoutcommit(struct svc_rqst *rqst
 	inode = d_inode(current_fh->fh_dentry);
 
 	nfserr = nfserr_inval;
-	if (new_size <= seg->offset) {
-		dprintk("pnfsd: last write before layout segment\n");
+	if (new_size <= seg->offset)
 		goto out;
-	}
-	if (new_size > seg->offset + seg->length) {
-		dprintk("pnfsd: last write beyond layout segment\n");
+	if (new_size > seg->offset + seg->length)
 		goto out;
-	}
-	if (!lcp->lc_newoffset && new_size > i_size_read(inode)) {
-		dprintk("pnfsd: layoutcommit beyond EOF\n");
+	if (!lcp->lc_newoffset && new_size > i_size_read(inode))
 		goto out;
-	}
 
 	nfserr = nfsd4_preprocess_layout_stateid(rqstp, cstate, &lcp->lc_sid,
 						false, lcp->lc_layout_type,
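Review bot: With the three dprintk() calls gone, all three rejections return nfserr_inval and nothing on the server side tells them apart. If that distinction is ever needed without a packet capture, a tracepoint at the `goto out` sites would be the replacement; as a pure cleanup ahead of the dependent fix this is otherwise fine.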




* [PATCH 5.4 222/224] NFSD: Fix last write offset handling in layoutcommit
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (220 preceding siblings ...)
  2025-10-27 18:36 ` [PATCH 5.4 221/224] NFSD: Minor cleanup in layoutcommit processing Greg Kroah-Hartman
@ 2025-10-27 18:36 ` Greg Kroah-Hartman
  2025-10-27 18:36 ` [PATCH 5.4 223/224] media: s5p-mfc: remove an unused/uninitialized variable Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:36 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Konstantin Evtushenko,
	Sergey Bashirov, Christoph Hellwig, Jeff Layton, Chuck Lever,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sergey Bashirov <sergeybashirov@gmail.com>

[ Upstream commit d68886bae76a4b9b3484d23e5b7df086f940fa38 ]

The data type of loca_last_write_offset is newoffset4 and is switched
on a boolean value, no_newoffset, that indicates if a previous write
occurred or not. If no_newoffset is FALSE, an offset is not given.
This means that client does not try to update the file size. Thus,
server should not try to calculate new file size and check if it fits
into the segment range. See RFC 8881, section 12.5.4.2.

Sometimes the current incorrect logic may cause clients to hang when
trying to sync an inode. If layoutcommit fails, the client marks the
inode as dirty again.

Fixes: 9cf514ccfacb ("nfsd: implement pNFS operations")
Cc: stable@vger.kernel.org
Co-developed-by: Konstantin Evtushenko <koevtushenko@yandex.com>
Signed-off-by: Konstantin Evtushenko <koevtushenko@yandex.com>
Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
[ replaced inode_get_mtime() with inode->i_mtime and removed rqstp parameter from proc_layoutcommit() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfsd/blocklayout.c |    5 ++---
 fs/nfsd/nfs4proc.c    |   30 +++++++++++++++---------------
 2 files changed, 17 insertions(+), 18 deletions(-)

--- a/fs/nfsd/blocklayout.c
+++ b/fs/nfsd/blocklayout.c
@@ -120,7 +120,6 @@ static __be32
 nfsd4_block_commit_blocks(struct inode *inode, struct nfsd4_layoutcommit *lcp,
 		struct iomap *iomaps, int nr_iomaps)
 {
-	loff_t new_size = lcp->lc_last_wr + 1;
 	struct iattr iattr = { .ia_valid = 0 };
 	int error;
 
@@ -130,9 +129,9 @@ nfsd4_block_commit_blocks(struct inode *
 	iattr.ia_valid |= ATTR_ATIME | ATTR_CTIME | ATTR_MTIME;
 	iattr.ia_atime = iattr.ia_ctime = iattr.ia_mtime = lcp->lc_mtime;
 
-	if (new_size > i_size_read(inode)) {
+	if (lcp->lc_size_chg) {
 		iattr.ia_valid |= ATTR_SIZE;
-		iattr.ia_size = new_size;
+		iattr.ia_size = lcp->lc_newsize;
 	}
 
 	error = inode->i_sb->s_export_op->commit_blocks(inode, iomaps,
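Review bot: nfsd4_block_commit_blocks() trusts lcp->lc_size_chg and lcp->lc_newsize instead of deriving the size itself, so it is only correct if the caller has initialised both fields. A comment at the `if (lcp->lc_size_chg)` test saying that they are set in nfsd4_layoutcommit() would document that dependency.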
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -1701,7 +1701,6 @@ nfsd4_layoutcommit(struct svc_rqst *rqst
 	const struct nfsd4_layout_seg *seg = &lcp->lc_seg;
 	struct svc_fh *current_fh = &cstate->current_fh;
 	const struct nfsd4_layout_ops *ops;
-	loff_t new_size = lcp->lc_last_wr + 1;
 	struct inode *inode;
 	struct nfs4_layout_stateid *ls;
 	__be32 nfserr;
@@ -1716,13 +1715,21 @@ nfsd4_layoutcommit(struct svc_rqst *rqst
 		goto out;
 	inode = d_inode(current_fh->fh_dentry);
 
-	nfserr = nfserr_inval;
-	if (new_size <= seg->offset)
-		goto out;
-	if (new_size > seg->offset + seg->length)
-		goto out;
-	if (!lcp->lc_newoffset && new_size > i_size_read(inode))
-		goto out;
+	lcp->lc_size_chg = false;
+	if (lcp->lc_newoffset) {
+		loff_t new_size = lcp->lc_last_wr + 1;
+
+		nfserr = nfserr_inval;
+		if (new_size <= seg->offset)
+			goto out;
+		if (new_size > seg->offset + seg->length)
+			goto out;
+
+		if (new_size > i_size_read(inode)) {
+			lcp->lc_size_chg = true;
+			lcp->lc_newsize = new_size;
+		}
+	}
 
 	nfserr = nfsd4_preprocess_layout_stateid(rqstp, cstate, &lcp->lc_sid,
 						false, lcp->lc_layout_type,
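Review bot: Inside the new `if (lcp->lc_newoffset)` block, `lcp->lc_last_wr + 1` and `seg->offset + seg->length` are computed from request fields with no overflow guard; if those fields are full-width 64-bit values, a last-write offset or segment length near the top of the range can wrap and defeat the two range checks. Consider check_add_overflow(), or comparing against a difference instead of the sum, before new_size is used.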
@@ -1738,13 +1745,6 @@ nfsd4_layoutcommit(struct svc_rqst *rqst
 	/* LAYOUTCOMMIT does not require any serialization */
 	mutex_unlock(&ls->ls_mutex);
 
-	if (new_size > i_size_read(inode)) {
-		lcp->lc_size_chg = 1;
-		lcp->lc_newsize = new_size;
-	} else {
-		lcp->lc_size_chg = 0;
-	}
-
 	nfserr = ops->proc_layoutcommit(inode, lcp);
 	nfs4_put_stid(&ls->ls_stid);
 out:




* [PATCH 5.4 223/224] media: s5p-mfc: remove an unused/uninitialized variable
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (221 preceding siblings ...)
  2025-10-27 18:36 ` [PATCH 5.4 222/224] NFSD: Fix last write offset handling in layoutcommit Greg Kroah-Hartman
@ 2025-10-27 18:36 ` Greg Kroah-Hartman
  2025-10-27 18:36 ` [PATCH 5.4 224/224] net: rtnetlink: fix module reference count leak issue in rtnetlink_rcv_msg Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:36 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Hans Verkuil,
	Sasha Levin

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

[ Upstream commit 7fa37ba25a1dfc084e24ea9acc14bf1fad8af14c ]

The s5p_mfc_cmd_args structure in the v6 driver is never used, not
initialized to anything other than zero, but as of clang-21 this
causes a warning:

drivers/media/platform/samsung/s5p-mfc/s5p_mfc_cmd_v6.c:45:7: error: variable 'h2r_args' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer]
   45 |                                         &h2r_args);
      |                                          ^~~~~~~~

Just remove this for simplicity. Since the function is also called
through a callback, this does require adding a trivial wrapper with
the correct prototype.

Fixes: f96f3cfa0bb8 ("[media] s5p-mfc: Update MFC v4l2 driver to support MFC6.x")
Cc: stable@vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/platform/s5p-mfc/s5p_mfc_cmd_v6.c |   35 ++++++++----------------
 1 file changed, 13 insertions(+), 22 deletions(-)

--- a/drivers/media/platform/s5p-mfc/s5p_mfc_cmd_v6.c
+++ b/drivers/media/platform/s5p-mfc/s5p_mfc_cmd_v6.c
@@ -14,8 +14,7 @@
 #include "s5p_mfc_opr.h"
 #include "s5p_mfc_cmd_v6.h"
 
-static int s5p_mfc_cmd_host2risc_v6(struct s5p_mfc_dev *dev, int cmd,
-				struct s5p_mfc_cmd_args *args)
+static int s5p_mfc_cmd_host2risc_v6(struct s5p_mfc_dev *dev, int cmd)
 {
 	mfc_debug(2, "Issue the command: %d\n", cmd);
 
@@ -31,7 +30,6 @@ static int s5p_mfc_cmd_host2risc_v6(stru
 
 static int s5p_mfc_sys_init_cmd_v6(struct s5p_mfc_dev *dev)
 {
-	struct s5p_mfc_cmd_args h2r_args;
 	struct s5p_mfc_buf_size_v6 *buf_size = dev->variant->buf_size->priv;
 	int ret;
 
@@ -41,33 +39,23 @@ static int s5p_mfc_sys_init_cmd_v6(struc
 
 	mfc_write(dev, dev->ctx_buf.dma, S5P_FIMV_CONTEXT_MEM_ADDR_V6);
 	mfc_write(dev, buf_size->dev_ctx, S5P_FIMV_CONTEXT_MEM_SIZE_V6);
-	return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SYS_INIT_V6,
-					&h2r_args);
+	return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SYS_INIT_V6);
 }
 
 static int s5p_mfc_sleep_cmd_v6(struct s5p_mfc_dev *dev)
 {
-	struct s5p_mfc_cmd_args h2r_args;
-
-	memset(&h2r_args, 0, sizeof(struct s5p_mfc_cmd_args));
-	return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SLEEP_V6,
-			&h2r_args);
+	return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SLEEP_V6);
 }
 
 static int s5p_mfc_wakeup_cmd_v6(struct s5p_mfc_dev *dev)
 {
-	struct s5p_mfc_cmd_args h2r_args;
-
-	memset(&h2r_args, 0, sizeof(struct s5p_mfc_cmd_args));
-	return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_WAKEUP_V6,
-					&h2r_args);
+	return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_WAKEUP_V6);
 }
 
 /* Open a new instance and get its number */
 static int s5p_mfc_open_inst_cmd_v6(struct s5p_mfc_ctx *ctx)
 {
 	struct s5p_mfc_dev *dev = ctx->dev;
-	struct s5p_mfc_cmd_args h2r_args;
 	int codec_type;
 
 	mfc_debug(2, "Requested codec mode: %d\n", ctx->codec_mode);
@@ -129,23 +117,20 @@ static int s5p_mfc_open_inst_cmd_v6(stru
 	mfc_write(dev, ctx->ctx.size, S5P_FIMV_CONTEXT_MEM_SIZE_V6);
 	mfc_write(dev, 0, S5P_FIMV_D_CRC_CTRL_V6); /* no crc */
 
-	return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_OPEN_INSTANCE_V6,
-					&h2r_args);
+	return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_OPEN_INSTANCE_V6);
 }
 
 /* Close instance */
 static int s5p_mfc_close_inst_cmd_v6(struct s5p_mfc_ctx *ctx)
 {
 	struct s5p_mfc_dev *dev = ctx->dev;
-	struct s5p_mfc_cmd_args h2r_args;
 	int ret = 0;
 
 	dev->curr_ctx = ctx->num;
 	if (ctx->state != MFCINST_FREE) {
 		mfc_write(dev, ctx->inst_no, S5P_FIMV_INSTANCE_ID_V6);
 		ret = s5p_mfc_cmd_host2risc_v6(dev,
-					S5P_FIMV_H2R_CMD_CLOSE_INSTANCE_V6,
-					&h2r_args);
+					S5P_FIMV_H2R_CMD_CLOSE_INSTANCE_V6);
 	} else {
 		ret = -EINVAL;
 	}
@@ -153,9 +138,15 @@ static int s5p_mfc_close_inst_cmd_v6(str
 	return ret;
 }
 
+static int s5p_mfc_cmd_host2risc_v6_args(struct s5p_mfc_dev *dev, int cmd,
+				    struct s5p_mfc_cmd_args *ignored)
+{
+	return s5p_mfc_cmd_host2risc_v6(dev, cmd);
+}
+
 /* Initialize cmd function pointers for MFC v6 */
 static struct s5p_mfc_hw_cmds s5p_mfc_cmds_v6 = {
-	.cmd_host2risc = s5p_mfc_cmd_host2risc_v6,
+	.cmd_host2risc = s5p_mfc_cmd_host2risc_v6_args,
 	.sys_init_cmd = s5p_mfc_sys_init_cmd_v6,
 	.sleep_cmd = s5p_mfc_sleep_cmd_v6,
 	.wakeup_cmd = s5p_mfc_wakeup_cmd_v6,
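Review bot: s5p_mfc_cmd_host2risc_v6_args() is missing a comment explaining why a wrapper that throws away its third parameter exists. One line stating that the .cmd_host2risc member of struct s5p_mfc_hw_cmds still takes a struct s5p_mfc_cmd_args * and that the v6 command path does not use it would spare the next reader the search. Minor style point: the continuation line "struct s5p_mfc_cmd_args *ignored)" is indented with tabs plus four spaces and does not line up with the opening parenthesis.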




* [PATCH 5.4 224/224] net: rtnetlink: fix module reference count leak issue in rtnetlink_rcv_msg
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (222 preceding siblings ...)
  2025-10-27 18:36 ` [PATCH 5.4 223/224] media: s5p-mfc: remove an unused/uninitialized variable Greg Kroah-Hartman
@ 2025-10-27 18:36 ` Greg Kroah-Hartman
  2025-10-27 19:31 ` [PATCH 5.4 000/224] 5.4.301-rc1 review Florian Fainelli
                   ` (7 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Greg Kroah-Hartman @ 2025-10-27 18:36 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhengchao Shao, Nikolay Aleksandrov,
	Jakub Kicinski

5.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhengchao Shao <shaozhengchao@huawei.com>

commit 5b22f62724a0a09e00d301abf5b57b0c12be8a16 upstream.

When bulk delete command is received in the rtnetlink_rcv_msg function,
if bulk delete is not supported, module_put is not called to release
the reference counting. As a result, module reference count is leaked.

Fixes: a6cec0bcd342 ("net: rtnetlink: add bulk delete support flag")
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://lore.kernel.org/r/20220815024629.240367-1-shaozhengchao@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/rtnetlink.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -5304,6 +5304,7 @@ static int rtnetlink_rcv_msg(struct sk_b
 	if (kind == RTNL_KIND_DEL && (nlh->nlmsg_flags & NLM_F_BULK) &&
 	    !(flags & RTNL_FLAG_BULK_DEL_SUPPORTED)) {
 		NL_SET_ERR_MSG(extack, "Bulk delete is not supported");
+		module_put(owner);
 		goto err_unlock;
 	}
 
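Review bot: The added module_put(owner) sits inline in this one branch before goto err_unlock, so the release still depends on every error exit taken after the module reference is acquired remembering to do the same. The acquisition and the err_unlock label are both outside the visible context, so check in the 5.4 tree that no other exit between them skips the put. A dedicated unwind label that calls module_put(owner) and then falls through to err_unlock would make this class of leak harder to reintroduce.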




* Re: [PATCH 5.4 055/224] wifi: ath10k: avoid unnecessary wait for service ready message
  2025-10-27 18:33 ` [PATCH 5.4 055/224] wifi: ath10k: avoid unnecessary wait for service ready message Greg Kroah-Hartman
@ 2025-10-27 18:46   ` Jeff Johnson
  0 siblings, 0 replies; 234+ messages in thread
From: Jeff Johnson @ 2025-10-27 18:46 UTC (permalink / raw)
  To: Greg Kroah-Hartman, stable
  Cc: patches, Paul Menzel, Baochen Qiang, Vasanthakumar Thiagarajan,
	Sasha Levin

On 10/27/2025 11:33 AM, Greg Kroah-Hartman wrote:
> 5.4-stable review patch.  If anyone has any objections, please let me know.

Please do not propagate this. This had adverse effects on some platforms and a
revert is already in the pipeline:

https://git.kernel.org/pub/scm/linux/kernel/git/ath/ath.git/commit/?h=ath-current&id=2469bb6a6af944755a7d7daf66be90f3b8decbf9

The revert should hopefully land in v6.18-rc4.

/jeff



* Re: [PATCH 5.4 000/224] 5.4.301-rc1 review
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (223 preceding siblings ...)
  2025-10-27 18:36 ` [PATCH 5.4 224/224] net: rtnetlink: fix module reference count leak issue in rtnetlink_rcv_msg Greg Kroah-Hartman
@ 2025-10-27 19:31 ` Florian Fainelli
  2025-10-28  8:14 ` Pavel Machek
                   ` (6 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Florian Fainelli @ 2025-10-27 19:31 UTC (permalink / raw)
  To: Greg Kroah-Hartman, stable
  Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, sudipm.mukherjee, rwarsow, conor,
	hargar, broonie, achill, sr

On 10/27/25 11:32, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.301 release.
> There are 224 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 29 Oct 2025 18:34:15 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.301-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on 
BMIPS_GENERIC:

Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>

There is a new warning showing up with
b27e16c9e625465fe9ea9955bd8ab095498de9e3 ("tcp: fix
tcp_tso_should_defer() vs large RTT"), but since 5.4 does not have the
full minmax backports this is expected:

In file included from ./include/linux/list.h:9,
                  from ./include/net/tcp.h:19,
                  from net/ipv4/tcp_output.c:40:
net/ipv4/tcp_output.c: In function 'tcp_tso_should_defer':
./include/linux/kernel.h:843:43: warning: comparison of distinct pointer 
types lacks a cast
   843 |                 (!!(sizeof((typeof(x) *)1 == (typeof(y) *)1)))
       |                                           ^~
./include/linux/kernel.h:857:18: note: in expansion of macro '__typecheck'
   857 |                 (__typecheck(x, y) && __no_side_effects(x, y))
       |                  ^~~~~~~~~~~
./include/linux/kernel.h:867:31: note: in expansion of macro '__safe_cmp'
   867 |         __builtin_choose_expr(__safe_cmp(x, y), \
       |                               ^~~~~~~~~~
./include/linux/kernel.h:876:25: note: in expansion of macro '__careful_cmp'
   876 | #define min(x, y)       __careful_cmp(x, y, <)
       |                         ^~~~~~~~~~~~~
net/ipv4/tcp_output.c:2028:21: note: in expansion of macro 'min'
  2028 |         threshold = min(srtt_in_ns >> 1, NSEC_PER_MSEC);
       |                     ^~~

I don't think this should hold off the release though.
-- 
Florian


* Re: [PATCH 5.4 000/224] 5.4.301-rc1 review
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (224 preceding siblings ...)
  2025-10-27 19:31 ` [PATCH 5.4 000/224] 5.4.301-rc1 review Florian Fainelli
@ 2025-10-28  8:14 ` Pavel Machek
  2025-10-28 11:28 ` Jon Hunter
                   ` (5 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Pavel Machek @ 2025-10-28  8:14 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
	patches, lkft-triage, jonathanh, f.fainelli, sudipm.mukherjee,
	rwarsow, conor, hargar, broonie, achill, sr


Hi!


> This is the start of the stable review cycle for the 5.4.301 release.
> There are 224 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.

6.6, 5.4 pass our testing, so risc-v compilation problem seems to be
5.10 and 5.15 only.

https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-6.6.y
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-5.4.y

Tested-by: Pavel Machek (CIP) <pavel@denx.de>

Best regards,
                                                                Pavel
-- 
In cooperation with DENX Software Engineering GmbH, HRB 165235 Munich,
Office: Kirchenstr.5, D-82194 Groebenzell, Germany



* Re: [PATCH 5.4 000/224] 5.4.301-rc1 review
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (225 preceding siblings ...)
  2025-10-28  8:14 ` Pavel Machek
@ 2025-10-28 11:28 ` Jon Hunter
  2025-10-28 13:45 ` Naresh Kamboju
                   ` (4 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Jon Hunter @ 2025-10-28 11:28 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
	shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
	linux-tegra, stable

On Mon, 27 Oct 2025 19:32:26 +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.301 release.
> There are 224 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 29 Oct 2025 18:34:15 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.301-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

All tests passing for Tegra ...

Test results for stable-v5.4:
    10 builds:	10 pass, 0 fail
    24 boots:	24 pass, 0 fail
    54 tests:	54 pass, 0 fail

Linux version:	5.4.301-rc1-g4e89a6191515
Boards tested:	tegra124-jetson-tk1, tegra186-p2771-0000,
                tegra194-p2972-0000, tegra20-ventana,
                tegra210-p2371-2180, tegra210-p3450-0000,
                tegra30-cardhu-a04

Tested-by: Jon Hunter <jonathanh@nvidia.com>

Jon


* Re: [PATCH 5.4 000/224] 5.4.301-rc1 review
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (226 preceding siblings ...)
  2025-10-28 11:28 ` Jon Hunter
@ 2025-10-28 13:45 ` Naresh Kamboju
  2025-10-28 13:55 ` Brett A C Sheffield
                   ` (3 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Naresh Kamboju @ 2025-10-28 13:45 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr

On Tue, 28 Oct 2025 at 00:10, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.4.301 release.
> There are 224 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 29 Oct 2025 18:34:15 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.301-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h


Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>

## Build
* kernel: 5.4.300-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git commit: e1a2ff52265e4d85abb275e2930b92c821a3dd19
* git describe: v5.4.299-82-ge1a2ff52265e
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.4.y/build/v5.4.299-82-ge1a2ff52265e

## Test Regressions (compared to v5.4.297-70-gf858bf548429)

## Metric Regressions (compared to v5.4.297-70-gf858bf548429)

## Test Fixes (compared to v5.4.297-70-gf858bf548429)

## Metric Fixes (compared to v5.4.297-70-gf858bf548429)

## Test result summary
total: 43391, pass: 32354, fail: 2994, skip: 7851, xfail: 192

## Build Summary
* arc: 5 total, 5 passed, 0 failed
* arm: 133 total, 133 passed, 0 failed
* arm64: 33 total, 31 passed, 2 failed
* i386: 20 total, 14 passed, 6 failed
* mips: 25 total, 25 passed, 0 failed
* parisc: 3 total, 0 passed, 3 failed
* powerpc: 26 total, 26 passed, 0 failed
* riscv: 9 total, 3 passed, 6 failed
* s390: 6 total, 6 passed, 0 failed
* sh: 10 total, 10 passed, 0 failed
* sparc: 6 total, 6 passed, 0 failed
* x86_64: 29 total, 29 passed, 0 failed

## Test suites summary
* boot
* kselftest-arm64
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-exec
* kselftest-fpu
* kselftest-futex
* kselftest-intel_pstate
* kselftest-kcmp
* kselftest-membarrier
* kselftest-mincore
* kselftest-mqueue
* kselftest-openat2
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-sigaltstack
* kselftest-size
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user_events
* kselftest-vDSO
* kselftest-x86
* kunit
* lava
* libhugetlbfs
* log-parser-boot
* log-parser-build-clang
* log-parser-build-gcc
* log-parser-test
* ltp-capability
* ltp-commands
* ltp-containers
* ltp-controllers
* ltp-cpuhotplug
* ltp-crypto
* ltp-cve
* ltp-dio
* ltp-fcntl-locktests
* ltp-fs
* ltp-fs_bind
* ltp-fs_perms_simple
* ltp-hugetlb
* ltp-math
* ltp-mm
* ltp-nptl
* ltp-pty
* ltp-sched
* ltp-smoke
* ltp-syscalls
* ltp-tracing
* rcutorture

--
Linaro LKFT
https://lkft.linaro.org


* Re: [PATCH 5.4 000/224] 5.4.301-rc1 review
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (227 preceding siblings ...)
  2025-10-28 13:45 ` Naresh Kamboju
@ 2025-10-28 13:55 ` Brett A C Sheffield
  2025-10-28 14:17 ` [External] : " ALOK TIWARI
                   ` (2 subsequent siblings)
  231 siblings, 0 replies; 234+ messages in thread
From: Brett A C Sheffield @ 2025-10-28 13:55 UTC (permalink / raw)
  To: gregkh
  Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
	Brett A C Sheffield

# Librecast Test Results

Build and boots without error. No network tests run.

020/020 [ OK ] liblcrq
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast

CPU/kernel: Linux auntie 5.4.301-rc1-00225-g4e89a6191515 #124 SMP Tue Oct 28 13:44:03 -00 2025 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux

Tested-by: Brett A C Sheffield <bacs@librecast.net>


* Re: [External] : [PATCH 5.4 000/224] 5.4.301-rc1 review
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (228 preceding siblings ...)
  2025-10-28 13:55 ` Brett A C Sheffield
@ 2025-10-28 14:17 ` ALOK TIWARI
  2025-10-28 19:27 ` Shuah Khan
  2025-10-29  7:39 ` Naresh Kamboju
  231 siblings, 0 replies; 234+ messages in thread
From: ALOK TIWARI @ 2025-10-28 14:17 UTC (permalink / raw)
  To: Greg Kroah-Hartman, stable
  Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
	rwarsow, conor, hargar, broonie, achill, sr

Hi Greg,

On 10/28/2025 12:02 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.301 release.
> There are 224 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 29 Oct 2025 18:34:15 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.301-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h


No problems seen on x86_64 and aarch64 with our testing.

Tested-by: Alok Tiwari <alok.a.tiwari@oracle.com>

Thanks,
Alok



* Re: [PATCH 5.4 000/224] 5.4.301-rc1 review
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (229 preceding siblings ...)
  2025-10-28 14:17 ` [External] : " ALOK TIWARI
@ 2025-10-28 19:27 ` Shuah Khan
  2025-10-29  7:39 ` Naresh Kamboju
  231 siblings, 0 replies; 234+ messages in thread
From: Shuah Khan @ 2025-10-28 19:27 UTC (permalink / raw)
  To: Greg Kroah-Hartman, stable
  Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
	rwarsow, conor, hargar, broonie, achill, sr, Shuah Khan

On 10/27/25 12:32, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.301 release.
> There are 224 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 29 Oct 2025 18:34:15 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.301-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

Tested-by: Shuah Khan <skhan@linuxfoundation.org>

thanks,
-- Shuah


* Re: [PATCH 5.4 000/224] 5.4.301-rc1 review
  2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
                   ` (230 preceding siblings ...)
  2025-10-28 19:27 ` Shuah Khan
@ 2025-10-29  7:39 ` Naresh Kamboju
  231 siblings, 0 replies; 234+ messages in thread
From: Naresh Kamboju @ 2025-10-29  7:39 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr

On Tue, 28 Oct 2025 at 00:10, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.4.301 release.
> There are 224 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 29 Oct 2025 18:34:15 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.301-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>


Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>

NOTE:
As others reported, the following build warnings were noticed on 5.4.301-rc1.

## Build log
In file included from include/linux/list.h:9,
                 from include/net/tcp.h:19,
                 from net/ipv4/tcp_output.c:40:
net/ipv4/tcp_output.c: In function 'tcp_tso_should_defer':
include/linux/kernel.h:843:43: warning: comparison of distinct pointer
types lacks a cast
  843 |                 (!!(sizeof((typeof(x) *)1 == (typeof(y) *)1)))
      |                                           ^~

## Build
* kernel: 5.4.301-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git commit: 4e89a6191515a2237a64d19f93bb359dc7f5f573
* git describe: v5.4.300-225-g4e89a6191515
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.4.y/build/v5.4.300-225-g4e89a6191515

## Test Regressions (compared to v5.4.299-82-ge1a2ff52265e)

## Metric Regressions (compared to v5.4.299-82-ge1a2ff52265e)

## Test Fixes (compared to v5.4.299-82-ge1a2ff52265e)

## Metric Fixes (compared to v5.4.299-82-ge1a2ff52265e)

## Test result summary
total: 39799, pass: 30266, fail: 2455, skip: 6960, xfail: 118

## Build Summary
* arc: 5 total, 5 passed, 0 failed
* arm: 131 total, 131 passed, 0 failed
* arm64: 31 total, 29 passed, 2 failed
* i386: 18 total, 13 passed, 5 failed
* mips: 25 total, 25 passed, 0 failed
* parisc: 3 total, 0 passed, 3 failed
* powerpc: 26 total, 26 passed, 0 failed
* riscv: 9 total, 3 passed, 6 failed
* s390: 6 total, 6 passed, 0 failed
* sh: 10 total, 10 passed, 0 failed
* sparc: 6 total, 6 passed, 0 failed
* x86_64: 27 total, 27 passed, 0 failed

## Test suites summary
* boot
* kselftest-arm64
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-exec
* kselftest-fpu
* kselftest-futex
* kselftest-intel_pstate
* kselftest-kcmp
* kselftest-livepatch
* kselftest-membarrier
* kselftest-mincore
* kselftest-mqueue
* kselftest-openat2
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-sigaltstack
* kselftest-size
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user_events
* kselftest-vDSO
* kselftest-x86
* kunit
* lava
* libhugetlbfs
* log-parser-boot
* log-parser-build-clang
* log-parser-build-gcc
* log-parser-test
* ltp-capability
* ltp-commands
* ltp-containers
* ltp-controllers
* ltp-crypto
* ltp-cve
* ltp-dio
* ltp-fcntl-locktests
* ltp-fs
* ltp-fs_bind
* ltp-fs_perms_simple
* ltp-hugetlb
* ltp-math
* ltp-mm
* ltp-nptl
* ltp-pty
* ltp-sched
* ltp-smoke
* ltp-syscalls
* ltp-tracing
* perf
* rcutorture

--
Linaro LKFT
https://lkft.linaro.org


Thread overview: 234+ messages
2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 001/224] scsi: target: target_core_configfs: Add length check to avoid buffer overflow Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 002/224] media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 003/224] udp: Fix memory accounting leak Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 004/224] media: tunner: xc5000: Refactor firmware load Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 005/224] media: tuner: xc5000: Fix use-after-free in xc5000_release Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 006/224] media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 007/224] media: rc: Add support for another iMON 0xffdc device Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 008/224] media: imon: reorganize serialization Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 009/224] media: imon: grab lock earlier in imon_ir_change_protocol() Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 010/224] media: rc: fix races with imon_disconnect() Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 011/224] USB: serial: option: add SIMCom 8230C compositions Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 012/224] wifi: rtlwifi: rtl8192cu: Dont claim USB ID 07b8:8188 Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 013/224] dm-integrity: limit MAX_TAG_SIZE to 255 Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 014/224] perf subcmd: avoid crash in exclude_cmds when excludes is empty Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 015/224] staging: axis-fifo: fix maximum TX packet length check Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 016/224] staging: axis-fifo: flush RX FIFO on read errors Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 017/224] driver core/PM: Set power.no_callbacks along with power.no_pm Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 018/224] perf: arm_spe: Prevent overflow in PERF_IDX2OFF() Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 019/224] x86/vdso: Fix output operand size of RDPID Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 020/224] regmap: Remove superfluous check for !config in __regmap_init() Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 021/224] ACPI: processor: idle: Fix memory leak when register cpuidle device failed Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 022/224] soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 023/224] pinctrl: meson-gxl: add missing i2c_d pinmux Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 024/224] blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 025/224] block: use int to store blk_stack_limits() return value Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 026/224] pwm: tiehrpwm: Fix corner case in clock divisor calculation Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 027/224] selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 028/224] bpf: Explicitly check accesses to bpf_sock_addr Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 029/224] i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 030/224] i2c: designware: Add disabling clocks when probe fails Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 031/224] drm/radeon/r600_cs: clean up of dead code in r600_cs Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 032/224] usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 033/224] serial: max310x: Add error checking in probe() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 034/224] scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 035/224] scsi: myrs: Fix dma_alloc_coherent() error check Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 036/224] media: rj54n1cb0c: Fix memleak in rj54n1_probe() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 037/224] ALSA: lx_core: use int type to store negative error codes Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 038/224] wifi: mwifiex: send world regulatory domain to driver Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 039/224] PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 040/224] tcp: fix __tcp_close() to only send RST when required Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 041/224] usb: phy: twl6030: Fix incorrect type for ret Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 042/224] usb: gadget: configfs: Correctly set use_os_string at bind Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 043/224] misc: genwqe: Fix incorrect cmd field being reported in error Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 044/224] pps: fix warning in pps_register_cdev when register device fail Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 045/224] ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 046/224] ASoC: Intel: bytcr_rt5640: " Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 047/224] ASoC: Intel: bytcr_rt5651: " Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 048/224] iio: consumers: Fix offset handling in iio_convert_raw_to_processed() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 049/224] netfilter: ipset: Remove unused htable_bits in macro ahash_region Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 050/224] watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the watchdog Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 051/224] drivers/base/node: handle error properly in register_one_node() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 052/224] wifi: mt76: fix potential memory leak in mt76_wmac_probe() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 053/224] RDMA/core: Resolve MAC of next-hop device without ARP support Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 054/224] IB/sa: Fix sa_local_svc_timeout_ms read race Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 055/224] wifi: ath10k: avoid unnecessary wait for service ready message Greg Kroah-Hartman
2025-10-27 18:46   ` Jeff Johnson
2025-10-27 18:33 ` [PATCH 5.4 056/224] sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 057/224] sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 058/224] sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 059/224] sparc: fix accurate exception reporting in copy_to_user for Niagara 4 Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 060/224] sparc: fix accurate exception reporting in copy_{from,to}_user for M7 Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 061/224] remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 062/224] NFSv4.1: fix backchannel max_resp_sz verification check Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 063/224] ipvs: Defer ip_vs_ftp unregister during netns cleanup Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 064/224] scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 065/224] usb: vhci-hcd: Prevent suspending virtually attached devices Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 066/224] RDMA/siw: Always report immediate post SQ errors Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 067/224] net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 068/224] ocfs2: fix double free in user_cluster_connect() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 069/224] drivers/base/node: fix double free in register_one_node() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 070/224] nfp: fix RSS hash key size when RSS is not supported Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 071/224] net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not configurable Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 072/224] Revert "net/mlx5e: Update and set Xon/Xoff upon MTU set" Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 073/224] Squashfs: fix uninit-value in squashfs_get_parent Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 074/224] uio_hv_generic: Let userspace take care of interrupt mask Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 075/224] mm: hugetlb: avoid soft lockup when mprotect to large memory area Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 076/224] Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 077/224] pinctrl: check the return value of pinmux_ops::get_function_name() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 078/224] clocksource/drivers/clps711x: Fix resource leaks in error paths Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 079/224] iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 080/224] perf util: Fix compression checks returning -1 as bool Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 081/224] rtc: x1205: Fix Xicor X1205 vendor prefix Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 082/224] perf session: Fix handling when buffer exceeds 2 GiB Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 083/224] clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 084/224] clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 085/224] scsi: libsas: Add sas_task_find_rq() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 086/224] scsi: mvsas: Delete mvs_tag_init() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 087/224] scsi: mvsas: Use sas_task_find_rq() for tagging Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 088/224] scsi: mvsas: Fix use-after-free bugs in mvs_work_queue Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 089/224] net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 090/224] drm/vmwgfx: Fix Use-after-free in validation Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 091/224] net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 092/224] tcp: Dont call reqsk_fastopen_remove() in tcp_conn_request() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 093/224] net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 094/224] tools build: Align warning options with perf Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 095/224] mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 096/224] mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 097/224] crypto: essiv - Check ssize for decryption and in-place encryption Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 098/224] tpm, tpm_tis: Claim locality before writing interrupt registers Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 099/224] tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 100/224] ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 101/224] ACPI: debug: fix signedness issues in read/write helpers Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 102/224] arm64: dts: qcom: msm8916: Add missing MDSS reset Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 103/224] xen/manage: Fix suspend error path Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 104/224] firmware: meson_sm: fix device leak at probe Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 105/224] media: i2c: mt9v111: fix incorrect type for ret Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 106/224] drm/nouveau: fix bad ret code in nouveau_bo_move_prep Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 107/224] cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request() Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 108/224] crypto: atmel - Fix dma_unmap_sg() direction Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 109/224] iio: dac: ad5360: use int type to store negative error codes Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 110/224] iio: dac: ad5421: " Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 111/224] iio: frequency: adf4350: Fix prescaler usage Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 112/224] lib/genalloc: fix device leak in of_gen_pool_get() Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 113/224] parisc: dont reference obsolete termio struct for TC* constants Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 114/224] scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl() Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 115/224] sctp: Fix MAC comparison to be constant-time Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 116/224] sparc64: fix hugetlb for sun4u Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 117/224] sparc: fix error handling in scan_one_device() Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 118/224] mtd: rawnand: fsmc: Default to autodetect buswidth Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 119/224] mmc: core: SPI mode remove cmd7 Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 120/224] rtc: interface: Ensure alarm irq is enabled when UIE is enabled Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 121/224] rtc: interface: Fix long-standing race when setting alarm Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 122/224] rseq/selftests: Use weak symbol reference, not definition, to link with glibc Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 123/224] PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 124/224] PCI/AER: Fix missing uevent on recovery when a reset is requested Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 125/224] PCI: keystone: Use devm_request_irq() to free "ks-pcie-error-irq" on exit Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 126/224] x86/umip: Check that the instruction opcode is at least two bytes Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 127/224] x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases) Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 128/224] nfsd: nfserr_jukebox in nlm_fopen should lead to a retry Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 129/224] ext4: increase i_disksize to offset + len in ext4_update_disksize_before_punch() Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 130/224] ext4: correctly handle queries for metadata mappings Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 131/224] ext4: guard against EA inode refcount underflow in xattr update Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 132/224] net/9p: fix double req put in p9_fd_cancelled Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 133/224] KVM: x86: Dont (re)check L1 intercepts when completing userspace I/O Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 134/224] fs: udf: fix OOB read in lengthAllocDescs handling Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 135/224] mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data() Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 136/224] media: mc: Clear minor number before put device Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 137/224] Squashfs: add additional inode sanity checking Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 138/224] Squashfs: reject negative file sizes in squashfs_read_inode() Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 139/224] mfd: intel_soc_pmic_chtdc_ti: Fix invalid regmap-config max_register value Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 140/224] mfd: intel_soc_pmic_chtdc_ti: Drop unneeded assignment for cache_type Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 141/224] mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 142/224] dm: fix NULL pointer dereference in __dm_suspend() Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 143/224] tracing: Fix race condition in kprobe initialization causing NULL pointer dereference Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 144/224] minixfs: Verify inode mode when loading from disk Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 145/224] pid: Add a judgment for ns null in pid_nr_ns Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 146/224] fs: Add initramfs_options to set initramfs mount options Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 147/224] cramfs: Verify inode mode when loading from disk Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 148/224] xen/events: Cleanup find_virq() return codes Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 149/224] media: cx18: Add missing check after DMA map Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 150/224] pwm: berlin: Fix wrong register in suspend/resume Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 151/224] btrfs: avoid potential out-of-bounds in btrfs_encode_fh() Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 152/224] drm/exynos: exynos7_drm_decon: remove ctx->suspended Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 153/224] media: rc: Directly use ida_free() Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 154/224] media: lirc: Fix error handling in lirc_register() Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 155/224] xen/events: Update virq_to_irq on migration Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 156/224] media: pci/ivtv: switch from pci_ to dma_ API Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 157/224] media: pci: ivtv: Add missing check after DMA map Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 158/224] net: dl2k: switch from pci_ to dma_ API Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 159/224] net: dlink: handle dma_map_single() failure properly Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 160/224] net/ip6_tunnel: Prevent perpetual tunnel growth Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 161/224] amd-xgbe: Avoid spurious link down messages during interface toggle Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 162/224] tcp: fix tcp_tso_should_defer() vs large RTT Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 163/224] tg3: prevent use of uninitialized remote_adv and local_adv variables Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 164/224] tls: always set record_type in tls_process_cmsg Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 165/224] tls: dont rely on tx_work during send() Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 166/224] sched: Make newidle_balance() static again Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 167/224] sched/fair: Trivial correction of the newidle_balance() comment Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 168/224] sched/balancing: Rename newidle_balance() => sched_balance_newidle() Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 169/224] sched/fair: Fix pelt lost idle time detection Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 170/224] ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 171/224] hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp() Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 172/224] exec: Fix incorrect type for ret Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 173/224] hfs: clear offset and space out of valid records in b-tree node Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 174/224] hfs: make proper initalization of struct hfs_find_data Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 175/224] hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent() Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 176/224] hfs: validate record offset in hfsplus_bmap_alloc Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 177/224] hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat() Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 178/224] dlm: check for defined force value in dlm_lockspace_release Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 179/224] hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits() Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 180/224] hfsplus: return EIO when type of hidden directory mismatch in hfsplus_fill_super() Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 181/224] m68k: bitops: Fix find_*_bit() signatures Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 182/224] net: rtnetlink: remove redundant assignment to variable err Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 183/224] net: rtnetlink: add msg kind names Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 184/224] net: rtnetlink: add helper to extract msg types kind Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 185/224] net: rtnetlink: use BIT for flag values Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 186/224] net: netlink: add NLM_F_BULK delete request modifier Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 187/224] net: rtnetlink: add bulk delete support flag Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 188/224] net: add ndo_fdb_del_bulk Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 189/224] net: rtnetlink: add NLM_F_BULK support to rtnl_fdb_del Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 190/224] rtnetlink: Allow deleting FDB entries in user namespace Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 191/224] net: enetc: correct the value of ENETC_RXB_TRUESIZE Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 192/224] arm64, mm: avoid always making PTE dirty in pte_mkwrite() Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 193/224] sctp: avoid NULL dereference when chunk data buffer is missing Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 194/224] net: bonding: fix possible peer notify event loss or dup issue Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 195/224] Revert "cpuidle: menu: Avoid discarding useful information" Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 196/224] MIPS: Malta: Fix keyboard resource preventing i8042 driver from registering Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 197/224] ocfs2: clear extent cache after moving/defragmenting extents Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 198/224] net: usb: rtl8150: Fix frame padding Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 199/224] net: ravb: Ensure memory write completes before ringing TX doorbell Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 200/224] USB: serial: option: add UNISOC UIS7720 Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 201/224] USB: serial: option: add Quectel RG255C Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 202/224] USB: serial: option: add Telit FN920C04 ECM compositions Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 203/224] usb/core/quirks: Add Huawei ME906S to wakeup quirk Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 204/224] xhci: dbc: enable back DbC in resume if it was enabled before suspend Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 205/224] binder: remove "invalid inc weak" check Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 206/224] comedi: fix divide-by-zero in comedi_buf_munge() Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 207/224] arm64: cputype: Add Neoverse-V3AE definitions Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 208/224] arm64: errata: Apply workarounds for Neoverse-V3AE Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 209/224] memory: samsung: exynos-srom: Correct alignment Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 210/224] memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 211/224] spi: cadence-quadspi: Flush posted register writes before INDAC access Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 212/224] spi: cadence-quadspi: Flush posted register writes before DAC access Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 213/224] ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 214/224] drm/amdgpu: use atomic functions with memory barriers for vm fault info Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 215/224] ext4: detect invalid INLINE_DATA + EXTENTS flag combination Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 216/224] jbd2: ensure that all ongoing I/O complete before freeing blocks Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 217/224] vfs: Dont leak disconnected dentries on umount Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 218/224] NFSD: Define a proc_layoutcommit for the FlexFiles layout type Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 219/224] KEYS: trusted_tpm1: Compare HMAC values in constant time Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 220/224] padata: Reset next CPU when reorder sequence wraps around Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 221/224] NFSD: Minor cleanup in layoutcommit processing Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 222/224] NFSD: Fix last write offset handling in layoutcommit Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 223/224] media: s5p-mfc: remove an unused/uninitialized variable Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 224/224] net: rtnetlink: fix module reference count leak issue in rtnetlink_rcv_msg Greg Kroah-Hartman
2025-10-27 19:31 ` [PATCH 5.4 000/224] 5.4.301-rc1 review Florian Fainelli
2025-10-28  8:14 ` Pavel Machek
2025-10-28 11:28 ` Jon Hunter
2025-10-28 13:45 ` Naresh Kamboju
2025-10-28 13:55 ` Brett A C Sheffield
2025-10-28 14:17 ` [External] : " ALOK TIWARI
2025-10-28 19:27 ` Shuah Khan
2025-10-29  7:39 ` Naresh Kamboju
