* [PATCH 6.17 001/146] can: kvaser_usb: leaf: Fix potential infinite loop in command parsers
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 002/146] can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs Greg Kroah-Hartman
` (158 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Seungjin Bae, Jimmy Assarsson,
Marc Kleine-Budde, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Seungjin Bae <eeodqql09@gmail.com>
[ Upstream commit 0c73772cd2b8cc108d5f5334de89ad648d89b9ec ]
The `kvaser_usb_leaf_wait_cmd()` and `kvaser_usb_leaf_read_bulk_callback`
functions contain logic to zero-length commands. These commands are used
to align data to the USB endpoint's wMaxPacketSize boundary.
The driver attempts to skip these placeholders by aligning the buffer
position `pos` to the next packet boundary using `round_up()` function.
However, if zero-length command is found exactly on a packet boundary
(i.e., `pos` is a multiple of wMaxPacketSize, including 0), `round_up`
function will return the unchanged value of `pos`. This prevents `pos`
to be increased, causing an infinite loop in the parsing logic.
This patch fixes this in the function by using `pos + 1` instead.
This ensures that even if `pos` is on a boundary, the calculation is
based on `pos + 1`, forcing `round_up()` to always return the next
aligned boundary.
Fixes: 7259124eac7d ("can: kvaser_usb: Split driver into kvaser_usb_core.c and kvaser_usb_leaf.c")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
Reviewed-by: Jimmy Assarsson <extja@kvaser.com>
Tested-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://patch.msgid.link/20251023162709.348240-1-eeodqql09@gmail.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
index c29828a94ad0e..1167d38344f1d 100644
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
@@ -685,7 +685,7 @@ static int kvaser_usb_leaf_wait_cmd(const struct kvaser_usb *dev, u8 id,
* for further details.
*/
if (tmp->len == 0) {
- pos = round_up(pos,
+ pos = round_up(pos + 1,
le16_to_cpu
(dev->bulk_in->wMaxPacketSize));
continue;
@@ -1732,7 +1732,7 @@ static void kvaser_usb_leaf_read_bulk_callback(struct kvaser_usb *dev,
* number of events in case of a heavy rx load on the bus.
*/
if (cmd->len == 0) {
- pos = round_up(pos, le16_to_cpu
+ pos = round_up(pos + 1, le16_to_cpu
(dev->bulk_in->wMaxPacketSize));
continue;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 002/146] can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 001/146] can: kvaser_usb: leaf: Fix potential infinite loop in command parsers Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 003/146] can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header Greg Kroah-Hartman
` (157 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Kleine-Budde, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
[ Upstream commit 516a0cd1c03fa266bb67dd87940a209fd4e53ce7 ]
The driver lacks the cleanup of failed transfers of URBs. This reduces the
number of available URBs per error by 1. This leads to reduced performance
and ultimately to a complete stop of the transmission.
If the sending of a bulk URB fails do proper cleanup:
- increase netdev stats
- mark the echo_sbk as free
- free the driver's context and do accounting
- wake the send queue
Closes: https://github.com/candle-usb/candleLight_fw/issues/187
Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
Link: https://patch.msgid.link/20251114-gs_usb-fix-usb-callbacks-v1-1-a29b42eacada@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/usb/gs_usb.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
index 69b8d6da651bf..fa9bab8c89aea 100644
--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
@@ -750,8 +750,21 @@ static void gs_usb_xmit_callback(struct urb *urb)
struct gs_can *dev = txc->dev;
struct net_device *netdev = dev->netdev;
- if (urb->status)
- netdev_info(netdev, "usb xmit fail %u\n", txc->echo_id);
+ if (!urb->status)
+ return;
+
+ if (urb->status != -ESHUTDOWN && net_ratelimit())
+ netdev_info(netdev, "failed to xmit URB %u: %pe\n",
+ txc->echo_id, ERR_PTR(urb->status));
+
+ netdev->stats.tx_dropped++;
+ netdev->stats.tx_errors++;
+
+ can_free_echo_skb(netdev, txc->echo_id, NULL);
+ gs_free_tx_context(txc);
+ atomic_dec(&dev->active_tx_urbs);
+
+ netif_wake_queue(netdev);
}
static netdev_tx_t gs_can_start_xmit(struct sk_buff *skb,
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 003/146] can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 001/146] can: kvaser_usb: leaf: Fix potential infinite loop in command parsers Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 002/146] can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 004/146] can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data Greg Kroah-Hartman
` (156 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Kleine-Budde, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
[ Upstream commit 6fe9f3279f7d2518439a7962c5870c6e9ecbadcf ]
The driver expects to receive a struct gs_host_frame in
gs_usb_receive_bulk_callback().
Use struct_group to describe the header of the struct gs_host_frame and
check that we have at least received the header before accessing any
members of it.
To resubmit the URB, do not dereference the pointer chain
"dev->parent->hf_size_rx" but use "parent->hf_size_rx" instead. Since
"urb->context" contains "parent", it is always defined, while "dev" is not
defined if the URB it too short.
Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
Link: https://patch.msgid.link/20251114-gs_usb-fix-usb-callbacks-v1-2-a29b42eacada@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/usb/gs_usb.c | 26 +++++++++++++++++++-------
1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
index fa9bab8c89aea..51f8d694104d9 100644
--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
@@ -262,13 +262,15 @@ struct canfd_quirk {
} __packed;
struct gs_host_frame {
- u32 echo_id;
- __le32 can_id;
+ struct_group(header,
+ u32 echo_id;
+ __le32 can_id;
- u8 can_dlc;
- u8 channel;
- u8 flags;
- u8 reserved;
+ u8 can_dlc;
+ u8 channel;
+ u8 flags;
+ u8 reserved;
+ );
union {
DECLARE_FLEX_ARRAY(struct classic_can, classic_can);
@@ -576,6 +578,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
int rc;
struct net_device_stats *stats;
struct gs_host_frame *hf = urb->transfer_buffer;
+ unsigned int minimum_length;
struct gs_tx_context *txc;
struct can_frame *cf;
struct canfd_frame *cfd;
@@ -594,6 +597,15 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
return;
}
+ minimum_length = sizeof(hf->header);
+ if (urb->actual_length < minimum_length) {
+ dev_err_ratelimited(&parent->udev->dev,
+ "short read (actual_length=%u, minimum_length=%u)\n",
+ urb->actual_length, minimum_length);
+
+ goto resubmit_urb;
+ }
+
/* device reports out of range channel id */
if (hf->channel >= parent->channel_cnt)
goto device_detach;
@@ -687,7 +699,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
resubmit_urb:
usb_fill_bulk_urb(urb, parent->udev,
parent->pipe_in,
- hf, dev->parent->hf_size_rx,
+ hf, parent->hf_size_rx,
gs_usb_receive_bulk_callback, parent);
rc = usb_submit_urb(urb, GFP_ATOMIC);
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 004/146] can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 003/146] can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 005/146] Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface Greg Kroah-Hartman
` (155 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Kleine-Budde, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
[ Upstream commit 395d988f93861101ec89d0dd9e3b876ae9392a5b ]
The URB received in gs_usb_receive_bulk_callback() contains a struct
gs_host_frame. The length of the data after the header depends on the
gs_host_frame hf::flags and the active device features (e.g. time
stamping).
Introduce a new function gs_usb_get_minimum_length() and check that we have
at least received the required amount of data before accessing it. Only
copy the data to that skb that has actually been received.
Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
Link: https://patch.msgid.link/20251114-gs_usb-fix-usb-callbacks-v1-3-a29b42eacada@pengutronix.de
[mkl: rename gs_usb_get_minimum_length() -> +gs_usb_get_minimum_rx_length()]
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/usb/gs_usb.c | 59 +++++++++++++++++++++++++++++++++---
1 file changed, 54 insertions(+), 5 deletions(-)
diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
index 51f8d694104d9..8d8a610f91441 100644
--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
@@ -261,6 +261,11 @@ struct canfd_quirk {
u8 quirk;
} __packed;
+/* struct gs_host_frame::echo_id == GS_HOST_FRAME_ECHO_ID_RX indicates
+ * a regular RX'ed CAN frame
+ */
+#define GS_HOST_FRAME_ECHO_ID_RX 0xffffffff
+
struct gs_host_frame {
struct_group(header,
u32 echo_id;
@@ -570,6 +575,37 @@ gs_usb_get_echo_skb(struct gs_can *dev, struct sk_buff *skb,
return len;
}
+static unsigned int
+gs_usb_get_minimum_rx_length(const struct gs_can *dev, const struct gs_host_frame *hf,
+ unsigned int *data_length_p)
+{
+ unsigned int minimum_length, data_length = 0;
+
+ if (hf->flags & GS_CAN_FLAG_FD) {
+ if (hf->echo_id == GS_HOST_FRAME_ECHO_ID_RX)
+ data_length = can_fd_dlc2len(hf->can_dlc);
+
+ if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP)
+ /* timestamp follows data field of max size */
+ minimum_length = struct_size(hf, canfd_ts, 1);
+ else
+ minimum_length = sizeof(hf->header) + data_length;
+ } else {
+ if (hf->echo_id == GS_HOST_FRAME_ECHO_ID_RX &&
+ !(hf->can_id & cpu_to_le32(CAN_RTR_FLAG)))
+ data_length = can_cc_dlc2len(hf->can_dlc);
+
+ if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP)
+ /* timestamp follows data field of max size */
+ minimum_length = struct_size(hf, classic_can_ts, 1);
+ else
+ minimum_length = sizeof(hf->header) + data_length;
+ }
+
+ *data_length_p = data_length;
+ return minimum_length;
+}
+
static void gs_usb_receive_bulk_callback(struct urb *urb)
{
struct gs_usb *parent = urb->context;
@@ -578,7 +614,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
int rc;
struct net_device_stats *stats;
struct gs_host_frame *hf = urb->transfer_buffer;
- unsigned int minimum_length;
+ unsigned int minimum_length, data_length;
struct gs_tx_context *txc;
struct can_frame *cf;
struct canfd_frame *cfd;
@@ -621,20 +657,33 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
if (!netif_running(netdev))
goto resubmit_urb;
- if (hf->echo_id == -1) { /* normal rx */
+ minimum_length = gs_usb_get_minimum_rx_length(dev, hf, &data_length);
+ if (urb->actual_length < minimum_length) {
+ stats->rx_errors++;
+ stats->rx_length_errors++;
+
+ if (net_ratelimit())
+ netdev_err(netdev,
+ "short read (actual_length=%u, minimum_length=%u)\n",
+ urb->actual_length, minimum_length);
+
+ goto resubmit_urb;
+ }
+
+ if (hf->echo_id == GS_HOST_FRAME_ECHO_ID_RX) { /* normal rx */
if (hf->flags & GS_CAN_FLAG_FD) {
skb = alloc_canfd_skb(netdev, &cfd);
if (!skb)
return;
cfd->can_id = le32_to_cpu(hf->can_id);
- cfd->len = can_fd_dlc2len(hf->can_dlc);
+ cfd->len = data_length;
if (hf->flags & GS_CAN_FLAG_BRS)
cfd->flags |= CANFD_BRS;
if (hf->flags & GS_CAN_FLAG_ESI)
cfd->flags |= CANFD_ESI;
- memcpy(cfd->data, hf->canfd->data, cfd->len);
+ memcpy(cfd->data, hf->canfd->data, data_length);
} else {
skb = alloc_can_skb(netdev, &cf);
if (!skb)
@@ -643,7 +692,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
cf->can_id = le32_to_cpu(hf->can_id);
can_frame_set_cc_len(cf, hf->can_dlc, dev->can.ctrlmode);
- memcpy(cf->data, hf->classic_can->data, 8);
+ memcpy(cf->data, hf->classic_can->data, data_length);
/* ERROR frames tell us information about the controller */
if (le32_to_cpu(hf->can_id) & CAN_ERR_FLAG)
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 005/146] Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 004/146] can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 006/146] Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP Greg Kroah-Hartman
` (154 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Lu, Luiz Augusto von Dentz,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Lu <chris.lu@mediatek.com>
[ Upstream commit 4015b979767125cf8a2233a145a3b3af78bfd8fb ]
When performing reset tests and encountering abnormal card drop issues
that lead to a kernel crash, it is necessary to perform a null check
before releasing resources to avoid attempting to release a null pointer.
<4>[ 29.158070] Hardware name: Google Quigon sku196612/196613 board (DT)
<4>[ 29.158076] Workqueue: hci0 hci_cmd_sync_work [bluetooth]
<4>[ 29.158154] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
<4>[ 29.158162] pc : klist_remove+0x90/0x158
<4>[ 29.158174] lr : klist_remove+0x88/0x158
<4>[ 29.158180] sp : ffffffc0846b3c00
<4>[ 29.158185] pmr_save: 000000e0
<4>[ 29.158188] x29: ffffffc0846b3c30 x28: ffffff80cd31f880 x27: ffffff80c1bdc058
<4>[ 29.158199] x26: dead000000000100 x25: ffffffdbdc624ea3 x24: ffffff80c1bdc4c0
<4>[ 29.158209] x23: ffffffdbdc62a3e6 x22: ffffff80c6c07000 x21: ffffffdbdc829290
<4>[ 29.158219] x20: 0000000000000000 x19: ffffff80cd3e0648 x18: 000000031ec97781
<4>[ 29.158229] x17: ffffff80c1bdc4a8 x16: ffffffdc10576548 x15: ffffff80c1180428
<4>[ 29.158238] x14: 0000000000000000 x13: 000000000000e380 x12: 0000000000000018
<4>[ 29.158248] x11: ffffff80c2a7fd10 x10: 0000000000000000 x9 : 0000000100000000
<4>[ 29.158257] x8 : 0000000000000000 x7 : 7f7f7f7f7f7f7f7f x6 : 2d7223ff6364626d
<4>[ 29.158266] x5 : 0000008000000000 x4 : 0000000000000020 x3 : 2e7325006465636e
<4>[ 29.158275] x2 : ffffffdc11afeff8 x1 : 0000000000000000 x0 : ffffffdc11be4d0c
<4>[ 29.158285] Call trace:
<4>[ 29.158290] klist_remove+0x90/0x158
<4>[ 29.158298] device_release_driver_internal+0x20c/0x268
<4>[ 29.158308] device_release_driver+0x1c/0x30
<4>[ 29.158316] usb_driver_release_interface+0x70/0x88
<4>[ 29.158325] btusb_mtk_release_iso_intf+0x68/0xd8 [btusb (HASH:e8b6 5)]
<4>[ 29.158347] btusb_mtk_reset+0x5c/0x480 [btusb (HASH:e8b6 5)]
<4>[ 29.158361] hci_cmd_sync_work+0x10c/0x188 [bluetooth (HASH:a4fa 6)]
<4>[ 29.158430] process_scheduled_works+0x258/0x4e8
<4>[ 29.158441] worker_thread+0x300/0x428
<4>[ 29.158448] kthread+0x108/0x1d0
<4>[ 29.158455] ret_from_fork+0x10/0x20
<0>[ 29.158467] Code: 91343000 940139d1 f9400268 927ff914 (f9401297)
<4>[ 29.158474] ---[ end trace 0000000000000000 ]---
<0>[ 29.167129] Kernel panic - not syncing: Oops: Fatal exception
<2>[ 29.167144] SMP: stopping secondary CPUs
<4>[ 29.167158] ------------[ cut here ]------------
Fixes: ceac1cb0259d ("Bluetooth: btusb: mediatek: add ISO data transmission functions")
Signed-off-by: Chris Lu <chris.lu@mediatek.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btusb.c | 34 +++++++++++++++++++++++++-------
include/net/bluetooth/hci_core.h | 1 -
2 files changed, 27 insertions(+), 8 deletions(-)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index a722446ec73dd..202a845e0236f 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -2711,9 +2711,16 @@ static int btusb_recv_event_realtek(struct hci_dev *hdev, struct sk_buff *skb)
static void btusb_mtk_claim_iso_intf(struct btusb_data *data)
{
- struct btmtk_data *btmtk_data = hci_get_priv(data->hdev);
+ struct btmtk_data *btmtk_data;
int err;
+ if (!data->hdev)
+ return;
+
+ btmtk_data = hci_get_priv(data->hdev);
+ if (!btmtk_data)
+ return;
+
/*
* The function usb_driver_claim_interface() is documented to need
* locks held if it's not called from a probe routine. The code here
@@ -2735,17 +2742,30 @@ static void btusb_mtk_claim_iso_intf(struct btusb_data *data)
static void btusb_mtk_release_iso_intf(struct hci_dev *hdev)
{
- struct btmtk_data *btmtk_data = hci_get_priv(hdev);
+ struct btmtk_data *btmtk_data;
+
+ if (!hdev)
+ return;
+
+ btmtk_data = hci_get_priv(hdev);
+ if (!btmtk_data)
+ return;
if (test_bit(BTMTK_ISOPKT_OVER_INTR, &btmtk_data->flags)) {
usb_kill_anchored_urbs(&btmtk_data->isopkt_anchor);
clear_bit(BTMTK_ISOPKT_RUNNING, &btmtk_data->flags);
- dev_kfree_skb_irq(btmtk_data->isopkt_skb);
- btmtk_data->isopkt_skb = NULL;
- usb_set_intfdata(btmtk_data->isopkt_intf, NULL);
- usb_driver_release_interface(&btusb_driver,
- btmtk_data->isopkt_intf);
+ if (btmtk_data->isopkt_skb) {
+ dev_kfree_skb_irq(btmtk_data->isopkt_skb);
+ btmtk_data->isopkt_skb = NULL;
+ }
+
+ if (btmtk_data->isopkt_intf) {
+ usb_set_intfdata(btmtk_data->isopkt_intf, NULL);
+ usb_driver_release_interface(&btusb_driver,
+ btmtk_data->isopkt_intf);
+ btmtk_data->isopkt_intf = NULL;
+ }
}
clear_bit(BTMTK_ISOPKT_OVER_INTR, &btmtk_data->flags);
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index 8d78cb2b9f1ab..4ccb462a0a4b8 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -748,7 +748,6 @@ struct hci_conn {
__u8 remote_cap;
__u8 remote_auth;
- __u8 remote_id;
unsigned int sent;
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 006/146] Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 005/146] Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 007/146] Bluetooth: hci_sock: Prevent race in socket write iter and sock bind Greg Kroah-Hartman
` (153 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 275ddfeb3fdc274050c2173ffd985b1e80a9aa37 ]
HCI_OP_NOP means no command was actually sent so there is no point in
triggering cmd_timer which may cause a hdev->reset in the process since
it is assumed that the controller is stuck processing a command.
Fixes: e2d471b7806b ("Bluetooth: ISO: Fix not using SID from adv report")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_core.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 55e0722fd0662..72c7607aac209 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -4093,7 +4093,7 @@ static void hci_rx_work(struct work_struct *work)
}
}
-static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
+static int hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
{
int err;
@@ -4105,16 +4105,19 @@ static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
if (!hdev->sent_cmd) {
skb_queue_head(&hdev->cmd_q, skb);
queue_work(hdev->workqueue, &hdev->cmd_work);
- return;
+ return -EINVAL;
}
if (hci_skb_opcode(skb) != HCI_OP_NOP) {
err = hci_send_frame(hdev, skb);
if (err < 0) {
hci_cmd_sync_cancel_sync(hdev, -err);
- return;
+ return err;
}
atomic_dec(&hdev->cmd_cnt);
+ } else {
+ err = -ENODATA;
+ kfree_skb(skb);
}
if (hdev->req_status == HCI_REQ_PEND &&
@@ -4122,12 +4125,15 @@ static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
kfree_skb(hdev->req_skb);
hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
}
+
+ return err;
}
static void hci_cmd_work(struct work_struct *work)
{
struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
struct sk_buff *skb;
+ int err;
BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
@@ -4138,7 +4144,9 @@ static void hci_cmd_work(struct work_struct *work)
if (!skb)
return;
- hci_send_cmd_sync(hdev, skb);
+ err = hci_send_cmd_sync(hdev, skb);
+ if (err)
+ return;
rcu_read_lock();
if (test_bit(HCI_RESET, &hdev->flags) ||
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 007/146] Bluetooth: hci_sock: Prevent race in socket write iter and sock bind
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 006/146] Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 008/146] Bluetooth: hci_core: lookup hci_conn on RX path on protocol side Greg Kroah-Hartman
` (152 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+9aa47cd4633a3cf92a80,
Edward Adam Davis, Luiz Augusto von Dentz, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit 89bb613511cc21ed5ba6bddc1c9b9ae9c0dad392 ]
There is a potential race condition between sock bind and socket write
iter. bind may free the same cmd via mgmt_pending before write iter sends
the cmd, just as syzbot reported in UAF[1].
Here we use hci_dev_lock to synchronize the two, thereby avoiding the
UAF mentioned in [1].
[1]
syzbot reported:
BUG: KASAN: slab-use-after-free in mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316
Read of size 8 at addr ffff888077164818 by task syz.0.17/5989
Call Trace:
mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316
set_link_security+0x5c2/0x710 net/bluetooth/mgmt.c:1918
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
sock_write_iter+0x279/0x360 net/socket.c:1195
Allocated by task 5989:
mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296
set_link_security+0x557/0x710 net/bluetooth/mgmt.c:1910
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
sock_write_iter+0x279/0x360 net/socket.c:1195
Freed by task 5991:
mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]
mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257
mgmt_index_removed+0x112/0x2f0 net/bluetooth/mgmt.c:9477
hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314
Fixes: 6fe26f694c82 ("Bluetooth: MGMT: Protect mgmt_pending list with its own lock")
Reported-by: syzbot+9aa47cd4633a3cf92a80@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9aa47cd4633a3cf92a80
Tested-by: syzbot+9aa47cd4633a3cf92a80@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_sock.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index fc866759910d9..ad19022ae127a 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -1311,7 +1311,9 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
goto done;
}
+ hci_dev_lock(hdev);
mgmt_index_removed(hdev);
+ hci_dev_unlock(hdev);
err = hci_dev_open(hdev->id);
if (err) {
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 008/146] Bluetooth: hci_core: lookup hci_conn on RX path on protocol side
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 007/146] Bluetooth: hci_sock: Prevent race in socket write iter and sock bind Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 009/146] Bluetooth: SMP: Fix not generating mackey and ltk when repairing Greg Kroah-Hartman
` (151 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+d32d77220b92eddd89ad,
Pauli Virtanen, Luiz Augusto von Dentz, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pauli Virtanen <pav@iki.fi>
[ Upstream commit 79a2d4678ba90bdba577dc3af88cc900d6dcd5ee ]
The hdev lock/lookup/unlock/use pattern in the packet RX path doesn't
ensure hci_conn* is not concurrently modified/deleted. This locking
appears to be leftover from before conn_hash started using RCU
commit bf4c63252490b ("Bluetooth: convert conn hash to RCU")
and not clear if it had purpose since then.
Currently, there are code paths that delete hci_conn* from elsewhere
than the ordered hdev->workqueue where the RX work runs in. E.g.
commit 5af1f84ed13a ("Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync")
introduced some of these, and there probably were a few others before
it. It's better to do the locking so that even if these run
concurrently no UAF is possible.
Move the lookup of hci_conn and associated socket-specific conn to
protocol recv handlers, and do them within a single critical section
to cover hci_conn* usage and lookup.
syzkaller has reported a crash that appears to be this issue:
[Task hdev->workqueue] [Task 2]
hci_disconnect_all_sync
l2cap_recv_acldata(hcon)
hci_conn_get(hcon)
hci_abort_conn_sync(hcon)
hci_dev_lock
hci_dev_lock
hci_conn_del(hcon)
v-------------------------------- hci_dev_unlock
hci_conn_put(hcon)
conn = hcon->l2cap_data (UAF)
Fixes: 5af1f84ed13a ("Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync")
Reported-by: syzbot+d32d77220b92eddd89ad@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d32d77220b92eddd89ad
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/bluetooth/hci_core.h | 20 ++++++---
net/bluetooth/hci_core.c | 73 +++++++++++---------------------
net/bluetooth/iso.c | 30 ++++++++++---
net/bluetooth/l2cap_core.c | 23 +++++++---
net/bluetooth/sco.c | 35 +++++++++++----
5 files changed, 108 insertions(+), 73 deletions(-)
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index 4ccb462a0a4b8..b020ce30929e6 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -855,11 +855,12 @@ extern struct mutex hci_cb_list_lock;
/* ----- HCI interface to upper protocols ----- */
int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr);
int l2cap_disconn_ind(struct hci_conn *hcon);
-void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags);
+int l2cap_recv_acldata(struct hci_dev *hdev, u16 handle, struct sk_buff *skb,
+ u16 flags);
#if IS_ENABLED(CONFIG_BT_BREDR)
int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags);
-void sco_recv_scodata(struct hci_conn *hcon, struct sk_buff *skb);
+int sco_recv_scodata(struct hci_dev *hdev, u16 handle, struct sk_buff *skb);
#else
static inline int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr,
__u8 *flags)
@@ -867,23 +868,30 @@ static inline int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr,
return 0;
}
-static inline void sco_recv_scodata(struct hci_conn *hcon, struct sk_buff *skb)
+static inline int sco_recv_scodata(struct hci_dev *hdev, u16 handle,
+ struct sk_buff *skb)
{
+ kfree_skb(skb);
+ return -ENOENT;
}
#endif
#if IS_ENABLED(CONFIG_BT_LE)
int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags);
-void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, u16 flags);
+int iso_recv(struct hci_dev *hdev, u16 handle, struct sk_buff *skb,
+ u16 flags);
#else
static inline int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr,
__u8 *flags)
{
return 0;
}
-static inline void iso_recv(struct hci_conn *hcon, struct sk_buff *skb,
- u16 flags)
+
+static inline int iso_recv(struct hci_dev *hdev, u16 handle,
+ struct sk_buff *skb, u16 flags)
{
+ kfree_skb(skb);
+ return -ENOENT;
}
#endif
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 72c7607aac209..057ec1a5230d9 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -3804,13 +3804,14 @@ static void hci_tx_work(struct work_struct *work)
static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
{
struct hci_acl_hdr *hdr;
- struct hci_conn *conn;
__u16 handle, flags;
+ int err;
hdr = skb_pull_data(skb, sizeof(*hdr));
if (!hdr) {
bt_dev_err(hdev, "ACL packet too small");
- goto drop;
+ kfree_skb(skb);
+ return;
}
handle = __le16_to_cpu(hdr->handle);
@@ -3822,36 +3823,27 @@ static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
hdev->stat.acl_rx++;
- hci_dev_lock(hdev);
- conn = hci_conn_hash_lookup_handle(hdev, handle);
- hci_dev_unlock(hdev);
-
- if (conn) {
- hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
-
- /* Send to upper protocol */
- l2cap_recv_acldata(conn, skb, flags);
- return;
- } else {
+ err = l2cap_recv_acldata(hdev, handle, skb, flags);
+ if (err == -ENOENT)
bt_dev_err(hdev, "ACL packet for unknown connection handle %d",
handle);
- }
-
-drop:
- kfree_skb(skb);
+ else if (err)
+ bt_dev_dbg(hdev, "ACL packet recv for handle %d failed: %d",
+ handle, err);
}
/* SCO data packet */
static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
{
struct hci_sco_hdr *hdr;
- struct hci_conn *conn;
__u16 handle, flags;
+ int err;
hdr = skb_pull_data(skb, sizeof(*hdr));
if (!hdr) {
bt_dev_err(hdev, "SCO packet too small");
- goto drop;
+ kfree_skb(skb);
+ return;
}
handle = __le16_to_cpu(hdr->handle);
@@ -3863,34 +3855,28 @@ static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
hdev->stat.sco_rx++;
- hci_dev_lock(hdev);
- conn = hci_conn_hash_lookup_handle(hdev, handle);
- hci_dev_unlock(hdev);
+ hci_skb_pkt_status(skb) = flags & 0x03;
- if (conn) {
- /* Send to upper protocol */
- hci_skb_pkt_status(skb) = flags & 0x03;
- sco_recv_scodata(conn, skb);
- return;
- } else {
+ err = sco_recv_scodata(hdev, handle, skb);
+ if (err == -ENOENT)
bt_dev_err_ratelimited(hdev, "SCO packet for unknown connection handle %d",
handle);
- }
-
-drop:
- kfree_skb(skb);
+ else if (err)
+ bt_dev_dbg(hdev, "SCO packet recv for handle %d failed: %d",
+ handle, err);
}
static void hci_isodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
{
struct hci_iso_hdr *hdr;
- struct hci_conn *conn;
__u16 handle, flags;
+ int err;
hdr = skb_pull_data(skb, sizeof(*hdr));
if (!hdr) {
bt_dev_err(hdev, "ISO packet too small");
- goto drop;
+ kfree_skb(skb);
+ return;
}
handle = __le16_to_cpu(hdr->handle);
@@ -3900,22 +3886,13 @@ static void hci_isodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len,
handle, flags);
- hci_dev_lock(hdev);
- conn = hci_conn_hash_lookup_handle(hdev, handle);
- hci_dev_unlock(hdev);
-
- if (!conn) {
+ err = iso_recv(hdev, handle, skb, flags);
+ if (err == -ENOENT)
bt_dev_err(hdev, "ISO packet for unknown connection handle %d",
handle);
- goto drop;
- }
-
- /* Send to upper protocol */
- iso_recv(conn, skb, flags);
- return;
-
-drop:
- kfree_skb(skb);
+ else if (err)
+ bt_dev_dbg(hdev, "ISO packet recv for handle %d failed: %d",
+ handle, err);
}
static bool hci_req_is_complete(struct hci_dev *hdev)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 3d98cb6291da6..616c2fef91d24 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -2314,14 +2314,31 @@ static void iso_disconn_cfm(struct hci_conn *hcon, __u8 reason)
iso_conn_del(hcon, bt_to_errno(reason));
}
-void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
+int iso_recv(struct hci_dev *hdev, u16 handle, struct sk_buff *skb, u16 flags)
{
- struct iso_conn *conn = hcon->iso_data;
+ struct hci_conn *hcon;
+ struct iso_conn *conn;
struct skb_shared_hwtstamps *hwts;
__u16 pb, ts, len, sn;
- if (!conn)
- goto drop;
+ hci_dev_lock(hdev);
+
+ hcon = hci_conn_hash_lookup_handle(hdev, handle);
+ if (!hcon) {
+ hci_dev_unlock(hdev);
+ kfree_skb(skb);
+ return -ENOENT;
+ }
+
+ conn = iso_conn_hold_unless_zero(hcon->iso_data);
+ hcon = NULL;
+
+ hci_dev_unlock(hdev);
+
+ if (!conn) {
+ kfree_skb(skb);
+ return -EINVAL;
+ }
pb = hci_iso_flags_pb(flags);
ts = hci_iso_flags_ts(flags);
@@ -2377,7 +2394,7 @@ void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
hci_skb_pkt_status(skb) = flags & 0x03;
hci_skb_pkt_seqnum(skb) = sn;
iso_recv_frame(conn, skb);
- return;
+ goto done;
}
if (pb == ISO_SINGLE) {
@@ -2455,6 +2472,9 @@ void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
drop:
kfree_skb(skb);
+done:
+ iso_conn_put(conn);
+ return 0;
}
static struct hci_cb iso_cb = {
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 35c57657bcf4e..07b493331fd78 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -7510,13 +7510,24 @@ struct l2cap_conn *l2cap_conn_hold_unless_zero(struct l2cap_conn *c)
return c;
}
-void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
+int l2cap_recv_acldata(struct hci_dev *hdev, u16 handle,
+ struct sk_buff *skb, u16 flags)
{
+ struct hci_conn *hcon;
struct l2cap_conn *conn;
int len;
- /* Lock hdev to access l2cap_data to avoid race with l2cap_conn_del */
- hci_dev_lock(hcon->hdev);
+ /* Lock hdev for hci_conn, and race on l2cap_data vs. l2cap_conn_del */
+ hci_dev_lock(hdev);
+
+ hcon = hci_conn_hash_lookup_handle(hdev, handle);
+ if (!hcon) {
+ hci_dev_unlock(hdev);
+ kfree_skb(skb);
+ return -ENOENT;
+ }
+
+ hci_conn_enter_active_mode(hcon, BT_POWER_FORCE_ACTIVE_OFF);
conn = hcon->l2cap_data;
@@ -7524,12 +7535,13 @@ void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
conn = l2cap_conn_add(hcon);
conn = l2cap_conn_hold_unless_zero(conn);
+ hcon = NULL;
- hci_dev_unlock(hcon->hdev);
+ hci_dev_unlock(hdev);
if (!conn) {
kfree_skb(skb);
- return;
+ return -EINVAL;
}
BT_DBG("conn %p len %u flags 0x%x", conn, skb->len, flags);
@@ -7643,6 +7655,7 @@ void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
unlock:
mutex_unlock(&conn->lock);
l2cap_conn_put(conn);
+ return 0;
}
static struct hci_cb l2cap_cb = {
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index ab0cf442d57b9..298c2a9ab4df8 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -1458,22 +1458,39 @@ static void sco_disconn_cfm(struct hci_conn *hcon, __u8 reason)
sco_conn_del(hcon, bt_to_errno(reason));
}
-void sco_recv_scodata(struct hci_conn *hcon, struct sk_buff *skb)
+int sco_recv_scodata(struct hci_dev *hdev, u16 handle, struct sk_buff *skb)
{
- struct sco_conn *conn = hcon->sco_data;
+ struct hci_conn *hcon;
+ struct sco_conn *conn;
- if (!conn)
- goto drop;
+ hci_dev_lock(hdev);
+
+ hcon = hci_conn_hash_lookup_handle(hdev, handle);
+ if (!hcon) {
+ hci_dev_unlock(hdev);
+ kfree_skb(skb);
+ return -ENOENT;
+ }
+
+ conn = sco_conn_hold_unless_zero(hcon->sco_data);
+ hcon = NULL;
+
+ hci_dev_unlock(hdev);
+
+ if (!conn) {
+ kfree_skb(skb);
+ return -EINVAL;
+ }
BT_DBG("conn %p len %u", conn, skb->len);
- if (skb->len) {
+ if (skb->len)
sco_recv_frame(conn, skb);
- return;
- }
+ else
+ kfree_skb(skb);
-drop:
- kfree_skb(skb);
+ sco_conn_put(conn);
+ return 0;
}
static struct hci_cb sco_cb = {
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 009/146] Bluetooth: SMP: Fix not generating mackey and ltk when repairing
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 008/146] Bluetooth: hci_core: lookup hci_conn on RX path on protocol side Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 010/146] veth: reduce XDP no_direct return section to fix race Greg Kroah-Hartman
` (150 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 545d7827b2cd5de5eb85580cebeda6b35b3ff443 ]
The change eed467b517e8 ("Bluetooth: fix passkey uninitialized when used")
introduced a goto that bypasses the creation of temporary mackey and ltk
which are later used by the likes of DHKey Check step.
Later ffee202a78c2 ("Bluetooth: Always request for user confirmation for
Just Works (LE SC)") which means confirm_hint is always set in case
JUST_WORKS so the branch checking for an existing LTK becomes pointless
as confirm_hint will always be set, so this just merge both cases of
malicious or legitimate devices to be confirmed before continuing with the
pairing procedure.
Link: https://github.com/bluez/bluez/issues/1622
Fixes: eed467b517e8 ("Bluetooth: fix passkey uninitialized when used")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/smp.c | 31 +++++++------------------------
1 file changed, 7 insertions(+), 24 deletions(-)
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 45512b2ba951c..3a1ce04a7a536 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -2136,7 +2136,7 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
struct smp_chan *smp = chan->data;
struct hci_conn *hcon = conn->hcon;
u8 *pkax, *pkbx, *na, *nb, confirm_hint;
- u32 passkey;
+ u32 passkey = 0;
int err;
bt_dev_dbg(hcon->hdev, "conn %p", conn);
@@ -2188,24 +2188,6 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
smp->prnd);
SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
-
- /* Only Just-Works pairing requires extra checks */
- if (smp->method != JUST_WORKS)
- goto mackey_and_ltk;
-
- /* If there already exists long term key in local host, leave
- * the decision to user space since the remote device could
- * be legitimate or malicious.
- */
- if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
- hcon->role)) {
- /* Set passkey to 0. The value can be any number since
- * it'll be ignored anyway.
- */
- passkey = 0;
- confirm_hint = 1;
- goto confirm;
- }
}
mackey_and_ltk:
@@ -2226,11 +2208,12 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
if (err)
return SMP_UNSPECIFIED;
- confirm_hint = 0;
-
-confirm:
- if (smp->method == JUST_WORKS)
- confirm_hint = 1;
+ /* Always require user confirmation for Just-Works pairing to prevent
+ * impersonation attacks, or in case of a legitimate device that is
+ * repairing use the confirmation as acknowledgment to proceed with the
+ * creation of new keys.
+ */
+ confirm_hint = smp->method == JUST_WORKS ? 1 : 0;
err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
hcon->dst_type, passkey, confirm_hint);
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 010/146] veth: reduce XDP no_direct return section to fix race
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 009/146] Bluetooth: SMP: Fix not generating mackey and ltk when repairing Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 011/146] drm/bridge: sii902x: Fix HDMI detection with DRM_BRIDGE_ATTACH_NO_CONNECTOR Greg Kroah-Hartman
` (149 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jesper Dangaard Brouer,
Jakub Kicinski, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jesper Dangaard Brouer <hawk@kernel.org>
[ Upstream commit a14602fcae17a3f1cb8a8521bedf31728f9e7e39 ]
As explain in commit fa349e396e48 ("veth: Fix race with AF_XDP exposing
old or uninitialized descriptors") for veth there is a chance after
napi_complete_done() that another CPU can manage start another NAPI
instance running veth_pool(). For NAPI this is correctly handled as the
napi_schedule_prep() check will prevent multiple instances from getting
scheduled, but for the remaining code in veth_pool() this can run
concurrent with the newly started NAPI instance.
The problem/race is that xdp_clear_return_frame_no_direct() isn't
designed to be nested.
Prior to commit 401cb7dae813 ("net: Reference bpf_redirect_info via
task_struct on PREEMPT_RT.") the temporary BPF net context
bpf_redirect_info was stored per CPU, where this wasn't an issue. Since
this commit the BPF context is stored in 'current' task_struct. When
running veth in threaded-NAPI mode, then the kthread becomes the storage
area. Now a race exists between two concurrent veth_pool() function calls
one exiting NAPI and one running new NAPI, both using the same BPF net
context.
Race is when another CPU gets within the xdp_set_return_frame_no_direct()
section before exiting veth_pool() calls the clear-function
xdp_clear_return_frame_no_direct().
Fixes: 401cb7dae8130 ("net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.")
Signed-off-by: Jesper Dangaard Brouer <hawk@kernel.org>
Link: https://patch.msgid.link/176356963888.337072.4805242001928705046.stgit@firesoul
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/veth.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/net/veth.c b/drivers/net/veth.c
index 35dd89aff4a94..cc502bf022d55 100644
--- a/drivers/net/veth.c
+++ b/drivers/net/veth.c
@@ -975,6 +975,9 @@ static int veth_poll(struct napi_struct *napi, int budget)
if (stats.xdp_redirect > 0)
xdp_do_flush();
+ if (stats.xdp_tx > 0)
+ veth_xdp_flush(rq, &bq);
+ xdp_clear_return_frame_no_direct();
if (done < budget && napi_complete_done(napi, done)) {
/* Write rx_notify_masked before reading ptr_ring */
@@ -987,10 +990,6 @@ static int veth_poll(struct napi_struct *napi, int budget)
}
}
- if (stats.xdp_tx > 0)
- veth_xdp_flush(rq, &bq);
- xdp_clear_return_frame_no_direct();
-
/* Release backpressure per NAPI poll */
smp_rmb(); /* Paired with netif_tx_stop_queue set_bit */
if (peer_txq && netif_tx_queue_stopped(peer_txq)) {
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 011/146] drm/bridge: sii902x: Fix HDMI detection with DRM_BRIDGE_ATTACH_NO_CONNECTOR
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 010/146] veth: reduce XDP no_direct return section to fix race Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 012/146] net: phy: mxl-gpy: fix bogus error on USXGMII and integrated PHY Greg Kroah-Hartman
` (148 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Devarsh Thakkar, Tomi Valkeinen,
Neil Armstrong, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Devarsh Thakkar <devarsht@ti.com>
[ Upstream commit d6732ef4ab252e5753be7acad87b0a91cfd06953 ]
The sii902x driver was caching HDMI detection state in a sink_is_hdmi field
and checking it in mode_set() to determine whether to set HDMI or DVI
output mode. This approach had two problems:
1. With DRM_BRIDGE_ATTACH_NO_CONNECTOR (used by modern display drivers like
TIDSS), the bridge's get_modes() is never called. Instead, the
drm_bridge_connector helper calls the bridge's edid_read() and updates the
connector itself. This meant sink_is_hdmi was never populated, causing the
driver to default to DVI mode and breaking HDMI audio.
2. The mode_set() callback doesn't receive atomic state or connector
pointer, making it impossible to check connector->display_info.is_hdmi
directly at that point.
Fix this by moving the HDMI vs DVI decision from mode_set() to
atomic_enable(), where we can access the connector via
drm_atomic_get_new_connector_for_encoder(). This works for both connector
models:
- With DRM_BRIDGE_ATTACH_NO_CONNECTOR: Returns the drm_bridge_connector
created by the display driver, which has already been updated by the
helper's call to drm_edid_connector_update()
- Without DRM_BRIDGE_ATTACH_NO_CONNECTOR (legacy): Returns the connector
embedded in sii902x struct, which gets updated by the bridge's own
get_modes()
Fixes: 3de47e1309c2 ("drm/bridge: sii902x: use display info is_hdmi")
Signed-off-by: Devarsh Thakkar <devarsht@ti.com>
Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20251030151635.3019864-1-devarsht@ti.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/bridge/sii902x.c | 20 ++++++++------------
1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/drivers/gpu/drm/bridge/sii902x.c b/drivers/gpu/drm/bridge/sii902x.c
index d537b1d036fb0..1f0aba28ad1e1 100644
--- a/drivers/gpu/drm/bridge/sii902x.c
+++ b/drivers/gpu/drm/bridge/sii902x.c
@@ -179,7 +179,6 @@ struct sii902x {
struct drm_connector connector;
struct gpio_desc *reset_gpio;
struct i2c_mux_core *i2cmux;
- bool sink_is_hdmi;
u32 bus_width;
/*
@@ -315,8 +314,6 @@ static int sii902x_get_modes(struct drm_connector *connector)
drm_edid_free(drm_edid);
}
- sii902x->sink_is_hdmi = connector->display_info.is_hdmi;
-
return num;
}
@@ -342,9 +339,17 @@ static void sii902x_bridge_atomic_enable(struct drm_bridge *bridge,
struct drm_atomic_state *state)
{
struct sii902x *sii902x = bridge_to_sii902x(bridge);
+ struct drm_connector *connector;
+ u8 output_mode = SII902X_SYS_CTRL_OUTPUT_DVI;
+
+ connector = drm_atomic_get_new_connector_for_encoder(state, bridge->encoder);
+ if (connector && connector->display_info.is_hdmi)
+ output_mode = SII902X_SYS_CTRL_OUTPUT_HDMI;
mutex_lock(&sii902x->mutex);
+ regmap_update_bits(sii902x->regmap, SII902X_SYS_CTRL_DATA,
+ SII902X_SYS_CTRL_OUTPUT_MODE, output_mode);
regmap_update_bits(sii902x->regmap, SII902X_PWR_STATE_CTRL,
SII902X_AVI_POWER_STATE_MSK,
SII902X_AVI_POWER_STATE_D(0));
@@ -359,16 +364,12 @@ static void sii902x_bridge_mode_set(struct drm_bridge *bridge,
const struct drm_display_mode *adj)
{
struct sii902x *sii902x = bridge_to_sii902x(bridge);
- u8 output_mode = SII902X_SYS_CTRL_OUTPUT_DVI;
struct regmap *regmap = sii902x->regmap;
u8 buf[HDMI_INFOFRAME_SIZE(AVI)];
struct hdmi_avi_infoframe frame;
u16 pixel_clock_10kHz = adj->clock / 10;
int ret;
- if (sii902x->sink_is_hdmi)
- output_mode = SII902X_SYS_CTRL_OUTPUT_HDMI;
-
buf[0] = pixel_clock_10kHz & 0xff;
buf[1] = pixel_clock_10kHz >> 8;
buf[2] = drm_mode_vrefresh(adj);
@@ -384,11 +385,6 @@ static void sii902x_bridge_mode_set(struct drm_bridge *bridge,
mutex_lock(&sii902x->mutex);
- ret = regmap_update_bits(sii902x->regmap, SII902X_SYS_CTRL_DATA,
- SII902X_SYS_CTRL_OUTPUT_MODE, output_mode);
- if (ret)
- goto out;
-
ret = regmap_bulk_write(regmap, SII902X_TPI_VIDEO_DATA, buf, 10);
if (ret)
goto out;
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 012/146] net: phy: mxl-gpy: fix bogus error on USXGMII and integrated PHY
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 011/146] drm/bridge: sii902x: Fix HDMI detection with DRM_BRIDGE_ATTACH_NO_CONNECTOR Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 013/146] platform/x86: intel: punit_ipc: fix memory corruption Greg Kroah-Hartman
` (147 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Golle, Maxime Chevallier,
Russell King (Oracle), Jakub Kicinski, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Golle <daniel@makrotopia.org>
[ Upstream commit ec3803b5917b6ff2f86ea965d0985c95d8a85119 ]
As the interface mode doesn't need to be updated on PHYs connected with
USXGMII and integrated PHYs, gpy_update_interface() should just return 0
in these cases rather than -EINVAL which has wrongly been introduced by
commit 7a495dde27ebc ("net: phy: mxl-gpy: Change gpy_update_interface()
function return type"), as this breaks support for those PHYs.
Fixes: 7a495dde27ebc ("net: phy: mxl-gpy: Change gpy_update_interface() function return type")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Link: https://patch.msgid.link/f744f721a1fcc5e2e936428c62ff2c7d94d2a293.1763648168.git.daniel@makrotopia.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/mxl-gpy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/phy/mxl-gpy.c b/drivers/net/phy/mxl-gpy.c
index 0c8dc16ee7bde..221b315203d06 100644
--- a/drivers/net/phy/mxl-gpy.c
+++ b/drivers/net/phy/mxl-gpy.c
@@ -540,7 +540,7 @@ static int gpy_update_interface(struct phy_device *phydev)
/* Interface mode is fixed for USXGMII and integrated PHY */
if (phydev->interface == PHY_INTERFACE_MODE_USXGMII ||
phydev->interface == PHY_INTERFACE_MODE_INTERNAL)
- return -EINVAL;
+ return 0;
/* Automatically switch SERDES interface between SGMII and 2500-BaseX
* according to speed. Disable ANEG in 2500-BaseX mode.
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 013/146] platform/x86: intel: punit_ipc: fix memory corruption
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 012/146] net: phy: mxl-gpy: fix bogus error on USXGMII and integrated PHY Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 014/146] net: aquantia: Add missing descriptor cache invalidation on ATL2 Greg Kroah-Hartman
` (146 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Ilpo Järvinen,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 9b9c0adbc3f8a524d291baccc9d0c04097fb4869 ]
This passes the address of the pointer "&punit_ipcdev" when the intent
was to pass the pointer itself "punit_ipcdev" (without the ampersand).
This means that the:
complete(&ipcdev->cmd_complete);
in intel_punit_ioc() will write to a wrong memory address corrupting it.
Fixes: fdca4f16f57d ("platform:x86: add Intel P-Unit mailbox IPC driver")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/aSCmoBipSQ_tlD-D@stanley.mountain
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/intel/punit_ipc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/platform/x86/intel/punit_ipc.c b/drivers/platform/x86/intel/punit_ipc.c
index bafac8aa2baf6..14513010daadf 100644
--- a/drivers/platform/x86/intel/punit_ipc.c
+++ b/drivers/platform/x86/intel/punit_ipc.c
@@ -250,7 +250,7 @@ static int intel_punit_ipc_probe(struct platform_device *pdev)
} else {
ret = devm_request_irq(&pdev->dev, irq, intel_punit_ioc,
IRQF_NO_SUSPEND, "intel_punit_ipc",
- &punit_ipcdev);
+ punit_ipcdev);
if (ret) {
dev_err(&pdev->dev, "Failed to request irq: %d\n", irq);
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 014/146] net: aquantia: Add missing descriptor cache invalidation on ATL2
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 013/146] platform/x86: intel: punit_ipc: fix memory corruption Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 015/146] net: phy: mxl-gpy: fix link properties on USXGMII and internal PHYs Greg Kroah-Hartman
` (145 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Carol Soto, Kai-Heng Feng,
Simon Horman, Paolo Abeni, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kai-Heng Feng <kaihengf@nvidia.com>
[ Upstream commit 7526183cfdbe352c51c285762f0e15b7c428ea06 ]
ATL2 hardware was missing descriptor cache invalidation in hw_stop(),
causing SMMU translation faults during device shutdown and module removal:
[ 70.355743] arm-smmu-v3 arm-smmu-v3.5.auto: event 0x10 received:
[ 70.361893] arm-smmu-v3 arm-smmu-v3.5.auto: 0x0002060000000010
[ 70.367948] arm-smmu-v3 arm-smmu-v3.5.auto: 0x0000020000000000
[ 70.374002] arm-smmu-v3 arm-smmu-v3.5.auto: 0x00000000ff9bc000
[ 70.380055] arm-smmu-v3 arm-smmu-v3.5.auto: 0x0000000000000000
[ 70.386109] arm-smmu-v3 arm-smmu-v3.5.auto: event: F_TRANSLATION client: 0001:06:00.0 sid: 0x20600 ssid: 0x0 iova: 0xff9bc000 ipa: 0x0
[ 70.398531] arm-smmu-v3 arm-smmu-v3.5.auto: unpriv data write s1 "Input address caused fault" stag: 0x0
Commit 7a1bb49461b1 ("net: aquantia: fix potential IOMMU fault after
driver unbind") and commit ed4d81c4b3f2 ("net: aquantia: when cleaning
hw cache it should be toggled") fixed cache invalidation for ATL B0, but
ATL2 was left with only interrupt disabling. This allowed hardware to
write to cached descriptors after DMA memory was unmapped, triggering
SMMU faults. Once cache invalidation is applied to ATL2, the translation
fault can't be observed anymore.
Add shared aq_hw_invalidate_descriptor_cache() helper and use it in both
ATL B0 and ATL2 hw_stop() implementations for consistent behavior.
Fixes: e54dcf4bba3e ("net: atlantic: basic A2 init/deinit hw_ops")
Tested-by: Carol Soto <csoto@nvidia.com>
Signed-off-by: Kai-Heng Feng <kaihengf@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251120041537.62184-1-kaihengf@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/aquantia/atlantic/aq_hw_utils.c | 22 +++++++++++++++++++
.../ethernet/aquantia/atlantic/aq_hw_utils.h | 1 +
.../aquantia/atlantic/hw_atl/hw_atl_b0.c | 19 +---------------
.../aquantia/atlantic/hw_atl2/hw_atl2.c | 2 +-
4 files changed, 25 insertions(+), 19 deletions(-)
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_hw_utils.c b/drivers/net/ethernet/aquantia/atlantic/aq_hw_utils.c
index 1921741f7311d..18b08277d2e1a 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_hw_utils.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_hw_utils.c
@@ -15,6 +15,7 @@
#include "aq_hw.h"
#include "aq_nic.h"
+#include "hw_atl/hw_atl_llh.h"
void aq_hw_write_reg_bit(struct aq_hw_s *aq_hw, u32 addr, u32 msk,
u32 shift, u32 val)
@@ -81,6 +82,27 @@ void aq_hw_write_reg64(struct aq_hw_s *hw, u32 reg, u64 value)
lo_hi_writeq(value, hw->mmio + reg);
}
+int aq_hw_invalidate_descriptor_cache(struct aq_hw_s *hw)
+{
+ int err;
+ u32 val;
+
+ /* Invalidate Descriptor Cache to prevent writing to the cached
+ * descriptors and to the data pointer of those descriptors
+ */
+ hw_atl_rdm_rx_dma_desc_cache_init_tgl(hw);
+
+ err = aq_hw_err_from_flags(hw);
+ if (err)
+ goto err_exit;
+
+ readx_poll_timeout_atomic(hw_atl_rdm_rx_dma_desc_cache_init_done_get,
+ hw, val, val == 1, 1000U, 10000U);
+
+err_exit:
+ return err;
+}
+
int aq_hw_err_from_flags(struct aq_hw_s *hw)
{
int err = 0;
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_hw_utils.h b/drivers/net/ethernet/aquantia/atlantic/aq_hw_utils.h
index ffa6e4067c211..d89c63d88e4a4 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_hw_utils.h
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_hw_utils.h
@@ -35,6 +35,7 @@ u32 aq_hw_read_reg(struct aq_hw_s *hw, u32 reg);
void aq_hw_write_reg(struct aq_hw_s *hw, u32 reg, u32 value);
u64 aq_hw_read_reg64(struct aq_hw_s *hw, u32 reg);
void aq_hw_write_reg64(struct aq_hw_s *hw, u32 reg, u64 value);
+int aq_hw_invalidate_descriptor_cache(struct aq_hw_s *hw);
int aq_hw_err_from_flags(struct aq_hw_s *hw);
int aq_hw_num_tcs(struct aq_hw_s *hw);
int aq_hw_q_per_tc(struct aq_hw_s *hw);
diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
index 493432d036b9a..c7895bfb2ecf8 100644
--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
+++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
@@ -1198,26 +1198,9 @@ static int hw_atl_b0_hw_interrupt_moderation_set(struct aq_hw_s *self)
static int hw_atl_b0_hw_stop(struct aq_hw_s *self)
{
- int err;
- u32 val;
-
hw_atl_b0_hw_irq_disable(self, HW_ATL_B0_INT_MASK);
- /* Invalidate Descriptor Cache to prevent writing to the cached
- * descriptors and to the data pointer of those descriptors
- */
- hw_atl_rdm_rx_dma_desc_cache_init_tgl(self);
-
- err = aq_hw_err_from_flags(self);
-
- if (err)
- goto err_exit;
-
- readx_poll_timeout_atomic(hw_atl_rdm_rx_dma_desc_cache_init_done_get,
- self, val, val == 1, 1000U, 10000U);
-
-err_exit:
- return err;
+ return aq_hw_invalidate_descriptor_cache(self);
}
int hw_atl_b0_hw_ring_tx_stop(struct aq_hw_s *self, struct aq_ring_s *ring)
diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2.c
index b0ed572e88c67..0ce9caae8799c 100644
--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2.c
+++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2.c
@@ -759,7 +759,7 @@ static int hw_atl2_hw_stop(struct aq_hw_s *self)
{
hw_atl_b0_hw_irq_disable(self, HW_ATL2_INT_MASK);
- return 0;
+ return aq_hw_invalidate_descriptor_cache(self);
}
static struct aq_stats_s *hw_atl2_utils_get_hw_stats(struct aq_hw_s *self)
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 015/146] net: phy: mxl-gpy: fix link properties on USXGMII and internal PHYs
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 014/146] net: aquantia: Add missing descriptor cache invalidation on ATL2 Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 016/146] net: lan966x: Fix the initialization of taprio Greg Kroah-Hartman
` (144 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Russell King (Oracle), Daniel Golle,
Paolo Abeni, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Golle <daniel@makrotopia.org>
[ Upstream commit 081156ce13f8fa4e97b5148dc54d8c0ddf02117b ]
gpy_update_interface() returns early in case the PHY is internal or
connected via USXGMII. In this case the gigabit master/slave property
as well as MDI/MDI-X status also won't be read which seems wrong.
Always read those properties by moving the logic to retrieve them to
gpy_read_status().
Fixes: fd8825cd8c6fc ("net: phy: mxl-gpy: Add PHY Auto/MDI/MDI-X set driver for GPY211 chips")
Fixes: 311abcdddc00a ("net: phy: add support to get Master-Slave configuration")
Suggested-by: "Russell King (Oracle)" <linux@armlinux.org.uk>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Link: https://patch.msgid.link/71fccf3f56742116eb18cc070d2a9810479ea7f9.1763650701.git.daniel@makrotopia.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/mxl-gpy.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/drivers/net/phy/mxl-gpy.c b/drivers/net/phy/mxl-gpy.c
index 221b315203d06..2a873f791733a 100644
--- a/drivers/net/phy/mxl-gpy.c
+++ b/drivers/net/phy/mxl-gpy.c
@@ -578,13 +578,7 @@ static int gpy_update_interface(struct phy_device *phydev)
break;
}
- if (phydev->speed == SPEED_2500 || phydev->speed == SPEED_1000) {
- ret = genphy_read_master_slave(phydev);
- if (ret < 0)
- return ret;
- }
-
- return gpy_update_mdix(phydev);
+ return 0;
}
static int gpy_read_status(struct phy_device *phydev)
@@ -639,6 +633,16 @@ static int gpy_read_status(struct phy_device *phydev)
ret = gpy_update_interface(phydev);
if (ret < 0)
return ret;
+
+ if (phydev->speed == SPEED_2500 || phydev->speed == SPEED_1000) {
+ ret = genphy_read_master_slave(phydev);
+ if (ret < 0)
+ return ret;
+ }
+
+ ret = gpy_update_mdix(phydev);
+ if (ret < 0)
+ return ret;
}
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 016/146] net: lan966x: Fix the initialization of taprio
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 015/146] net: phy: mxl-gpy: fix link properties on USXGMII and internal PHYs Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 017/146] drm/xe: Fix conversion from clock ticks to milliseconds Greg Kroah-Hartman
` (143 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Horatiu Vultur, Simon Horman,
Paolo Abeni, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Horatiu Vultur <horatiu.vultur@microchip.com>
[ Upstream commit 9780f535f8e0f20b4632b5a173ead71aa8f095d2 ]
To initialize the taprio block in lan966x, it is required to configure
the register REVISIT_DLY. The purpose of this register is to set the
delay before revisit the next gate and the value of this register depends
on the system clock. The problem is that the we calculated wrong the value
of the system clock period in picoseconds. The actual system clock is
~165.617754MHZ and this correspond to a period of 6038 pico seconds and
not 15125 as currently set.
Fixes: e462b2717380b4 ("net: lan966x: Add offload support for taprio")
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251121061411.810571-1-horatiu.vultur@microchip.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microchip/lan966x/lan966x_ptp.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_ptp.c b/drivers/net/ethernet/microchip/lan966x/lan966x_ptp.c
index b4377b8613c3a..8c40db90ee8f6 100644
--- a/drivers/net/ethernet/microchip/lan966x/lan966x_ptp.c
+++ b/drivers/net/ethernet/microchip/lan966x/lan966x_ptp.c
@@ -1,11 +1,14 @@
// SPDX-License-Identifier: GPL-2.0+
#include <linux/ptp_classify.h>
+#include <linux/units.h>
#include "lan966x_main.h"
#include "vcap_api.h"
#include "vcap_api_client.h"
+#define LAN9X66_CLOCK_RATE 165617754
+
#define LAN966X_MAX_PTP_ID 512
/* Represents 1ppm adjustment in 2^59 format with 6.037735849ns as reference
@@ -1126,5 +1129,5 @@ void lan966x_ptp_rxtstamp(struct lan966x *lan966x, struct sk_buff *skb,
u32 lan966x_ptp_get_period_ps(void)
{
/* This represents the system clock period in picoseconds */
- return 15125;
+ return PICO / LAN9X66_CLOCK_RATE;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 017/146] drm/xe: Fix conversion from clock ticks to milliseconds
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 016/146] net: lan966x: Fix the initialization of taprio Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 018/146] net/mlx5e: Fix validation logic in rate limiting Greg Kroah-Hartman
` (142 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ashutosh Dixit, Harish Chegondi,
Umesh Nerlige Ramappa, Lucas De Marchi, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harish Chegondi <harish.chegondi@intel.com>
[ Upstream commit 7276878b069c57d9a9cca5db01d2f7a427b73456 ]
When tick counts are large and multiplication by MSEC_PER_SEC is larger
than 64 bits, the conversion from clock ticks to milliseconds can go bad.
Use mul_u64_u32_div() instead.
Cc: Ashutosh Dixit <ashutosh.dixit@intel.com>
Signed-off-by: Harish Chegondi <harish.chegondi@intel.com>
Suggested-by: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com>
Fixes: 49cc215aad7f ("drm/xe: Add xe_gt_clock_interval_to_ms helper")
Reviewed-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
Link: https://patch.msgid.link/1562f1b62d5be3fbaee100f09107f3cc49e40dd1.1763408584.git.harish.chegondi@intel.com
(cherry picked from commit 96b93ac214f9dd66294d975d86c5dee256faef91)
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/xe_gt_clock.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/xe/xe_gt_clock.c b/drivers/gpu/drm/xe/xe_gt_clock.c
index 4f011d1573c65..f65d1edd05671 100644
--- a/drivers/gpu/drm/xe/xe_gt_clock.c
+++ b/drivers/gpu/drm/xe/xe_gt_clock.c
@@ -93,11 +93,6 @@ int xe_gt_clock_init(struct xe_gt *gt)
return 0;
}
-static u64 div_u64_roundup(u64 n, u32 d)
-{
- return div_u64(n + d - 1, d);
-}
-
/**
* xe_gt_clock_interval_to_ms - Convert sampled GT clock ticks to msec
*
@@ -108,5 +103,5 @@ static u64 div_u64_roundup(u64 n, u32 d)
*/
u64 xe_gt_clock_interval_to_ms(struct xe_gt *gt, u64 count)
{
- return div_u64_roundup(count * MSEC_PER_SEC, gt->info.reference_clock);
+ return mul_u64_u32_div(count, MSEC_PER_SEC, gt->info.reference_clock);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 018/146] net/mlx5e: Fix validation logic in rate limiting
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 017/146] drm/xe: Fix conversion from clock ticks to milliseconds Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 019/146] team: Move team device type change at the end of team_port_add Greg Kroah-Hartman
` (141 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Danielle Costantino, Gal Pressman,
Jakub Kicinski, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Danielle Costantino <dcostantino@meta.com>
[ Upstream commit d2099d9f16dbfa1c5266d4230ff7860047bb0b68 ]
The rate limiting validation condition currently checks the output
variable max_bw_value[i] instead of the input value
maxrate->tc_maxrate[i]. This causes the validation to compare an
uninitialized or stale value rather than the actual requested rate.
The condition should check the input rate to properly validate against
the upper limit:
} else if (maxrate->tc_maxrate[i] <= upper_limit_gbps) {
This aligns with the pattern used in the first branch, which correctly
checks maxrate->tc_maxrate[i] against upper_limit_mbps.
The current implementation can lead to unreliable validation behavior:
- For rates between 25.5 Gbps and 255 Gbps, if max_bw_value[i] is 0
from initialization, the GBPS path may be taken regardless of whether
the actual rate is within bounds
- When processing multiple TCs (i > 0), max_bw_value[i] contains the
value computed for the previous TC, affecting the validation logic
- The overflow check for rates exceeding 255 Gbps may not trigger
consistently depending on previous array values
This patch ensures the validation correctly examines the requested rate
value for proper bounds checking.
Fixes: 43b27d1bd88a ("net/mlx5e: Fix wraparound in rate limiting for values above 255 Gbps")
Signed-off-by: Danielle Costantino <dcostantino@meta.com>
Reviewed-by: Gal Pressman <gal@nvidia.com>
Link: https://patch.msgid.link/20251124180043.2314428-1-dcostantino@meta.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
index 9b93da4d52f64..cf8f14ce4cd50 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
@@ -627,7 +627,7 @@ static int mlx5e_dcbnl_ieee_setmaxrate(struct net_device *netdev,
MLX5E_100MB);
max_bw_value[i] = max_bw_value[i] ? max_bw_value[i] : 1;
max_bw_unit[i] = MLX5_100_MBPS_UNIT;
- } else if (max_bw_value[i] <= upper_limit_gbps) {
+ } else if (maxrate->tc_maxrate[i] <= upper_limit_gbps) {
max_bw_value[i] = div_u64(maxrate->tc_maxrate[i],
MLX5E_1GB);
max_bw_unit[i] = MLX5_GBPS_UNIT;
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 019/146] team: Move team device type change at the end of team_port_add
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 018/146] net/mlx5e: Fix validation logic in rate limiting Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 020/146] net: sxgbe: fix potential NULL dereference in sxgbe_rx() Greg Kroah-Hartman
` (140 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+a2a3b519de727b0f7903,
Nikola Z. Ivanov, Jiri Pirko, Jakub Kicinski, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikola Z. Ivanov <zlatistiv@gmail.com>
[ Upstream commit 0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef ]
Attempting to add a port device that is already up will expectedly fail,
but not before modifying the team device header_ops.
In the case of the syzbot reproducer the gre0 device is
already in state UP when it attempts to add it as a
port device of team0, this fails but before that
header_ops->create of team0 is changed from eth_header to ipgre_header
in the call to team_dev_type_check_change.
Later when we end up in ipgre_header() struct ip_tunnel* points to nonsense
as the private data of the device still holds a struct team.
Example sequence of iproute2 commands to reproduce the hang/BUG():
ip link add dev team0 type team
ip link add dev gre0 type gre
ip link set dev gre0 up
ip link set dev gre0 master team0
ip link set dev team0 up
ping -I team0 1.1.1.1
Move team_dev_type_check_change down where all other checks have passed
as it changes the dev type with no way to restore it in case
one of the checks that follow it fail.
Also make sure to preserve the origial mtu assignment:
- If port_dev is not the same type as dev, dev takes mtu from port_dev
- If port_dev is the same type as dev, port_dev takes mtu from dev
This is done by adding a conditional before the call to dev_set_mtu
to prevent it from assigning port_dev->mtu = dev->mtu and instead
letting team_dev_type_check_change assign dev->mtu = port_dev->mtu.
The conditional is needed because the patch moves the call to
team_dev_type_check_change past dev_set_mtu.
Testing:
- team device driver in-tree selftests
- Add/remove various devices as slaves of team device
- syzbot
Reported-by: syzbot+a2a3b519de727b0f7903@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a2a3b519de727b0f7903
Fixes: 1d76efe1577b ("team: add support for non-ethernet devices")
Signed-off-by: Nikola Z. Ivanov <zlatistiv@gmail.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Link: https://patch.msgid.link/20251122002027.695151-1-zlatistiv@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/team/team_core.c | 23 +++++++++++++++--------
1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c
index 17f07eb0ee52a..25562b17debe1 100644
--- a/drivers/net/team/team_core.c
+++ b/drivers/net/team/team_core.c
@@ -1191,10 +1191,6 @@ static int team_port_add(struct team *team, struct net_device *port_dev,
return -EPERM;
}
- err = team_dev_type_check_change(dev, port_dev);
- if (err)
- return err;
-
if (port_dev->flags & IFF_UP) {
NL_SET_ERR_MSG(extack, "Device is up. Set it down before adding it as a team port");
netdev_err(dev, "Device %s is up. Set it down before adding it as a team port\n",
@@ -1212,10 +1208,16 @@ static int team_port_add(struct team *team, struct net_device *port_dev,
INIT_LIST_HEAD(&port->qom_list);
port->orig.mtu = port_dev->mtu;
- err = dev_set_mtu(port_dev, dev->mtu);
- if (err) {
- netdev_dbg(dev, "Error %d calling dev_set_mtu\n", err);
- goto err_set_mtu;
+ /*
+ * MTU assignment will be handled in team_dev_type_check_change
+ * if dev and port_dev are of different types
+ */
+ if (dev->type == port_dev->type) {
+ err = dev_set_mtu(port_dev, dev->mtu);
+ if (err) {
+ netdev_dbg(dev, "Error %d calling dev_set_mtu\n", err);
+ goto err_set_mtu;
+ }
}
memcpy(port->orig.dev_addr, port_dev->dev_addr, port_dev->addr_len);
@@ -1290,6 +1292,10 @@ static int team_port_add(struct team *team, struct net_device *port_dev,
}
}
+ err = team_dev_type_check_change(dev, port_dev);
+ if (err)
+ goto err_set_dev_type;
+
if (dev->flags & IFF_UP) {
netif_addr_lock_bh(dev);
dev_uc_sync_multiple(port_dev, dev);
@@ -1308,6 +1314,7 @@ static int team_port_add(struct team *team, struct net_device *port_dev,
return 0;
+err_set_dev_type:
err_set_slave_promisc:
__team_option_inst_del_port(team, port);
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 020/146] net: sxgbe: fix potential NULL dereference in sxgbe_rx()
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 019/146] team: Move team device type change at the end of team_port_add Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 021/146] xsk: avoid overwriting skb fields for multi-buffer traffic Greg Kroah-Hartman
` (139 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Kodanev, Simon Horman,
Jakub Kicinski, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
[ Upstream commit f5bce28f6b9125502abec4a67d68eabcd24b3b17 ]
Currently, when skb is null, the driver prints an error and then
dereferences skb on the next line.
To fix this, let's add a 'break' after the error message to switch
to sxgbe_rx_refill(), which is similar to the approach taken by the
other drivers in this particular case, e.g. calxeda with xgmac_rx().
Found during a code review.
Fixes: 1edb9ca69e8a ("net: sxgbe: add basic framework for Samsung 10Gb ethernet driver")
Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251121123834.97748-1-aleksei.kodanev@bell-sw.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c b/drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c
index 75bad561b3525..849c5a6c2af1e 100644
--- a/drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c
+++ b/drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c
@@ -1521,8 +1521,10 @@ static int sxgbe_rx(struct sxgbe_priv_data *priv, int limit)
skb = priv->rxq[qnum]->rx_skbuff[entry];
- if (unlikely(!skb))
+ if (unlikely(!skb)) {
netdev_err(priv->dev, "rx descriptor is not consistent\n");
+ break;
+ }
prefetch(skb->data - NET_IP_ALIGN);
priv->rxq[qnum]->rx_skbuff[entry] = NULL;
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 021/146] xsk: avoid overwriting skb fields for multi-buffer traffic
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 020/146] net: sxgbe: fix potential NULL dereference in sxgbe_rx() Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 022/146] xsk: avoid data corruption on cq descriptor number Greg Kroah-Hartman
` (138 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maciej Fijalkowski,
Stanislav Fomichev, Jason Xing, Martin KaFai Lau, Jakub Kicinski,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
[ Upstream commit c30d084960cf316c95fbf145d39974ce1ff7889c ]
We are unnecessarily setting a bunch of skb fields per each processed
descriptor, which is redundant for fragmented frames.
Let us set these respective members for first fragment only. To address
both paths that we have within xsk_build_skb(), move assignments onto
xsk_set_destructor_arg() and rename it to xsk_skb_init_misc().
Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://patch.msgid.link/20250925160009.2474816-2-maciej.fijalkowski@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 0ebc27a4c67d ("xsk: avoid data corruption on cq descriptor number")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xdp/xsk.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
index 72e34bd2d925c..01f258894faeb 100644
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -618,11 +618,16 @@ static void xsk_destruct_skb(struct sk_buff *skb)
sock_wfree(skb);
}
-static void xsk_set_destructor_arg(struct sk_buff *skb, u64 addr)
+static void xsk_skb_init_misc(struct sk_buff *skb, struct xdp_sock *xs,
+ u64 addr)
{
BUILD_BUG_ON(sizeof(struct xsk_addr_head) > sizeof(skb->cb));
INIT_LIST_HEAD(&XSKCB(skb)->addrs_list);
+ skb->dev = xs->dev;
+ skb->priority = READ_ONCE(xs->sk.sk_priority);
+ skb->mark = READ_ONCE(xs->sk.sk_mark);
XSKCB(skb)->num_descs = 0;
+ skb->destructor = xsk_destruct_skb;
skb_shinfo(skb)->destructor_arg = (void *)(uintptr_t)addr;
}
@@ -673,7 +678,7 @@ static struct sk_buff *xsk_build_skb_zerocopy(struct xdp_sock *xs,
skb_reserve(skb, hr);
- xsk_set_destructor_arg(skb, desc->addr);
+ xsk_skb_init_misc(skb, xs, desc->addr);
} else {
xsk_addr = kmem_cache_zalloc(xsk_tx_generic_cache, GFP_KERNEL);
if (!xsk_addr)
@@ -757,7 +762,7 @@ static struct sk_buff *xsk_build_skb(struct xdp_sock *xs,
if (unlikely(err))
goto free_err;
- xsk_set_destructor_arg(skb, desc->addr);
+ xsk_skb_init_misc(skb, xs, desc->addr);
} else {
int nr_frags = skb_shinfo(skb)->nr_frags;
struct xsk_addr_node *xsk_addr;
@@ -826,14 +831,10 @@ static struct sk_buff *xsk_build_skb(struct xdp_sock *xs,
if (meta->flags & XDP_TXMD_FLAGS_LAUNCH_TIME)
skb->skb_mstamp_ns = meta->request.launch_time;
+ xsk_tx_metadata_to_compl(meta, &skb_shinfo(skb)->xsk_meta);
}
}
- skb->dev = dev;
- skb->priority = READ_ONCE(xs->sk.sk_priority);
- skb->mark = READ_ONCE(xs->sk.sk_mark);
- skb->destructor = xsk_destruct_skb;
- xsk_tx_metadata_to_compl(meta, &skb_shinfo(skb)->xsk_meta);
xsk_inc_num_desc(skb);
return skb;
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 022/146] xsk: avoid data corruption on cq descriptor number
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 021/146] xsk: avoid overwriting skb fields for multi-buffer traffic Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 023/146] drm/amdgpu: fix cyan_skillfish2 gpu info fw handling Greg Kroah-Hartman
` (137 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski,
Fernando Fernandez Mancera, Maciej Fijalkowski, Jason Xing,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit 0ebc27a4c67d44e5ce88d21cdad8201862b78837 ]
Since commit 30f241fcf52a ("xsk: Fix immature cq descriptor
production"), the descriptor number is stored in skb control block and
xsk_cq_submit_addr_locked() relies on it to put the umem addrs onto
pool's completion queue.
skb control block shouldn't be used for this purpose as after transmit
xsk doesn't have control over it and other subsystems could use it. This
leads to the following kernel panic due to a NULL pointer dereference.
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 2 UID: 1 PID: 927 Comm: p4xsk.bin Not tainted 6.16.12+deb14-cloud-amd64 #1 PREEMPT(lazy) Debian 6.16.12-1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
RIP: 0010:xsk_destruct_skb+0xd0/0x180
[...]
Call Trace:
<IRQ>
? napi_complete_done+0x7a/0x1a0
ip_rcv_core+0x1bb/0x340
ip_rcv+0x30/0x1f0
__netif_receive_skb_one_core+0x85/0xa0
process_backlog+0x87/0x130
__napi_poll+0x28/0x180
net_rx_action+0x339/0x420
handle_softirqs+0xdc/0x320
? handle_edge_irq+0x90/0x1e0
do_softirq.part.0+0x3b/0x60
</IRQ>
<TASK>
__local_bh_enable_ip+0x60/0x70
__dev_direct_xmit+0x14e/0x1f0
__xsk_generic_xmit+0x482/0xb70
? __remove_hrtimer+0x41/0xa0
? __xsk_generic_xmit+0x51/0xb70
? _raw_spin_unlock_irqrestore+0xe/0x40
xsk_sendmsg+0xda/0x1c0
__sys_sendto+0x1ee/0x200
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x84/0x2f0
? __pfx_pollwake+0x10/0x10
? __rseq_handle_notify_resume+0xad/0x4c0
? restore_fpregs_from_fpstate+0x3c/0x90
? switch_fpu_return+0x5b/0xe0
? do_syscall_64+0x204/0x2f0
? do_syscall_64+0x204/0x2f0
? do_syscall_64+0x204/0x2f0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
[...]
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: 0x1c000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
Instead use the skb destructor_arg pointer along with pointer tagging.
As pointers are always aligned to 8B, use the bottom bit to indicate
whether this a single address or an allocated struct containing several
addresses.
Fixes: 30f241fcf52a ("xsk: Fix immature cq descriptor production")
Closes: https://lore.kernel.org/netdev/0435b904-f44f-48f8-afb0-68868474bf1c@nop.hu/
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
Link: https://patch.msgid.link/20251124171409.3845-1-fmancera@suse.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xdp/xsk.c | 143 +++++++++++++++++++++++++++++++-------------------
1 file changed, 88 insertions(+), 55 deletions(-)
diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
index 01f258894faeb..78fc25e88d7c3 100644
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -36,20 +36,13 @@
#define TX_BATCH_SIZE 32
#define MAX_PER_SOCKET_BUDGET 32
-struct xsk_addr_node {
- u64 addr;
- struct list_head addr_node;
-};
-
-struct xsk_addr_head {
+struct xsk_addrs {
u32 num_descs;
- struct list_head addrs_list;
+ u64 addrs[MAX_SKB_FRAGS + 1];
};
static struct kmem_cache *xsk_tx_generic_cache;
-#define XSKCB(skb) ((struct xsk_addr_head *)((skb)->cb))
-
void xsk_set_rx_need_wakeup(struct xsk_buff_pool *pool)
{
if (pool->cached_need_wakeup & XDP_WAKEUP_RX)
@@ -558,29 +551,68 @@ static int xsk_cq_reserve_locked(struct xsk_buff_pool *pool)
return ret;
}
+static bool xsk_skb_destructor_is_addr(struct sk_buff *skb)
+{
+ return (uintptr_t)skb_shinfo(skb)->destructor_arg & 0x1UL;
+}
+
+static u64 xsk_skb_destructor_get_addr(struct sk_buff *skb)
+{
+ return (u64)((uintptr_t)skb_shinfo(skb)->destructor_arg & ~0x1UL);
+}
+
+static void xsk_skb_destructor_set_addr(struct sk_buff *skb, u64 addr)
+{
+ skb_shinfo(skb)->destructor_arg = (void *)((uintptr_t)addr | 0x1UL);
+}
+
+static void xsk_inc_num_desc(struct sk_buff *skb)
+{
+ struct xsk_addrs *xsk_addr;
+
+ if (!xsk_skb_destructor_is_addr(skb)) {
+ xsk_addr = (struct xsk_addrs *)skb_shinfo(skb)->destructor_arg;
+ xsk_addr->num_descs++;
+ }
+}
+
+static u32 xsk_get_num_desc(struct sk_buff *skb)
+{
+ struct xsk_addrs *xsk_addr;
+
+ if (xsk_skb_destructor_is_addr(skb))
+ return 1;
+
+ xsk_addr = (struct xsk_addrs *)skb_shinfo(skb)->destructor_arg;
+
+ return xsk_addr->num_descs;
+}
+
static void xsk_cq_submit_addr_locked(struct xsk_buff_pool *pool,
struct sk_buff *skb)
{
- struct xsk_addr_node *pos, *tmp;
+ u32 num_descs = xsk_get_num_desc(skb);
+ struct xsk_addrs *xsk_addr;
u32 descs_processed = 0;
unsigned long flags;
- u32 idx;
+ u32 idx, i;
spin_lock_irqsave(&pool->cq_lock, flags);
idx = xskq_get_prod(pool->cq);
- xskq_prod_write_addr(pool->cq, idx,
- (u64)(uintptr_t)skb_shinfo(skb)->destructor_arg);
- descs_processed++;
+ if (unlikely(num_descs > 1)) {
+ xsk_addr = (struct xsk_addrs *)skb_shinfo(skb)->destructor_arg;
- if (unlikely(XSKCB(skb)->num_descs > 1)) {
- list_for_each_entry_safe(pos, tmp, &XSKCB(skb)->addrs_list, addr_node) {
+ for (i = 0; i < num_descs; i++) {
xskq_prod_write_addr(pool->cq, idx + descs_processed,
- pos->addr);
+ xsk_addr->addrs[i]);
descs_processed++;
- list_del(&pos->addr_node);
- kmem_cache_free(xsk_tx_generic_cache, pos);
}
+ kmem_cache_free(xsk_tx_generic_cache, xsk_addr);
+ } else {
+ xskq_prod_write_addr(pool->cq, idx,
+ xsk_skb_destructor_get_addr(skb));
+ descs_processed++;
}
xskq_prod_submit_n(pool->cq, descs_processed);
spin_unlock_irqrestore(&pool->cq_lock, flags);
@@ -595,16 +627,6 @@ static void xsk_cq_cancel_locked(struct xsk_buff_pool *pool, u32 n)
spin_unlock_irqrestore(&pool->cq_lock, flags);
}
-static void xsk_inc_num_desc(struct sk_buff *skb)
-{
- XSKCB(skb)->num_descs++;
-}
-
-static u32 xsk_get_num_desc(struct sk_buff *skb)
-{
- return XSKCB(skb)->num_descs;
-}
-
static void xsk_destruct_skb(struct sk_buff *skb)
{
struct xsk_tx_metadata_compl *compl = &skb_shinfo(skb)->xsk_meta;
@@ -621,27 +643,22 @@ static void xsk_destruct_skb(struct sk_buff *skb)
static void xsk_skb_init_misc(struct sk_buff *skb, struct xdp_sock *xs,
u64 addr)
{
- BUILD_BUG_ON(sizeof(struct xsk_addr_head) > sizeof(skb->cb));
- INIT_LIST_HEAD(&XSKCB(skb)->addrs_list);
skb->dev = xs->dev;
skb->priority = READ_ONCE(xs->sk.sk_priority);
skb->mark = READ_ONCE(xs->sk.sk_mark);
- XSKCB(skb)->num_descs = 0;
skb->destructor = xsk_destruct_skb;
- skb_shinfo(skb)->destructor_arg = (void *)(uintptr_t)addr;
+ xsk_skb_destructor_set_addr(skb, addr);
}
static void xsk_consume_skb(struct sk_buff *skb)
{
struct xdp_sock *xs = xdp_sk(skb->sk);
u32 num_descs = xsk_get_num_desc(skb);
- struct xsk_addr_node *pos, *tmp;
+ struct xsk_addrs *xsk_addr;
if (unlikely(num_descs > 1)) {
- list_for_each_entry_safe(pos, tmp, &XSKCB(skb)->addrs_list, addr_node) {
- list_del(&pos->addr_node);
- kmem_cache_free(xsk_tx_generic_cache, pos);
- }
+ xsk_addr = (struct xsk_addrs *)skb_shinfo(skb)->destructor_arg;
+ kmem_cache_free(xsk_tx_generic_cache, xsk_addr);
}
skb->destructor = sock_wfree;
@@ -662,7 +679,6 @@ static struct sk_buff *xsk_build_skb_zerocopy(struct xdp_sock *xs,
{
struct xsk_buff_pool *pool = xs->pool;
u32 hr, len, ts, offset, copy, copied;
- struct xsk_addr_node *xsk_addr;
struct sk_buff *skb = xs->skb;
struct page *page;
void *buffer;
@@ -680,16 +696,26 @@ static struct sk_buff *xsk_build_skb_zerocopy(struct xdp_sock *xs,
xsk_skb_init_misc(skb, xs, desc->addr);
} else {
- xsk_addr = kmem_cache_zalloc(xsk_tx_generic_cache, GFP_KERNEL);
- if (!xsk_addr)
- return ERR_PTR(-ENOMEM);
+ struct xsk_addrs *xsk_addr;
+
+ if (xsk_skb_destructor_is_addr(skb)) {
+ xsk_addr = kmem_cache_zalloc(xsk_tx_generic_cache,
+ GFP_KERNEL);
+ if (!xsk_addr)
+ return ERR_PTR(-ENOMEM);
+
+ xsk_addr->num_descs = 1;
+ xsk_addr->addrs[0] = xsk_skb_destructor_get_addr(skb);
+ skb_shinfo(skb)->destructor_arg = (void *)xsk_addr;
+ } else {
+ xsk_addr = (struct xsk_addrs *)skb_shinfo(skb)->destructor_arg;
+ }
/* in case of -EOVERFLOW that could happen below,
* xsk_consume_skb() will release this node as whole skb
* would be dropped, which implies freeing all list elements
*/
- xsk_addr->addr = desc->addr;
- list_add_tail(&xsk_addr->addr_node, &XSKCB(skb)->addrs_list);
+ xsk_addr->addrs[xsk_addr->num_descs] = desc->addr;
}
addr = desc->addr;
@@ -765,10 +791,25 @@ static struct sk_buff *xsk_build_skb(struct xdp_sock *xs,
xsk_skb_init_misc(skb, xs, desc->addr);
} else {
int nr_frags = skb_shinfo(skb)->nr_frags;
- struct xsk_addr_node *xsk_addr;
+ struct xsk_addrs *xsk_addr;
struct page *page;
u8 *vaddr;
+ if (xsk_skb_destructor_is_addr(skb)) {
+ xsk_addr = kmem_cache_zalloc(xsk_tx_generic_cache,
+ GFP_KERNEL);
+ if (!xsk_addr) {
+ err = -ENOMEM;
+ goto free_err;
+ }
+
+ xsk_addr->num_descs = 1;
+ xsk_addr->addrs[0] = xsk_skb_destructor_get_addr(skb);
+ skb_shinfo(skb)->destructor_arg = (void *)xsk_addr;
+ } else {
+ xsk_addr = (struct xsk_addrs *)skb_shinfo(skb)->destructor_arg;
+ }
+
if (unlikely(nr_frags == (MAX_SKB_FRAGS - 1) && xp_mb_desc(desc))) {
err = -EOVERFLOW;
goto free_err;
@@ -780,13 +821,6 @@ static struct sk_buff *xsk_build_skb(struct xdp_sock *xs,
goto free_err;
}
- xsk_addr = kmem_cache_zalloc(xsk_tx_generic_cache, GFP_KERNEL);
- if (!xsk_addr) {
- __free_page(page);
- err = -ENOMEM;
- goto free_err;
- }
-
vaddr = kmap_local_page(page);
memcpy(vaddr, buffer, len);
kunmap_local(vaddr);
@@ -794,8 +828,7 @@ static struct sk_buff *xsk_build_skb(struct xdp_sock *xs,
skb_add_rx_frag(skb, nr_frags, page, 0, len, PAGE_SIZE);
refcount_add(PAGE_SIZE, &xs->sk.sk_wmem_alloc);
- xsk_addr->addr = desc->addr;
- list_add_tail(&xsk_addr->addr_node, &XSKCB(skb)->addrs_list);
+ xsk_addr->addrs[xsk_addr->num_descs] = desc->addr;
}
if (first_frag && desc->options & XDP_TX_METADATA) {
@@ -1892,7 +1925,7 @@ static int __init xsk_init(void)
goto out_pernet;
xsk_tx_generic_cache = kmem_cache_create("xsk_generic_xmit_cache",
- sizeof(struct xsk_addr_node),
+ sizeof(struct xsk_addrs),
0, SLAB_HWCACHE_ALIGN, NULL);
if (!xsk_tx_generic_cache) {
err = -ENOMEM;
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 023/146] drm/amdgpu: fix cyan_skillfish2 gpu info fw handling
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 022/146] xsk: avoid data corruption on cq descriptor number Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 024/146] dma-direct: Fix missing sg_dma_len assignment in P2PDMA bus mappings Greg Kroah-Hartman
` (136 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alex Deucher, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
[ Upstream commit 7fa666ab07ba9e08f52f357cb8e1aad753e83ac6 ]
If the board supports IP discovery, we don't need to
parse the gpu info firmware.
Backport to 6.18.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4721
Fixes: fa819e3a7c1e ("drm/amdgpu: add support for cyan skillfish gpu_info")
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 5427e32fa3a0ba9a016db83877851ed277b065fb)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
index aaee97cd9a109..a713d5e6e4012 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -2604,6 +2604,8 @@ static int amdgpu_device_parse_gpu_info_fw(struct amdgpu_device *adev)
chip_name = "navi12";
break;
case CHIP_CYAN_SKILLFISH:
+ if (adev->mman.discovery_bin)
+ return 0;
chip_name = "cyan_skillfish";
break;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 024/146] dma-direct: Fix missing sg_dma_len assignment in P2PDMA bus mappings
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 023/146] drm/amdgpu: fix cyan_skillfish2 gpu info fw handling Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 025/146] net: wwan: mhi: Keep modem name match with Foxconn T99W640 Greg Kroah-Hartman
` (135 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jacob Moroni, Pranjal Shrivastava,
Logan Gunthorpe, Leon Romanovsky, Shivaji Kant, Marek Szyprowski,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pranjal Shrivastava <praan@google.com>
[ Upstream commit d0d08f4bd7f667dc7a65cd7133c0a94a6f02aca3 ]
Prior to commit a25e7962db0d7 ("PCI/P2PDMA: Refactor the p2pdma mapping
helpers"), P2P segments were mapped using the pci_p2pdma_map_segment()
helper. This helper was responsible for populating sg->dma_address,
marking the bus address, and also setting sg_dma_len(sg).
The refactor[1] removed this helper and moved the mapping logic directly
into the callers. While iommu_dma_map_sg() was correctly updated to set
the length in the new flow, it was missed in dma_direct_map_sg().
Thus, in dma_direct_map_sg(), the PCI_P2PDMA_MAP_BUS_ADDR case sets the
dma_address and marks the segment, but immediately executes 'continue',
which causes the loop to skip the standard assignment logic at the end:
sg_dma_len(sg) = sg->length;
As a result, when CONFIG_NEED_SG_DMA_LENGTH is enabled, the dma_length
field remains uninitialized (zero) for P2P bus address mappings. This
breaks upper-layer drivers (for e.g. RDMA/IB) that rely on sg_dma_len()
to determine the transfer size.
Fix this by explicitly setting the DMA length in the
PCI_P2PDMA_MAP_BUS_ADDR case before continuing to the next scatterlist
entry.
Fixes: a25e7962db0d7 ("PCI/P2PDMA: Refactor the p2pdma mapping helpers")
Reported-by: Jacob Moroni <jmoroni@google.com>
Signed-off-by: Pranjal Shrivastava <praan@google.com>
[1]
https://lore.kernel.org/all/ac14a0e94355bf898de65d023ccf8a2ad22a3ece.1746424934.git.leon@kernel.org/
Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Shivaji Kant <shivajikant@google.com>
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://lore.kernel.org/r/20251126114112.3694469-1-praan@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/dma/direct.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/dma/direct.c b/kernel/dma/direct.c
index 24c359d9c8799..95f37028032df 100644
--- a/kernel/dma/direct.c
+++ b/kernel/dma/direct.c
@@ -486,6 +486,7 @@ int dma_direct_map_sg(struct device *dev, struct scatterlist *sgl, int nents,
case PCI_P2PDMA_MAP_BUS_ADDR:
sg->dma_address = pci_p2pdma_bus_addr_map(&p2pdma_state,
sg_phys(sg));
+ sg_dma_len(sg) = sg->length;
sg_dma_mark_bus_address(sg);
continue;
default:
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 025/146] net: wwan: mhi: Keep modem name match with Foxconn T99W640
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 024/146] dma-direct: Fix missing sg_dma_len assignment in P2PDMA bus mappings Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 026/146] net: dsa: sja1105: fix SGMII linking at 10M or 100M but not passing traffic Greg Kroah-Hartman
` (134 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Slark Xiao, Loic Poulain,
Jakub Kicinski, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Slark Xiao <slark_xiao@163.com>
[ Upstream commit 4fcb8ab4a09b1855dbfd7062605dd13abd64c086 ]
Correct it since M.2 device T99W640 has updated from T99W515.
We need to align it with MHI side otherwise this modem can't
get the network.
Fixes: ae5a34264354 ("bus: mhi: host: pci_generic: Fix the modem name of Foxconn T99W640")
Signed-off-by: Slark Xiao <slark_xiao@163.com>
Reviewed-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
Link: https://patch.msgid.link/20251125070900.33324-1-slark_xiao@163.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wwan/mhi_wwan_mbim.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wwan/mhi_wwan_mbim.c b/drivers/net/wwan/mhi_wwan_mbim.c
index c814fbd756a1e..f8bc9a39bfa30 100644
--- a/drivers/net/wwan/mhi_wwan_mbim.c
+++ b/drivers/net/wwan/mhi_wwan_mbim.c
@@ -98,7 +98,7 @@ static struct mhi_mbim_link *mhi_mbim_get_link_rcu(struct mhi_mbim_context *mbim
static int mhi_mbim_get_link_mux_id(struct mhi_controller *cntrl)
{
if (strcmp(cntrl->name, "foxconn-dw5934e") == 0 ||
- strcmp(cntrl->name, "foxconn-t99w515") == 0)
+ strcmp(cntrl->name, "foxconn-t99w640") == 0)
return WDS_BIND_MUX_DATA_PORT_MUX_ID;
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 026/146] net: dsa: sja1105: fix SGMII linking at 10M or 100M but not passing traffic
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 025/146] net: wwan: mhi: Keep modem name match with Foxconn T99W640 Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 027/146] eth: fbnic: Fix counter roll-over issue Greg Kroah-Hartman
` (133 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Jakub Kicinski,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit da62abaaa268357b1aa66b372ace562189a05df1 ]
When using the SGMII PCS as a fixed-link chip-to-chip connection, it is
easy to miss the fact that traffic passes only at 1G, since that's what
any normal such connection would use.
When using the SGMII PCS connected towards an on-board PHY or an SFP
module, it is immediately noticeable that when the link resolves to a
speed other than 1G, traffic from the MAC fails to pass: TX counters
increase, but nothing gets decoded by the other end, and no local RX
counters increase either.
Artificially lowering a fixed-link rate to speed = <100> makes us able
to see the same issue as in the case of having an SGMII PHY.
Some debugging shows that the XPCS configuration is A-OK, but that the
MAC Configuration Table entry for the port has the SPEED bits still set
to 1000Mbps, due to a special condition in the driver. Deleting that
condition, and letting the resolved link speed be programmed directly
into the MAC speed field, results in a functional link at all 3 speeds.
This piece of evidence, based on testing on both generations with SGMII
support (SJA1105S and SJA1110A) directly contradicts the statement from
the blamed commit that "the MAC is fixed at 1 Gbps and we need to
configure the PCS only (if even that)". Worse, that statement is not
backed by any documentation, and no one from NXP knows what it might
refer to.
I am unable to recall sufficient context regarding my testing from March
2020 to understand what led me to draw such a braindead and factually
incorrect conclusion. Yet, there is nothing of value regarding forcing
the MAC speed, either for SGMII or 2500Base-X (introduced at a later
stage), so remove all such logic.
Fixes: ffe10e679cec ("net: dsa: sja1105: Add support for the SGMII port")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/20251122111324.136761-1-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/sja1105/sja1105_main.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
index f674c400f05b2..aa2145cf29a67 100644
--- a/drivers/net/dsa/sja1105/sja1105_main.c
+++ b/drivers/net/dsa/sja1105/sja1105_main.c
@@ -1302,14 +1302,7 @@ static int sja1105_set_port_speed(struct sja1105_private *priv, int port,
* table, since this will be used for the clocking setup, and we no
* longer need to store it in the static config (already told hardware
* we want auto during upload phase).
- * Actually for the SGMII port, the MAC is fixed at 1 Gbps and
- * we need to configure the PCS only (if even that).
*/
- if (priv->phy_mode[port] == PHY_INTERFACE_MODE_SGMII)
- speed = priv->info->port_speed[SJA1105_SPEED_1000MBPS];
- else if (priv->phy_mode[port] == PHY_INTERFACE_MODE_2500BASEX)
- speed = priv->info->port_speed[SJA1105_SPEED_2500MBPS];
-
mac[port].speed = speed;
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 027/146] eth: fbnic: Fix counter roll-over issue
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 026/146] net: dsa: sja1105: fix SGMII linking at 10M or 100M but not passing traffic Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 028/146] net: atlantic: fix fragment overflow handling in RX path Greg Kroah-Hartman
` (132 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mohsin Bashir, Jakub Kicinski,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mohsin Bashir <mohsin.bashr@gmail.com>
[ Upstream commit 6d66e093e0740d39a36ef742c60eec247df26f41 ]
Fix a potential counter roll-over issue in fbnic_mbx_alloc_rx_msgs()
when calculating descriptor slots. The issue occurs when head - tail
results in a large positive value (unsigned) and the compiler interprets
head - tail - 1 as a signed value.
Since FBNIC_IPC_MBX_DESC_LEN is a power of two, use a masking operation,
which is a common way of avoiding this problem when dealing with these
sort of ring space calculations.
Fixes: da3cde08209e ("eth: fbnic: Add FW communication mechanism")
Signed-off-by: Mohsin Bashir <mohsin.bashr@gmail.com>
Link: https://patch.msgid.link/20251125211704.3222413-1-mohsin.bashr@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/meta/fbnic/fbnic_fw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/meta/fbnic/fbnic_fw.c b/drivers/net/ethernet/meta/fbnic/fbnic_fw.c
index 0c55be7d25476..acc1ad91b0c3a 100644
--- a/drivers/net/ethernet/meta/fbnic/fbnic_fw.c
+++ b/drivers/net/ethernet/meta/fbnic/fbnic_fw.c
@@ -201,7 +201,7 @@ static int fbnic_mbx_alloc_rx_msgs(struct fbnic_dev *fbd)
return -ENODEV;
/* Fill all but 1 unused descriptors in the Rx queue. */
- count = (head - tail - 1) % FBNIC_IPC_MBX_DESC_LEN;
+ count = (head - tail - 1) & (FBNIC_IPC_MBX_DESC_LEN - 1);
while (!err && count--) {
struct fbnic_tlv_msg *msg;
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 028/146] net: atlantic: fix fragment overflow handling in RX path
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 027/146] eth: fbnic: Fix counter roll-over issue Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 029/146] net: mctp: unconditionally set skb->dev on dst output Greg Kroah-Hartman
` (131 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiefeng Zhang, Jakub Kicinski,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiefeng Zhang <jiefeng.z.zhang@gmail.com>
[ Upstream commit 5ffcb7b890f61541201461580bb6622ace405aec ]
The atlantic driver can receive packets with more than MAX_SKB_FRAGS (17)
fragments when handling large multi-descriptor packets. This causes an
out-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic.
The issue occurs because the driver doesn't check the total number of
fragments before calling skb_add_rx_frag(). When a packet requires more
than MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds.
Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE,
then all fragments are accounted for. And reusing the existing check to
prevent the overflow earlier in the code path.
This crash occurred in production with an Aquantia AQC113 10G NIC.
Stack trace from production environment:
```
RIP: 0010:skb_add_rx_frag_netmem+0x29/0xd0
Code: 90 f3 0f 1e fa 0f 1f 44 00 00 48 89 f8 41 89
ca 48 89 d7 48 63 ce 8b 90 c0 00 00 00 48 c1 e1 04 48 01 ca 48 03 90
c8 00 00 00 <48> 89 7a 30 44 89 52 3c 44 89 42 38 40 f6 c7 01 75 74 48
89 fa 83
RSP: 0018:ffffa9bec02a8d50 EFLAGS: 00010287
RAX: ffff925b22e80a00 RBX: ffff925ad38d2700 RCX:
fffffffe0a0c8000
RDX: ffff9258ea95bac0 RSI: ffff925ae0a0c800 RDI:
0000000000037a40
RBP: 0000000000000024 R08: 0000000000000000 R09:
0000000000000021
R10: 0000000000000848 R11: 0000000000000000 R12:
ffffa9bec02a8e24
R13: ffff925ad8615570 R14: 0000000000000000 R15:
ffff925b22e80a00
FS: 0000000000000000(0000)
GS:ffff925e47880000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff9258ea95baf0 CR3: 0000000166022004 CR4:
0000000000f72ef0
PKRU: 55555554
Call Trace:
<IRQ>
aq_ring_rx_clean+0x175/0xe60 [atlantic]
? aq_ring_rx_clean+0x14d/0xe60 [atlantic]
? aq_ring_tx_clean+0xdf/0x190 [atlantic]
? kmem_cache_free+0x348/0x450
? aq_vec_poll+0x81/0x1d0 [atlantic]
? __napi_poll+0x28/0x1c0
? net_rx_action+0x337/0x420
```
Fixes: 6aecbba12b5c ("net: atlantic: add check for MAX_SKB_FRAGS")
Changes in v4:
- Add Fixes: tag to satisfy patch validation requirements.
Changes in v3:
- Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE,
then all fragments are accounted for.
Signed-off-by: Jiefeng Zhang <jiefeng.z.zhang@gmail.com>
Link: https://patch.msgid.link/20251126032249.69358-1-jiefeng.z.zhang@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
index f21de0c21e524..d23d23bed39fe 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
@@ -547,6 +547,11 @@ static int __aq_ring_rx_clean(struct aq_ring_s *self, struct napi_struct *napi,
if (!buff->is_eop) {
unsigned int frag_cnt = 0U;
+
+ /* There will be an extra fragment */
+ if (buff->len > AQ_CFG_RX_HDR_SIZE)
+ frag_cnt++;
+
buff_ = buff;
do {
bool is_rsc_completed = true;
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 029/146] net: mctp: unconditionally set skb->dev on dst output
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 028/146] net: atlantic: fix fragment overflow handling in RX path Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 030/146] net: fec: cancel perout_timer when PEROUT is disabled Greg Kroah-Hartman
` (130 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vince Chang, Jeremy Kerr,
Paolo Abeni, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeremy Kerr <jk@codeconstruct.com.au>
[ Upstream commit b3e528a5811bbc8246dbdb962f0812dc9b721681 ]
On transmit, we are currently relying on skb->dev being set by
mctp_local_output() when we first set up the skb destination fields.
However, forwarded skbs do not use the local_output path, so will retain
their incoming netdev as their ->dev on tx. This does not work when
we're forwarding between interfaces.
Set skb->dev unconditionally in the transmit path, to allow for proper
forwarding.
We keep the skb->dev initialisation in mctp_local_output(), as we use it
for fragmentation.
Fixes: 269936db5eb3 ("net: mctp: separate routing database from routing operations")
Suggested-by: Vince Chang <vince_chang@aspeedtech.com>
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
Link: https://patch.msgid.link/20251125-dev-forward-v1-1-54ecffcd0616@codeconstruct.com.au
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mctp/route.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/mctp/route.c b/net/mctp/route.c
index 4d314e062ba9c..2ac4011a953ff 100644
--- a/net/mctp/route.c
+++ b/net/mctp/route.c
@@ -623,6 +623,7 @@ static int mctp_dst_output(struct mctp_dst *dst, struct sk_buff *skb)
skb->protocol = htons(ETH_P_MCTP);
skb->pkt_type = PACKET_OUTGOING;
+ skb->dev = dst->dev->dev;
if (skb->len > dst->mtu) {
kfree_skb(skb);
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 030/146] net: fec: cancel perout_timer when PEROUT is disabled
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 029/146] net: mctp: unconditionally set skb->dev on dst output Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 031/146] net: fec: do not update PEROUT if it is enabled Greg Kroah-Hartman
` (129 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wei Fang, Paolo Abeni, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Fang <wei.fang@nxp.com>
[ Upstream commit 50caa744689e505414673c20359b04aa918439e3 ]
The PEROUT allows the user to set a specified future time to output the
periodic signal. If the future time is far from the current time, the FEC
driver will use hrtimer to configure PEROUT one second before the future
time. However, the hrtimer will not be canceled if the PEROUT is disabled
before the hrtimer expires. So the PEROUT will be configured when the
hrtimer expires, which is not as expected. Therefore, cancel the hrtimer
in fec_ptp_pps_disable() to fix this issue.
Fixes: 350749b909bf ("net: fec: Add support for periodic output signal of PPS")
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Link: https://patch.msgid.link/20251125085210.1094306-2-wei.fang@nxp.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/fec_ptp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c
index fa88b47d526c0..7a5367ea94101 100644
--- a/drivers/net/ethernet/freescale/fec_ptp.c
+++ b/drivers/net/ethernet/freescale/fec_ptp.c
@@ -497,6 +497,8 @@ static int fec_ptp_pps_disable(struct fec_enet_private *fep, uint channel)
{
unsigned long flags;
+ hrtimer_cancel(&fep->perout_timer);
+
spin_lock_irqsave(&fep->tmreg_lock, flags);
writel(0, fep->hwp + FEC_TCSR(channel));
spin_unlock_irqrestore(&fep->tmreg_lock, flags);
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 031/146] net: fec: do not update PEROUT if it is enabled
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 030/146] net: fec: cancel perout_timer when PEROUT is disabled Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 032/146] net: fec: do not allow enabling PPS and PEROUT simultaneously Greg Kroah-Hartman
` (128 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wei Fang, Paolo Abeni, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Fang <wei.fang@nxp.com>
[ Upstream commit e97faa0c20ea8840f45569ba434e30538fff8fc9 ]
If the previously set PEROUT is already active, updating it will cause
the new PEROUT to start immediately instead of at the specified time.
This is because fep->reload_period is updated whithout check whether
the PEROUT is enabled, and the old PEROUT is not disabled. Therefore,
the pulse period will be updated immediately in the pulse interrupt
handler fec_pps_interrupt().
Currently, the driver does not support directly updating PEROUT and it
will make the logic be more complicated. To fix the current issue, add
a check before enabling the PEROUT, the driver will return an error if
PEROUT is enabled. If users wants to update a new PEROUT, they should
disable the old PEROUT first.
Fixes: 350749b909bf ("net: fec: Add support for periodic output signal of PPS")
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Link: https://patch.msgid.link/20251125085210.1094306-3-wei.fang@nxp.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/fec.h | 1 +
drivers/net/ethernet/freescale/fec_ptp.c | 43 ++++++++++++++++++------
2 files changed, 34 insertions(+), 10 deletions(-)
diff --git a/drivers/net/ethernet/freescale/fec.h b/drivers/net/ethernet/freescale/fec.h
index 5c8fdcef759ba..2601e0b074dd6 100644
--- a/drivers/net/ethernet/freescale/fec.h
+++ b/drivers/net/ethernet/freescale/fec.h
@@ -680,6 +680,7 @@ struct fec_enet_private {
unsigned int reload_period;
int pps_enable;
unsigned int next_counter;
+ bool perout_enable;
struct hrtimer perout_timer;
u64 perout_stime;
diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c
index 7a5367ea94101..f31b1626c12f7 100644
--- a/drivers/net/ethernet/freescale/fec_ptp.c
+++ b/drivers/net/ethernet/freescale/fec_ptp.c
@@ -243,6 +243,7 @@ static int fec_ptp_pps_perout(struct fec_enet_private *fep)
* the FEC_TCCR register in time and missed the start time.
*/
if (fep->perout_stime < curr_time + 100 * NSEC_PER_MSEC) {
+ fep->perout_enable = false;
dev_err(&fep->pdev->dev, "Current time is too close to the start time!\n");
spin_unlock_irqrestore(&fep->tmreg_lock, flags);
return -1;
@@ -500,6 +501,7 @@ static int fec_ptp_pps_disable(struct fec_enet_private *fep, uint channel)
hrtimer_cancel(&fep->perout_timer);
spin_lock_irqsave(&fep->tmreg_lock, flags);
+ fep->perout_enable = false;
writel(0, fep->hwp + FEC_TCSR(channel));
spin_unlock_irqrestore(&fep->tmreg_lock, flags);
@@ -531,6 +533,8 @@ static int fec_ptp_enable(struct ptp_clock_info *ptp,
return ret;
} else if (rq->type == PTP_CLK_REQ_PEROUT) {
+ u32 reload_period;
+
/* Reject requests with unsupported flags */
if (rq->perout.flags)
return -EOPNOTSUPP;
@@ -550,12 +554,14 @@ static int fec_ptp_enable(struct ptp_clock_info *ptp,
return -EOPNOTSUPP;
}
- fep->reload_period = div_u64(period_ns, 2);
- if (on && fep->reload_period) {
+ reload_period = div_u64(period_ns, 2);
+ if (on && reload_period) {
+ u64 perout_stime;
+
/* Convert 1588 timestamp to ns*/
start_time.tv_sec = rq->perout.start.sec;
start_time.tv_nsec = rq->perout.start.nsec;
- fep->perout_stime = timespec64_to_ns(&start_time);
+ perout_stime = timespec64_to_ns(&start_time);
mutex_lock(&fep->ptp_clk_mutex);
if (!fep->ptp_clk_on) {
@@ -564,18 +570,35 @@ static int fec_ptp_enable(struct ptp_clock_info *ptp,
return -EOPNOTSUPP;
}
spin_lock_irqsave(&fep->tmreg_lock, flags);
+
+ if (fep->perout_enable) {
+ dev_err(&fep->pdev->dev,
+ "PEROUT has been enabled\n");
+ ret = -EBUSY;
+ goto unlock;
+ }
+
/* Read current timestamp */
curr_time = timecounter_read(&fep->tc);
- spin_unlock_irqrestore(&fep->tmreg_lock, flags);
- mutex_unlock(&fep->ptp_clk_mutex);
+ if (perout_stime <= curr_time) {
+ dev_err(&fep->pdev->dev,
+ "Start time must be greater than current time\n");
+ ret = -EINVAL;
+ goto unlock;
+ }
/* Calculate time difference */
- delta = fep->perout_stime - curr_time;
+ delta = perout_stime - curr_time;
+ fep->reload_period = reload_period;
+ fep->perout_stime = perout_stime;
+ fep->perout_enable = true;
- if (fep->perout_stime <= curr_time) {
- dev_err(&fep->pdev->dev, "Start time must larger than current time!\n");
- return -EINVAL;
- }
+unlock:
+ spin_unlock_irqrestore(&fep->tmreg_lock, flags);
+ mutex_unlock(&fep->ptp_clk_mutex);
+
+ if (ret)
+ return ret;
/* Because the timer counter of FEC only has 31-bits, correspondingly,
* the time comparison register FEC_TCCR also only low 31 bits can be
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 032/146] net: fec: do not allow enabling PPS and PEROUT simultaneously
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 031/146] net: fec: do not update PEROUT if it is enabled Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 033/146] net: fec: do not register PPS event for PEROUT Greg Kroah-Hartman
` (127 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wei Fang, Paolo Abeni, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Fang <wei.fang@nxp.com>
[ Upstream commit c0a1f3d7e128e8d1b6c0fe09c68eac5ebcf677c8 ]
In the current driver, PPS and PEROUT use the same channel to generate
the events, so they cannot be enabled at the same time. Otherwise, the
later configuration will overwrite the earlier configuration. Therefore,
when configuring PPS, the driver will check whether PEROUT is enabled.
Similarly, when configuring PEROUT, the driver will check whether PPS
is enabled.
Fixes: 350749b909bf ("net: fec: Add support for periodic output signal of PPS")
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Link: https://patch.msgid.link/20251125085210.1094306-4-wei.fang@nxp.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/fec_ptp.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c
index f31b1626c12f7..ed5d59abeb537 100644
--- a/drivers/net/ethernet/freescale/fec_ptp.c
+++ b/drivers/net/ethernet/freescale/fec_ptp.c
@@ -128,6 +128,12 @@ static int fec_ptp_enable_pps(struct fec_enet_private *fep, uint enable)
spin_lock_irqsave(&fep->tmreg_lock, flags);
+ if (fep->perout_enable) {
+ spin_unlock_irqrestore(&fep->tmreg_lock, flags);
+ dev_err(&fep->pdev->dev, "PEROUT is running");
+ return -EBUSY;
+ }
+
if (fep->pps_enable == enable) {
spin_unlock_irqrestore(&fep->tmreg_lock, flags);
return 0;
@@ -571,6 +577,12 @@ static int fec_ptp_enable(struct ptp_clock_info *ptp,
}
spin_lock_irqsave(&fep->tmreg_lock, flags);
+ if (fep->pps_enable) {
+ dev_err(&fep->pdev->dev, "PPS is running");
+ ret = -EBUSY;
+ goto unlock;
+ }
+
if (fep->perout_enable) {
dev_err(&fep->pdev->dev,
"PEROUT has been enabled\n");
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 033/146] net: fec: do not register PPS event for PEROUT
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 032/146] net: fec: do not allow enabling PPS and PEROUT simultaneously Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 034/146] iio: st_lsm6dsx: Fixed calibrated timestamp calculation Greg Kroah-Hartman
` (126 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wei Fang, Paolo Abeni, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Fang <wei.fang@nxp.com>
[ Upstream commit 9a060d0fac9e75524f72864adec6d8cdb70a5bca ]
There are currently two situations that can trigger the PTP interrupt,
one is the PPS event, the other is the PEROUT event. However, the irq
handler fec_pps_interrupt() does not check the irq event type and
directly registers a PPS event into the system, but the event may be
a PEROUT event. This is incorrect because PEROUT is an output signal,
while PPS is the input of the kernel PPS system. Therefore, add a check
for the event type, if pps_enable is true, it means that the current
event is a PPS event, and then the PPS event is registered.
Fixes: 350749b909bf ("net: fec: Add support for periodic output signal of PPS")
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Link: https://patch.msgid.link/20251125085210.1094306-5-wei.fang@nxp.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/fec_ptp.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c
index ed5d59abeb537..4b7bad9a485df 100644
--- a/drivers/net/ethernet/freescale/fec_ptp.c
+++ b/drivers/net/ethernet/freescale/fec_ptp.c
@@ -718,8 +718,11 @@ static irqreturn_t fec_pps_interrupt(int irq, void *dev_id)
fep->next_counter = (fep->next_counter + fep->reload_period) &
fep->cc.mask;
- event.type = PTP_CLOCK_PPS;
- ptp_clock_event(fep->ptp_clock, &event);
+ if (fep->pps_enable) {
+ event.type = PTP_CLOCK_PPS;
+ ptp_clock_event(fep->ptp_clock, &event);
+ }
+
return IRQ_HANDLED;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 034/146] iio: st_lsm6dsx: Fixed calibrated timestamp calculation
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 033/146] net: fec: do not register PPS event for PEROUT Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 035/146] usb: gadget: renesas_usbf: Handle devm_pm_runtime_enable() errors Greg Kroah-Hartman
` (125 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Tesi, Lorenzo Bianconi,
Jonathan Cameron, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Tesi <martepisa@gmail.com>
[ Upstream commit 8abbf45fcda028c2c05ba38eb14ede9fa9e7341b ]
The calibrated timestamp is calculated from the nominal value using the
formula:
ts_gain[ns] ≈ ts_sensitivity - (ts_trim_coeff * val) / 1000.
The values of ts_sensitivity and ts_trim_coeff are not the same for all
devices, so it is necessary to differentiate them based on the part name.
For the correct values please consult the relevant AN.
Fixes: cb3b6b8e1bc0 ("iio: imu: st_lsm6dsx: add odr calibration feature")
Signed-off-by: Mario Tesi <mario.tesi@st.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 18 ++++++++++++++++++
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 19 ++++++++-----------
2 files changed, 26 insertions(+), 11 deletions(-)
diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
index c225b246c8a55..f8486a1b02d07 100644
--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
@@ -192,6 +192,22 @@ struct st_lsm6dsx_fifo_ops {
* @fifo_en: Hw timer FIFO enable register info (addr + mask).
* @decimator: Hw timer FIFO decimator register info (addr + mask).
* @freq_fine: Difference in % of ODR with respect to the typical.
+ * @ts_sensitivity: Nominal timestamp sensitivity.
+ * @ts_trim_coeff: Coefficient for calculating the calibrated timestamp gain.
+ * This coefficient comes into play when linearizing the formula
+ * used to calculate the calibrated timestamp (please see the
+ * relevant formula in the AN for the specific IMU).
+ * For example, in the case of LSM6DSO we have:
+ *
+ * 1 / (1 + x) ~= 1 - x (Taylor’s Series)
+ * ttrim[s] = 1 / (40000 * (1 + 0.0015 * val)) (from AN5192)
+ * ttrim[ns] ~= 25000 - 37.5 * val
+ * ttrim[ns] ~= 25000 - (37500 * val) / 1000
+ *
+ * so, replacing ts_sensitivity = 25000 and
+ * ts_trim_coeff = 37500
+ *
+ * ttrim[ns] ~= ts_sensitivity - (ts_trim_coeff * val) / 1000
*/
struct st_lsm6dsx_hw_ts_settings {
struct st_lsm6dsx_reg timer_en;
@@ -199,6 +215,8 @@ struct st_lsm6dsx_hw_ts_settings {
struct st_lsm6dsx_reg fifo_en;
struct st_lsm6dsx_reg decimator;
u8 freq_fine;
+ u16 ts_sensitivity;
+ u16 ts_trim_coeff;
};
/**
diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
index c65ad49829e7d..72d8af39a9535 100644
--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
@@ -94,8 +94,6 @@
#define ST_LSM6DSX_REG_WHOAMI_ADDR 0x0f
-#define ST_LSM6DSX_TS_SENSITIVITY 25000UL /* 25us */
-
static const struct iio_chan_spec st_lsm6dsx_acc_channels[] = {
ST_LSM6DSX_CHANNEL_ACC(IIO_ACCEL, 0x28, IIO_MOD_X, 0),
ST_LSM6DSX_CHANNEL_ACC(IIO_ACCEL, 0x2a, IIO_MOD_Y, 1),
@@ -983,6 +981,8 @@ static const struct st_lsm6dsx_settings st_lsm6dsx_sensor_settings[] = {
.mask = GENMASK(7, 6),
},
.freq_fine = 0x63,
+ .ts_sensitivity = 25000,
+ .ts_trim_coeff = 37500,
},
.shub_settings = {
.page_mux = {
@@ -1196,6 +1196,8 @@ static const struct st_lsm6dsx_settings st_lsm6dsx_sensor_settings[] = {
.mask = GENMASK(7, 6),
},
.freq_fine = 0x63,
+ .ts_sensitivity = 25000,
+ .ts_trim_coeff = 37500,
},
.event_settings = {
.enable_reg = {
@@ -1371,6 +1373,8 @@ static const struct st_lsm6dsx_settings st_lsm6dsx_sensor_settings[] = {
.mask = GENMASK(7, 6),
},
.freq_fine = 0x4f,
+ .ts_sensitivity = 21701,
+ .ts_trim_coeff = 28212,
},
.shub_settings = {
.page_mux = {
@@ -2248,20 +2252,13 @@ static int st_lsm6dsx_init_hw_timer(struct st_lsm6dsx_hw *hw)
}
/* calibrate timestamp sensitivity */
- hw->ts_gain = ST_LSM6DSX_TS_SENSITIVITY;
+ hw->ts_gain = ts_settings->ts_sensitivity;
if (ts_settings->freq_fine) {
err = regmap_read(hw->regmap, ts_settings->freq_fine, &val);
if (err < 0)
return err;
- /*
- * linearize the AN5192 formula:
- * 1 / (1 + x) ~= 1 - x (Taylor’s Series)
- * ttrim[s] = 1 / (40000 * (1 + 0.0015 * val))
- * ttrim[ns] ~= 25000 - 37.5 * val
- * ttrim[ns] ~= 25000 - (37500 * val) / 1000
- */
- hw->ts_gain -= ((s8)val * 37500) / 1000;
+ hw->ts_gain -= ((s8)val * ts_settings->ts_trim_coeff) / 1000;
}
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 035/146] usb: gadget: renesas_usbf: Handle devm_pm_runtime_enable() errors
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 034/146] iio: st_lsm6dsx: Fixed calibrated timestamp calculation Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 036/146] mailbox: mailbox-test: Fix debugfs_create_dir error checking Greg Kroah-Hartman
` (124 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Herve Codina,
Geert Uytterhoeven, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 74851fbb6d647304f8a7dc491434d3a335ef4b8d ]
devm_pm_runtime_enable() can fail due to memory allocation.
The current code ignores its return value, potentially causing
pm_runtime_resume_and_get() to operate on uninitialized runtime
PM state.
Check the return value of devm_pm_runtime_enable() and return on failure.
Fixes: 3e6e14ffdea4 ("usb: gadget: udc: add Renesas RZ/N1 USBF controller support")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Acked-by: Herve Codina <herve.codina@bootlin.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20251124022215.1619-1-vulab@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/udc/renesas_usbf.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/udc/renesas_usbf.c b/drivers/usb/gadget/udc/renesas_usbf.c
index 14f4b2cf05a48..4c201574a0af8 100644
--- a/drivers/usb/gadget/udc/renesas_usbf.c
+++ b/drivers/usb/gadget/udc/renesas_usbf.c
@@ -3262,7 +3262,9 @@ static int usbf_probe(struct platform_device *pdev)
if (IS_ERR(udc->regs))
return PTR_ERR(udc->regs);
- devm_pm_runtime_enable(&pdev->dev);
+ ret = devm_pm_runtime_enable(&pdev->dev);
+ if (ret)
+ return ret;
ret = pm_runtime_resume_and_get(&pdev->dev);
if (ret < 0)
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 036/146] mailbox: mailbox-test: Fix debugfs_create_dir error checking
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 035/146] usb: gadget: renesas_usbf: Handle devm_pm_runtime_enable() errors Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 037/146] mailbox: mtk-cmdq: Refine DMA address handling for the command buffer Greg Kroah-Hartman
` (123 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Jassi Brar,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 3acf1028f5003731977f750a7070f3321a9cb740 ]
The debugfs_create_dir() function returns ERR_PTR() on error, not NULL.
The current null-check fails to catch errors.
Use IS_ERR() to correctly check for errors.
Fixes: 8ea4484d0c2b ("mailbox: Add generic mechanism for testing Mailbox Controllers")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox-test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c
index c9dd8c42c0cdf..3a28ab5c42e57 100644
--- a/drivers/mailbox/mailbox-test.c
+++ b/drivers/mailbox/mailbox-test.c
@@ -268,7 +268,7 @@ static int mbox_test_add_debugfs(struct platform_device *pdev,
return 0;
tdev->root_debugfs_dir = debugfs_create_dir(dev_name(&pdev->dev), NULL);
- if (!tdev->root_debugfs_dir) {
+ if (IS_ERR(tdev->root_debugfs_dir)) {
dev_err(&pdev->dev, "Failed to create Mailbox debugfs\n");
return -EINVAL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 037/146] mailbox: mtk-cmdq: Refine DMA address handling for the command buffer
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 036/146] mailbox: mailbox-test: Fix debugfs_create_dir error checking Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 038/146] mailbox: pcc: dont zero error register Greg Kroah-Hartman
` (122 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason-JH Lin,
AngeloGioacchino Del Regno, Jassi Brar, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason-JH Lin <jason-jh.lin@mediatek.com>
[ Upstream commit a195c7ccfb7a21b8118139835e25936ec8722596 ]
GCE can only fetch the command buffer address from a 32-bit register.
Some SoCs support a 35-bit command buffer address for GCE, which
requires a right shift of 3 bits before setting the address into
the 32-bit register. A comment has been added to the header of
cmdq_get_shift_pa() to explain this requirement.
To prevent the GCE command buffer address from being DMA mapped beyond
its supported bit range, the DMA bit mask for the device is set during
initialization.
Additionally, to ensure the correct shift is applied when setting or
reading the register that stores the GCE command buffer address,
new APIs, cmdq_convert_gce_addr() and cmdq_revert_gce_addr(), have
been introduced for consistent operations on this register.
The variable type for the command buffer address has been standardized
to dma_addr_t to prevent handling issues caused by type mismatches.
Fixes: 0858fde496f8 ("mailbox: cmdq: variablize address shift in platform")
Signed-off-by: Jason-JH Lin <jason-jh.lin@mediatek.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mtk-cmdq-mailbox.c | 45 ++++++++++++++++--------
include/linux/mailbox/mtk-cmdq-mailbox.h | 10 ++++++
2 files changed, 41 insertions(+), 14 deletions(-)
diff --git a/drivers/mailbox/mtk-cmdq-mailbox.c b/drivers/mailbox/mtk-cmdq-mailbox.c
index 654a60f63756a..5791f80f995ab 100644
--- a/drivers/mailbox/mtk-cmdq-mailbox.c
+++ b/drivers/mailbox/mtk-cmdq-mailbox.c
@@ -92,6 +92,18 @@ struct gce_plat {
u32 gce_num;
};
+static inline u32 cmdq_convert_gce_addr(dma_addr_t addr, const struct gce_plat *pdata)
+{
+ /* Convert DMA addr (PA or IOVA) to GCE readable addr */
+ return addr >> pdata->shift;
+}
+
+static inline dma_addr_t cmdq_revert_gce_addr(u32 addr, const struct gce_plat *pdata)
+{
+ /* Revert GCE readable addr to DMA addr (PA or IOVA) */
+ return (dma_addr_t)addr << pdata->shift;
+}
+
u8 cmdq_get_shift_pa(struct mbox_chan *chan)
{
struct cmdq *cmdq = container_of(chan->mbox, struct cmdq, mbox);
@@ -188,13 +200,12 @@ static void cmdq_task_insert_into_thread(struct cmdq_task *task)
struct cmdq_task *prev_task = list_last_entry(
&thread->task_busy_list, typeof(*task), list_entry);
u64 *prev_task_base = prev_task->pkt->va_base;
+ u32 gce_addr = cmdq_convert_gce_addr(task->pa_base, task->cmdq->pdata);
/* let previous task jump to this task */
dma_sync_single_for_cpu(dev, prev_task->pa_base,
prev_task->pkt->cmd_buf_size, DMA_TO_DEVICE);
- prev_task_base[CMDQ_NUM_CMD(prev_task->pkt) - 1] =
- (u64)CMDQ_JUMP_BY_PA << 32 |
- (task->pa_base >> task->cmdq->pdata->shift);
+ prev_task_base[CMDQ_NUM_CMD(prev_task->pkt) - 1] = (u64)CMDQ_JUMP_BY_PA << 32 | gce_addr;
dma_sync_single_for_device(dev, prev_task->pa_base,
prev_task->pkt->cmd_buf_size, DMA_TO_DEVICE);
@@ -237,7 +248,8 @@ static void cmdq_thread_irq_handler(struct cmdq *cmdq,
struct cmdq_thread *thread)
{
struct cmdq_task *task, *tmp, *curr_task = NULL;
- u32 curr_pa, irq_flag, task_end_pa;
+ u32 irq_flag, gce_addr;
+ dma_addr_t curr_pa, task_end_pa;
bool err;
irq_flag = readl(thread->base + CMDQ_THR_IRQ_STATUS);
@@ -259,7 +271,8 @@ static void cmdq_thread_irq_handler(struct cmdq *cmdq,
else
return;
- curr_pa = readl(thread->base + CMDQ_THR_CURR_ADDR) << cmdq->pdata->shift;
+ gce_addr = readl(thread->base + CMDQ_THR_CURR_ADDR);
+ curr_pa = cmdq_revert_gce_addr(gce_addr, cmdq->pdata);
list_for_each_entry_safe(task, tmp, &thread->task_busy_list,
list_entry) {
@@ -378,7 +391,8 @@ static int cmdq_mbox_send_data(struct mbox_chan *chan, void *data)
struct cmdq_thread *thread = (struct cmdq_thread *)chan->con_priv;
struct cmdq *cmdq = dev_get_drvdata(chan->mbox->dev);
struct cmdq_task *task;
- unsigned long curr_pa, end_pa;
+ u32 gce_addr;
+ dma_addr_t curr_pa, end_pa;
/* Client should not flush new tasks if suspended. */
WARN_ON(cmdq->suspended);
@@ -402,20 +416,20 @@ static int cmdq_mbox_send_data(struct mbox_chan *chan, void *data)
*/
WARN_ON(cmdq_thread_reset(cmdq, thread) < 0);
- writel(task->pa_base >> cmdq->pdata->shift,
- thread->base + CMDQ_THR_CURR_ADDR);
- writel((task->pa_base + pkt->cmd_buf_size) >> cmdq->pdata->shift,
- thread->base + CMDQ_THR_END_ADDR);
+ gce_addr = cmdq_convert_gce_addr(task->pa_base, cmdq->pdata);
+ writel(gce_addr, thread->base + CMDQ_THR_CURR_ADDR);
+ gce_addr = cmdq_convert_gce_addr(task->pa_base + pkt->cmd_buf_size, cmdq->pdata);
+ writel(gce_addr, thread->base + CMDQ_THR_END_ADDR);
writel(thread->priority, thread->base + CMDQ_THR_PRIORITY);
writel(CMDQ_THR_IRQ_EN, thread->base + CMDQ_THR_IRQ_ENABLE);
writel(CMDQ_THR_ENABLED, thread->base + CMDQ_THR_ENABLE_TASK);
} else {
WARN_ON(cmdq_thread_suspend(cmdq, thread) < 0);
- curr_pa = readl(thread->base + CMDQ_THR_CURR_ADDR) <<
- cmdq->pdata->shift;
- end_pa = readl(thread->base + CMDQ_THR_END_ADDR) <<
- cmdq->pdata->shift;
+ gce_addr = readl(thread->base + CMDQ_THR_CURR_ADDR);
+ curr_pa = cmdq_revert_gce_addr(gce_addr, cmdq->pdata);
+ gce_addr = readl(thread->base + CMDQ_THR_END_ADDR);
+ end_pa = cmdq_revert_gce_addr(gce_addr, cmdq->pdata);
/* check boundary */
if (curr_pa == end_pa - CMDQ_INST_SIZE ||
curr_pa == end_pa) {
@@ -646,6 +660,9 @@ static int cmdq_probe(struct platform_device *pdev)
if (err)
return err;
+ dma_set_coherent_mask(dev,
+ DMA_BIT_MASK(sizeof(u32) * BITS_PER_BYTE + cmdq->pdata->shift));
+
cmdq->mbox.dev = dev;
cmdq->mbox.chans = devm_kcalloc(dev, cmdq->pdata->thread_nr,
sizeof(*cmdq->mbox.chans), GFP_KERNEL);
diff --git a/include/linux/mailbox/mtk-cmdq-mailbox.h b/include/linux/mailbox/mtk-cmdq-mailbox.h
index 4c1a91b07de39..e1555e06e7e55 100644
--- a/include/linux/mailbox/mtk-cmdq-mailbox.h
+++ b/include/linux/mailbox/mtk-cmdq-mailbox.h
@@ -77,6 +77,16 @@ struct cmdq_pkt {
size_t buf_size; /* real buffer size */
};
+/**
+ * cmdq_get_shift_pa() - get the shift bits of physical address
+ * @chan: mailbox channel
+ *
+ * GCE can only fetch the command buffer address from a 32-bit register.
+ * Some SOCs support more than 32-bit command buffer address for GCE, which
+ * requires some shift bits to make the address fit into the 32-bit register.
+ *
+ * Return: the shift bits of physical address
+ */
u8 cmdq_get_shift_pa(struct mbox_chan *chan);
#endif /* __MTK_CMDQ_MAILBOX_H__ */
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 038/146] mailbox: pcc: dont zero error register
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 037/146] mailbox: mtk-cmdq: Refine DMA address handling for the command buffer Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 039/146] spi: spi-cadence-quadspi: Remove duplicate pm_runtime_put_autosuspend() call Greg Kroah-Hartman
` (121 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jamie Iles, Punit Agrawal,
Jassi Brar, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamie Iles <jamie.iles@oss.qualcomm.com>
[ Upstream commit ff0e4d4c97c94af34cc9cad37b5a5cdbe597a3b0 ]
The error status mask for a type 3/4 subspace is used for reading the
error status, and the bitwise inverse is used for clearing the error
with the intent being to preserve any of the non-error bits. However,
we were previously applying the mask to extract the status and then
applying the inverse to the result which ended up clearing all bits.
Instead, store the inverse mask in the preserve mask and then use that
on the original value read from the error status so that only the error
is cleared.
Fixes: c45ded7e1135 ("mailbox: pcc: Add support for PCCT extended PCC subspaces(type 3/4)")
Signed-off-by: Jamie Iles <jamie.iles@oss.qualcomm.com>
Signed-off-by: Punit Agrawal <punit.agrawal@oss.qualcomm.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/pcc.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/mailbox/pcc.c b/drivers/mailbox/pcc.c
index 0a00719b24827..ff292b9e0be9e 100644
--- a/drivers/mailbox/pcc.c
+++ b/drivers/mailbox/pcc.c
@@ -276,9 +276,8 @@ static int pcc_mbox_error_check_and_clear(struct pcc_chan_info *pchan)
if (ret)
return ret;
- val &= pchan->error.status_mask;
- if (val) {
- val &= ~pchan->error.status_mask;
+ if (val & pchan->error.status_mask) {
+ val &= pchan->error.preserve_mask;
pcc_chan_reg_write(&pchan->error, val);
return -EIO;
}
@@ -745,7 +744,8 @@ static int pcc_parse_subspace_db_reg(struct pcc_chan_info *pchan,
ret = pcc_chan_reg_init(&pchan->error,
&pcct_ext->error_status_register,
- 0, 0, pcct_ext->error_status_mask,
+ ~pcct_ext->error_status_mask, 0,
+ pcct_ext->error_status_mask,
"Error Status");
}
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 039/146] spi: spi-cadence-quadspi: Remove duplicate pm_runtime_put_autosuspend() call
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 038/146] mailbox: pcc: dont zero error register Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 040/146] spi: spi-cadence-quadspi: Enable pm runtime earlier to avoid imbalance Greg Kroah-Hartman
` (120 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Anurag Dutta, Mark Brown,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anurag Dutta <a-dutta@ti.com>
[ Upstream commit 10eaa4c4a257944e9b30d13fda7d09164a70866d ]
Fix runtime PM usage count underflow caused by calling
pm_runtime_put_autosuspend() twice with only one corresponding
pm_runtime_get_noresume() call. This triggers the warning:
"Runtime PM usage count underflow!"
Remove the duplicate put call to balance the runtime PM reference
counting.
Fixes: 30dbc1c8d50f ("spi: cadence-qspi: defer runtime support on socfpga if reset bit is enabled")
Signed-off-by: Anurag Dutta <a-dutta@ti.com>
Link: https://patch.msgid.link/20251105161146.2019090-3-a-dutta@ti.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-cadence-quadspi.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c
index ce0f605ab688b..d7720931403c2 100644
--- a/drivers/spi/spi-cadence-quadspi.c
+++ b/drivers/spi/spi-cadence-quadspi.c
@@ -2012,7 +2012,6 @@ static int cqspi_probe(struct platform_device *pdev)
}
if (!(ddata && (ddata->quirks & CQSPI_DISABLE_RUNTIME_PM))) {
- pm_runtime_put_autosuspend(dev);
pm_runtime_mark_last_busy(dev);
pm_runtime_put_autosuspend(dev);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 040/146] spi: spi-cadence-quadspi: Enable pm runtime earlier to avoid imbalance
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 039/146] spi: spi-cadence-quadspi: Remove duplicate pm_runtime_put_autosuspend() call Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:26 ` [PATCH 6.17 041/146] fs/namespace: fix reference leak in grab_requested_mnt_ns Greg Kroah-Hartman
` (119 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Anurag Dutta, Mark Brown,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anurag Dutta <a-dutta@ti.com>
[ Upstream commit f1eb4e792bb1ee3dcdffa66f8a83a4867cda2dd3 ]
The "probe_setup_failed" label calls pm_runtime_disable(), but
pm_runtime_enable() was placed after a possible jump to this label.
When cqspi_setup_flash() fails, control jumps to the label without
pm_runtime_enable() being called, leading to unbalanced PM runtime
reference counting.
Move pm_runtime_enable() and associated calls above the first
possible branch to "probe_setup_failed" to ensure balanced
enable/disable calls across all error paths.
Fixes: 30dbc1c8d50f ("spi: cadence-qspi: defer runtime support on socfpga if reset bit is enabled")
Signed-off-by: Anurag Dutta <a-dutta@ti.com>
Link: https://patch.msgid.link/20251105161146.2019090-2-a-dutta@ti.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-cadence-quadspi.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c
index d7720931403c2..4a5a83dc8fe37 100644
--- a/drivers/spi/spi-cadence-quadspi.c
+++ b/drivers/spi/spi-cadence-quadspi.c
@@ -1981,6 +1981,13 @@ static int cqspi_probe(struct platform_device *pdev)
cqspi->current_cs = -1;
cqspi->sclk = 0;
+ if (!(ddata && (ddata->quirks & CQSPI_DISABLE_RUNTIME_PM))) {
+ pm_runtime_enable(dev);
+ pm_runtime_set_autosuspend_delay(dev, CQSPI_AUTOSUSPEND_TIMEOUT);
+ pm_runtime_use_autosuspend(dev);
+ pm_runtime_get_noresume(dev);
+ }
+
ret = cqspi_setup_flash(cqspi);
if (ret) {
dev_err(dev, "failed to setup flash parameters %d\n", ret);
@@ -1998,13 +2005,6 @@ static int cqspi_probe(struct platform_device *pdev)
goto probe_dma_failed;
}
- if (!(ddata && (ddata->quirks & CQSPI_DISABLE_RUNTIME_PM))) {
- pm_runtime_enable(dev);
- pm_runtime_set_autosuspend_delay(dev, CQSPI_AUTOSUSPEND_TIMEOUT);
- pm_runtime_use_autosuspend(dev);
- pm_runtime_get_noresume(dev);
- }
-
ret = spi_register_controller(host);
if (ret) {
dev_err(&pdev->dev, "failed to register SPI ctlr %d\n", ret);
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 041/146] fs/namespace: fix reference leak in grab_requested_mnt_ns
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 040/146] spi: spi-cadence-quadspi: Enable pm runtime earlier to avoid imbalance Greg Kroah-Hartman
@ 2025-12-03 15:26 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 042/146] afs: Fix delayed allocation of a cells anonymous key Greg Kroah-Hartman
` (118 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrei Vagin, Christian Brauner,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrei Vagin <avagin@google.com>
[ Upstream commit 7b6dcd9bfd869eee7693e45b1817dac8c56e5f86 ]
lookup_mnt_ns() already takes a reference on mnt_ns.
grab_requested_mnt_ns() doesn't need to take an extra reference.
Fixes: 78f0e33cd6c93 ("fs/namespace: correctly handle errors returned by grab_requested_mnt_ns")
Signed-off-by: Andrei Vagin <avagin@google.com>
Link: https://patch.msgid.link/20251122071953.3053755-1-avagin@google.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/namespace.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index fd988bc759bd3..e059c2c9867f0 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -5901,6 +5901,8 @@ static struct mnt_namespace *grab_requested_mnt_ns(const struct mnt_id_req *kreq
if (kreq->mnt_ns_id) {
mnt_ns = lookup_mnt_ns(kreq->mnt_ns_id);
+ if (!mnt_ns)
+ return ERR_PTR(-ENOENT);
} else if (kreq->mnt_ns_fd) {
struct ns_common *ns;
@@ -5916,13 +5918,12 @@ static struct mnt_namespace *grab_requested_mnt_ns(const struct mnt_id_req *kreq
return ERR_PTR(-EINVAL);
mnt_ns = to_mnt_ns(ns);
+ refcount_inc(&mnt_ns->passive);
} else {
mnt_ns = current->nsproxy->mnt_ns;
+ refcount_inc(&mnt_ns->passive);
}
- if (!mnt_ns)
- return ERR_PTR(-ENOENT);
- refcount_inc(&mnt_ns->passive);
return mnt_ns;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 042/146] afs: Fix delayed allocation of a cells anonymous key
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2025-12-03 15:26 ` [PATCH 6.17 041/146] fs/namespace: fix reference leak in grab_requested_mnt_ns Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 043/146] ovl: fail ovl_lock_rename_workdir() if either target is unhashed Greg Kroah-Hartman
` (117 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+41c68824eefb67cdf00c,
David Howells, Marc Dionne, linux-afs, linux-fsdevel,
Christian Brauner, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit d27c71257825dced46104eefe42e4d9964bd032e ]
The allocation of a cell's anonymous key is done in a background thread
along with other cell setup such as doing a DNS upcall. In the reported
bug, this is triggered by afs_parse_source() parsing the device name given
to mount() and calling afs_lookup_cell() with the name of the cell.
The normal key lookup then tries to use the key description on the
anonymous authentication key as the reference for request_key() - but it
may not yet be set and so an oops can happen.
This has been made more likely to happen by the fix for dynamic lookup
failure.
Fix this by firstly allocating a reference name and attaching it to the
afs_cell record when the record is created. It can share the memory
allocation with the cell name (unfortunately it can't just overlap the cell
name by prepending it with "afs@" as the cell name already has a '.'
prepended for other purposes). This reference name is then passed to
request_key().
Secondly, the anon key is now allocated on demand at the point a key is
requested in afs_request_key() if it is not already allocated. A mutex is
used to prevent multiple allocation for a cell.
Thirdly, make afs_request_key_rcu() return NULL if the anonymous key isn't
yet allocated (if we need it) and then the caller can return -ECHILD to
drop out of RCU-mode and afs_request_key() can be called.
Note that the anonymous key is kind of necessary to make the key lookup
cache work as that doesn't currently cache a negative lookup, but it's
probably worth some investigation to see if NULL can be used instead.
Fixes: 330e2c514823 ("afs: Fix dynamic lookup to fail on cell lookup failure")
Reported-by: syzbot+41c68824eefb67cdf00c@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://patch.msgid.link/800328.1764325145@warthog.procyon.org.uk
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/afs/cell.c | 43 ++++++++----------------------------------
fs/afs/internal.h | 1 +
fs/afs/security.c | 48 +++++++++++++++++++++++++++++++++++++++--------
3 files changed, 49 insertions(+), 43 deletions(-)
diff --git a/fs/afs/cell.c b/fs/afs/cell.c
index d9b6fa1088b7b..71c10a05cebe5 100644
--- a/fs/afs/cell.c
+++ b/fs/afs/cell.c
@@ -140,7 +140,9 @@ static struct afs_cell *afs_alloc_cell(struct afs_net *net,
return ERR_PTR(-ENOMEM);
}
- cell->name = kmalloc(1 + namelen + 1, GFP_KERNEL);
+ /* Allocate the cell name and the key name in one go. */
+ cell->name = kmalloc(1 + namelen + 1 +
+ 4 + namelen + 1, GFP_KERNEL);
if (!cell->name) {
kfree(cell);
return ERR_PTR(-ENOMEM);
@@ -151,7 +153,11 @@ static struct afs_cell *afs_alloc_cell(struct afs_net *net,
cell->name_len = namelen;
for (i = 0; i < namelen; i++)
cell->name[i] = tolower(name[i]);
- cell->name[i] = 0;
+ cell->name[i++] = 0;
+
+ cell->key_desc = cell->name + i;
+ memcpy(cell->key_desc, "afs@", 4);
+ memcpy(cell->key_desc + 4, cell->name, cell->name_len + 1);
cell->net = net;
refcount_set(&cell->ref, 1);
@@ -710,33 +716,6 @@ void afs_set_cell_timer(struct afs_cell *cell, unsigned int delay_secs)
timer_reduce(&cell->management_timer, jiffies + delay_secs * HZ);
}
-/*
- * Allocate a key to use as a placeholder for anonymous user security.
- */
-static int afs_alloc_anon_key(struct afs_cell *cell)
-{
- struct key *key;
- char keyname[4 + AFS_MAXCELLNAME + 1], *cp, *dp;
-
- /* Create a key to represent an anonymous user. */
- memcpy(keyname, "afs@", 4);
- dp = keyname + 4;
- cp = cell->name;
- do {
- *dp++ = tolower(*cp);
- } while (*cp++);
-
- key = rxrpc_get_null_key(keyname);
- if (IS_ERR(key))
- return PTR_ERR(key);
-
- cell->anonymous_key = key;
-
- _debug("anon key %p{%x}",
- cell->anonymous_key, key_serial(cell->anonymous_key));
- return 0;
-}
-
/*
* Activate a cell.
*/
@@ -746,12 +725,6 @@ static int afs_activate_cell(struct afs_net *net, struct afs_cell *cell)
struct afs_cell *pcell;
int ret;
- if (!cell->anonymous_key) {
- ret = afs_alloc_anon_key(cell);
- if (ret < 0)
- return ret;
- }
-
ret = afs_proc_cell_setup(cell);
if (ret < 0)
return ret;
diff --git a/fs/afs/internal.h b/fs/afs/internal.h
index 87828d685293f..470e6eef8bd49 100644
--- a/fs/afs/internal.h
+++ b/fs/afs/internal.h
@@ -413,6 +413,7 @@ struct afs_cell {
u8 name_len; /* Length of name */
char *name; /* Cell name, case-flattened and NUL-padded */
+ char *key_desc; /* Authentication key description */
};
/*
diff --git a/fs/afs/security.c b/fs/afs/security.c
index 6a7744c9e2a2d..ff8830e6982fb 100644
--- a/fs/afs/security.c
+++ b/fs/afs/security.c
@@ -16,6 +16,30 @@
static DEFINE_HASHTABLE(afs_permits_cache, 10);
static DEFINE_SPINLOCK(afs_permits_lock);
+static DEFINE_MUTEX(afs_key_lock);
+
+/*
+ * Allocate a key to use as a placeholder for anonymous user security.
+ */
+static int afs_alloc_anon_key(struct afs_cell *cell)
+{
+ struct key *key;
+
+ mutex_lock(&afs_key_lock);
+ if (!cell->anonymous_key) {
+ key = rxrpc_get_null_key(cell->key_desc);
+ if (!IS_ERR(key))
+ cell->anonymous_key = key;
+ }
+ mutex_unlock(&afs_key_lock);
+
+ if (IS_ERR(key))
+ return PTR_ERR(key);
+
+ _debug("anon key %p{%x}",
+ cell->anonymous_key, key_serial(cell->anonymous_key));
+ return 0;
+}
/*
* get a key
@@ -23,11 +47,12 @@ static DEFINE_SPINLOCK(afs_permits_lock);
struct key *afs_request_key(struct afs_cell *cell)
{
struct key *key;
+ int ret;
- _enter("{%x}", key_serial(cell->anonymous_key));
+ _enter("{%s}", cell->key_desc);
- _debug("key %s", cell->anonymous_key->description);
- key = request_key_net(&key_type_rxrpc, cell->anonymous_key->description,
+ _debug("key %s", cell->key_desc);
+ key = request_key_net(&key_type_rxrpc, cell->key_desc,
cell->net->net, NULL);
if (IS_ERR(key)) {
if (PTR_ERR(key) != -ENOKEY) {
@@ -35,6 +60,12 @@ struct key *afs_request_key(struct afs_cell *cell)
return key;
}
+ if (!cell->anonymous_key) {
+ ret = afs_alloc_anon_key(cell);
+ if (ret < 0)
+ return ERR_PTR(ret);
+ }
+
/* act as anonymous user */
_leave(" = {%x} [anon]", key_serial(cell->anonymous_key));
return key_get(cell->anonymous_key);
@@ -52,11 +83,10 @@ struct key *afs_request_key_rcu(struct afs_cell *cell)
{
struct key *key;
- _enter("{%x}", key_serial(cell->anonymous_key));
+ _enter("{%s}", cell->key_desc);
- _debug("key %s", cell->anonymous_key->description);
- key = request_key_net_rcu(&key_type_rxrpc,
- cell->anonymous_key->description,
+ _debug("key %s", cell->key_desc);
+ key = request_key_net_rcu(&key_type_rxrpc, cell->key_desc,
cell->net->net);
if (IS_ERR(key)) {
if (PTR_ERR(key) != -ENOKEY) {
@@ -65,6 +95,8 @@ struct key *afs_request_key_rcu(struct afs_cell *cell)
}
/* act as anonymous user */
+ if (!cell->anonymous_key)
+ return NULL; /* Need to allocate */
_leave(" = {%x} [anon]", key_serial(cell->anonymous_key));
return key_get(cell->anonymous_key);
} else {
@@ -408,7 +440,7 @@ int afs_permission(struct mnt_idmap *idmap, struct inode *inode,
if (mask & MAY_NOT_BLOCK) {
key = afs_request_key_rcu(vnode->volume->cell);
- if (IS_ERR(key))
+ if (IS_ERR_OR_NULL(key))
return -ECHILD;
ret = -ECHILD;
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 043/146] ovl: fail ovl_lock_rename_workdir() if either target is unhashed
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 042/146] afs: Fix delayed allocation of a cells anonymous key Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 044/146] riscv: dts: allwinner: d1: fix vlenb property Greg Kroah-Hartman
` (116 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+bfc9a0ccf0de47d04e8c,
NeilBrown, Amir Goldstein, Christian Brauner, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: NeilBrown <neil@brown.name>
[ Upstream commit e9c70084a64e51b65bb68f810692a03dc8bedffa ]
As well as checking that the parent hasn't changed after getting the
lock we need to check that the dentry hasn't been unhashed.
Otherwise we might try to rename something that has been removed.
Reported-by: syzbot+bfc9a0ccf0de47d04e8c@syzkaller.appspotmail.com
Fixes: d2c995581c7c ("ovl: Call ovl_create_temp() without lock held.")
Signed-off-by: NeilBrown <neil@brown.name>
Link: https://patch.msgid.link/176429295510.634289.1552337113663461690@noble.neil.brown.name
Tested-by: syzbot+bfc9a0ccf0de47d04e8c@syzkaller.appspotmail.com
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/overlayfs/util.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
index 41033bac96cbb..ab652164ffc90 100644
--- a/fs/overlayfs/util.c
+++ b/fs/overlayfs/util.c
@@ -1234,9 +1234,9 @@ int ovl_lock_rename_workdir(struct dentry *workdir, struct dentry *work,
goto err;
if (trap)
goto err_unlock;
- if (work && work->d_parent != workdir)
+ if (work && (work->d_parent != workdir || d_unhashed(work)))
goto err_unlock;
- if (upper && upper->d_parent != upperdir)
+ if (upper && (upper->d_parent != upperdir || d_unhashed(upper)))
goto err_unlock;
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 044/146] riscv: dts: allwinner: d1: fix vlenb property
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 043/146] ovl: fail ovl_lock_rename_workdir() if either target is unhashed Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 045/146] spi: tegra114: remove Kconfig dependency on TEGRA20_APB_DMA Greg Kroah-Hartman
` (115 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sergey Matyukevich, Chen-Yu Tsai,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergey Matyukevich <geomatsi@gmail.com>
[ Upstream commit 9f393d8e757f79060baf4b2e703bd6b2d0d8d323 ]
According to [1], the C906 vector registers are 128 bits wide.
The 'thead,vlenb' property specifies the vector register length
in bytes, so its value must be set to 16.
[1] https://dl.linux-sunxi.org/D1/Xuantie_C906_R1S0_User_Manual.pdf
Fixes: ce1daeeba600 ("riscv: dts: allwinner: Add xtheadvector to the D1/D1s devicetree")
Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
Link: https://patch.msgid.link/20251119203508.1032716-1-geomatsi@gmail.com
Signed-off-by: Chen-Yu Tsai <wens@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/boot/dts/allwinner/sun20i-d1s.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/riscv/boot/dts/allwinner/sun20i-d1s.dtsi b/arch/riscv/boot/dts/allwinner/sun20i-d1s.dtsi
index 6367112e614a1..a7442a508433d 100644
--- a/arch/riscv/boot/dts/allwinner/sun20i-d1s.dtsi
+++ b/arch/riscv/boot/dts/allwinner/sun20i-d1s.dtsi
@@ -28,7 +28,7 @@
riscv,isa-base = "rv64i";
riscv,isa-extensions = "i", "m", "a", "f", "d", "c", "zicntr", "zicsr",
"zifencei", "zihpm", "xtheadvector";
- thead,vlenb = <128>;
+ thead,vlenb = <16>;
#cooling-cells = <2>;
cpu0_intc: interrupt-controller {
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 045/146] spi: tegra114: remove Kconfig dependency on TEGRA20_APB_DMA
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 044/146] riscv: dts: allwinner: d1: fix vlenb property Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 046/146] spi: amlogic-spifc-a1: Handle devm_pm_runtime_enable() errors Greg Kroah-Hartman
` (114 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Francesco Lavra, Mark Brown,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Francesco Lavra <flavra@baylibre.com>
[ Upstream commit 3dcf44ab56e1d3ca3532083c0d5390b758e45b45 ]
This driver runs also on Tegra SoCs without a Tegra20 APB DMA controller
(e.g. Tegra234).
Remove the Kconfig dependency on TEGRA20_APB_DMA; in addition, amend the
help text to reflect the fact that this driver works on SoCs different from
Tegra114.
Fixes: bb9667d8187b ("arm64: tegra: Add SPI device tree nodes for Tegra234")
Signed-off-by: Francesco Lavra <flavra@baylibre.com>
Link: https://patch.msgid.link/20251126095027.4102004-1-flavra@baylibre.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/Kconfig | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/spi/Kconfig b/drivers/spi/Kconfig
index 891729c9c5642..9f20cb75bb856 100644
--- a/drivers/spi/Kconfig
+++ b/drivers/spi/Kconfig
@@ -1170,10 +1170,10 @@ config SPI_TEGRA210_QUAD
config SPI_TEGRA114
tristate "NVIDIA Tegra114 SPI Controller"
- depends on (ARCH_TEGRA && TEGRA20_APB_DMA) || COMPILE_TEST
+ depends on ARCH_TEGRA || COMPILE_TEST
depends on RESET_CONTROLLER
help
- SPI driver for NVIDIA Tegra114 SPI Controller interface. This controller
+ SPI controller driver for NVIDIA Tegra114 and later SoCs. This controller
is different than the older SoCs SPI controller and also register interface
get changed with this controller.
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 046/146] spi: amlogic-spifc-a1: Handle devm_pm_runtime_enable() errors
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 045/146] spi: tegra114: remove Kconfig dependency on TEGRA20_APB_DMA Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 047/146] spi: spi-nxp-fspi: Add OCT-DTR mode support Greg Kroah-Hartman
` (113 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Mark Brown,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit a90903c2a3c38bce475f46ea3f93dbf6a9971553 ]
devm_pm_runtime_enable() can fail due to memory allocation. The current
code ignores its return value, potentially causing runtime PM operations
to fail silently after autosuspend configuration.
Check the return value of devm_pm_runtime_enable() and return on failure.
Fixes: 909fac05b926 ("spi: add support for Amlogic A1 SPI Flash Controller")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251124015852.937-1-vulab@iscas.ac.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-amlogic-spifc-a1.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/spi/spi-amlogic-spifc-a1.c b/drivers/spi/spi-amlogic-spifc-a1.c
index 18c9aa2cbc290..eb503790017b2 100644
--- a/drivers/spi/spi-amlogic-spifc-a1.c
+++ b/drivers/spi/spi-amlogic-spifc-a1.c
@@ -353,7 +353,9 @@ static int amlogic_spifc_a1_probe(struct platform_device *pdev)
pm_runtime_set_autosuspend_delay(spifc->dev, 500);
pm_runtime_use_autosuspend(spifc->dev);
- devm_pm_runtime_enable(spifc->dev);
+ ret = devm_pm_runtime_enable(spifc->dev);
+ if (ret)
+ return ret;
ctrl->num_chipselect = 1;
ctrl->dev.of_node = pdev->dev.of_node;
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 047/146] spi: spi-nxp-fspi: Add OCT-DTR mode support
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 046/146] spi: amlogic-spifc-a1: Handle devm_pm_runtime_enable() errors Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 048/146] spi: nxp-fspi: Propagate fwnode in ACPI case as well Greg Kroah-Hartman
` (112 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haibo Chen, Frank Li, Mark Brown,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haibo Chen <haibo.chen@nxp.com>
[ Upstream commit 0f67557763accbdd56681f17ed5350735198c57b ]
Add OCT-DTR mode support in default, since flexspi do not supports
swapping bytes on a 16 bit boundary in OCT-DTR mode, so mark swap16
as false.
lx2160a do not support DQS, so add a quirk to disable DTR mode for this
platform.
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20250917-flexspi-ddr-v2-5-bb9fe2a01889@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 40ad64ac25bb ("spi: nxp-fspi: Propagate fwnode in ACPI case as well")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-nxp-fspi.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/drivers/spi/spi-nxp-fspi.c b/drivers/spi/spi-nxp-fspi.c
index ab13f11242c3c..fcf10be66d391 100644
--- a/drivers/spi/spi-nxp-fspi.c
+++ b/drivers/spi/spi-nxp-fspi.c
@@ -330,6 +330,8 @@
/* Access flash memory using IP bus only */
#define FSPI_QUIRK_USE_IP_ONLY BIT(0)
+/* Disable DTR */
+#define FSPI_QUIRK_DISABLE_DTR BIT(1)
struct nxp_fspi_devtype_data {
unsigned int rxfifo;
@@ -344,7 +346,7 @@ static struct nxp_fspi_devtype_data lx2160a_data = {
.rxfifo = SZ_512, /* (64 * 64 bits) */
.txfifo = SZ_1K, /* (128 * 64 bits) */
.ahb_buf_size = SZ_2K, /* (256 * 64 bits) */
- .quirks = 0,
+ .quirks = FSPI_QUIRK_DISABLE_DTR,
.lut_num = 32,
.little_endian = true, /* little-endian */
};
@@ -1236,6 +1238,13 @@ static const struct spi_controller_mem_ops nxp_fspi_mem_ops = {
};
static const struct spi_controller_mem_caps nxp_fspi_mem_caps = {
+ .dtr = true,
+ .swap16 = false,
+ .per_op_freq = true,
+};
+
+static const struct spi_controller_mem_caps nxp_fspi_mem_caps_disable_dtr = {
+ .dtr = false,
.per_op_freq = true,
};
@@ -1351,7 +1360,12 @@ static int nxp_fspi_probe(struct platform_device *pdev)
ctlr->bus_num = -1;
ctlr->num_chipselect = NXP_FSPI_MAX_CHIPSELECT;
ctlr->mem_ops = &nxp_fspi_mem_ops;
- ctlr->mem_caps = &nxp_fspi_mem_caps;
+
+ if (f->devtype_data->quirks & FSPI_QUIRK_DISABLE_DTR)
+ ctlr->mem_caps = &nxp_fspi_mem_caps_disable_dtr;
+ else
+ ctlr->mem_caps = &nxp_fspi_mem_caps;
+
ctlr->dev.of_node = np;
ret = devm_add_action_or_reset(dev, nxp_fspi_cleanup, f);
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 048/146] spi: nxp-fspi: Propagate fwnode in ACPI case as well
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 047/146] spi: spi-nxp-fspi: Add OCT-DTR mode support Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 049/146] spi: bcm63xx: fix premature CS deassertion on RX-only transactions Greg Kroah-Hartman
` (111 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Haibo Chen,
Mark Brown, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 40ad64ac25bb736740f895d99a4aebbda9b80991 ]
Propagate fwnode of the ACPI device to the SPI controller Linux device.
Currently only OF case propagates fwnode to the controller.
While at it, replace several calls to dev_fwnode() with a single one
cached in a local variable, and unify checks for fwnode type by using
is_*_node() APIs.
Fixes: 55ab8487e01d ("spi: spi-nxp-fspi: Add ACPI support")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Haibo Chen <haibo.chen@nxp.com>
Link: https://patch.msgid.link/20251126202501.2319679-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-nxp-fspi.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/spi/spi-nxp-fspi.c b/drivers/spi/spi-nxp-fspi.c
index fcf10be66d391..f96638cae1d94 100644
--- a/drivers/spi/spi-nxp-fspi.c
+++ b/drivers/spi/spi-nxp-fspi.c
@@ -1270,7 +1270,7 @@ static int nxp_fspi_probe(struct platform_device *pdev)
{
struct spi_controller *ctlr;
struct device *dev = &pdev->dev;
- struct device_node *np = dev->of_node;
+ struct fwnode_handle *fwnode = dev_fwnode(dev);
struct resource *res;
struct nxp_fspi *f;
int ret, irq;
@@ -1292,7 +1292,7 @@ static int nxp_fspi_probe(struct platform_device *pdev)
platform_set_drvdata(pdev, f);
/* find the resources - configuration register address space */
- if (is_acpi_node(dev_fwnode(f->dev)))
+ if (is_acpi_node(fwnode))
f->iobase = devm_platform_ioremap_resource(pdev, 0);
else
f->iobase = devm_platform_ioremap_resource_byname(pdev, "fspi_base");
@@ -1300,7 +1300,7 @@ static int nxp_fspi_probe(struct platform_device *pdev)
return PTR_ERR(f->iobase);
/* find the resources - controller memory mapped space */
- if (is_acpi_node(dev_fwnode(f->dev)))
+ if (is_acpi_node(fwnode))
res = platform_get_resource(pdev, IORESOURCE_MEM, 1);
else
res = platform_get_resource_byname(pdev,
@@ -1313,7 +1313,7 @@ static int nxp_fspi_probe(struct platform_device *pdev)
f->memmap_phy_size = resource_size(res);
/* find the clocks */
- if (dev_of_node(&pdev->dev)) {
+ if (is_of_node(fwnode)) {
f->clk_en = devm_clk_get(dev, "fspi_en");
if (IS_ERR(f->clk_en))
return PTR_ERR(f->clk_en);
@@ -1366,7 +1366,7 @@ static int nxp_fspi_probe(struct platform_device *pdev)
else
ctlr->mem_caps = &nxp_fspi_mem_caps;
- ctlr->dev.of_node = np;
+ device_set_node(&ctlr->dev, fwnode);
ret = devm_add_action_or_reset(dev, nxp_fspi_cleanup, f);
if (ret)
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 049/146] spi: bcm63xx: fix premature CS deassertion on RX-only transactions
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 048/146] spi: nxp-fspi: Propagate fwnode in ACPI case as well Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 050/146] afs: Fix uninit var in afs_alloc_anon_key() Greg Kroah-Hartman
` (110 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hang Zhou, Mark Brown, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hang Zhou <929513338@qq.com>
[ Upstream commit fd9862f726aedbc2f29a29916cabed7bcf5cadb6 ]
On BCM6358 (and also observed on BCM6368) the controller appears to
only generate as many SPI clocks as bytes that have been written into
the TX FIFO. For RX-only transfers the driver programs the transfer
length in SPI_MSG_CTL but does not write anything into the FIFO, so
chip select is deasserted early and the RX transfer segment is never
fully clocked in.
A concrete failing case is a three-transfer MAC address read from
SPI-NOR:
- TX 0x03 (read command)
- TX 3-byte address
- RX 6 bytes (MAC)
In contrast, a two-transfer JEDEC-ID read (0x9f + 6-byte RX) works
because the driver uses prepend_len and writes dummy bytes into the
TX FIFO for the RX part.
Fix this by writing 0xff dummy bytes into the TX FIFO for RX-only
segments so that the number of bytes written to the FIFO matches the
total message length seen by the controller.
Fixes: b17de076062a ("spi/bcm63xx: work around inability to keep CS up")
Signed-off-by: Hang Zhou <929513338@qq.com>
Link: https://patch.msgid.link/tencent_7AC88FCB3076489A4A7E6C2163DF1ACF8D06@qq.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-bcm63xx.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c
index b56210734caaf..2e3c62f12bef9 100644
--- a/drivers/spi/spi-bcm63xx.c
+++ b/drivers/spi/spi-bcm63xx.c
@@ -247,6 +247,20 @@ static int bcm63xx_txrx_bufs(struct spi_device *spi, struct spi_transfer *first,
if (t->rx_buf) {
do_rx = true;
+
+ /*
+ * In certain hardware implementations, there appears to be a
+ * hidden accumulator that tracks the number of bytes written into
+ * the hardware FIFO, and this accumulator overrides the length in
+ * the SPI_MSG_CTL register.
+ *
+ * Therefore, for read-only transfers, we need to write some dummy
+ * value into the FIFO to keep the accumulator tracking the correct
+ * length.
+ */
+ if (!t->tx_buf)
+ memset_io(bs->tx_io + len, 0xFF, t->len);
+
/* prepend is half-duplex write only */
if (t == first)
prepend_len = 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 050/146] afs: Fix uninit var in afs_alloc_anon_key()
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 049/146] spi: bcm63xx: fix premature CS deassertion on RX-only transactions Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 051/146] timekeeping: Fix error code in tk_aux_sysfs_init() Greg Kroah-Hartman
` (109 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantra, David Howells,
Marc Dionne, syzbot+41c68824eefb67cdf00c, linux-afs,
linux-fsdevel, Linus Torvalds, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit 19eef1d98eeda3745df35839190b7d4a4adea656 ]
Fix an uninitialised variable (key) in afs_alloc_anon_key() by setting it
to cell->anonymous_key. Without this change, the error check may return a
false failure with a bad error number.
Most of the time this is unlikely to happen because the first encounter
with afs_alloc_anon_key() will usually be from (auto)mount, for which all
subsequent operations must wait - apart from other (auto)mounts. Once the
call->anonymous_key is allocated, all further calls to afs_request_key()
will skip the call to afs_alloc_anon_key() for that cell.
Fixes: d27c71257825 ("afs: Fix delayed allocation of a cell's anonymous key")
Reported-by: Paulo Alcantra <pc@manguebit.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Paulo Alcantara <pc@manguebit.org>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: syzbot+41c68824eefb67cdf00c@syzkaller.appspotmail.com
cc: linux-afs@lists.infradead.org
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/afs/security.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/afs/security.c b/fs/afs/security.c
index ff8830e6982fb..55ddce94af031 100644
--- a/fs/afs/security.c
+++ b/fs/afs/security.c
@@ -26,7 +26,8 @@ static int afs_alloc_anon_key(struct afs_cell *cell)
struct key *key;
mutex_lock(&afs_key_lock);
- if (!cell->anonymous_key) {
+ key = cell->anonymous_key;
+ if (!key) {
key = rxrpc_get_null_key(cell->key_desc);
if (!IS_ERR(key))
cell->anonymous_key = key;
--
2.51.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 051/146] timekeeping: Fix error code in tk_aux_sysfs_init()
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 050/146] afs: Fix uninit var in afs_alloc_anon_key() Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 052/146] Revert "drm/amd/display: Move setup_stream_attribute" Greg Kroah-Hartman
` (108 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Thomas Gleixner,
Malaya Kumar Rout
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
commit c7418164b463056bf4327b6a2abe638b78250f13 upstream.
If kobject_create_and_add() fails on the first iteration, then the error
code is set to -ENOMEM which is correct. But if it fails in subsequent
iterations then "ret" is zero, which means success, but it should be
-ENOMEM.
Set the error code to -ENOMEM correctly.
Fixes: 7b5ab04f035f ("timekeeping: Fix resource leak in tk_aux_sysfs_init() error paths")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Malaya Kumar Rout <mrout@redhat.com>
Link: https://patch.msgid.link/aSW1R8q5zoY_DgQE@stanley.mountain
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/time/timekeeping.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
index 08e0943b54da..4790da895203 100644
--- a/kernel/time/timekeeping.c
+++ b/kernel/time/timekeeping.c
@@ -3073,8 +3073,10 @@ static int __init tk_aux_sysfs_init(void)
char id[2] = { [0] = '0' + i, };
struct kobject *clk = kobject_create_and_add(id, auxo);
- if (!clk)
+ if (!clk) {
+ ret = -ENOMEM;
goto err_clean;
+ }
ret = sysfs_create_group(clk, &aux_clock_enable_attr_group);
if (ret)
--
2.52.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 052/146] Revert "drm/amd/display: Move setup_stream_attribute"
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 051/146] timekeeping: Fix error code in tk_aux_sysfs_init() Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 053/146] Revert "perf/x86: Always store regs->ip in perf_callchain_kernel()" Greg Kroah-Hartman
` (107 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sunpeng.Li, ivan.lipski,
Alex Deucher
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 3126c9ccb4373d8758733c6699ba5ab93dbe5c9d upstream.
This reverts commit 2681bf4ae8d24df950138b8c9ea9c271cd62e414.
This results in a blank screen on the HDMI port on some systems.
Revert for now so as not to regress 6.18, can be addressed
in 6.19 once the issue is root caused.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4652
Cc: Sunpeng.Li@amd.com
Cc: ivan.lipski@amd.com
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit d0e9de7a81503cdde37fb2d37f1d102f9e0f38fb)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 1 -
drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 2 --
drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 2 --
drivers/gpu/drm/amd/display/dc/link/link_dpms.c | 3 +++
drivers/gpu/drm/amd/display/dc/virtual/virtual_stream_encoder.c | 7 -------
5 files changed, 3 insertions(+), 12 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c
+++ b/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c
@@ -671,7 +671,6 @@ void dce110_enable_stream(struct pipe_ct
uint32_t early_control = 0;
struct timing_generator *tg = pipe_ctx->stream_res.tg;
- link_hwss->setup_stream_attribute(pipe_ctx);
link_hwss->setup_stream_encoder(pipe_ctx);
dc->hwss.update_info_frame(pipe_ctx);
--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c
+++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c
@@ -3060,8 +3060,6 @@ void dcn20_enable_stream(struct pipe_ctx
link_enc->transmitter - TRANSMITTER_UNIPHY_A);
}
- link_hwss->setup_stream_attribute(pipe_ctx);
-
if (dc->res_pool->dccg->funcs->set_pixel_rate_div)
dc->res_pool->dccg->funcs->set_pixel_rate_div(
dc->res_pool->dccg,
--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c
+++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c
@@ -968,8 +968,6 @@ void dcn401_enable_stream(struct pipe_ct
}
}
- link_hwss->setup_stream_attribute(pipe_ctx);
-
if (dc->res_pool->dccg->funcs->set_pixel_rate_div) {
dc->res_pool->dccg->funcs->set_pixel_rate_div(
dc->res_pool->dccg,
--- a/drivers/gpu/drm/amd/display/dc/link/link_dpms.c
+++ b/drivers/gpu/drm/amd/display/dc/link/link_dpms.c
@@ -2458,6 +2458,7 @@ void link_set_dpms_on(
struct link_encoder *link_enc = pipe_ctx->link_res.dio_link_enc;
enum otg_out_mux_dest otg_out_dest = OUT_MUX_DIO;
struct vpg *vpg = pipe_ctx->stream_res.stream_enc->vpg;
+ const struct link_hwss *link_hwss = get_link_hwss(link, &pipe_ctx->link_res);
bool apply_edp_fast_boot_optimization =
pipe_ctx->stream->apply_edp_fast_boot_optimization;
@@ -2501,6 +2502,8 @@ void link_set_dpms_on(
pipe_ctx->stream_res.tg->funcs->set_out_mux(pipe_ctx->stream_res.tg, otg_out_dest);
}
+ link_hwss->setup_stream_attribute(pipe_ctx);
+
pipe_ctx->stream->apply_edp_fast_boot_optimization = false;
// Enable VPG before building infoframe
--- a/drivers/gpu/drm/amd/display/dc/virtual/virtual_stream_encoder.c
+++ b/drivers/gpu/drm/amd/display/dc/virtual/virtual_stream_encoder.c
@@ -44,11 +44,6 @@ static void virtual_stream_encoder_dvi_s
struct dc_crtc_timing *crtc_timing,
bool is_dual_link) {}
-static void virtual_stream_encoder_lvds_set_stream_attribute(
- struct stream_encoder *enc,
- struct dc_crtc_timing *crtc_timing)
-{}
-
static void virtual_stream_encoder_set_throttled_vcp_size(
struct stream_encoder *enc,
struct fixed31_32 avg_time_slots_per_mtp)
@@ -120,8 +115,6 @@ static const struct stream_encoder_funcs
virtual_stream_encoder_hdmi_set_stream_attribute,
.dvi_set_stream_attribute =
virtual_stream_encoder_dvi_set_stream_attribute,
- .lvds_set_stream_attribute =
- virtual_stream_encoder_lvds_set_stream_attribute,
.set_throttled_vcp_size =
virtual_stream_encoder_set_throttled_vcp_size,
.update_hdmi_info_packets =
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 053/146] Revert "perf/x86: Always store regs->ip in perf_callchain_kernel()"
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 052/146] Revert "drm/amd/display: Move setup_stream_attribute" Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 054/146] iio: buffer-dma: support getting the DMA channel Greg Kroah-Hartman
` (106 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Song Liu, Jiri Olsa,
Alexei Starovoitov, Steven Rostedt (Google)
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Olsa <jolsa@kernel.org>
commit 6d08340d1e354787d6c65a8c3cdd4d41ffb8a5ed upstream.
This reverts commit 83f44ae0f8afcc9da659799db8693f74847e66b3.
Currently we store initial stacktrace entry twice for non-HW ot_regs, which
means callers that fail perf_hw_regs(regs) condition in perf_callchain_kernel.
It's easy to reproduce this bpftrace:
# bpftrace -e 'tracepoint:sched:sched_process_exec { print(kstack()); }'
Attaching 1 probe...
bprm_execve+1767
bprm_execve+1767
do_execveat_common.isra.0+425
__x64_sys_execve+56
do_syscall_64+133
entry_SYSCALL_64_after_hwframe+118
When perf_callchain_kernel calls unwind_start with first_frame, AFAICS
we do not skip regs->ip, but it's added as part of the unwind process.
Hence reverting the extra perf_callchain_store for non-hw regs leg.
I was not able to bisect this, so I'm not really sure why this was needed
in v5.2 and why it's not working anymore, but I could see double entries
as far as v5.10.
I did the test for both ORC and framepointer unwind with and without the
this fix and except for the initial entry the stacktraces are the same.
Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Link: https://lore.kernel.org/r/20251104215405.168643-2-jolsa@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/events/core.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/arch/x86/events/core.c
+++ b/arch/x86/events/core.c
@@ -2787,13 +2787,13 @@ perf_callchain_kernel(struct perf_callch
return;
}
- if (perf_callchain_store(entry, regs->ip))
- return;
-
- if (perf_hw_regs(regs))
+ if (perf_hw_regs(regs)) {
+ if (perf_callchain_store(entry, regs->ip))
+ return;
unwind_start(&state, current, regs, NULL);
- else
+ } else {
unwind_start(&state, current, NULL, (void *)regs->sp);
+ }
for (; !unwind_done(&state); unwind_next_frame(&state)) {
addr = unwind_get_return_address(&state);
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 054/146] iio: buffer-dma: support getting the DMA channel
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 053/146] Revert "perf/x86: Always store regs->ip in perf_callchain_kernel()" Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 055/146] iio: buffer-dmaengine: enable .get_dma_dev() Greg Kroah-Hartman
` (105 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Lechner, Nuno Sá,
Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nuno Sá <nuno.sa@analog.com>
commit f9c198c3ccaf90a1a265fb2ffa8d4b093c3b0784 upstream.
Implement the .get_dma_dev() callback for DMA buffers by returning the
device that owns the DMA channel. This allows the core DMABUF
infrastructure to properly map DMA buffers using the correct device,
avoiding the need for bounce buffers on systems where memory is mapped
above the 32-bit range.
The function returns the DMA queue's device, which is the actual device
responsible for DMA operations in buffer-dma implementations.
Cc: stable@vger.kernel.org
Reviewed-by: David Lechner <dlechner@baylibre.com>
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/buffer/industrialio-buffer-dma.c | 6 ++++++
include/linux/iio/buffer-dma.h | 1 +
2 files changed, 7 insertions(+)
--- a/drivers/iio/buffer/industrialio-buffer-dma.c
+++ b/drivers/iio/buffer/industrialio-buffer-dma.c
@@ -786,6 +786,12 @@ out_end_signalling:
}
EXPORT_SYMBOL_NS_GPL(iio_dma_buffer_enqueue_dmabuf, "IIO_DMA_BUFFER");
+struct device *iio_dma_buffer_get_dma_dev(struct iio_buffer *buffer)
+{
+ return iio_buffer_to_queue(buffer)->dev;
+}
+EXPORT_SYMBOL_NS_GPL(iio_dma_buffer_get_dma_dev, "IIO_DMA_BUFFER");
+
void iio_dma_buffer_lock_queue(struct iio_buffer *buffer)
{
struct iio_dma_buffer_queue *queue = iio_buffer_to_queue(buffer);
--- a/include/linux/iio/buffer-dma.h
+++ b/include/linux/iio/buffer-dma.h
@@ -174,5 +174,6 @@ int iio_dma_buffer_enqueue_dmabuf(struct
size_t size, bool cyclic);
void iio_dma_buffer_lock_queue(struct iio_buffer *buffer);
void iio_dma_buffer_unlock_queue(struct iio_buffer *buffer);
+struct device *iio_dma_buffer_get_dma_dev(struct iio_buffer *buffer);
#endif
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 055/146] iio: buffer-dmaengine: enable .get_dma_dev()
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 054/146] iio: buffer-dma: support getting the DMA channel Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 056/146] iio: buffer: support getting dma channel from the buffer Greg Kroah-Hartman
` (104 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Lechner, Nuno Sá, Stable,
Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nuno Sá <nuno.sa@analog.com>
commit 3db847df994d475db7812dde90376f2848bcd30a upstream.
Wire up the .get_dma_dev() callback to use the DMA buffer infrastructure's
implementation. This ensures that DMABUF operations use the correct DMA
device for mapping, which is essential for proper operation on systems
where memory is mapped above the 32-bit range.
Without this callback, the core would fall back to using the IIO device's
parent, which may not have the appropriate DMA mask configuration for
high memory access.
Fixes: 7a86d469983a ("iio: buffer-dmaengine: Support new DMABUF based userspace API")
Reviewed-by: David Lechner <dlechner@baylibre.com>
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/buffer/industrialio-buffer-dmaengine.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iio/buffer/industrialio-buffer-dmaengine.c
+++ b/drivers/iio/buffer/industrialio-buffer-dmaengine.c
@@ -177,6 +177,8 @@ static const struct iio_buffer_access_fu
.lock_queue = iio_dma_buffer_lock_queue,
.unlock_queue = iio_dma_buffer_unlock_queue,
+ .get_dma_dev = iio_dma_buffer_get_dma_dev,
+
.modes = INDIO_BUFFER_HARDWARE,
.flags = INDIO_BUFFER_FLAG_FIXED_WATERMARK,
};
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 056/146] iio: buffer: support getting dma channel from the buffer
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 055/146] iio: buffer-dmaengine: enable .get_dma_dev() Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 057/146] iio: humditiy: hdc3020: fix units for temperature and humidity measurement Greg Kroah-Hartman
` (103 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Lechner, Nuno Sá,
Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nuno Sá <nuno.sa@analog.com>
commit a514bb109eada64f798f1c86c17182229cc20fe7 upstream.
Add a new buffer accessor .get_dma_dev() in order to get the
struct device responsible for actually providing the dma channel. We
cannot assume that we can use the parent of the IIO device for mapping
the DMA buffer. This becomes important on systems (like the Xilinx/AMD
zynqMP Ultrascale) where memory (or part of it) is mapped above the
32 bit range. On such systems and given that a device by default has
a dma mask of 32 bits we would then need to rely on bounce buffers (to
swiotlb) for mapping memory above the dma mask limit.
In the process, add an iio_buffer_get_dma_dev() helper function to get
the proper DMA device.
Cc: stable@vger.kernel.org
Reviewed-by: David Lechner <dlechner@baylibre.com>
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/industrialio-buffer.c | 21 ++++++++++++++++-----
include/linux/iio/buffer_impl.h | 2 ++
2 files changed, 18 insertions(+), 5 deletions(-)
--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -1623,19 +1623,28 @@ static int iio_dma_resv_lock(struct dma_
return 0;
}
+static struct device *iio_buffer_get_dma_dev(const struct iio_dev *indio_dev,
+ struct iio_buffer *buffer)
+{
+ if (buffer->access->get_dma_dev)
+ return buffer->access->get_dma_dev(buffer);
+
+ return indio_dev->dev.parent;
+}
+
static struct dma_buf_attachment *
iio_buffer_find_attachment(struct iio_dev_buffer_pair *ib,
struct dma_buf *dmabuf, bool nonblock)
{
- struct device *dev = ib->indio_dev->dev.parent;
struct iio_buffer *buffer = ib->buffer;
+ struct device *dma_dev = iio_buffer_get_dma_dev(ib->indio_dev, buffer);
struct dma_buf_attachment *attach = NULL;
struct iio_dmabuf_priv *priv;
guard(mutex)(&buffer->dmabufs_mutex);
list_for_each_entry(priv, &buffer->dmabufs, entry) {
- if (priv->attach->dev == dev
+ if (priv->attach->dev == dma_dev
&& priv->attach->dmabuf == dmabuf) {
attach = priv->attach;
break;
@@ -1653,6 +1662,7 @@ static int iio_buffer_attach_dmabuf(stru
{
struct iio_dev *indio_dev = ib->indio_dev;
struct iio_buffer *buffer = ib->buffer;
+ struct device *dma_dev = iio_buffer_get_dma_dev(indio_dev, buffer);
struct dma_buf_attachment *attach;
struct iio_dmabuf_priv *priv, *each;
struct dma_buf *dmabuf;
@@ -1679,7 +1689,7 @@ static int iio_buffer_attach_dmabuf(stru
goto err_free_priv;
}
- attach = dma_buf_attach(dmabuf, indio_dev->dev.parent);
+ attach = dma_buf_attach(dmabuf, dma_dev);
if (IS_ERR(attach)) {
err = PTR_ERR(attach);
goto err_dmabuf_put;
@@ -1719,7 +1729,7 @@ static int iio_buffer_attach_dmabuf(stru
* combo. If we do, refuse to attach.
*/
list_for_each_entry(each, &buffer->dmabufs, entry) {
- if (each->attach->dev == indio_dev->dev.parent
+ if (each->attach->dev == dma_dev
&& each->attach->dmabuf == dmabuf) {
/*
* We unlocked the reservation object, so going through
@@ -1758,6 +1768,7 @@ static int iio_buffer_detach_dmabuf(stru
{
struct iio_buffer *buffer = ib->buffer;
struct iio_dev *indio_dev = ib->indio_dev;
+ struct device *dma_dev = iio_buffer_get_dma_dev(indio_dev, buffer);
struct iio_dmabuf_priv *priv;
struct dma_buf *dmabuf;
int dmabuf_fd, ret = -EPERM;
@@ -1772,7 +1783,7 @@ static int iio_buffer_detach_dmabuf(stru
guard(mutex)(&buffer->dmabufs_mutex);
list_for_each_entry(priv, &buffer->dmabufs, entry) {
- if (priv->attach->dev == indio_dev->dev.parent
+ if (priv->attach->dev == dma_dev
&& priv->attach->dmabuf == dmabuf) {
list_del(&priv->entry);
--- a/include/linux/iio/buffer_impl.h
+++ b/include/linux/iio/buffer_impl.h
@@ -50,6 +50,7 @@ struct sg_table;
* @enqueue_dmabuf: called from userspace via ioctl to queue this DMABUF
* object to this buffer. Requires a valid DMABUF fd, that
* was previouly attached to this buffer.
+ * @get_dma_dev: called to get the DMA channel associated with this buffer.
* @lock_queue: called when the core needs to lock the buffer queue;
* it is used when enqueueing DMABUF objects.
* @unlock_queue: used to unlock a previously locked buffer queue
@@ -90,6 +91,7 @@ struct iio_buffer_access_funcs {
struct iio_dma_buffer_block *block,
struct dma_fence *fence, struct sg_table *sgt,
size_t size, bool cyclic);
+ struct device * (*get_dma_dev)(struct iio_buffer *buffer);
void (*lock_queue)(struct iio_buffer *buffer);
void (*unlock_queue)(struct iio_buffer *buffer);
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 057/146] iio: humditiy: hdc3020: fix units for temperature and humidity measurement
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 056/146] iio: buffer: support getting dma channel from the buffer Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 058/146] iio: humditiy: hdc3020: fix units for thresholds and hysteresis Greg Kroah-Hartman
` (102 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Lesiak, Javier Carrasco,
Dimitri Fedrau, Stable, Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dimitri Fedrau <dimitri.fedrau@liebherr.com>
commit 7b8dc11c0a830caa0d890c603d597161c6c26095 upstream.
According to the ABI the units after application of scale and offset are
milli degrees for temperature measurements and milli percent for relative
humidity measurements. Currently the resulting units are degree celsius for
temperature measurements and percent for relative humidity measurements.
Change scale factor to fix this issue.
Fixes: c9180b8e39be ("iio: humidity: Add driver for ti HDC302x humidity sensors")
Reported-by: Chris Lesiak <chris.lesiak@licorbio.com>
Suggested-by: Chris Lesiak <chris.lesiak@licorbio.com>
Reviewed-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Signed-off-by: Dimitri Fedrau <dimitri.fedrau@liebherr.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/humidity/hdc3020.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/iio/humidity/hdc3020.c
+++ b/drivers/iio/humidity/hdc3020.c
@@ -301,9 +301,9 @@ static int hdc3020_read_raw(struct iio_d
case IIO_CHAN_INFO_SCALE:
*val2 = 65536;
if (chan->type == IIO_TEMP)
- *val = 175;
+ *val = 175 * MILLI;
else
- *val = 100;
+ *val = 100 * MILLI;
return IIO_VAL_FRACTIONAL;
case IIO_CHAN_INFO_OFFSET:
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 058/146] iio: humditiy: hdc3020: fix units for thresholds and hysteresis
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 057/146] iio: humditiy: hdc3020: fix units for temperature and humidity measurement Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 059/146] iio: imu: st_lsm6dsx: fix array size for st_lsm6dsx_settings fields Greg Kroah-Hartman
` (101 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Lesiak, Javier Carrasco,
Dimitri Fedrau, Stable, Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dimitri Fedrau <dimitri.fedrau@liebherr.com>
commit cb372b4f46d4285e5d2c07ba734374151b8e34e7 upstream.
According to the ABI the units after application of scale and offset are
milli degree celsius for temperature thresholds and milli percent for
relative humidity thresholds. Currently the resulting units are degree
celsius for temperature thresholds and hysteresis and percent for relative
humidity thresholds and hysteresis. Change scale factor to fix this issue.
Fixes: 3ad0e7e5f0cb ("iio: humidity: hdc3020: add threshold events support")
Reported-by: Chris Lesiak <chris.lesiak@licorbio.com>
Reviewed-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Signed-off-by: Dimitri Fedrau <dimitri.fedrau@liebherr.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/humidity/hdc3020.c | 69 ++++++++++++++++++++++++-----------------
1 file changed, 41 insertions(+), 28 deletions(-)
--- a/drivers/iio/humidity/hdc3020.c
+++ b/drivers/iio/humidity/hdc3020.c
@@ -72,6 +72,9 @@
#define HDC3020_MAX_TEMP_HYST_MICRO 164748607
#define HDC3020_MAX_HUM_MICRO 99220264
+/* Divide 65535 from the datasheet by 5 to avoid overflows */
+#define HDC3020_THRESH_FRACTION (65535 / 5)
+
struct hdc3020_data {
struct i2c_client *client;
struct gpio_desc *reset_gpio;
@@ -376,15 +379,18 @@ static int hdc3020_thresh_get_temp(u16 t
int temp;
/*
- * Get the temperature threshold from 9 LSBs, shift them to get
- * the truncated temperature threshold representation and
- * calculate the threshold according to the formula in the
- * datasheet. Result is degree celsius scaled by 65535.
+ * Get the temperature threshold from 9 LSBs, shift them to get the
+ * truncated temperature threshold representation and calculate the
+ * threshold according to the explicit formula in the datasheet:
+ * T(C) = -45 + (175 * temp) / 65535.
+ * Additionally scale by HDC3020_THRESH_FRACTION to avoid precision loss
+ * when calculating threshold and hysteresis values. Result is degree
+ * celsius scaled by HDC3020_THRESH_FRACTION.
*/
temp = FIELD_GET(HDC3020_THRESH_TEMP_MASK, thresh) <<
HDC3020_THRESH_TEMP_TRUNC_SHIFT;
- return -2949075 + (175 * temp);
+ return -2949075 / 5 + (175 / 5 * temp);
}
static int hdc3020_thresh_get_hum(u16 thresh)
@@ -394,13 +400,16 @@ static int hdc3020_thresh_get_hum(u16 th
/*
* Get the humidity threshold from 7 MSBs, shift them to get the
* truncated humidity threshold representation and calculate the
- * threshold according to the formula in the datasheet. Result is
- * percent scaled by 65535.
+ * threshold according to the explicit formula in the datasheet:
+ * RH(%) = 100 * hum / 65535.
+ * Additionally scale by HDC3020_THRESH_FRACTION to avoid precision loss
+ * when calculating threshold and hysteresis values. Result is percent
+ * scaled by HDC3020_THRESH_FRACTION.
*/
hum = FIELD_GET(HDC3020_THRESH_HUM_MASK, thresh) <<
HDC3020_THRESH_HUM_TRUNC_SHIFT;
- return hum * 100;
+ return hum * 100 / 5;
}
static u16 hdc3020_thresh_set_temp(int s_temp, u16 curr_thresh)
@@ -455,8 +464,8 @@ int hdc3020_thresh_clr(s64 s_thresh, s64
else
s_clr = s_thresh + s_hyst;
- /* Divide by 65535 to get units of micro */
- return div_s64(s_clr, 65535);
+ /* Divide by HDC3020_THRESH_FRACTION to get units of micro */
+ return div_s64(s_clr, HDC3020_THRESH_FRACTION);
}
static int _hdc3020_write_thresh(struct hdc3020_data *data, u16 reg, u16 val)
@@ -507,7 +516,7 @@ static int hdc3020_write_thresh(struct i
clr = ret;
/* Scale value to include decimal part into calculations */
- s_val = (val < 0) ? (val * 1000000 - val2) : (val * 1000000 + val2);
+ s_val = (val < 0) ? (val * 1000 - val2) : (val * 1000 + val2);
switch (chan->type) {
case IIO_TEMP:
switch (info) {
@@ -523,7 +532,8 @@ static int hdc3020_write_thresh(struct i
/* Calculate old hysteresis */
s_thresh = (s64)hdc3020_thresh_get_temp(thresh) * 1000000;
s_clr = (s64)hdc3020_thresh_get_temp(clr) * 1000000;
- s_hyst = div_s64(abs(s_thresh - s_clr), 65535);
+ s_hyst = div_s64(abs(s_thresh - s_clr),
+ HDC3020_THRESH_FRACTION);
/* Set new threshold */
thresh = reg_val;
/* Set old hysteresis */
@@ -532,16 +542,17 @@ static int hdc3020_write_thresh(struct i
case IIO_EV_INFO_HYSTERESIS:
/*
* Function hdc3020_thresh_get_temp returns temperature
- * in degree celsius scaled by 65535. Scale by 1000000
- * to be able to subtract scaled hysteresis value.
+ * in degree celsius scaled by HDC3020_THRESH_FRACTION.
+ * Scale by 1000000 to be able to subtract scaled
+ * hysteresis value.
*/
s_thresh = (s64)hdc3020_thresh_get_temp(thresh) * 1000000;
/*
* Units of s_val are in micro degree celsius, scale by
- * 65535 to get same units as s_thresh.
+ * HDC3020_THRESH_FRACTION to get same units as s_thresh.
*/
s_val = min(abs(s_val), HDC3020_MAX_TEMP_HYST_MICRO);
- s_hyst = (s64)s_val * 65535;
+ s_hyst = (s64)s_val * HDC3020_THRESH_FRACTION;
s_clr = hdc3020_thresh_clr(s_thresh, s_hyst, dir);
s_clr = max(s_clr, HDC3020_MIN_TEMP_MICRO);
s_clr = min(s_clr, HDC3020_MAX_TEMP_MICRO);
@@ -565,7 +576,8 @@ static int hdc3020_write_thresh(struct i
/* Calculate old hysteresis */
s_thresh = (s64)hdc3020_thresh_get_hum(thresh) * 1000000;
s_clr = (s64)hdc3020_thresh_get_hum(clr) * 1000000;
- s_hyst = div_s64(abs(s_thresh - s_clr), 65535);
+ s_hyst = div_s64(abs(s_thresh - s_clr),
+ HDC3020_THRESH_FRACTION);
/* Set new threshold */
thresh = reg_val;
/* Try to set old hysteresis */
@@ -574,15 +586,16 @@ static int hdc3020_write_thresh(struct i
case IIO_EV_INFO_HYSTERESIS:
/*
* Function hdc3020_thresh_get_hum returns relative
- * humidity in percent scaled by 65535. Scale by 1000000
- * to be able to subtract scaled hysteresis value.
+ * humidity in percent scaled by HDC3020_THRESH_FRACTION.
+ * Scale by 1000000 to be able to subtract scaled
+ * hysteresis value.
*/
s_thresh = (s64)hdc3020_thresh_get_hum(thresh) * 1000000;
/*
- * Units of s_val are in micro percent, scale by 65535
- * to get same units as s_thresh.
+ * Units of s_val are in micro percent, scale by
+ * HDC3020_THRESH_FRACTION to get same units as s_thresh.
*/
- s_hyst = (s64)s_val * 65535;
+ s_hyst = (s64)s_val * HDC3020_THRESH_FRACTION;
s_clr = hdc3020_thresh_clr(s_thresh, s_hyst, dir);
s_clr = max(s_clr, 0);
s_clr = min(s_clr, HDC3020_MAX_HUM_MICRO);
@@ -630,7 +643,7 @@ static int hdc3020_read_thresh(struct ii
thresh = hdc3020_thresh_get_temp(ret);
switch (info) {
case IIO_EV_INFO_VALUE:
- *val = thresh;
+ *val = thresh * MILLI;
break;
case IIO_EV_INFO_HYSTERESIS:
ret = hdc3020_read_be16(data, reg_clr);
@@ -638,18 +651,18 @@ static int hdc3020_read_thresh(struct ii
return ret;
clr = hdc3020_thresh_get_temp(ret);
- *val = abs(thresh - clr);
+ *val = abs(thresh - clr) * MILLI;
break;
default:
return -EOPNOTSUPP;
}
- *val2 = 65535;
+ *val2 = HDC3020_THRESH_FRACTION;
return IIO_VAL_FRACTIONAL;
case IIO_HUMIDITYRELATIVE:
thresh = hdc3020_thresh_get_hum(ret);
switch (info) {
case IIO_EV_INFO_VALUE:
- *val = thresh;
+ *val = thresh * MILLI;
break;
case IIO_EV_INFO_HYSTERESIS:
ret = hdc3020_read_be16(data, reg_clr);
@@ -657,12 +670,12 @@ static int hdc3020_read_thresh(struct ii
return ret;
clr = hdc3020_thresh_get_hum(ret);
- *val = abs(thresh - clr);
+ *val = abs(thresh - clr) * MILLI;
break;
default:
return -EOPNOTSUPP;
}
- *val2 = 65535;
+ *val2 = HDC3020_THRESH_FRACTION;
return IIO_VAL_FRACTIONAL;
default:
return -EOPNOTSUPP;
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 059/146] iio: imu: st_lsm6dsx: fix array size for st_lsm6dsx_settings fields
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 058/146] iio: humditiy: hdc3020: fix units for thresholds and hysteresis Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 060/146] iio: pressure: bmp280: correct meas_time_us calculation Greg Kroah-Hartman
` (100 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Francesco Lavra, Lorenzo Bianconi,
Stable, Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Francesco Lavra <flavra@baylibre.com>
commit 3af0c1fb1cdc351b64ff1a4bc06d491490c1f10a upstream.
The `decimator` and `batch` fields of struct st_lsm6dsx_settings
are arrays indexed by sensor type, not by sensor hardware
identifier; moreover, the `batch` field is only used for the
accelerometer and gyroscope.
Change the array size for `decimator` from ST_LSM6DSX_MAX_ID to
ST_LSM6DSX_ID_MAX, and change the array size for `batch` from
ST_LSM6DSX_MAX_ID to 2; move the enum st_lsm6dsx_sensor_id
definition so that the ST_LSM6DSX_ID_MAX value is usable within
the struct st_lsm6dsx_settings definition.
Fixes: 801a6e0af0c6c ("iio: imu: st_lsm6dsx: add support to LSM6DSO")
Signed-off-by: Francesco Lavra <flavra@baylibre.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
@@ -270,6 +270,15 @@ struct st_lsm6dsx_event_settings {
u8 wakeup_src_x_mask;
};
+enum st_lsm6dsx_sensor_id {
+ ST_LSM6DSX_ID_GYRO,
+ ST_LSM6DSX_ID_ACC,
+ ST_LSM6DSX_ID_EXT0,
+ ST_LSM6DSX_ID_EXT1,
+ ST_LSM6DSX_ID_EXT2,
+ ST_LSM6DSX_ID_MAX
+};
+
enum st_lsm6dsx_ext_sensor_id {
ST_LSM6DSX_ID_MAGN,
};
@@ -355,23 +364,14 @@ struct st_lsm6dsx_settings {
struct st_lsm6dsx_odr_table_entry odr_table[2];
struct st_lsm6dsx_samples_to_discard samples_to_discard[2];
struct st_lsm6dsx_fs_table_entry fs_table[2];
- struct st_lsm6dsx_reg decimator[ST_LSM6DSX_MAX_ID];
- struct st_lsm6dsx_reg batch[ST_LSM6DSX_MAX_ID];
+ struct st_lsm6dsx_reg decimator[ST_LSM6DSX_ID_MAX];
+ struct st_lsm6dsx_reg batch[2];
struct st_lsm6dsx_fifo_ops fifo_ops;
struct st_lsm6dsx_hw_ts_settings ts_settings;
struct st_lsm6dsx_shub_settings shub_settings;
struct st_lsm6dsx_event_settings event_settings;
};
-enum st_lsm6dsx_sensor_id {
- ST_LSM6DSX_ID_GYRO,
- ST_LSM6DSX_ID_ACC,
- ST_LSM6DSX_ID_EXT0,
- ST_LSM6DSX_ID_EXT1,
- ST_LSM6DSX_ID_EXT2,
- ST_LSM6DSX_ID_MAX,
-};
-
enum st_lsm6dsx_fifo_mode {
ST_LSM6DSX_FIFO_BYPASS = 0x0,
ST_LSM6DSX_FIFO_CONT = 0x6,
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 060/146] iio: pressure: bmp280: correct meas_time_us calculation
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 059/146] iio: imu: st_lsm6dsx: fix array size for st_lsm6dsx_settings fields Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 061/146] iio:common:ssp_sensors: Fix an error handling path ssp_probe() Greg Kroah-Hartman
` (99 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Lechner, Achim Gratz, Stable,
Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Achim Gratz <Achim.Gratz@Stromeko.DE>
commit 0bf1bfde53b30da7fd7f4a6c3db5b8e77888958d upstream.
Correction of meas_time_us initialization based on an observation and
partial patch by David Lechner.
The constant part of the measurement time (as described in the
datasheet and implemented in the BM(P/E)2 Sensor API) was apparently
forgotten (it was already correctly applied for the BMP380) and is now
used.
There was also another thinko in bmp280_wait_conv:
data->oversampling_humid can actually have a value of 0 (for an
oversampling_ratio of 1), so it can not be used to detect the presence
of the humidity measurement capability. Use
data->chip_info->oversampling_humid_avail instead, which is NULL for
chips that cannot measure humidity and therefore must skip that part
of the calculation.
Closes: https://lore.kernel.org/linux-iio/875xgfg0wz.fsf@Gerda.invalid/
Fixes: 26ccfaa9ddaa ("iio: pressure: bmp280: Use sleep and forced mode for oneshot captures")
Suggested-by: David Lechner <dlechner@baylibre.com>
Tested-by: Achim Gratz <Achim.Gratz@Stromeko.DE>
Signed-off-by: Achim Gratz <Achim.Gratz@Stromeko.DE>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/pressure/bmp280-core.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
--- a/drivers/iio/pressure/bmp280-core.c
+++ b/drivers/iio/pressure/bmp280-core.c
@@ -1042,13 +1042,16 @@ static int bmp280_wait_conv(struct bmp28
unsigned int reg, meas_time_us;
int ret;
- /* Check if we are using a BME280 device */
- if (data->oversampling_humid)
- meas_time_us = BMP280_PRESS_HUMID_MEAS_OFFSET +
- BIT(data->oversampling_humid) * BMP280_MEAS_DUR;
+ /* Constant part of the measurement time */
+ meas_time_us = BMP280_MEAS_OFFSET;
- else
- meas_time_us = 0;
+ /*
+ * Check if we are using a BME280 device,
+ * Humidity measurement time
+ */
+ if (data->chip_info->oversampling_humid_avail)
+ meas_time_us += BMP280_PRESS_HUMID_MEAS_OFFSET +
+ BIT(data->oversampling_humid) * BMP280_MEAS_DUR;
/* Pressure measurement time */
meas_time_us += BMP280_PRESS_HUMID_MEAS_OFFSET +
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 061/146] iio:common:ssp_sensors: Fix an error handling path ssp_probe()
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 060/146] iio: pressure: bmp280: correct meas_time_us calculation Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 062/146] iio: adc: stm32-dfsdm: fix st,adc-alt-channel property handling Greg Kroah-Hartman
` (98 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Nuno Sá,
Stable, Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
commit 21553258b94861a73d7f2cf15469d69240e1170d upstream.
If an error occurs after a successful mfd_add_devices() call, it should be
undone by a corresponding mfd_remove_devices() call, as already done in the
remove function.
Fixes: 50dd64d57eee ("iio: common: ssp_sensors: Add sensorhub driver")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/common/ssp_sensors/ssp_dev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/iio/common/ssp_sensors/ssp_dev.c
+++ b/drivers/iio/common/ssp_sensors/ssp_dev.c
@@ -503,7 +503,7 @@ static int ssp_probe(struct spi_device *
ret = spi_setup(spi);
if (ret < 0) {
dev_err(&spi->dev, "Failed to setup spi\n");
- return ret;
+ goto err_setup_spi;
}
data->fw_dl_state = SSP_FW_DL_STATE_NONE;
@@ -568,6 +568,8 @@ err_read_reg:
err_setup_irq:
mutex_destroy(&data->pending_lock);
mutex_destroy(&data->comm_lock);
+err_setup_spi:
+ mfd_remove_devices(&spi->dev);
dev_err(&spi->dev, "Probe failed!\n");
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 062/146] iio: adc: stm32-dfsdm: fix st,adc-alt-channel property handling
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 061/146] iio:common:ssp_sensors: Fix an error handling path ssp_probe() Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 063/146] iio: accel: bmc150: Fix irq assumption regression Greg Kroah-Hartman
` (97 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Olivier Moysan, Nuno Sá, Stable,
Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Olivier Moysan <olivier.moysan@foss.st.com>
commit 8a6b7989ff0cd0a95c93be1927f2af7ad10f28de upstream.
Initially st,adc-alt-channel property was defined as an enum in the DFSDM
binding. The DFSDM binding has been changed to use the new IIO backend
framework, along with the adoption of IIO generic channels.
In this new binding st,adc-alt-channel is defined as a boolean property,
but it is still handled has an enum in DFSDM driver.
Fix st,adc-alt-channel property handling in DFSDM driver.
Fixes: 3208fa0cd919 ("iio: adc: stm32-dfsdm: adopt generic channels bindings")
Signed-off-by: Olivier Moysan <olivier.moysan@foss.st.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/stm32-dfsdm-adc.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/iio/adc/stm32-dfsdm-adc.c
+++ b/drivers/iio/adc/stm32-dfsdm-adc.c
@@ -725,9 +725,8 @@ static int stm32_dfsdm_generic_channel_p
}
df_ch->src = val;
- ret = fwnode_property_read_u32(node, "st,adc-alt-channel", &df_ch->alt_si);
- if (ret != -EINVAL)
- df_ch->alt_si = 0;
+ if (fwnode_property_present(node, "st,adc-alt-channel"))
+ df_ch->alt_si = 1;
if (adc->dev_data->type == DFSDM_IIO) {
backend = devm_iio_backend_fwnode_get(&indio_dev->dev, NULL, node);
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 063/146] iio: accel: bmc150: Fix irq assumption regression
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 062/146] iio: adc: stm32-dfsdm: fix st,adc-alt-channel property handling Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 064/146] iio: accel: fix ADXL355 startup race condition Greg Kroah-Hartman
` (96 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Walleij, Andy Shevchenko,
Nuno Sá, Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Linus Walleij <linus.walleij@linaro.org>
commit 3aa385a9c75c09b59dcab2ff76423439d23673ab upstream.
The code in bmc150-accel-core.c unconditionally calls
bmc150_accel_set_interrupt() in the iio_buffer_setup_ops,
such as on the runtime PM resume path giving a kernel
splat like this if the device has no interrupts:
Unable to handle kernel NULL pointer dereference at virtual
address 00000001 when read
PC is at bmc150_accel_set_interrupt+0x98/0x194
LR is at __pm_runtime_resume+0x5c/0x64
(...)
Call trace:
bmc150_accel_set_interrupt from bmc150_accel_buffer_postenable+0x40/0x108
bmc150_accel_buffer_postenable from __iio_update_buffers+0xbe0/0xcbc
__iio_update_buffers from enable_store+0x84/0xc8
enable_store from kernfs_fop_write_iter+0x154/0x1b4
This bug seems to have been in the driver since the beginning,
but it only manifests recently, I do not know why.
Store the IRQ number in the state struct, as this is a common
pattern in other drivers, then use this to determine if we have
IRQ support or not.
Cc: stable@vger.kernel.org
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/accel/bmc150-accel-core.c | 5 +++++
drivers/iio/accel/bmc150-accel.h | 1 +
2 files changed, 6 insertions(+)
--- a/drivers/iio/accel/bmc150-accel-core.c
+++ b/drivers/iio/accel/bmc150-accel-core.c
@@ -526,6 +526,10 @@ static int bmc150_accel_set_interrupt(st
const struct bmc150_accel_interrupt_info *info = intr->info;
int ret;
+ /* We do not always have an IRQ */
+ if (data->irq <= 0)
+ return 0;
+
if (state) {
if (atomic_inc_return(&intr->users) > 1)
return 0;
@@ -1699,6 +1703,7 @@ int bmc150_accel_core_probe(struct devic
}
if (irq > 0) {
+ data->irq = irq;
ret = devm_request_threaded_irq(dev, irq,
bmc150_accel_irq_handler,
bmc150_accel_irq_thread_handler,
--- a/drivers/iio/accel/bmc150-accel.h
+++ b/drivers/iio/accel/bmc150-accel.h
@@ -58,6 +58,7 @@ enum bmc150_accel_trigger_id {
struct bmc150_accel_data {
struct regmap *regmap;
+ int irq;
struct regulator_bulk_data regulators[2];
struct bmc150_accel_interrupt interrupts[BMC150_ACCEL_INTERRUPTS];
struct bmc150_accel_trigger triggers[BMC150_ACCEL_TRIGGERS];
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 064/146] iio: accel: fix ADXL355 startup race condition
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 063/146] iio: accel: bmc150: Fix irq assumption regression Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 065/146] iio: adc: ad4030: Fix _scale value for common-mode channels Greg Kroah-Hartman
` (95 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Valek Andrej, Kessler Markus, Stable,
Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Valek Andrej <andrej.v@skyrain.eu>
commit c92c1bc408e9e11ae3c7011b062fdd74c09283a3 upstream.
There is an race-condition where device is not full working after SW reset.
Therefore it's necessary to wait some time after reset and verify shadow
registers values by reading and comparing the values before/after reset.
This mechanism is described in datasheet at least from revision D.
Fixes: 12ed27863ea3 ("iio: accel: Add driver support for ADXL355")
Signed-off-by: Valek Andrej <andrej.v@skyrain.eu>
Signed-off-by: Kessler Markus <markus.kessler@hilti.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/accel/adxl355_core.c | 44 ++++++++++++++++++++++++++++++++++-----
1 file changed, 39 insertions(+), 5 deletions(-)
--- a/drivers/iio/accel/adxl355_core.c
+++ b/drivers/iio/accel/adxl355_core.c
@@ -56,6 +56,8 @@
#define ADXL355_POWER_CTL_DRDY_MSK BIT(2)
#define ADXL355_SELF_TEST_REG 0x2E
#define ADXL355_RESET_REG 0x2F
+#define ADXL355_BASE_ADDR_SHADOW_REG 0x50
+#define ADXL355_SHADOW_REG_COUNT 5
#define ADXL355_DEVID_AD_VAL 0xAD
#define ADXL355_DEVID_MST_VAL 0x1D
@@ -294,7 +296,12 @@ static void adxl355_fill_3db_frequency_t
static int adxl355_setup(struct adxl355_data *data)
{
unsigned int regval;
+ int retries = 5; /* the number is chosen based on empirical reasons */
int ret;
+ u8 *shadow_regs __free(kfree) = kzalloc(ADXL355_SHADOW_REG_COUNT, GFP_KERNEL);
+
+ if (!shadow_regs)
+ return -ENOMEM;
ret = regmap_read(data->regmap, ADXL355_DEVID_AD_REG, ®val);
if (ret)
@@ -321,14 +328,41 @@ static int adxl355_setup(struct adxl355_
if (regval != ADXL355_PARTID_VAL)
dev_warn(data->dev, "Invalid DEV ID 0x%02x\n", regval);
- /*
- * Perform a software reset to make sure the device is in a consistent
- * state after start-up.
- */
- ret = regmap_write(data->regmap, ADXL355_RESET_REG, ADXL355_RESET_CODE);
+ /* Read shadow registers to be compared after reset */
+ ret = regmap_bulk_read(data->regmap,
+ ADXL355_BASE_ADDR_SHADOW_REG,
+ shadow_regs, ADXL355_SHADOW_REG_COUNT);
if (ret)
return ret;
+ do {
+ if (--retries == 0) {
+ dev_err(data->dev, "Shadow registers mismatch\n");
+ return -EIO;
+ }
+
+ /*
+ * Perform a software reset to make sure the device is in a consistent
+ * state after start-up.
+ */
+ ret = regmap_write(data->regmap, ADXL355_RESET_REG,
+ ADXL355_RESET_CODE);
+ if (ret)
+ return ret;
+
+ /* Wait at least 5ms after software reset */
+ usleep_range(5000, 10000);
+
+ /* Read shadow registers for comparison */
+ ret = regmap_bulk_read(data->regmap,
+ ADXL355_BASE_ADDR_SHADOW_REG,
+ data->buffer.buf,
+ ADXL355_SHADOW_REG_COUNT);
+ if (ret)
+ return ret;
+ } while (memcmp(shadow_regs, data->buffer.buf,
+ ADXL355_SHADOW_REG_COUNT));
+
ret = regmap_update_bits(data->regmap, ADXL355_POWER_CTL_REG,
ADXL355_POWER_CTL_DRDY_MSK,
FIELD_PREP(ADXL355_POWER_CTL_DRDY_MSK, 1));
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 065/146] iio: adc: ad4030: Fix _scale value for common-mode channels
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 064/146] iio: accel: fix ADXL355 startup race condition Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 066/146] iio: adc: ad7124: fix temperature channel Greg Kroah-Hartman
` (94 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marcelo Schmitt, David Lechner,
Stable, Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marcelo Schmitt <marcelo.schmitt@analog.com>
commit ffc74ad539136ae9e16f7b5f2e4582e88018cd49 upstream.
Previously, the driver always used the amount of precision bits of
differential input channels to provide the scale to mV. Though,
differential and common-mode voltage channels have different amount of
precision bits and the correct number of precision bits must be considered
to get to a proper mV scale factor for each one. Use channel specific
number of precision bits to provide the correct scale value for each
channel.
Fixes: de67f28abe58 ("iio: adc: ad4030: check scan_type for error")
Fixes: 949abd1ca5a4 ("iio: adc: ad4030: add averaging support")
Signed-off-by: Marcelo Schmitt <marcelo.schmitt@analog.com>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ad4030.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/adc/ad4030.c
+++ b/drivers/iio/adc/ad4030.c
@@ -385,7 +385,7 @@ static int ad4030_get_chan_scale(struct
struct ad4030_state *st = iio_priv(indio_dev);
const struct iio_scan_type *scan_type;
- scan_type = iio_get_current_scan_type(indio_dev, st->chip->channels);
+ scan_type = iio_get_current_scan_type(indio_dev, chan);
if (IS_ERR(scan_type))
return PTR_ERR(scan_type);
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 066/146] iio: adc: ad7124: fix temperature channel
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 065/146] iio: adc: ad4030: Fix _scale value for common-mode channels Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 067/146] iio: adc: ad7280a: fix ad7280_store_balance_timer() Greg Kroah-Hartman
` (93 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marcelo Schmitt, David Lechner,
Uwe Kleine-König, Stable, Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Lechner <dlechner@baylibre.com>
commit e2cc390a6629c76924a2740c54b144b9b28fca59 upstream.
Fix temperature channel not working due to gain and offset not being
initialized. For channels other than the voltage ones calibration is
skipped (which is OK). However that results in the calibration register
values tracked in st->channels[i].cfg all being zero. These zeros are
later written to hardware before a measurement is made which caused the
raw temperature readings to be always 8388608 (0x800000).
To fix it, we just make sure the gain and offset values are set to the
default values and still return early without doing an internal
calibration.
While here, add a comment explaining why we don't bother calibrating
the temperature channel.
Fixes: 47036a03a303 ("iio: adc: ad7124: Implement internal calibration at probe time")
Reviewed-by: Marcelo Schmitt <marcelo.schmitt@analog.com>
Signed-off-by: David Lechner <dlechner@baylibre.com>
Reviewed-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ad7124.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
--- a/drivers/iio/adc/ad7124.c
+++ b/drivers/iio/adc/ad7124.c
@@ -1196,10 +1196,6 @@ static int __ad7124_calibrate_all(struct
int ret, i;
for (i = 0; i < st->num_channels; i++) {
-
- if (indio_dev->channels[i].type != IIO_VOLTAGE)
- continue;
-
/*
* For calibration the OFFSET register should hold its reset default
* value. For the GAIN register there is no such requirement but
@@ -1210,6 +1206,14 @@ static int __ad7124_calibrate_all(struct
st->channels[i].cfg.calibration_gain = st->gain_default;
/*
+ * Only the main voltage input channels are important enough
+ * to be automatically calibrated here. For everything else,
+ * just use the default values set above.
+ */
+ if (indio_dev->channels[i].type != IIO_VOLTAGE)
+ continue;
+
+ /*
* Full-scale calibration isn't supported at gain 1, so skip in
* that case. Note that untypically full-scale calibration has
* to happen before zero-scale calibration. This only applies to
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 067/146] iio: adc: ad7280a: fix ad7280_store_balance_timer()
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 066/146] iio: adc: ad7124: fix temperature channel Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 068/146] iio: adc: ad7380: fix SPI offload trigger rate Greg Kroah-Hartman
` (92 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Lechner, Nuno Sá, Stable,
Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Lechner <dlechner@baylibre.com>
commit bd886cdcbf9e746f61c74035a3acd42e9108e115 upstream.
Use correct argument to iio_str_to_fixpoint() to parse 3 decimal places.
iio_str_to_fixpoint() has a bit of an unintuitive API where the
fract_mult parameter is the multiplier of the first decimal place as if
it was already an integer. So to get 3 decimal places, fract_mult must
be 100 rather than 1000.
Fixes: 96ccdbc07a74 ("staging:iio:adc:ad7280a: Standardize extended ABI naming")
Signed-off-by: David Lechner <dlechner@baylibre.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ad7280a.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/adc/ad7280a.c
+++ b/drivers/iio/adc/ad7280a.c
@@ -541,7 +541,7 @@ static ssize_t ad7280_store_balance_time
int val, val2;
int ret;
- ret = iio_str_to_fixpoint(buf, 1000, &val, &val2);
+ ret = iio_str_to_fixpoint(buf, 100, &val, &val2);
if (ret)
return ret;
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 068/146] iio: adc: ad7380: fix SPI offload trigger rate
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 067/146] iio: adc: ad7280a: fix ad7280_store_balance_timer() Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 069/146] iio: adc: rtq6056: Correct the sign bit index Greg Kroah-Hartman
` (91 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Lechner, Stable,
Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Lechner <dlechner@baylibre.com>
commit 632757312d7eb320b66ca60e0cfe098ec53cee08 upstream.
Add a special case to double the SPI offload trigger rate when all
channels of a single-ended chip are enabled in a buffered read.
The single-ended chips in the AD738x family can only do simultaneous
sampling of half their channels and have a multiplexer to allow reading
the other half. To comply with the IIO definition of sampling_frequency,
we need to trigger twice as often when the sequencer is enabled to so
that both banks can be read in a single sample period.
Fixes: bbeaec81a03e ("iio: ad7380: add support for SPI offload")
Signed-off-by: David Lechner <dlechner@baylibre.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ad7380.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/iio/adc/ad7380.c
+++ b/drivers/iio/adc/ad7380.c
@@ -1227,6 +1227,14 @@ static int ad7380_offload_buffer_postena
if (ret)
return ret;
+ /*
+ * When the sequencer is required to read all channels, we need to
+ * trigger twice per sample period in order to read one complete set
+ * of samples.
+ */
+ if (st->seq)
+ config.periodic.frequency_hz *= 2;
+
ret = spi_offload_trigger_enable(st->offload, st->offload_trigger, &config);
if (ret)
spi_unoptimize_message(&st->offload_msg);
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 069/146] iio: adc: rtq6056: Correct the sign bit index
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 068/146] iio: adc: ad7380: fix SPI offload trigger rate Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 070/146] MIPS: mm: Prevent a TLB shutdown on initial uniquification Greg Kroah-Hartman
` (90 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Hsu, ChiYuan Huang,
David Lechner, Stable, Jonathan Cameron
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: ChiYuan Huang <cy_huang@richtek.com>
commit 9b45744bf09fc2a3287e05287141d6e123c125a7 upstream.
The vshunt/current reported register is a signed 16bit integer. The
sign bit index should be '15', not '16'.
Fixes: 4396f45d211b ("iio: adc: Add rtq6056 support")
Reported-by: Andy Hsu <andy_ya_hsu@wiwynn.com>
Signed-off-by: ChiYuan Huang <cy_huang@richtek.com>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/rtq6056.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/adc/rtq6056.c
+++ b/drivers/iio/adc/rtq6056.c
@@ -300,7 +300,7 @@ static int rtq6056_adc_read_channel(stru
return IIO_VAL_INT;
case RTQ6056_REG_SHUNTVOLT:
case RTQ6056_REG_CURRENT:
- *val = sign_extend32(regval, 16);
+ *val = sign_extend32(regval, 15);
return IIO_VAL_INT;
default:
return -EINVAL;
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 070/146] MIPS: mm: Prevent a TLB shutdown on initial uniquification
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 069/146] iio: adc: rtq6056: Correct the sign bit index Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 071/146] MIPS: mm: kmalloc tlb_vpn array to avoid stack overflow Greg Kroah-Hartman
` (89 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki, Jiaxun Yang,
Thomas Bogendoerfer
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maciej W. Rozycki <macro@orcam.me.uk>
commit 9f048fa487409e364cf866c957cf0b0d782ca5a3 upstream.
Depending on the particular CPU implementation a TLB shutdown may occur
if multiple matching entries are detected upon the execution of a TLBP
or the TLBWI/TLBWR instructions. Given that we don't know what entries
we have been handed we need to be very careful with the initial TLB
setup and avoid all these instructions.
Therefore read all the TLB entries one by one with the TLBR instruction,
bypassing the content addressing logic, and truncate any large pages in
place so as to avoid a case in the second step where an incoming entry
for a large page at a lower address overlaps with a replacement entry
chosen at another index. Then preinitialize the TLB using addresses
outside our usual unique range and avoiding clashes with any entries
received, before making the usual call to local_flush_tlb_all().
This fixes (at least) R4x00 cores if TLBP hits multiple matching TLB
entries (SGI IP22 PROM for examples sets up all TLBs to the same virtual
address).
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Fixes: 35ad7e181541 ("MIPS: mm: tlb-r4k: Uniquify TLB entries on init")
Cc: stable@vger.kernel.org
Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Tested-by: Jiaxun Yang <jiaxun.yang@flygoat.com> # Boston I6400, M5150 sim
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/mm/tlb-r4k.c | 102 ++++++++++++++++++++++++++++++-------------------
1 file changed, 64 insertions(+), 38 deletions(-)
--- a/arch/mips/mm/tlb-r4k.c
+++ b/arch/mips/mm/tlb-r4k.c
@@ -15,6 +15,7 @@
#include <linux/mm.h>
#include <linux/hugetlb.h>
#include <linux/export.h>
+#include <linux/sort.h>
#include <asm/cpu.h>
#include <asm/cpu-type.h>
@@ -508,55 +509,79 @@ static int __init set_ntlb(char *str)
__setup("ntlb=", set_ntlb);
-/* Initialise all TLB entries with unique values */
+
+/* Comparison function for EntryHi VPN fields. */
+static int r4k_vpn_cmp(const void *a, const void *b)
+{
+ long v = *(unsigned long *)a - *(unsigned long *)b;
+ int s = sizeof(long) > sizeof(int) ? sizeof(long) * 8 - 1: 0;
+ return s ? (v != 0) | v >> s : v;
+}
+
+/*
+ * Initialise all TLB entries with unique values that do not clash with
+ * what we have been handed over and what we'll be using ourselves.
+ */
static void r4k_tlb_uniquify(void)
{
- int entry = num_wired_entries();
+ unsigned long tlb_vpns[1 << MIPS_CONF1_TLBS_SIZE];
+ int tlbsize = current_cpu_data.tlbsize;
+ int start = num_wired_entries();
+ unsigned long vpn_mask;
+ int cnt, ent, idx, i;
+
+ vpn_mask = GENMASK(cpu_vmbits - 1, 13);
+ vpn_mask |= IS_ENABLED(CONFIG_64BIT) ? 3ULL << 62 : 1 << 31;
htw_stop();
- write_c0_entrylo0(0);
- write_c0_entrylo1(0);
- while (entry < current_cpu_data.tlbsize) {
- unsigned long asid_mask = cpu_asid_mask(¤t_cpu_data);
- unsigned long asid = 0;
- int idx;
+ for (i = start, cnt = 0; i < tlbsize; i++, cnt++) {
+ unsigned long vpn;
- /* Skip wired MMID to make ginvt_mmid work */
- if (cpu_has_mmid)
- asid = MMID_KERNEL_WIRED + 1;
+ write_c0_index(i);
+ mtc0_tlbr_hazard();
+ tlb_read();
+ tlb_read_hazard();
+ vpn = read_c0_entryhi();
+ vpn &= vpn_mask & PAGE_MASK;
+ tlb_vpns[cnt] = vpn;
- /* Check for match before using UNIQUE_ENTRYHI */
- do {
- if (cpu_has_mmid) {
- write_c0_memorymapid(asid);
- write_c0_entryhi(UNIQUE_ENTRYHI(entry));
- } else {
- write_c0_entryhi(UNIQUE_ENTRYHI(entry) | asid);
- }
- mtc0_tlbw_hazard();
- tlb_probe();
- tlb_probe_hazard();
- idx = read_c0_index();
- /* No match or match is on current entry */
- if (idx < 0 || idx == entry)
- break;
- /*
- * If we hit a match, we need to try again with
- * a different ASID.
- */
- asid++;
- } while (asid < asid_mask);
-
- if (idx >= 0 && idx != entry)
- panic("Unable to uniquify TLB entry %d", idx);
-
- write_c0_index(entry);
+ /* Prevent any large pages from overlapping regular ones. */
+ write_c0_pagemask(read_c0_pagemask() & PM_DEFAULT_MASK);
mtc0_tlbw_hazard();
tlb_write_indexed();
- entry++;
+ tlbw_use_hazard();
}
+ sort(tlb_vpns, cnt, sizeof(tlb_vpns[0]), r4k_vpn_cmp, NULL);
+
+ write_c0_pagemask(PM_DEFAULT_MASK);
+ write_c0_entrylo0(0);
+ write_c0_entrylo1(0);
+
+ idx = 0;
+ ent = tlbsize;
+ for (i = start; i < tlbsize; i++)
+ while (1) {
+ unsigned long entryhi, vpn;
+
+ entryhi = UNIQUE_ENTRYHI(ent);
+ vpn = entryhi & vpn_mask & PAGE_MASK;
+
+ if (idx >= cnt || vpn < tlb_vpns[idx]) {
+ write_c0_entryhi(entryhi);
+ write_c0_index(i);
+ mtc0_tlbw_hazard();
+ tlb_write_indexed();
+ ent++;
+ break;
+ } else if (vpn == tlb_vpns[idx]) {
+ ent++;
+ } else {
+ idx++;
+ }
+ }
+
tlbw_use_hazard();
htw_start();
flush_micro_tlb();
@@ -602,6 +627,7 @@ static void r4k_tlb_configure(void)
/* From this point on the ARC firmware is dead. */
r4k_tlb_uniquify();
+ local_flush_tlb_all();
/* Did I tell you that ARC SUCKS? */
}
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 071/146] MIPS: mm: kmalloc tlb_vpn array to avoid stack overflow
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 070/146] MIPS: mm: Prevent a TLB shutdown on initial uniquification Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 072/146] virtio-net: avoid unnecessary checksum calculation on guest RX Greg Kroah-Hartman
` (88 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki, Gregory CLEMENT,
Klara Modin, Thomas Bogendoerfer
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
commit 841ecc979b18d3227fad5e2d6a1e6f92688776b5 upstream.
Owing to Config4.MMUSizeExt and VTLB/FTLB MMU features later MIPSr2+
cores can have more than 64 TLB entries. Therefore allocate an array
for uniquification instead of placing too an small array on the stack.
Fixes: 35ad7e181541 ("MIPS: mm: tlb-r4k: Uniquify TLB entries on init")
Co-developed-by: Maciej W. Rozycki <macro@orcam.me.uk>
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # v6.17+: 9f048fa48740: MIPS: mm: Prevent a TLB shutdown on initial uniquification
Cc: stable@vger.kernel.org # v6.17+
Tested-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Tested-by: Klara Modin <klarasmodin@gmail.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/mm/tlb-r4k.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
--- a/arch/mips/mm/tlb-r4k.c
+++ b/arch/mips/mm/tlb-r4k.c
@@ -12,6 +12,7 @@
#include <linux/init.h>
#include <linux/sched.h>
#include <linux/smp.h>
+#include <linux/memblock.h>
#include <linux/mm.h>
#include <linux/hugetlb.h>
#include <linux/export.h>
@@ -522,17 +523,26 @@ static int r4k_vpn_cmp(const void *a, co
* Initialise all TLB entries with unique values that do not clash with
* what we have been handed over and what we'll be using ourselves.
*/
-static void r4k_tlb_uniquify(void)
+static void __ref r4k_tlb_uniquify(void)
{
- unsigned long tlb_vpns[1 << MIPS_CONF1_TLBS_SIZE];
int tlbsize = current_cpu_data.tlbsize;
+ bool use_slab = slab_is_available();
int start = num_wired_entries();
+ phys_addr_t tlb_vpn_size;
+ unsigned long *tlb_vpns;
unsigned long vpn_mask;
int cnt, ent, idx, i;
vpn_mask = GENMASK(cpu_vmbits - 1, 13);
vpn_mask |= IS_ENABLED(CONFIG_64BIT) ? 3ULL << 62 : 1 << 31;
+ tlb_vpn_size = tlbsize * sizeof(*tlb_vpns);
+ tlb_vpns = (use_slab ?
+ kmalloc(tlb_vpn_size, GFP_KERNEL) :
+ memblock_alloc_raw(tlb_vpn_size, sizeof(*tlb_vpns)));
+ if (WARN_ON(!tlb_vpns))
+ return; /* Pray local_flush_tlb_all() is good enough. */
+
htw_stop();
for (i = start, cnt = 0; i < tlbsize; i++, cnt++) {
@@ -585,6 +595,10 @@ static void r4k_tlb_uniquify(void)
tlbw_use_hazard();
htw_start();
flush_micro_tlb();
+ if (use_slab)
+ kfree(tlb_vpns);
+ else
+ memblock_free(tlb_vpns, tlb_vpn_size);
}
/*
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 072/146] virtio-net: avoid unnecessary checksum calculation on guest RX
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 071/146] MIPS: mm: kmalloc tlb_vpn array to avoid stack overflow Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 073/146] vhost: rewind next_avail_head while discarding descriptors Greg Kroah-Hartman
` (87 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jon Kohler, Michael S. Tsirkin,
Jason Wang, Jakub Kicinski
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jon Kohler <jon@nutanix.com>
commit 1cd1c472343b06d6d32038636ce51bfa2251e3cf upstream.
Commit a2fb4bc4e2a6 ("net: implement virtio helpers to handle UDP
GSO tunneling.") inadvertently altered checksum offload behavior
for guests not using UDP GSO tunneling.
Before, tun_put_user called tun_vnet_hdr_from_skb, which passed
has_data_valid = true to virtio_net_hdr_from_skb.
After, tun_put_user began calling tun_vnet_hdr_tnl_from_skb instead,
which passes has_data_valid = false into both call sites.
This caused virtio hdr flags to not include VIRTIO_NET_HDR_F_DATA_VALID
for SKBs where skb->ip_summed == CHECKSUM_UNNECESSARY. As a result,
guests are forced to recalculate checksums unnecessarily.
Restore the previous behavior by ensuring has_data_valid = true is
passed in the !tnl_gso_type case, but only from tun side, as
virtio_net_hdr_tnl_from_skb() is used also by the virtio_net driver,
which in turn must not use VIRTIO_NET_HDR_F_DATA_VALID on tx.
cc: stable@vger.kernel.org
Fixes: a2fb4bc4e2a6 ("net: implement virtio helpers to handle UDP GSO tunneling.")
Signed-off-by: Jon Kohler <jon@nutanix.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Link: https://patch.msgid.link/20251125222754.1737443-1-jon@nutanix.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/tun_vnet.h | 2 +-
drivers/net/virtio_net.c | 3 ++-
include/linux/virtio_net.h | 7 ++++---
3 files changed, 7 insertions(+), 5 deletions(-)
--- a/drivers/net/tun_vnet.h
+++ b/drivers/net/tun_vnet.h
@@ -244,7 +244,7 @@ tun_vnet_hdr_tnl_from_skb(unsigned int f
if (virtio_net_hdr_tnl_from_skb(skb, tnl_hdr, has_tnl_offload,
tun_vnet_is_little_endian(flags),
- vlan_hlen)) {
+ vlan_hlen, true)) {
struct virtio_net_hdr_v1 *hdr = &tnl_hdr->hash_hdr.hdr;
struct skb_shared_info *sinfo = skb_shinfo(skb);
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -3340,7 +3340,8 @@ static int xmit_skb(struct send_queue *s
hdr = &skb_vnet_common_hdr(skb)->tnl_hdr;
if (virtio_net_hdr_tnl_from_skb(skb, hdr, vi->tx_tnl,
- virtio_is_little_endian(vi->vdev), 0))
+ virtio_is_little_endian(vi->vdev), 0,
+ false))
return -EPROTO;
if (vi->mergeable_rx_bufs)
--- a/include/linux/virtio_net.h
+++ b/include/linux/virtio_net.h
@@ -384,7 +384,8 @@ virtio_net_hdr_tnl_from_skb(const struct
struct virtio_net_hdr_v1_hash_tunnel *vhdr,
bool tnl_hdr_negotiated,
bool little_endian,
- int vlan_hlen)
+ int vlan_hlen,
+ bool has_data_valid)
{
struct virtio_net_hdr *hdr = (struct virtio_net_hdr *)vhdr;
unsigned int inner_nh, outer_th;
@@ -394,8 +395,8 @@ virtio_net_hdr_tnl_from_skb(const struct
tnl_gso_type = skb_shinfo(skb)->gso_type & (SKB_GSO_UDP_TUNNEL |
SKB_GSO_UDP_TUNNEL_CSUM);
if (!tnl_gso_type)
- return virtio_net_hdr_from_skb(skb, hdr, little_endian, false,
- vlan_hlen);
+ return virtio_net_hdr_from_skb(skb, hdr, little_endian,
+ has_data_valid, vlan_hlen);
/* Tunnel support not negotiated but skb ask for it. */
if (!tnl_hdr_negotiated)
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 073/146] vhost: rewind next_avail_head while discarding descriptors
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 072/146] virtio-net: avoid unnecessary checksum calculation on guest RX Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 074/146] tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs Greg Kroah-Hartman
` (86 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Wang, Michael S. Tsirkin,
Jakub Kicinski
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Wang <jasowang@redhat.com>
commit 779bcdd4b9ae6566f309043c53c946e8ac0015fd upstream.
When discarding descriptors with IN_ORDER, we should rewind
next_avail_head otherwise it would run out of sync with
last_avail_idx. This would cause driver to report
"id X is not a head".
Fixing this by returning the number of descriptors that is used for
each buffer via vhost_get_vq_desc_n() so caller can use the value
while discarding descriptors.
Fixes: 67a873df0c41 ("vhost: basic in order support")
Cc: stable@vger.kernel.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Link: https://patch.msgid.link/20251120022950.10117-1-jasowang@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vhost/net.c | 53 ++++++++++++++++++------------
drivers/vhost/vhost.c | 76 +++++++++++++++++++++++++++++++++++--------
drivers/vhost/vhost.h | 10 +++++-
3 files changed, 103 insertions(+), 36 deletions(-)
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 35ded4330431..8f7f50acb6d6 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -592,14 +592,15 @@ static void vhost_net_busy_poll(struct vhost_net *net,
static int vhost_net_tx_get_vq_desc(struct vhost_net *net,
struct vhost_net_virtqueue *tnvq,
unsigned int *out_num, unsigned int *in_num,
- struct msghdr *msghdr, bool *busyloop_intr)
+ struct msghdr *msghdr, bool *busyloop_intr,
+ unsigned int *ndesc)
{
struct vhost_net_virtqueue *rnvq = &net->vqs[VHOST_NET_VQ_RX];
struct vhost_virtqueue *rvq = &rnvq->vq;
struct vhost_virtqueue *tvq = &tnvq->vq;
- int r = vhost_get_vq_desc(tvq, tvq->iov, ARRAY_SIZE(tvq->iov),
- out_num, in_num, NULL, NULL);
+ int r = vhost_get_vq_desc_n(tvq, tvq->iov, ARRAY_SIZE(tvq->iov),
+ out_num, in_num, NULL, NULL, ndesc);
if (r == tvq->num && tvq->busyloop_timeout) {
/* Flush batched packets first */
@@ -610,8 +611,8 @@ static int vhost_net_tx_get_vq_desc(struct vhost_net *net,
vhost_net_busy_poll(net, rvq, tvq, busyloop_intr, false);
- r = vhost_get_vq_desc(tvq, tvq->iov, ARRAY_SIZE(tvq->iov),
- out_num, in_num, NULL, NULL);
+ r = vhost_get_vq_desc_n(tvq, tvq->iov, ARRAY_SIZE(tvq->iov),
+ out_num, in_num, NULL, NULL, ndesc);
}
return r;
@@ -642,12 +643,14 @@ static int get_tx_bufs(struct vhost_net *net,
struct vhost_net_virtqueue *nvq,
struct msghdr *msg,
unsigned int *out, unsigned int *in,
- size_t *len, bool *busyloop_intr)
+ size_t *len, bool *busyloop_intr,
+ unsigned int *ndesc)
{
struct vhost_virtqueue *vq = &nvq->vq;
int ret;
- ret = vhost_net_tx_get_vq_desc(net, nvq, out, in, msg, busyloop_intr);
+ ret = vhost_net_tx_get_vq_desc(net, nvq, out, in, msg,
+ busyloop_intr, ndesc);
if (ret < 0 || ret == vq->num)
return ret;
@@ -766,6 +769,7 @@ static void handle_tx_copy(struct vhost_net *net, struct socket *sock)
int sent_pkts = 0;
bool sock_can_batch = (sock->sk->sk_sndbuf == INT_MAX);
bool in_order = vhost_has_feature(vq, VIRTIO_F_IN_ORDER);
+ unsigned int ndesc = 0;
do {
bool busyloop_intr = false;
@@ -774,7 +778,7 @@ static void handle_tx_copy(struct vhost_net *net, struct socket *sock)
vhost_tx_batch(net, nvq, sock, &msg);
head = get_tx_bufs(net, nvq, &msg, &out, &in, &len,
- &busyloop_intr);
+ &busyloop_intr, &ndesc);
/* On error, stop handling until the next kick. */
if (unlikely(head < 0))
break;
@@ -806,7 +810,7 @@ static void handle_tx_copy(struct vhost_net *net, struct socket *sock)
goto done;
} else if (unlikely(err != -ENOSPC)) {
vhost_tx_batch(net, nvq, sock, &msg);
- vhost_discard_vq_desc(vq, 1);
+ vhost_discard_vq_desc(vq, 1, ndesc);
vhost_net_enable_vq(net, vq);
break;
}
@@ -829,7 +833,7 @@ static void handle_tx_copy(struct vhost_net *net, struct socket *sock)
err = sock->ops->sendmsg(sock, &msg, len);
if (unlikely(err < 0)) {
if (err == -EAGAIN || err == -ENOMEM || err == -ENOBUFS) {
- vhost_discard_vq_desc(vq, 1);
+ vhost_discard_vq_desc(vq, 1, ndesc);
vhost_net_enable_vq(net, vq);
break;
}
@@ -868,6 +872,7 @@ static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock)
int err;
struct vhost_net_ubuf_ref *ubufs;
struct ubuf_info_msgzc *ubuf;
+ unsigned int ndesc = 0;
bool zcopy_used;
int sent_pkts = 0;
@@ -879,7 +884,7 @@ static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock)
busyloop_intr = false;
head = get_tx_bufs(net, nvq, &msg, &out, &in, &len,
- &busyloop_intr);
+ &busyloop_intr, &ndesc);
/* On error, stop handling until the next kick. */
if (unlikely(head < 0))
break;
@@ -941,7 +946,7 @@ static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock)
vq->heads[ubuf->desc].len = VHOST_DMA_DONE_LEN;
}
if (retry) {
- vhost_discard_vq_desc(vq, 1);
+ vhost_discard_vq_desc(vq, 1, ndesc);
vhost_net_enable_vq(net, vq);
break;
}
@@ -1045,11 +1050,12 @@ static int get_rx_bufs(struct vhost_net_virtqueue *nvq,
unsigned *iovcount,
struct vhost_log *log,
unsigned *log_num,
- unsigned int quota)
+ unsigned int quota,
+ unsigned int *ndesc)
{
struct vhost_virtqueue *vq = &nvq->vq;
bool in_order = vhost_has_feature(vq, VIRTIO_F_IN_ORDER);
- unsigned int out, in;
+ unsigned int out, in, desc_num, n = 0;
int seg = 0;
int headcount = 0;
unsigned d;
@@ -1064,9 +1070,9 @@ static int get_rx_bufs(struct vhost_net_virtqueue *nvq,
r = -ENOBUFS;
goto err;
}
- r = vhost_get_vq_desc(vq, vq->iov + seg,
- ARRAY_SIZE(vq->iov) - seg, &out,
- &in, log, log_num);
+ r = vhost_get_vq_desc_n(vq, vq->iov + seg,
+ ARRAY_SIZE(vq->iov) - seg, &out,
+ &in, log, log_num, &desc_num);
if (unlikely(r < 0))
goto err;
@@ -1093,6 +1099,7 @@ static int get_rx_bufs(struct vhost_net_virtqueue *nvq,
++headcount;
datalen -= len;
seg += in;
+ n += desc_num;
}
*iovcount = seg;
@@ -1113,9 +1120,11 @@ static int get_rx_bufs(struct vhost_net_virtqueue *nvq,
nheads[0] = headcount;
}
+ *ndesc = n;
+
return headcount;
err:
- vhost_discard_vq_desc(vq, headcount);
+ vhost_discard_vq_desc(vq, headcount, n);
return r;
}
@@ -1151,6 +1160,7 @@ static void handle_rx(struct vhost_net *net)
struct iov_iter fixup;
__virtio16 num_buffers;
int recv_pkts = 0;
+ unsigned int ndesc;
mutex_lock_nested(&vq->mutex, VHOST_NET_VQ_RX);
sock = vhost_vq_get_backend(vq);
@@ -1182,7 +1192,8 @@ static void handle_rx(struct vhost_net *net)
headcount = get_rx_bufs(nvq, vq->heads + count,
vq->nheads + count,
vhost_len, &in, vq_log, &log,
- likely(mergeable) ? UIO_MAXIOV : 1);
+ likely(mergeable) ? UIO_MAXIOV : 1,
+ &ndesc);
/* On error, stop handling until the next kick. */
if (unlikely(headcount < 0))
goto out;
@@ -1228,7 +1239,7 @@ static void handle_rx(struct vhost_net *net)
if (unlikely(err != sock_len)) {
pr_debug("Discarded rx packet: "
" len %d, expected %zd\n", err, sock_len);
- vhost_discard_vq_desc(vq, headcount);
+ vhost_discard_vq_desc(vq, headcount, ndesc);
continue;
}
/* Supply virtio_net_hdr if VHOST_NET_F_VIRTIO_NET_HDR */
@@ -1252,7 +1263,7 @@ static void handle_rx(struct vhost_net *net)
copy_to_iter(&num_buffers, sizeof num_buffers,
&fixup) != sizeof num_buffers) {
vq_err(vq, "Failed num_buffers write");
- vhost_discard_vq_desc(vq, headcount);
+ vhost_discard_vq_desc(vq, headcount, ndesc);
goto out;
}
nvq->done_idx += headcount;
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index 8570fdf2e14a..a78226b37739 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -2792,18 +2792,34 @@ static int get_indirect(struct vhost_virtqueue *vq,
return 0;
}
-/* This looks in the virtqueue and for the first available buffer, and converts
- * it to an iovec for convenient access. Since descriptors consist of some
- * number of output then some number of input descriptors, it's actually two
- * iovecs, but we pack them into one and note how many of each there were.
+/**
+ * vhost_get_vq_desc_n - Fetch the next available descriptor chain and build iovecs
+ * @vq: target virtqueue
+ * @iov: array that receives the scatter/gather segments
+ * @iov_size: capacity of @iov in elements
+ * @out_num: the number of output segments
+ * @in_num: the number of input segments
+ * @log: optional array to record addr/len for each writable segment; NULL if unused
+ * @log_num: optional output; number of entries written to @log when provided
+ * @ndesc: optional output; number of descriptors consumed from the available ring
+ * (useful for rollback via vhost_discard_vq_desc)
*
- * This function returns the descriptor number found, or vq->num (which is
- * never a valid descriptor number) if none was found. A negative code is
- * returned on error. */
-int vhost_get_vq_desc(struct vhost_virtqueue *vq,
- struct iovec iov[], unsigned int iov_size,
- unsigned int *out_num, unsigned int *in_num,
- struct vhost_log *log, unsigned int *log_num)
+ * Extracts one available descriptor chain from @vq and translates guest addresses
+ * into host iovecs.
+ *
+ * On success, advances @vq->last_avail_idx by 1 and @vq->next_avail_head by the
+ * number of descriptors consumed (also stored via @ndesc when non-NULL).
+ *
+ * Return:
+ * - head index in [0, @vq->num) on success;
+ * - @vq->num if no descriptor is currently available;
+ * - negative errno on failure
+ */
+int vhost_get_vq_desc_n(struct vhost_virtqueue *vq,
+ struct iovec iov[], unsigned int iov_size,
+ unsigned int *out_num, unsigned int *in_num,
+ struct vhost_log *log, unsigned int *log_num,
+ unsigned int *ndesc)
{
bool in_order = vhost_has_feature(vq, VIRTIO_F_IN_ORDER);
struct vring_desc desc;
@@ -2921,17 +2937,49 @@ int vhost_get_vq_desc(struct vhost_virtqueue *vq,
vq->last_avail_idx++;
vq->next_avail_head += c;
+ if (ndesc)
+ *ndesc = c;
+
/* Assume notifications from guest are disabled at this point,
* if they aren't we would need to update avail_event index. */
BUG_ON(!(vq->used_flags & VRING_USED_F_NO_NOTIFY));
return head;
}
+EXPORT_SYMBOL_GPL(vhost_get_vq_desc_n);
+
+/* This looks in the virtqueue and for the first available buffer, and converts
+ * it to an iovec for convenient access. Since descriptors consist of some
+ * number of output then some number of input descriptors, it's actually two
+ * iovecs, but we pack them into one and note how many of each there were.
+ *
+ * This function returns the descriptor number found, or vq->num (which is
+ * never a valid descriptor number) if none was found. A negative code is
+ * returned on error.
+ */
+int vhost_get_vq_desc(struct vhost_virtqueue *vq,
+ struct iovec iov[], unsigned int iov_size,
+ unsigned int *out_num, unsigned int *in_num,
+ struct vhost_log *log, unsigned int *log_num)
+{
+ return vhost_get_vq_desc_n(vq, iov, iov_size, out_num, in_num,
+ log, log_num, NULL);
+}
EXPORT_SYMBOL_GPL(vhost_get_vq_desc);
-/* Reverse the effect of vhost_get_vq_desc. Useful for error handling. */
-void vhost_discard_vq_desc(struct vhost_virtqueue *vq, int n)
+/**
+ * vhost_discard_vq_desc - Reverse the effect of vhost_get_vq_desc_n()
+ * @vq: target virtqueue
+ * @nbufs: number of buffers to roll back
+ * @ndesc: number of descriptors to roll back
+ *
+ * Rewinds the internal consumer cursors after a failed attempt to use buffers
+ * returned by vhost_get_vq_desc_n().
+ */
+void vhost_discard_vq_desc(struct vhost_virtqueue *vq, int nbufs,
+ unsigned int ndesc)
{
- vq->last_avail_idx -= n;
+ vq->next_avail_head -= ndesc;
+ vq->last_avail_idx -= nbufs;
}
EXPORT_SYMBOL_GPL(vhost_discard_vq_desc);
diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h
index 621a6d9a8791..b49f08e4a1b4 100644
--- a/drivers/vhost/vhost.h
+++ b/drivers/vhost/vhost.h
@@ -230,7 +230,15 @@ int vhost_get_vq_desc(struct vhost_virtqueue *,
struct iovec iov[], unsigned int iov_size,
unsigned int *out_num, unsigned int *in_num,
struct vhost_log *log, unsigned int *log_num);
-void vhost_discard_vq_desc(struct vhost_virtqueue *, int n);
+
+int vhost_get_vq_desc_n(struct vhost_virtqueue *vq,
+ struct iovec iov[], unsigned int iov_size,
+ unsigned int *out_num, unsigned int *in_num,
+ struct vhost_log *log, unsigned int *log_num,
+ unsigned int *ndesc);
+
+void vhost_discard_vq_desc(struct vhost_virtqueue *, int nbuf,
+ unsigned int ndesc);
bool vhost_vq_work_queue(struct vhost_virtqueue *vq, struct vhost_work *work);
bool vhost_vq_has_work(struct vhost_virtqueue *vq);
--
2.52.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 074/146] tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 073/146] vhost: rewind next_avail_head while discarding descriptors Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 075/146] ALSA: hda/cirrus fix cs420x MacPro 6,1 inverted jack detection Greg Kroah-Hartman
` (85 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+a72c325b042aae6403c7,
Deepanshu Kartikey, Steven Rostedt (Google)
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
commit b042fdf18e89a347177a49e795d8e5184778b5b6 upstream.
When a VMA is split (e.g., by partial munmap or MAP_FIXED), the kernel
calls vm_ops->close on each portion. For trace buffer mappings, this
results in ring_buffer_unmap() being called multiple times while
ring_buffer_map() was only called once.
This causes ring_buffer_unmap() to return -ENODEV on subsequent calls
because user_mapped is already 0, triggering a WARN_ON.
Trace buffer mappings cannot support partial mappings because the ring
buffer structure requires the complete buffer including the meta page.
Fix this by adding a may_split callback that returns -EINVAL to prevent
VMA splits entirely.
Cc: stable@vger.kernel.org
Fixes: cf9f0f7c4c5bb ("tracing: Allow user-space mapping of the ring-buffer")
Link: https://patch.msgid.link/20251119064019.25904-1-kartikey406@gmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a72c325b042aae6403c7
Tested-by: syzbot+a72c325b042aae6403c7@syzkaller.appspotmail.com
Reported-by: syzbot+a72c325b042aae6403c7@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -8781,8 +8781,18 @@ static void tracing_buffers_mmap_close(s
put_snapshot_map(iter->tr);
}
+static int tracing_buffers_may_split(struct vm_area_struct *vma, unsigned long addr)
+{
+ /*
+ * Trace buffer mappings require the complete buffer including
+ * the meta page. Partial mappings are not supported.
+ */
+ return -EINVAL;
+}
+
static const struct vm_operations_struct tracing_buffers_vmops = {
.close = tracing_buffers_mmap_close,
+ .may_split = tracing_buffers_may_split,
};
static int tracing_buffers_mmap(struct file *filp, struct vm_area_struct *vma)
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 075/146] ALSA: hda/cirrus fix cs420x MacPro 6,1 inverted jack detection
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 074/146] tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 076/146] ALSA: usb-audio: Add DSD quirk for LEAK Stereo 230 Greg Kroah-Hartman
` (84 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, René Rebe, sstable,
Takashi Iwai
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: René Rebe <rene@exactco.de>
commit 5719a189c9345977c16f10874fd5102f70094d8f upstream.
Turns out the Apple MacPro 6,1 trashcan also needs the inverted jack
detection like Mac mini patched, too.
Signed-off-by: René Rebe <rene@exactco.de>
Cc: <sstable@vger.kernel.org>
Link: https://patch.msgid.link/20251117.182351.1595411649664739497.rene@exactco.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/hda/codecs/cirrus/cs420x.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/hda/codecs/cirrus/cs420x.c
+++ b/sound/hda/codecs/cirrus/cs420x.c
@@ -585,6 +585,7 @@ static const struct hda_quirk cs4208_mac
SND_PCI_QUIRK(0x106b, 0x6c00, "MacMini 7,1", CS4208_MACMINI),
SND_PCI_QUIRK(0x106b, 0x7100, "MacBookAir 6,1", CS4208_MBA6),
SND_PCI_QUIRK(0x106b, 0x7200, "MacBookAir 6,2", CS4208_MBA6),
+ SND_PCI_QUIRK(0x106b, 0x7800, "MacPro 6,1", CS4208_MACMINI),
SND_PCI_QUIRK(0x106b, 0x7b00, "MacBookPro 12,1", CS4208_MBP11),
{} /* terminator */
};
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 076/146] ALSA: usb-audio: Add DSD quirk for LEAK Stereo 230
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 075/146] ALSA: hda/cirrus fix cs420x MacPro 6,1 inverted jack detection Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 077/146] arm64: dts: imx8dxl-ss-conn: swap interrupts number of eqos Greg Kroah-Hartman
` (83 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ivan Zhaldak, Takashi Iwai
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Zhaldak <i.v.zhaldak@gmail.com>
commit c83fc13960643c4429cd9dfef1321e6430a81b47 upstream.
Integrated amplifier LEAK Stereo 230 by IAG Limited has built-in
ESS9038Q2M DAC served by XMOS controller. It supports both DSD Native
and DSD-over-PCM (DoP) operational modes. But it doesn't work properly
by default and tries DSD-to-PCM conversion. USB quirks below allow it
to operate as designed.
Add DSD_RAW quirk flag for IAG Limited devices (vendor ID 0x2622)
Add DSD format quirk for LEAK Stereo 230 (USB ID 0x2622:0x0061)
Signed-off-by: Ivan Zhaldak <i.v.zhaldak@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20251117125848.30769-1-i.v.zhaldak@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/quirks.c | 3 +++
1 file changed, 3 insertions(+)
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -2028,6 +2028,7 @@ u64 snd_usb_interface_dsd_format_quirks(
case USB_ID(0x249c, 0x9326): /* M2Tech Young MkIII */
case USB_ID(0x2616, 0x0106): /* PS Audio NuWave DAC */
case USB_ID(0x2622, 0x0041): /* Audiolab M-DAC+ */
+ case USB_ID(0x2622, 0x0061): /* LEAK Stereo 230 */
case USB_ID(0x278b, 0x5100): /* Rotel RC-1590 */
case USB_ID(0x27f7, 0x3002): /* W4S DAC-2v2SE */
case USB_ID(0x29a2, 0x0086): /* Mutec MC3+ USB */
@@ -2411,6 +2412,8 @@ static const struct usb_audio_quirk_flag
QUIRK_FLAG_DSD_RAW),
VENDOR_FLG(0x25ce, /* Mytek devices */
QUIRK_FLAG_DSD_RAW),
+ VENDOR_FLG(0x2622, /* IAG Limited devices */
+ QUIRK_FLAG_DSD_RAW),
VENDOR_FLG(0x278b, /* Rotel? */
QUIRK_FLAG_DSD_RAW),
VENDOR_FLG(0x292b, /* Gustard/Ess based devices */
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 077/146] arm64: dts: imx8dxl-ss-conn: swap interrupts number of eqos
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 076/146] ALSA: usb-audio: Add DSD quirk for LEAK Stereo 230 Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 078/146] arm64: dts: imx8dxl: Correct pcie-ep interrupt number Greg Kroah-Hartman
` (82 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Frank Li, Alexander Dahl, Shawn Guo
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frank Li <Frank.Li@nxp.com>
commit 5b6677d6451bbbac3b6ab93fae6506b59e2c19bd upstream.
Swap interrupt numbers of eqos because the below commit just swap
interrupt-names and missed swap interrupts also.
The driver (drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c) use
interrupt-names to get irq numbers.
Fixes: f29c19a6e488 ("arm64: dts: imx8dxl-ss-conn: Fix Ethernet interrupt-names order")
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Tested-by: Alexander Dahl <ada@thorsis.com>
Cc: stable@vger.kernel.org
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/freescale/imx8dxl-ss-conn.dtsi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/arm64/boot/dts/freescale/imx8dxl-ss-conn.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8dxl-ss-conn.dtsi
@@ -27,8 +27,8 @@
compatible = "nxp,imx8dxl-dwmac-eqos", "snps,dwmac-5.10a";
reg = <0x5b050000 0x10000>;
interrupt-parent = <&gic>;
- interrupts = <GIC_SPI 163 IRQ_TYPE_LEVEL_HIGH>,
- <GIC_SPI 162 IRQ_TYPE_LEVEL_HIGH>;
+ interrupts = <GIC_SPI 162 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 163 IRQ_TYPE_LEVEL_HIGH>;
interrupt-names = "macirq", "eth_wake_irq";
clocks = <&eqos_lpcg IMX_LPCG_CLK_4>,
<&eqos_lpcg IMX_LPCG_CLK_6>,
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 078/146] arm64: dts: imx8dxl: Correct pcie-ep interrupt number
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 077/146] arm64: dts: imx8dxl-ss-conn: swap interrupts number of eqos Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 079/146] arm64: dts: imx8qm-mek: fix mux-controller select/enable-gpios polarity Greg Kroah-Hartman
` (81 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Frank Li, Shawn Guo
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frank Li <Frank.Li@nxp.com>
commit f10a788e4b6a0ebe8629177894ca779b2dc6203d upstream.
Correct i.MX8DXL's pcie-ep interrupt number.
Fixes: d03743c5659a9 ("arm64: dts: imx8q: add PCIe EP for i.MX8QM and i.MX8QXP")
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Cc: stable@vger.kernel.org
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/freescale/imx8dxl-ss-hsio.dtsi | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/arch/arm64/boot/dts/freescale/imx8dxl-ss-hsio.dtsi b/arch/arm64/boot/dts/freescale/imx8dxl-ss-hsio.dtsi
index ec466e4d7df5..5c0d09c5c086 100644
--- a/arch/arm64/boot/dts/freescale/imx8dxl-ss-hsio.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8dxl-ss-hsio.dtsi
@@ -54,3 +54,8 @@ pcie0_ep: pcie-ep@5f010000 {
interrupt-names = "dma";
};
};
+
+&pcieb_ep {
+ interrupts = <GIC_SPI 46 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "dma";
+};
--
2.52.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 079/146] arm64: dts: imx8qm-mek: fix mux-controller select/enable-gpios polarity
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 078/146] arm64: dts: imx8dxl: Correct pcie-ep interrupt number Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 080/146] ARM: dts: nxp: imx6ul: correct SAI3 interrupt line Greg Kroah-Hartman
` (80 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jun Li, Xu Yang, Frank Li, Shawn Guo
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
commit e89ee35567d3d465ef0715953170be72f5ef1d4c upstream.
According to the board design, set SEL to high means flipped
connection (TX2/RX2). And the TCPM will output logical 1 if it needs
flipped connection. So switch to active high for select-gpios.
The EN pin on mux chip is low active, so switch to active low for
enable-gpios too.
Fixes: b237975b2cd5 ("arm64: dts: imx8qm-mek: add usb 3.0 and related type C nodes")
Cc: stable@vger.kernel.org
Reviewed-by: Jun Li <jun.li@nxp.com>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
+++ b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
@@ -217,8 +217,8 @@
compatible = "nxp,cbdtu02043", "gpio-sbu-mux";
pinctrl-names = "default";
pinctrl-0 = <&pinctrl_typec_mux>;
- select-gpios = <&lsio_gpio4 6 GPIO_ACTIVE_LOW>;
- enable-gpios = <&lsio_gpio4 19 GPIO_ACTIVE_HIGH>;
+ select-gpios = <&lsio_gpio4 6 GPIO_ACTIVE_HIGH>;
+ enable-gpios = <&lsio_gpio4 19 GPIO_ACTIVE_LOW>;
orientation-switch;
port {
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 080/146] ARM: dts: nxp: imx6ul: correct SAI3 interrupt line
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 079/146] arm64: dts: imx8qm-mek: fix mux-controller select/enable-gpios polarity Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 081/146] atm/fore200e: Fix possible data race in fore200e_open() Greg Kroah-Hartman
` (79 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Maarten Zanders, Shawn Guo
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maarten Zanders <maarten@zanders.be>
commit 1b03346314b791ad966d3c6d59253328226a2b2d upstream.
The i.MX6UL reference manual lists two possible interrupt lines for
SAI3 (56 and 57, offset +32). The current device tree entry uses
the first one (24), which prevents IRQs from being handled properly.
Use the second interrupt line (25), which does allow interrupts
to work as expected.
Fixes: 36e2edf6ac07 ("ARM: dts: imx6ul: add sai support")
Signed-off-by: Maarten Zanders <maarten@zanders.be>
Cc: stable@vger.kernel.org
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/boot/dts/nxp/imx/imx6ul.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm/boot/dts/nxp/imx/imx6ul.dtsi
+++ b/arch/arm/boot/dts/nxp/imx/imx6ul.dtsi
@@ -339,7 +339,7 @@
#sound-dai-cells = <0>;
compatible = "fsl,imx6ul-sai", "fsl,imx6sx-sai";
reg = <0x02030000 0x4000>;
- interrupts = <GIC_SPI 24 IRQ_TYPE_LEVEL_HIGH>;
+ interrupts = <GIC_SPI 25 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&clks IMX6UL_CLK_SAI3_IPG>,
<&clks IMX6UL_CLK_SAI3>,
<&clks IMX6UL_CLK_DUMMY>, <&clks IMX6UL_CLK_DUMMY>;
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 081/146] atm/fore200e: Fix possible data race in fore200e_open()
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 080/146] ARM: dts: nxp: imx6ul: correct SAI3 interrupt line Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 082/146] Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref Greg Kroah-Hartman
` (78 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Simon Horman,
Paolo Abeni
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <hanguidong02@gmail.com>
commit 82fca3d8a4a34667f01ec2351a607135249c9cff upstream.
Protect access to fore200e->available_cell_rate with rate_mtx lock in the
error handling path of fore200e_open() to prevent a data race.
The field fore200e->available_cell_rate is a shared resource used to track
available bandwidth. It is concurrently accessed by fore200e_open(),
fore200e_close(), and fore200e_change_qos().
In fore200e_open(), the lock rate_mtx is correctly held when subtracting
vcc->qos.txtp.max_pcr from available_cell_rate to reserve bandwidth.
However, if the subsequent call to fore200e_activate_vcin() fails, the
function restores the reserved bandwidth by adding back to
available_cell_rate without holding the lock.
This introduces a race condition because available_cell_rate is a global
device resource shared across all VCCs. If the error path in
fore200e_open() executes concurrently with operations like
fore200e_close() or fore200e_change_qos() on other VCCs, a
read-modify-write race occurs.
Specifically, the error path reads the rate without the lock. If another
CPU acquires the lock and modifies the rate (e.g., releasing bandwidth in
fore200e_close()) between this read and the subsequent write, the error
path will overwrite the concurrent update with a stale value. This results
in incorrect bandwidth accounting.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251120120657.2462194-1-hanguidong02@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/atm/fore200e.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/atm/fore200e.c
+++ b/drivers/atm/fore200e.c
@@ -1374,7 +1374,9 @@ fore200e_open(struct atm_vcc *vcc)
vcc->dev_data = NULL;
+ mutex_lock(&fore200e->rate_mtx);
fore200e->available_cell_rate += vcc->qos.txtp.max_pcr;
+ mutex_unlock(&fore200e->rate_mtx);
kfree(fore200e_vcc);
return -EINVAL;
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 082/146] Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 081/146] atm/fore200e: Fix possible data race in fore200e_open() Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 083/146] can: rcar_canfd: Fix CAN-FD mode as default Greg Kroah-Hartman
` (77 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, IncogCyberpunk, Douglas Anderson,
Luiz Augusto von Dentz
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
commit c884a0b27b4586e607431d86a1aa0bb4fb39169c upstream.
In btusb_mtk_setup(), we set `btmtk_data->isopkt_intf` to:
usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM)
That function can return NULL in some cases. Even when it returns
NULL, though, we still go on to call btusb_mtk_claim_iso_intf().
As of commit e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for
usb_driver_claim_interface()"), calling btusb_mtk_claim_iso_intf()
when `btmtk_data->isopkt_intf` is NULL will cause a crash because
we'll end up passing a bad pointer to device_lock(). Prior to that
commit we'd pass the NULL pointer directly to
usb_driver_claim_interface() which would detect it and return an
error, which was handled.
Resolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check
at the start of the function. This makes the code handle a NULL
`btmtk_data->isopkt_intf` the same way it did before the problematic
commit (just with a slight change to the error message printed).
Reported-by: IncogCyberpunk <incogcyberpunk@proton.me>
Closes: http://lore.kernel.org/r/a380d061-479e-4713-bddd-1d6571ca7e86@leemhuis.info
Fixes: e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()")
Cc: stable@vger.kernel.org
Tested-by: IncogCyberpunk <incogcyberpunk@proton.me>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/btusb.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -2721,6 +2721,11 @@ static void btusb_mtk_claim_iso_intf(str
if (!btmtk_data)
return;
+ if (!btmtk_data->isopkt_intf) {
+ bt_dev_err(data->hdev, "Can't claim NULL iso interface");
+ return;
+ }
+
/*
* The function usb_driver_claim_interface() is documented to need
* locks held if it's not called from a probe routine. The code here
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 083/146] can: rcar_canfd: Fix CAN-FD mode as default
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 082/146] Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 084/146] can: sja1000: fix max irq loop handling Greg Kroah-Hartman
` (76 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Biju Das, Marc Kleine-Budde
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Biju Das <biju.das.jz@bp.renesas.com>
commit 6d849ff573722afcf5508d2800017bdd40f27eb9 upstream.
The commit 5cff263606a1 ("can: rcar_canfd: Fix controller mode setting")
has aligned with the flow mentioned in the hardware manual for all SoCs
except R-Car Gen3 and RZ/G2L SoCs. On R-Car Gen4 and RZ/G3E SoCs, due to
the wrong logic in the commit[1] sets the default mode to FD-Only mode
instead of CAN-FD mode.
This patch sets the CAN-FD mode as the default for all SoCs by dropping
the rcar_canfd_set_mode() as some SoC requires mode setting in global
reset mode, and the rest of the SoCs in channel reset mode and update the
rcar_canfd_reset_controller() to take care of these constraints. Moreover,
the RZ/G3E and R-Car Gen4 SoCs support 3 modes compared to 2 modes on the
R-Car Gen3. Use inverted logic in rcar_canfd_reset_controller() to
simplify the code later to support FD-only mode.
[1]
commit 45721c406dcf ("can: rcar_canfd: Add support for r8a779a0 SoC")
Fixes: 5cff263606a1 ("can: rcar_canfd: Fix controller mode setting")
Cc: stable@vger.kernel.org
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Link: https://patch.msgid.link/20251118123926.193445-1-biju.das.jz@bp.renesas.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/rcar/rcar_canfd.c | 53 ++++++++++++++++++++++----------------
1 file changed, 31 insertions(+), 22 deletions(-)
--- a/drivers/net/can/rcar/rcar_canfd.c
+++ b/drivers/net/can/rcar/rcar_canfd.c
@@ -726,6 +726,11 @@ static void rcar_canfd_set_bit_reg(void
rcar_canfd_update(val, val, addr);
}
+static void rcar_canfd_clear_bit_reg(void __iomem *addr, u32 val)
+{
+ rcar_canfd_update(val, 0, addr);
+}
+
static void rcar_canfd_update_bit_reg(void __iomem *addr, u32 mask, u32 val)
{
rcar_canfd_update(mask, val, addr);
@@ -772,25 +777,6 @@ static void rcar_canfd_set_rnc(struct rc
rcar_canfd_set_bit(gpriv->base, RCANFD_GAFLCFG(w), rnc);
}
-static void rcar_canfd_set_mode(struct rcar_canfd_global *gpriv)
-{
- if (gpriv->info->ch_interface_mode) {
- u32 ch, val = gpriv->fdmode ? RCANFD_GEN4_FDCFG_FDOE
- : RCANFD_GEN4_FDCFG_CLOE;
-
- for_each_set_bit(ch, &gpriv->channels_mask,
- gpriv->info->max_channels)
- rcar_canfd_set_bit_reg(&gpriv->fcbase[ch].cfdcfg, val);
- } else {
- if (gpriv->fdmode)
- rcar_canfd_set_bit(gpriv->base, RCANFD_GRMCFG,
- RCANFD_GRMCFG_RCMC);
- else
- rcar_canfd_clear_bit(gpriv->base, RCANFD_GRMCFG,
- RCANFD_GRMCFG_RCMC);
- }
-}
-
static int rcar_canfd_reset_controller(struct rcar_canfd_global *gpriv)
{
struct device *dev = &gpriv->pdev->dev;
@@ -823,6 +809,16 @@ static int rcar_canfd_reset_controller(s
/* Reset Global error flags */
rcar_canfd_write(gpriv->base, RCANFD_GERFL, 0x0);
+ /* Set the controller into appropriate mode */
+ if (!gpriv->info->ch_interface_mode) {
+ if (gpriv->fdmode)
+ rcar_canfd_set_bit(gpriv->base, RCANFD_GRMCFG,
+ RCANFD_GRMCFG_RCMC);
+ else
+ rcar_canfd_clear_bit(gpriv->base, RCANFD_GRMCFG,
+ RCANFD_GRMCFG_RCMC);
+ }
+
/* Transition all Channels to reset mode */
for_each_set_bit(ch, &gpriv->channels_mask, gpriv->info->max_channels) {
rcar_canfd_clear_bit(gpriv->base,
@@ -840,10 +836,23 @@ static int rcar_canfd_reset_controller(s
dev_dbg(dev, "channel %u reset failed\n", ch);
return err;
}
- }
- /* Set the controller into appropriate mode */
- rcar_canfd_set_mode(gpriv);
+ /* Set the controller into appropriate mode */
+ if (gpriv->info->ch_interface_mode) {
+ /* Do not set CLOE and FDOE simultaneously */
+ if (!gpriv->fdmode) {
+ rcar_canfd_clear_bit_reg(&gpriv->fcbase[ch].cfdcfg,
+ RCANFD_GEN4_FDCFG_FDOE);
+ rcar_canfd_set_bit_reg(&gpriv->fcbase[ch].cfdcfg,
+ RCANFD_GEN4_FDCFG_CLOE);
+ } else {
+ rcar_canfd_clear_bit_reg(&gpriv->fcbase[ch].cfdcfg,
+ RCANFD_GEN4_FDCFG_FDOE);
+ rcar_canfd_clear_bit_reg(&gpriv->fcbase[ch].cfdcfg,
+ RCANFD_GEN4_FDCFG_CLOE);
+ }
+ }
+ }
return 0;
}
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 084/146] can: sja1000: fix max irq loop handling
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 083/146] can: rcar_canfd: Fix CAN-FD mode as default Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 085/146] can: sun4i_can: sun4i_can_interrupt(): " Greg Kroah-Hartman
` (75 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Mühlbacher,
Oliver Hartkopp, Marc Kleine-Budde
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Mühlbacher <tmuehlbacher@posteo.net>
commit 30db4451c7f6aabcada029b15859a76962ec0cf8 upstream.
Reading the interrupt register `SJA1000_IR` causes all of its bits to be
reset. If we ever reach the condition of handling more than
`SJA1000_MAX_IRQ` IRQs, we will have read the register and reset all its
bits but without actually handling the interrupt inside of the loop
body.
This may, among other issues, cause us to never `netif_wake_queue()`
again after a transmission interrupt.
Fixes: 429da1cc841b ("can: Driver for the SJA1000 CAN controller")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Mühlbacher <tmuehlbacher@posteo.net>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Link: https://patch.msgid.link/20251115153437.11419-1-tmuehlbacher@posteo.net
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/sja1000/sja1000.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/can/sja1000/sja1000.c
+++ b/drivers/net/can/sja1000/sja1000.c
@@ -548,8 +548,8 @@ irqreturn_t sja1000_interrupt(int irq, v
if (priv->read_reg(priv, SJA1000_IER) == IRQ_OFF)
goto out;
- while ((isrc = priv->read_reg(priv, SJA1000_IR)) &&
- (n < SJA1000_MAX_IRQ)) {
+ while ((n < SJA1000_MAX_IRQ) &&
+ (isrc = priv->read_reg(priv, SJA1000_IR))) {
status = priv->read_reg(priv, SJA1000_SR);
/* check for absent controller due to hw unplug */
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 085/146] can: sun4i_can: sun4i_can_interrupt(): fix max irq loop handling
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 084/146] can: sja1000: fix max irq loop handling Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 086/146] ceph: fix crash in process_v2_sparse_read() for encrypted directories Greg Kroah-Hartman
` (74 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Mühlbacher,
Jernej Skrabec, Marc Kleine-Budde
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
commit 76544beea7cfe5bcce6d60f53811657b88ec8be1 upstream.
Reading the interrupt register `SUN4I_REG_INT_ADDR` causes all of its bits
to be reset. If we ever reach the condition of handling more than
`SUN4I_CAN_MAX_IRQ` IRQs, we will have read the register and reset all its
bits but without actually handling the interrupt inside of the loop body.
This may, among other issues, cause us to never `netif_wake_queue()` again
after a transmission interrupt.
Fixes: 0738eff14d81 ("can: Allwinner A10/A20 CAN Controller support - Kernel module")
Cc: stable@vger.kernel.org
Co-developed-by: Thomas Mühlbacher <tmuehlbacher@posteo.net>
Signed-off-by: Thomas Mühlbacher <tmuehlbacher@posteo.net>
Acked-by: Jernej Skrabec <jernej.skrabec@gmail.com>
Link: https://patch.msgid.link/20251116-sun4i-fix-loop-v1-1-3d76d3f81950@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/sun4i_can.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/can/sun4i_can.c
+++ b/drivers/net/can/sun4i_can.c
@@ -657,8 +657,8 @@ static irqreturn_t sun4i_can_interrupt(i
u8 isrc, status;
int n = 0;
- while ((isrc = readl(priv->base + SUN4I_REG_INT_ADDR)) &&
- (n < SUN4I_CAN_MAX_IRQ)) {
+ while ((n < SUN4I_CAN_MAX_IRQ) &&
+ (isrc = readl(priv->base + SUN4I_REG_INT_ADDR))) {
n++;
status = readl(priv->base + SUN4I_REG_STA_ADDR);
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 086/146] ceph: fix crash in process_v2_sparse_read() for encrypted directories
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 085/146] can: sun4i_can: sun4i_can_interrupt(): " Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 087/146] counter: microchip-tcb-capture: Allow shared IRQ for multi-channel TCBs Greg Kroah-Hartman
` (73 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Viacheslav Dubeyko, Ilya Dryomov
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
commit 43962db4a6f593903340c85591056a0cef812dfd upstream.
The crash in process_v2_sparse_read() for fscrypt-encrypted directories
has been reported. Issue takes place for Ceph msgr2 protocol in secure
mode. It can be reproduced by the steps:
sudo mount -t ceph :/ /mnt/cephfs/ -o name=admin,fs=cephfs,ms_mode=secure
(1) mkdir /mnt/cephfs/fscrypt-test-3
(2) cp area_decrypted.tar /mnt/cephfs/fscrypt-test-3
(3) fscrypt encrypt --source=raw_key --key=./my.key /mnt/cephfs/fscrypt-test-3
(4) fscrypt lock /mnt/cephfs/fscrypt-test-3
(5) fscrypt unlock --key=my.key /mnt/cephfs/fscrypt-test-3
(6) cat /mnt/cephfs/fscrypt-test-3/area_decrypted.tar
(7) Issue has been triggered
[ 408.072247] ------------[ cut here ]------------
[ 408.072251] WARNING: CPU: 1 PID: 392 at net/ceph/messenger_v2.c:865
ceph_con_v2_try_read+0x4b39/0x72f0
[ 408.072267] Modules linked in: intel_rapl_msr intel_rapl_common
intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery
pmt_class intel_pmc_ssram_telemetry intel_vsec kvm_intel joydev kvm irqbypass
polyval_clmulni ghash_clmulni_intel aesni_intel rapl input_leds psmouse
serio_raw i2c_piix4 vga16fb bochs vgastate i2c_smbus floppy mac_hid qemu_fw_cfg
pata_acpi sch_fq_codel rbd msr parport_pc ppdev lp parport efi_pstore
[ 408.072304] CPU: 1 UID: 0 PID: 392 Comm: kworker/1:3 Not tainted 6.17.0-rc7+
[ 408.072307] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.17.0-5.fc42 04/01/2014
[ 408.072310] Workqueue: ceph-msgr ceph_con_workfn
[ 408.072314] RIP: 0010:ceph_con_v2_try_read+0x4b39/0x72f0
[ 408.072317] Code: c7 c1 20 f0 d4 ae 50 31 d2 48 c7 c6 60 27 d5 ae 48 c7 c7 f8
8e 6f b0 68 60 38 d5 ae e8 00 47 61 fe 48 83 c4 18 e9 ac fc ff ff <0f> 0b e9 06
fe ff ff 4c 8b 9d 98 fd ff ff 0f 84 64 e7 ff ff 89 85
[ 408.072319] RSP: 0018:ffff88811c3e7a30 EFLAGS: 00010246
[ 408.072322] RAX: ffffed1024874c6f RBX: ffffea00042c2b40 RCX: 0000000000000f38
[ 408.072324] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 408.072325] RBP: ffff88811c3e7ca8 R08: 0000000000000000 R09: 00000000000000c8
[ 408.072326] R10: 00000000000000c8 R11: 0000000000000000 R12: 00000000000000c8
[ 408.072327] R13: dffffc0000000000 R14: ffff8881243a6030 R15: 0000000000003000
[ 408.072329] FS: 0000000000000000(0000) GS:ffff88823eadf000(0000)
knlGS:0000000000000000
[ 408.072331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 408.072332] CR2: 000000c0003c6000 CR3: 000000010c106005 CR4: 0000000000772ef0
[ 408.072336] PKRU: 55555554
[ 408.072337] Call Trace:
[ 408.072338] <TASK>
[ 408.072340] ? sched_clock_noinstr+0x9/0x10
[ 408.072344] ? __pfx_ceph_con_v2_try_read+0x10/0x10
[ 408.072347] ? _raw_spin_unlock+0xe/0x40
[ 408.072349] ? finish_task_switch.isra.0+0x15d/0x830
[ 408.072353] ? __kasan_check_write+0x14/0x30
[ 408.072357] ? mutex_lock+0x84/0xe0
[ 408.072359] ? __pfx_mutex_lock+0x10/0x10
[ 408.072361] ceph_con_workfn+0x27e/0x10e0
[ 408.072364] ? metric_delayed_work+0x311/0x2c50
[ 408.072367] process_one_work+0x611/0xe20
[ 408.072371] ? __kasan_check_write+0x14/0x30
[ 408.072373] worker_thread+0x7e3/0x1580
[ 408.072375] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 408.072378] ? __pfx_worker_thread+0x10/0x10
[ 408.072381] kthread+0x381/0x7a0
[ 408.072383] ? __pfx__raw_spin_lock_irq+0x10/0x10
[ 408.072385] ? __pfx_kthread+0x10/0x10
[ 408.072387] ? __kasan_check_write+0x14/0x30
[ 408.072389] ? recalc_sigpending+0x160/0x220
[ 408.072392] ? _raw_spin_unlock_irq+0xe/0x50
[ 408.072394] ? calculate_sigpending+0x78/0xb0
[ 408.072395] ? __pfx_kthread+0x10/0x10
[ 408.072397] ret_from_fork+0x2b6/0x380
[ 408.072400] ? __pfx_kthread+0x10/0x10
[ 408.072402] ret_from_fork_asm+0x1a/0x30
[ 408.072406] </TASK>
[ 408.072407] ---[ end trace 0000000000000000 ]---
[ 408.072418] Oops: general protection fault, probably for non-canonical
address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
[ 408.072984] KASAN: null-ptr-deref in range [0x0000000000000000-
0x0000000000000007]
[ 408.073350] CPU: 1 UID: 0 PID: 392 Comm: kworker/1:3 Tainted: G W
6.17.0-rc7+ #1 PREEMPT(voluntary)
[ 408.073886] Tainted: [W]=WARN
[ 408.074042] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.17.0-5.fc42 04/01/2014
[ 408.074468] Workqueue: ceph-msgr ceph_con_workfn
[ 408.074694] RIP: 0010:ceph_msg_data_advance+0x79/0x1a80
[ 408.074976] Code: fc ff df 49 8d 77 08 48 c1 ee 03 80 3c 16 00 0f 85 07 11 00
00 48 ba 00 00 00 00 00 fc ff df 49 8b 5f 08 48 89 de 48 c1 ee 03 <0f> b6 14 16
84 d2 74 09 80 fa 03 0f 8e 0f 0e 00 00 8b 13 83 fa 03
[ 408.075884] RSP: 0018:ffff88811c3e7990 EFLAGS: 00010246
[ 408.076305] RAX: ffff8881243a6388 RBX: 0000000000000000 RCX: 0000000000000000
[ 408.076909] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff8881243a6378
[ 408.077466] RBP: ffff88811c3e7a20 R08: 0000000000000000 R09: 00000000000000c8
[ 408.078034] R10: ffff8881243a6388 R11: 0000000000000000 R12: ffffed1024874c71
[ 408.078575] R13: dffffc0000000000 R14: ffff8881243a6030 R15: ffff8881243a6378
[ 408.079159] FS: 0000000000000000(0000) GS:ffff88823eadf000(0000)
knlGS:0000000000000000
[ 408.079736] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 408.080039] CR2: 000000c0003c6000 CR3: 000000010c106005 CR4: 0000000000772ef0
[ 408.080376] PKRU: 55555554
[ 408.080513] Call Trace:
[ 408.080630] <TASK>
[ 408.080729] ceph_con_v2_try_read+0x49b9/0x72f0
[ 408.081115] ? __pfx_ceph_con_v2_try_read+0x10/0x10
[ 408.081348] ? _raw_spin_unlock+0xe/0x40
[ 408.081538] ? finish_task_switch.isra.0+0x15d/0x830
[ 408.081768] ? __kasan_check_write+0x14/0x30
[ 408.081986] ? mutex_lock+0x84/0xe0
[ 408.082160] ? __pfx_mutex_lock+0x10/0x10
[ 408.082343] ceph_con_workfn+0x27e/0x10e0
[ 408.082529] ? metric_delayed_work+0x311/0x2c50
[ 408.082737] process_one_work+0x611/0xe20
[ 408.082948] ? __kasan_check_write+0x14/0x30
[ 408.083156] worker_thread+0x7e3/0x1580
[ 408.083331] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 408.083557] ? __pfx_worker_thread+0x10/0x10
[ 408.083751] kthread+0x381/0x7a0
[ 408.083922] ? __pfx__raw_spin_lock_irq+0x10/0x10
[ 408.084139] ? __pfx_kthread+0x10/0x10
[ 408.084310] ? __kasan_check_write+0x14/0x30
[ 408.084510] ? recalc_sigpending+0x160/0x220
[ 408.084708] ? _raw_spin_unlock_irq+0xe/0x50
[ 408.084917] ? calculate_sigpending+0x78/0xb0
[ 408.085138] ? __pfx_kthread+0x10/0x10
[ 408.085335] ret_from_fork+0x2b6/0x380
[ 408.085525] ? __pfx_kthread+0x10/0x10
[ 408.085720] ret_from_fork_asm+0x1a/0x30
[ 408.085922] </TASK>
[ 408.086036] Modules linked in: intel_rapl_msr intel_rapl_common
intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery
pmt_class intel_pmc_ssram_telemetry intel_vsec kvm_intel joydev kvm irqbypass
polyval_clmulni ghash_clmulni_intel aesni_intel rapl input_leds psmouse
serio_raw i2c_piix4 vga16fb bochs vgastate i2c_smbus floppy mac_hid qemu_fw_cfg
pata_acpi sch_fq_codel rbd msr parport_pc ppdev lp parport efi_pstore
[ 408.087778] ---[ end trace 0000000000000000 ]---
[ 408.088007] RIP: 0010:ceph_msg_data_advance+0x79/0x1a80
[ 408.088260] Code: fc ff df 49 8d 77 08 48 c1 ee 03 80 3c 16 00 0f 85 07 11 00
00 48 ba 00 00 00 00 00 fc ff df 49 8b 5f 08 48 89 de 48 c1 ee 03 <0f> b6 14 16
84 d2 74 09 80 fa 03 0f 8e 0f 0e 00 00 8b 13 83 fa 03
[ 408.089118] RSP: 0018:ffff88811c3e7990 EFLAGS: 00010246
[ 408.089357] RAX: ffff8881243a6388 RBX: 0000000000000000 RCX: 0000000000000000
[ 408.089678] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff8881243a6378
[ 408.090020] RBP: ffff88811c3e7a20 R08: 0000000000000000 R09: 00000000000000c8
[ 408.090360] R10: ffff8881243a6388 R11: 0000000000000000 R12: ffffed1024874c71
[ 408.090687] R13: dffffc0000000000 R14: ffff8881243a6030 R15: ffff8881243a6378
[ 408.091035] FS: 0000000000000000(0000) GS:ffff88823eadf000(0000)
knlGS:0000000000000000
[ 408.091452] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 408.092015] CR2: 000000c0003c6000 CR3: 000000010c106005 CR4: 0000000000772ef0
[ 408.092530] PKRU: 55555554
[ 417.112915]
==================================================================
[ 417.113491] BUG: KASAN: slab-use-after-free in
__mutex_lock.constprop.0+0x1522/0x1610
[ 417.114014] Read of size 4 at addr ffff888124870034 by task kworker/2:0/4951
[ 417.114587] CPU: 2 UID: 0 PID: 4951 Comm: kworker/2:0 Tainted: G D W
6.17.0-rc7+ #1 PREEMPT(voluntary)
[ 417.114592] Tainted: [D]=DIE, [W]=WARN
[ 417.114593] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.17.0-5.fc42 04/01/2014
[ 417.114596] Workqueue: events handle_timeout
[ 417.114601] Call Trace:
[ 417.114602] <TASK>
[ 417.114604] dump_stack_lvl+0x5c/0x90
[ 417.114610] print_report+0x171/0x4dc
[ 417.114613] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 417.114617] ? kasan_complete_mode_report_info+0x80/0x220
[ 417.114621] kasan_report+0xbd/0x100
[ 417.114625] ? __mutex_lock.constprop.0+0x1522/0x1610
[ 417.114628] ? __mutex_lock.constprop.0+0x1522/0x1610
[ 417.114630] __asan_report_load4_noabort+0x14/0x30
[ 417.114633] __mutex_lock.constprop.0+0x1522/0x1610
[ 417.114635] ? queue_con_delay+0x8d/0x200
[ 417.114638] ? __pfx___mutex_lock.constprop.0+0x10/0x10
[ 417.114641] ? __send_subscribe+0x529/0xb20
[ 417.114644] __mutex_lock_slowpath+0x13/0x20
[ 417.114646] mutex_lock+0xd4/0xe0
[ 417.114649] ? __pfx_mutex_lock+0x10/0x10
[ 417.114652] ? ceph_monc_renew_subs+0x2a/0x40
[ 417.114654] ceph_con_keepalive+0x22/0x110
[ 417.114656] handle_timeout+0x6b3/0x11d0
[ 417.114659] ? _raw_spin_unlock_irq+0xe/0x50
[ 417.114662] ? __pfx_handle_timeout+0x10/0x10
[ 417.114664] ? queue_delayed_work_on+0x8e/0xa0
[ 417.114669] process_one_work+0x611/0xe20
[ 417.114672] ? __kasan_check_write+0x14/0x30
[ 417.114676] worker_thread+0x7e3/0x1580
[ 417.114678] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 417.114682] ? __pfx_sched_setscheduler_nocheck+0x10/0x10
[ 417.114687] ? __pfx_worker_thread+0x10/0x10
[ 417.114689] kthread+0x381/0x7a0
[ 417.114692] ? __pfx__raw_spin_lock_irq+0x10/0x10
[ 417.114694] ? __pfx_kthread+0x10/0x10
[ 417.114697] ? __kasan_check_write+0x14/0x30
[ 417.114699] ? recalc_sigpending+0x160/0x220
[ 417.114703] ? _raw_spin_unlock_irq+0xe/0x50
[ 417.114705] ? calculate_sigpending+0x78/0xb0
[ 417.114707] ? __pfx_kthread+0x10/0x10
[ 417.114710] ret_from_fork+0x2b6/0x380
[ 417.114713] ? __pfx_kthread+0x10/0x10
[ 417.114715] ret_from_fork_asm+0x1a/0x30
[ 417.114720] </TASK>
[ 417.125171] Allocated by task 2:
[ 417.125333] kasan_save_stack+0x26/0x60
[ 417.125522] kasan_save_track+0x14/0x40
[ 417.125742] kasan_save_alloc_info+0x39/0x60
[ 417.125945] __kasan_slab_alloc+0x8b/0xb0
[ 417.126133] kmem_cache_alloc_node_noprof+0x13b/0x460
[ 417.126381] copy_process+0x320/0x6250
[ 417.126595] kernel_clone+0xb7/0x840
[ 417.126792] kernel_thread+0xd6/0x120
[ 417.126995] kthreadd+0x85c/0xbe0
[ 417.127176] ret_from_fork+0x2b6/0x380
[ 417.127378] ret_from_fork_asm+0x1a/0x30
[ 417.127692] Freed by task 0:
[ 417.127851] kasan_save_stack+0x26/0x60
[ 417.128057] kasan_save_track+0x14/0x40
[ 417.128267] kasan_save_free_info+0x3b/0x60
[ 417.128491] __kasan_slab_free+0x6c/0xa0
[ 417.128708] kmem_cache_free+0x182/0x550
[ 417.128906] free_task+0xeb/0x140
[ 417.129070] __put_task_struct+0x1d2/0x4f0
[ 417.129259] __put_task_struct_rcu_cb+0x15/0x20
[ 417.129480] rcu_do_batch+0x3d3/0xe70
[ 417.129681] rcu_core+0x549/0xb30
[ 417.129839] rcu_core_si+0xe/0x20
[ 417.130005] handle_softirqs+0x160/0x570
[ 417.130190] __irq_exit_rcu+0x189/0x1e0
[ 417.130369] irq_exit_rcu+0xe/0x20
[ 417.130531] sysvec_apic_timer_interrupt+0x9f/0xd0
[ 417.130768] asm_sysvec_apic_timer_interrupt+0x1b/0x20
[ 417.131082] Last potentially related work creation:
[ 417.131305] kasan_save_stack+0x26/0x60
[ 417.131484] kasan_record_aux_stack+0xae/0xd0
[ 417.131695] __call_rcu_common+0xcd/0x14b0
[ 417.131909] call_rcu+0x31/0x50
[ 417.132071] delayed_put_task_struct+0x128/0x190
[ 417.132295] rcu_do_batch+0x3d3/0xe70
[ 417.132478] rcu_core+0x549/0xb30
[ 417.132658] rcu_core_si+0xe/0x20
[ 417.132808] handle_softirqs+0x160/0x570
[ 417.132993] __irq_exit_rcu+0x189/0x1e0
[ 417.133181] irq_exit_rcu+0xe/0x20
[ 417.133353] sysvec_apic_timer_interrupt+0x9f/0xd0
[ 417.133584] asm_sysvec_apic_timer_interrupt+0x1b/0x20
[ 417.133921] Second to last potentially related work creation:
[ 417.134183] kasan_save_stack+0x26/0x60
[ 417.134362] kasan_record_aux_stack+0xae/0xd0
[ 417.134566] __call_rcu_common+0xcd/0x14b0
[ 417.134782] call_rcu+0x31/0x50
[ 417.134929] put_task_struct_rcu_user+0x58/0xb0
[ 417.135143] finish_task_switch.isra.0+0x5d3/0x830
[ 417.135366] __schedule+0xd30/0x5100
[ 417.135534] schedule_idle+0x5a/0x90
[ 417.135712] do_idle+0x25f/0x410
[ 417.135871] cpu_startup_entry+0x53/0x70
[ 417.136053] start_secondary+0x216/0x2c0
[ 417.136233] common_startup_64+0x13e/0x141
[ 417.136894] The buggy address belongs to the object at ffff888124870000
which belongs to the cache task_struct of size 10504
[ 417.138122] The buggy address is located 52 bytes inside of
freed 10504-byte region [ffff888124870000, ffff888124872908)
[ 417.139465] The buggy address belongs to the physical page:
[ 417.140016] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
pfn:0x124870
[ 417.140789] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0
pincount:0
[ 417.141519] memcg:ffff88811aa20e01
[ 417.141874] anon flags:
0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
[ 417.142600] page_type: f5(slab)
[ 417.142922] raw: 0017ffffc0000040 ffff88810094f040 0000000000000000
dead000000000001
[ 417.143554] raw: 0000000000000000 0000000000030003 00000000f5000000
ffff88811aa20e01
[ 417.143954] head: 0017ffffc0000040 ffff88810094f040 0000000000000000
dead000000000001
[ 417.144329] head: 0000000000000000 0000000000030003 00000000f5000000
ffff88811aa20e01
[ 417.144710] head: 0017ffffc0000003 ffffea0004921c01 00000000ffffffff
00000000ffffffff
[ 417.145106] head: ffffffffffffffff 0000000000000000 00000000ffffffff
0000000000000008
[ 417.145485] page dumped because: kasan: bad access detected
[ 417.145859] Memory state around the buggy address:
[ 417.146094] ffff88812486ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
fc
[ 417.146439] ffff88812486ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
fc
[ 417.146791] >ffff888124870000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[ 417.147145] ^
[ 417.147387] ffff888124870080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[ 417.147751] ffff888124870100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[ 417.148123]
==================================================================
First of all, we have warning in get_bvec_at() because
cursor->total_resid contains zero value. And, finally,
we have crash in ceph_msg_data_advance() because
cursor->data is NULL. It means that get_bvec_at()
receives not initialized ceph_msg_data_cursor structure
because data is NULL and total_resid contains zero.
Moreover, we don't have likewise issue for the case of
Ceph msgr1 protocol because ceph_msg_data_cursor_init()
has been called before reading sparse data.
This patch adds calling of ceph_msg_data_cursor_init()
in the beginning of process_v2_sparse_read() with
the goal to guarantee that logic of reading sparse data
works correctly for the case of Ceph msgr2 protocol.
Cc: stable@vger.kernel.org
Link: https://tracker.ceph.com/issues/73152
Signed-off-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/messenger_v2.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
--- a/net/ceph/messenger_v2.c
+++ b/net/ceph/messenger_v2.c
@@ -1087,13 +1087,16 @@ static int decrypt_control_remainder(str
static int process_v2_sparse_read(struct ceph_connection *con,
struct page **pages, int spos)
{
- struct ceph_msg_data_cursor *cursor = &con->v2.in_cursor;
+ struct ceph_msg_data_cursor cursor;
int ret;
+ ceph_msg_data_cursor_init(&cursor, con->in_msg,
+ con->in_msg->sparse_read_total);
+
for (;;) {
char *buf = NULL;
- ret = con->ops->sparse_read(con, cursor, &buf);
+ ret = con->ops->sparse_read(con, &cursor, &buf);
if (ret <= 0)
return ret;
@@ -1111,11 +1114,11 @@ static int process_v2_sparse_read(struct
} else {
struct bio_vec bv;
- get_bvec_at(cursor, &bv);
+ get_bvec_at(&cursor, &bv);
len = min_t(int, len, bv.bv_len);
memcpy_page(bv.bv_page, bv.bv_offset,
spage, soff, len);
- ceph_msg_data_advance(cursor, len);
+ ceph_msg_data_advance(&cursor, len);
}
spos += len;
ret -= len;
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 087/146] counter: microchip-tcb-capture: Allow shared IRQ for multi-channel TCBs
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 086/146] ceph: fix crash in process_v2_sparse_read() for encrypted directories Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 088/146] dm-verity: fix unreliable memory allocation Greg Kroah-Hartman
` (72 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dharma Balasubiramani, Kamel Bouhara,
Bence Csókás, William Breathitt Gray
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dharma Balasubiramani <dharma.b@microchip.com>
commit 109ff654934a4752f8875ded672efd1fbfe4d31d upstream.
Mark the interrupt as IRQF_SHARED to permit multiple counter channels to
share the same TCB IRQ line.
Each Timer/Counter Block (TCB) instance shares a single IRQ line among its
three internal channels. When multiple counter channels (e.g., counter@0
and counter@1) within the same TCB are enabled, the second call to
devm_request_irq() fails because the IRQ line is already requested by the
first channel.
Cc: stable@vger.kernel.org
Fixes: e5d581396821 ("counter: microchip-tcb-capture: Add IRQ handling")
Signed-off-by: Dharma Balasubiramani <dharma.b@microchip.com>
Reviewed-by: Kamel Bouhara <kamel.bouhara@bootlin.com>
Reviewed-by: Bence Csókás <bence98@sch.bme.hu>
Link: https://lore.kernel.org/r/20251006-microchip-tcb-v1-1-09c19181bb4a@microchip.com
Signed-off-by: William Breathitt Gray <wbg@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/counter/microchip-tcb-capture.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/counter/microchip-tcb-capture.c b/drivers/counter/microchip-tcb-capture.c
index 1a299d1f350b..19d457ae4c3b 100644
--- a/drivers/counter/microchip-tcb-capture.c
+++ b/drivers/counter/microchip-tcb-capture.c
@@ -451,7 +451,7 @@ static void mchp_tc_irq_remove(void *ptr)
static int mchp_tc_irq_enable(struct counter_device *const counter, int irq)
{
struct mchp_tc_data *const priv = counter_priv(counter);
- int ret = devm_request_irq(counter->parent, irq, mchp_tc_isr, 0,
+ int ret = devm_request_irq(counter->parent, irq, mchp_tc_isr, IRQF_SHARED,
dev_name(counter->parent), counter);
if (ret < 0)
--
2.52.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 088/146] dm-verity: fix unreliable memory allocation
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 087/146] counter: microchip-tcb-capture: Allow shared IRQ for multi-channel TCBs Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 089/146] drivers/usb/dwc3: fix PCI parent check Greg Kroah-Hartman
` (71 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Eric Biggers
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit fe680d8c747f4e676ac835c8c7fb0f287cd98758 upstream.
GFP_NOWAIT allocation may fail anytime. It needs to be changed to
GFP_NOIO. There's no need to handle an error because mempool_alloc with
GFP_NOIO can't fail.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-verity-fec.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
--- a/drivers/md/dm-verity-fec.c
+++ b/drivers/md/dm-verity-fec.c
@@ -320,11 +320,7 @@ static int fec_alloc_bufs(struct dm_veri
if (fio->bufs[n])
continue;
- fio->bufs[n] = mempool_alloc(&v->fec->prealloc_pool, GFP_NOWAIT);
- if (unlikely(!fio->bufs[n])) {
- DMERR("failed to allocate FEC buffer");
- return -ENOMEM;
- }
+ fio->bufs[n] = mempool_alloc(&v->fec->prealloc_pool, GFP_NOIO);
}
/* try to allocate the maximum number of buffers */
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 089/146] drivers/usb/dwc3: fix PCI parent check
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 088/146] dm-verity: fix unreliable memory allocation Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 090/146] drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup Greg Kroah-Hartman
` (70 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Jamie Iles, Punit Agrawal,
Thinh Nguyen
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamie Iles <jamie.iles@oss.qualcomm.com>
commit 40f8d17eed7533ed2bbb5e3cc680049b19411b2e upstream.
The sysdev_is_parent check was being used to infer PCI devices that have
the DMA mask set from the PCI capabilities, but sysdev_is_parent is also
used for non-PCI ACPI devices in which case the DMA mask would be the
bus default or as set by the _DMA method.
Without this fix the DMA mask would default to 32-bits and so allocation
would fail if there was no DRAM below 4GB.
Fixes: 47ce45906ca9 ("usb: dwc3: leave default DMA for PCI devices")
Cc: stable <stable@kernel.org>
Signed-off-by: Jamie Iles <jamie.iles@oss.qualcomm.com>
Signed-off-by: Punit Agrawal <punit.agrawal@oss.qualcomm.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://patch.msgid.link/20251107104437.1602509-1-punit.agrawal@oss.qualcomm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/usb/dwc3/core.c
+++ b/drivers/usb/dwc3/core.c
@@ -25,6 +25,7 @@
#include <linux/of.h>
#include <linux/of_graph.h>
#include <linux/acpi.h>
+#include <linux/pci.h>
#include <linux/pinctrl/consumer.h>
#include <linux/pinctrl/devinfo.h>
#include <linux/reset.h>
@@ -2240,7 +2241,7 @@ int dwc3_core_probe(const struct dwc3_pr
dev_set_drvdata(dev, dwc);
dwc3_cache_hwparams(dwc);
- if (!dwc->sysdev_is_parent &&
+ if (!dev_is_pci(dwc->sysdev) &&
DWC3_GHWPARAMS0_AWIDTH(dwc->hwparams.hwparams0) == 64) {
ret = dma_set_mask_and_coherent(dwc->sysdev, DMA_BIT_MASK(64));
if (ret)
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 090/146] drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 089/146] drivers/usb/dwc3: fix PCI parent check Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 091/146] smb: client: fix memory leak in cifs_construct_tcon() Greg Kroah-Hartman
` (69 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann,
Javier Martinez Canillas, Alex Deucher, dri-devel, nouveau,
amd-gfx, linux-fbdev
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Zimmermann <tzimmermann@suse.de>
commit eb76d0f5553575599561010f24c277cc5b31d003 upstream.
Protect vga_switcheroo_client_fb_set() with console lock. Avoids OOB
access in fbcon_remap_all(). Without holding the console lock the call
races with switching outputs.
VGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon
function uses struct fb_info.node, which is set by register_framebuffer().
As the fb-helper code currently sets up VGA switcheroo before registering
the framebuffer, the value of node is -1 and therefore not a legal value.
For example, fbcon uses the value within set_con2fb_map() [1] as an index
into an array.
Moving vga_switcheroo_client_fb_set() after register_framebuffer() can
result in VGA switching that does not switch fbcon correctly.
Therefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(),
which already holds the console lock. Fbdev calls fbcon_fb_registered()
from within register_framebuffer(). Serializes the helper with VGA
switcheroo's call to fbcon_remap_all().
Although vga_switcheroo_client_fb_set() takes an instance of struct fb_info
as parameter, it really only needs the contained fbcon state. Moving the
call to fbcon initialization is therefore cleaner than before. Only amdgpu,
i915, nouveau and radeon support vga_switcheroo. For all other drivers,
this change does nothing.
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://elixir.bootlin.com/linux/v6.17/source/drivers/video/fbdev/core/fbcon.c#L2942 # [1]
Fixes: 6a9ee8af344e ("vga_switcheroo: initial implementation (v15)")
Acked-by: Javier Martinez Canillas <javierm@redhat.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Cc: dri-devel@lists.freedesktop.org
Cc: nouveau@lists.freedesktop.org
Cc: amd-gfx@lists.freedesktop.org
Cc: linux-fbdev@vger.kernel.org
Cc: <stable@vger.kernel.org> # v2.6.34+
Link: https://patch.msgid.link/20251105161549.98836-1-tzimmermann@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_fb_helper.c | 14 --------------
drivers/video/fbdev/core/fbcon.c | 9 +++++++++
2 files changed, 9 insertions(+), 14 deletions(-)
--- a/drivers/gpu/drm/drm_fb_helper.c
+++ b/drivers/gpu/drm/drm_fb_helper.c
@@ -31,9 +31,7 @@
#include <linux/console.h>
#include <linux/export.h>
-#include <linux/pci.h>
#include <linux/sysrq.h>
-#include <linux/vga_switcheroo.h>
#include <drm/drm_atomic.h>
#include <drm/drm_drv.h>
@@ -566,11 +564,6 @@ EXPORT_SYMBOL(drm_fb_helper_release_info
*/
void drm_fb_helper_unregister_info(struct drm_fb_helper *fb_helper)
{
- struct fb_info *info = fb_helper->info;
- struct device *dev = info->device;
-
- if (dev_is_pci(dev))
- vga_switcheroo_client_fb_set(to_pci_dev(dev), NULL);
unregister_framebuffer(fb_helper->info);
}
EXPORT_SYMBOL(drm_fb_helper_unregister_info);
@@ -1632,7 +1625,6 @@ static int drm_fb_helper_single_fb_probe
struct drm_client_dev *client = &fb_helper->client;
struct drm_device *dev = fb_helper->dev;
struct drm_fb_helper_surface_size sizes;
- struct fb_info *info;
int ret;
if (drm_WARN_ON(dev, !dev->driver->fbdev_probe))
@@ -1653,12 +1645,6 @@ static int drm_fb_helper_single_fb_probe
strcpy(fb_helper->fb->comm, "[fbcon]");
- info = fb_helper->info;
-
- /* Set the fb info for vgaswitcheroo clients. Does nothing otherwise. */
- if (dev_is_pci(info->device))
- vga_switcheroo_client_fb_set(to_pci_dev(info->device), info);
-
return 0;
}
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -66,6 +66,7 @@
#include <linux/string.h>
#include <linux/kd.h>
#include <linux/panic.h>
+#include <linux/pci.h>
#include <linux/printk.h>
#include <linux/slab.h>
#include <linux/fb.h>
@@ -78,6 +79,7 @@
#include <linux/interrupt.h>
#include <linux/crc32.h> /* For counting font checksums */
#include <linux/uaccess.h>
+#include <linux/vga_switcheroo.h>
#include <asm/irq.h>
#include "fbcon.h"
@@ -2906,6 +2908,9 @@ void fbcon_fb_unregistered(struct fb_inf
console_lock();
+ if (info->device && dev_is_pci(info->device))
+ vga_switcheroo_client_fb_set(to_pci_dev(info->device), NULL);
+
fbcon_registered_fb[info->node] = NULL;
fbcon_num_registered_fb--;
@@ -3039,6 +3044,10 @@ static int do_fb_registered(struct fb_in
}
}
+ /* Set the fb info for vga_switcheroo clients. Does nothing otherwise. */
+ if (info->device && dev_is_pci(info->device))
+ vga_switcheroo_client_fb_set(to_pci_dev(info->device), info);
+
return ret;
}
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 091/146] smb: client: fix memory leak in cifs_construct_tcon()
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 090/146] drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 092/146] thunderbolt: Add support for Intel Wildcat Lake Greg Kroah-Hartman
` (68 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (Red Hat),
David Howells, Jay Shin, linux-cifs, Steve French
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.org>
commit 3184b6a5a24ec9ee74087b2a550476f386df7dc2 upstream.
When having a multiuser mount with domain= specified and using
cifscreds, cifs_set_cifscreds() will end up setting @ctx->domainname,
so it needs to be freed before leaving cifs_construct_tcon().
This fixes the following memory leak reported by kmemleak:
mount.cifs //srv/share /mnt -o domain=ZELDA,multiuser,...
su - testuser
cifscreds add -d ZELDA -u testuser
...
ls /mnt/1
...
umount /mnt
echo scan > /sys/kernel/debug/kmemleak
cat /sys/kernel/debug/kmemleak
unreferenced object 0xffff8881203c3f08 (size 8):
comm "ls", pid 5060, jiffies 4307222943
hex dump (first 8 bytes):
5a 45 4c 44 41 00 cc cc ZELDA...
backtrace (crc d109a8cf):
__kmalloc_node_track_caller_noprof+0x572/0x710
kstrdup+0x3a/0x70
cifs_sb_tlink+0x1209/0x1770 [cifs]
cifs_get_fattr+0xe1/0xf50 [cifs]
cifs_get_inode_info+0xb5/0x240 [cifs]
cifs_revalidate_dentry_attr+0x2d1/0x470 [cifs]
cifs_getattr+0x28e/0x450 [cifs]
vfs_getattr_nosec+0x126/0x180
vfs_statx+0xf6/0x220
do_statx+0xab/0x110
__x64_sys_statx+0xd5/0x130
do_syscall_64+0xbb/0x380
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: f2aee329a68f ("cifs: set domainName when a domain-key is used in multiuser")
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Reviewed-by: David Howells <dhowells@redhat.com>
Cc: Jay Shin <jaeshin@redhat.com>
Cc: stable@vger.kernel.org
Cc: linux-cifs@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/connect.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/smb/client/connect.c
+++ b/fs/smb/client/connect.c
@@ -4455,6 +4455,7 @@ cifs_construct_tcon(struct cifs_sb_info
out:
kfree(ctx->username);
+ kfree(ctx->domainname);
kfree_sensitive(ctx->password);
kfree(origin_fullpath);
kfree(ctx);
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 092/146] thunderbolt: Add support for Intel Wildcat Lake
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 091/146] smb: client: fix memory leak in cifs_construct_tcon() Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 093/146] slimbus: ngd: Fix reference count leak in qcom_slim_ngd_notify_slaves Greg Kroah-Hartman
` (67 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alan Borzeszkowski, Mika Westerberg
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Borzeszkowski <alan.borzeszkowski@linux.intel.com>
commit 3575254546a27210a4b661ea37fbbfb836c0815d upstream.
Intel Wildcat Lake derives its Thunderbolt/USB4 controller from Lunar
Lake platform. Add Wildcat Lake PCI ID to the driver list of supported
devices.
Signed-off-by: Alan Borzeszkowski <alan.borzeszkowski@linux.intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thunderbolt/nhi.c | 2 ++
drivers/thunderbolt/nhi.h | 1 +
2 files changed, 3 insertions(+)
--- a/drivers/thunderbolt/nhi.c
+++ b/drivers/thunderbolt/nhi.c
@@ -1528,6 +1528,8 @@ static struct pci_device_id nhi_ids[] =
.driver_data = (kernel_ulong_t)&icl_nhi_ops },
{ PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_PTL_P_NHI1),
.driver_data = (kernel_ulong_t)&icl_nhi_ops },
+ { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_WCL_NHI0),
+ .driver_data = (kernel_ulong_t)&icl_nhi_ops },
{ PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HOST_80G_NHI) },
{ PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HOST_40G_NHI) },
--- a/drivers/thunderbolt/nhi.h
+++ b/drivers/thunderbolt/nhi.h
@@ -75,6 +75,7 @@ extern const struct tb_nhi_ops icl_nhi_o
#define PCI_DEVICE_ID_INTEL_TITAN_RIDGE_DD_BRIDGE 0x15ef
#define PCI_DEVICE_ID_INTEL_ADL_NHI0 0x463e
#define PCI_DEVICE_ID_INTEL_ADL_NHI1 0x466d
+#define PCI_DEVICE_ID_INTEL_WCL_NHI0 0x4d33
#define PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HOST_80G_NHI 0x5781
#define PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HOST_40G_NHI 0x5784
#define PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HUB_80G_BRIDGE 0x5786
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 093/146] slimbus: ngd: Fix reference count leak in qcom_slim_ngd_notify_slaves
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 092/146] thunderbolt: Add support for Intel Wildcat Lake Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 094/146] nvmem: layouts: fix nvmem_layout_bus_uevent Greg Kroah-Hartman
` (66 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Miaoqian Lin,
Dmitry Baryshkov
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit 96cf8500934e0ce2a6c486f1dbc3b1fff12f7a5e upstream.
The function qcom_slim_ngd_notify_slaves() calls of_slim_get_device() which
internally uses device_find_child() to obtain a device reference.
According to the device_find_child() documentation,
the caller must drop the reference with put_device() after use.
Found via static analysis and this is similar to commit 4e65bda8273c
("ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()")
Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://patch.msgid.link/20251027060601.33228-1-linmq006@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/slimbus/qcom-ngd-ctrl.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/slimbus/qcom-ngd-ctrl.c
+++ b/drivers/slimbus/qcom-ngd-ctrl.c
@@ -1241,6 +1241,7 @@ static void qcom_slim_ngd_notify_slaves(
if (slim_get_logical_addr(sbdev))
dev_err(ctrl->dev, "Failed to get logical address\n");
+ put_device(&sbdev->dev);
}
}
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 094/146] nvmem: layouts: fix nvmem_layout_bus_uevent
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 093/146] slimbus: ngd: Fix reference count leak in qcom_slim_ngd_notify_slaves Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 095/146] pmdomain: tegra: Add GENPD_FLAG_NO_STAY_ON flag Greg Kroah-Hartman
` (65 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, WangYuli, Wentao Guan,
Srinivas Kandagatla
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Guan <guanwentao@uniontech.com>
commit 03bc4831ef064e114328dea906101cff7c6fb8b3 upstream.
correctly check the ENODEV return value.
Fixes: 810b790033cc ("nvmem: layouts: fix automatic module loading")
CC: stable@vger.kernel.org
Co-developed-by: WangYuli <wangyl5933@chinaunicom.cn>
Signed-off-by: WangYuli <wangyl5933@chinaunicom.cn>
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20251114110539.143154-1-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvmem/layouts.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/nvmem/layouts.c
+++ b/drivers/nvmem/layouts.c
@@ -51,7 +51,7 @@ static int nvmem_layout_bus_uevent(const
int ret;
ret = of_device_uevent_modalias(dev, env);
- if (ret != ENODEV)
+ if (ret != -ENODEV)
return ret;
return 0;
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 095/146] pmdomain: tegra: Add GENPD_FLAG_NO_STAY_ON flag
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 094/146] nvmem: layouts: fix nvmem_layout_bus_uevent Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 096/146] r8169: fix RTL8127 hang on suspend/shutdown Greg Kroah-Hartman
` (64 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jon Hunter, Ulf Hansson
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jon Hunter <jonathanh@nvidia.com>
commit c98c99d5dbdf9fb0063650594edfd7d49b5f4e29 upstream.
Commit 13a4b7fb6260 ("pmdomain: core: Leave powered-on genpds on until
late_initcall_sync") kept power-domains on longer during boot which is
causing some GPU related tests to fail on Tegra234. While this is being
investigated, add the flag GENPD_FLAG_NO_STAY_ON for Tegra devices to
restore the previous behaviour to fix this.
Fixes: 13a4b7fb6260 ("pmdomain: core: Leave powered-on genpds on until late_initcall_sync")
Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pmdomain/tegra/powergate-bpmp.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/pmdomain/tegra/powergate-bpmp.c
+++ b/drivers/pmdomain/tegra/powergate-bpmp.c
@@ -184,6 +184,7 @@ tegra_powergate_add(struct tegra_bpmp *b
powergate->genpd.name = kstrdup(info->name, GFP_KERNEL);
powergate->genpd.power_on = tegra_powergate_power_on;
powergate->genpd.power_off = tegra_powergate_power_off;
+ powergate->genpd.flags = GENPD_FLAG_NO_STAY_ON;
err = pm_genpd_init(&powergate->genpd, NULL, off);
if (err < 0) {
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 096/146] r8169: fix RTL8127 hang on suspend/shutdown
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 095/146] pmdomain: tegra: Add GENPD_FLAG_NO_STAY_ON flag Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 097/146] regulator: rtq2208: Correct buck group2 phase mapping logic Greg Kroah-Hartman
` (63 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fabio Baltieri, Heiner Kallweit,
Jakub Kicinski
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiner Kallweit <hkallweit1@gmail.com>
commit ae1737e7339b513f8c2fc21b500a0fc215d155c3 upstream.
There have been reports that RTL8127 hangs on suspend and shutdown,
partially disappearing from lspci until power-cycling.
According to Realtek disabling PLL's when switching to D3 should be
avoided on that chip version. Fix this by aligning disabling PLL's
with the vendor drivers, what in addition results in PLL's not being
disabled when switching to D3hot on other chip versions.
Fixes: f24f7b2f3af9 ("r8169: add support for RTL8127A")
Tested-by: Fabio Baltieri <fabio.baltieri@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Link: https://patch.msgid.link/d7faae7e-66bc-404a-a432-3a496600575f@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/realtek/r8169_main.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
index d18734fe12e4..853aabedb128 100644
--- a/drivers/net/ethernet/realtek/r8169_main.c
+++ b/drivers/net/ethernet/realtek/r8169_main.c
@@ -1514,11 +1514,20 @@ static enum rtl_dash_type rtl_get_dash_type(struct rtl8169_private *tp)
static void rtl_set_d3_pll_down(struct rtl8169_private *tp, bool enable)
{
- if (tp->mac_version >= RTL_GIGA_MAC_VER_25 &&
- tp->mac_version != RTL_GIGA_MAC_VER_28 &&
- tp->mac_version != RTL_GIGA_MAC_VER_31 &&
- tp->mac_version != RTL_GIGA_MAC_VER_38)
- r8169_mod_reg8_cond(tp, PMCH, D3_NO_PLL_DOWN, !enable);
+ switch (tp->mac_version) {
+ case RTL_GIGA_MAC_VER_02 ... RTL_GIGA_MAC_VER_24:
+ case RTL_GIGA_MAC_VER_28:
+ case RTL_GIGA_MAC_VER_31:
+ case RTL_GIGA_MAC_VER_38:
+ break;
+ case RTL_GIGA_MAC_VER_80:
+ r8169_mod_reg8_cond(tp, PMCH, D3_NO_PLL_DOWN, true);
+ break;
+ default:
+ r8169_mod_reg8_cond(tp, PMCH, D3HOT_NO_PLL_DOWN, true);
+ r8169_mod_reg8_cond(tp, PMCH, D3COLD_NO_PLL_DOWN, !enable);
+ break;
+ }
}
static void rtl_reset_packet_filter(struct rtl8169_private *tp)
--
2.52.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 097/146] regulator: rtq2208: Correct buck group2 phase mapping logic
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 096/146] r8169: fix RTL8127 hang on suspend/shutdown Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 098/146] regulator: rtq2208: Correct LDO2 logic judgment bits Greg Kroah-Hartman
` (62 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yoon Dong Min, ChiYuan Huang,
Mark Brown
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: ChiYuan Huang <cy_huang@richtek.com>
commit 45cc214152bc1f6b1cc135532cd7cdbe08716aaf upstream.
Correct buck group2 H and F mapping logic.
Cc: stable@vger.kernel.org
Reported-by: Yoon Dong Min <dm.youn@telechips.com>
Fixes: 1742e7e978ba ("regulator: rtq2208: Fix incorrect buck converter phase mapping")
Signed-off-by: ChiYuan Huang <cy_huang@richtek.com>
Link: https://patch.msgid.link/8527ae02a72b754d89b7580a5fe7474d6f80f5c3.1764209258.git.cy_huang@richtek.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/regulator/rtq2208-regulator.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/regulator/rtq2208-regulator.c b/drivers/regulator/rtq2208-regulator.c
index 9cde7181b0f0..4a174e27c579 100644
--- a/drivers/regulator/rtq2208-regulator.c
+++ b/drivers/regulator/rtq2208-regulator.c
@@ -543,14 +543,14 @@ static int rtq2208_regulator_check(struct device *dev, int *num, int *regulator_
switch (FIELD_GET(RTQ2208_MASK_BUCKPH_GROUP2, buck_phase)) {
case 2:
- rtq2208_used_table[RTQ2208_BUCK_F] = true;
+ rtq2208_used_table[RTQ2208_BUCK_H] = true;
fallthrough;
case 1:
rtq2208_used_table[RTQ2208_BUCK_E] = true;
fallthrough;
case 0:
case 3:
- rtq2208_used_table[RTQ2208_BUCK_H] = true;
+ rtq2208_used_table[RTQ2208_BUCK_F] = true;
fallthrough;
default:
rtq2208_used_table[RTQ2208_BUCK_G] = true;
--
2.52.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 098/146] regulator: rtq2208: Correct LDO2 logic judgment bits
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 097/146] regulator: rtq2208: Correct buck group2 phase mapping logic Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 099/146] io_uring/net: ensure vectored buffer node import is tied to notification Greg Kroah-Hartman
` (61 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yoon Dong Min, ChiYuan Huang,
Mark Brown
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: ChiYuan Huang <cy_huang@richtek.com>
commit 8684229e19c4185d53d6fb7004d733907c865a91 upstream.
The LDO2 judgement bit position should be 7, not 6.
Cc: stable@vger.kernel.org
Reported-by: Yoon Dong Min <dm.youn@telechips.com>
Fixes: b65439d90150 ("regulator: rtq2208: Fix the LDO DVS capability")
Signed-off-by: ChiYuan Huang <cy_huang@richtek.com>
Link: https://patch.msgid.link/faadb009f84b88bfcabe39fc5009c7357b00bbe2.1764209258.git.cy_huang@richtek.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/regulator/rtq2208-regulator.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/regulator/rtq2208-regulator.c b/drivers/regulator/rtq2208-regulator.c
index 4a174e27c579..f669a562f036 100644
--- a/drivers/regulator/rtq2208-regulator.c
+++ b/drivers/regulator/rtq2208-regulator.c
@@ -53,7 +53,7 @@
#define RTQ2208_MASK_BUCKPH_GROUP1 GENMASK(6, 4)
#define RTQ2208_MASK_BUCKPH_GROUP2 GENMASK(2, 0)
#define RTQ2208_MASK_LDO2_OPT0 BIT(7)
-#define RTQ2208_MASK_LDO2_OPT1 BIT(6)
+#define RTQ2208_MASK_LDO2_OPT1 BIT(7)
#define RTQ2208_MASK_LDO1_FIXED BIT(6)
/* Size */
--
2.52.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 099/146] io_uring/net: ensure vectored buffer node import is tied to notification
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 098/146] regulator: rtq2208: Correct LDO2 logic judgment bits Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 100/146] firmware: stratix10-svc: fix bug in saving controller data Greg Kroah-Hartman
` (60 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Google Big Sleep, Jens Axboe
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
commit f6041803a831266a2a5a5b5af66f7de0845bcbf3 upstream.
When support for vectored registered buffers was added, the import
itself is using 'req' rather than the notification io_kiocb, sr->notif.
For non-vectored imports, sr->notif is correctly used. This is important
as the lifetime of the two may be different. Use the correct io_kiocb
for the vectored buffer import.
Cc: stable@vger.kernel.org
Fixes: 23371eac7d9a ("io_uring/net: implement vectored reg bufs for zctx")
Reported-by: Google Big Sleep <big-sleep-vuln-reports+bigsleep-463332873@google.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/net.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -1542,8 +1542,10 @@ int io_sendmsg_zc(struct io_kiocb *req,
unsigned uvec_segs = kmsg->msg.msg_iter.nr_segs;
int ret;
- ret = io_import_reg_vec(ITER_SOURCE, &kmsg->msg.msg_iter, req,
- &kmsg->vec, uvec_segs, issue_flags);
+ sr->notif->buf_index = req->buf_index;
+ ret = io_import_reg_vec(ITER_SOURCE, &kmsg->msg.msg_iter,
+ sr->notif, &kmsg->vec, uvec_segs,
+ issue_flags);
if (unlikely(ret))
return ret;
req->flags &= ~REQ_F_IMPORT_BUFFER;
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 100/146] firmware: stratix10-svc: fix bug in saving controller data
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 099/146] io_uring/net: ensure vectored buffer node import is tied to notification Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:27 ` [PATCH 6.17 101/146] iommufd/driver: Fix counter initialization for counted_by annotation Greg Kroah-Hartman
` (59 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ang Tien Sung, Khairul Anuar Romli,
Dinh Nguyen
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Khairul Anuar Romli <khairul.anuar.romli@altera.com>
commit d0fcf70c680e4d1669fcb3a8632f41400b9a73c2 upstream.
Fix the incorrect usage of platform_set_drvdata and dev_set_drvdata. They
both are of the same data and overrides each other. This resulted in the
rmmod of the svc driver to fail and throw a kernel panic for kthread_stop
and fifo free.
Fixes: b5dc75c915cd ("firmware: stratix10-svc: extend svc to support new RSU features")
Cc: stable@vger.kernel.org # 6.6+
Signed-off-by: Ang Tien Sung <tiensung.ang@altera.com>
Signed-off-by: Khairul Anuar Romli <khairul.anuar.romli@altera.com>
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/stratix10-svc.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/firmware/stratix10-svc.c
+++ b/drivers/firmware/stratix10-svc.c
@@ -134,6 +134,7 @@ struct stratix10_svc_data {
* @complete_status: state for completion
* @svc_fifo_lock: protect access to service message data queue
* @invoke_fn: function to issue secure monitor call or hypervisor call
+ * @svc: manages the list of client svc drivers
*
* This struct is used to create communication channels for service clients, to
* handle secure monitor or hypervisor call.
@@ -150,6 +151,7 @@ struct stratix10_svc_controller {
struct completion complete_status;
spinlock_t svc_fifo_lock;
svc_invoke_fn *invoke_fn;
+ struct stratix10_svc *svc;
};
/**
@@ -1206,6 +1208,7 @@ static int stratix10_svc_drv_probe(struc
ret = -ENOMEM;
goto err_free_kfifo;
}
+ controller->svc = svc;
svc->stratix10_svc_rsu = platform_device_alloc(STRATIX10_RSU, 0);
if (!svc->stratix10_svc_rsu) {
@@ -1237,8 +1240,6 @@ static int stratix10_svc_drv_probe(struc
if (ret)
goto err_unregister_fcs_dev;
- dev_set_drvdata(dev, svc);
-
pr_info("Intel Service Layer Driver Initialized\n");
return 0;
@@ -1256,8 +1257,8 @@ err_destroy_pool:
static void stratix10_svc_drv_remove(struct platform_device *pdev)
{
- struct stratix10_svc *svc = dev_get_drvdata(&pdev->dev);
struct stratix10_svc_controller *ctrl = platform_get_drvdata(pdev);
+ struct stratix10_svc *svc = ctrl->svc;
of_platform_depopulate(ctrl->dev);
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 101/146] iommufd/driver: Fix counter initialization for counted_by annotation
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 100/146] firmware: stratix10-svc: fix bug in saving controller data Greg Kroah-Hartman
@ 2025-12-03 15:27 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 102/146] mm/huge_memory: fix NULL pointer deference when splitting folio Greg Kroah-Hartman
` (58 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gustavo A. R. Silva, Kevin Tian,
Nicolin Chen, Jason Gunthorpe
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gustavo A. R. Silva <gustavoars@kernel.org>
commit ac84ff453305d12bc799074a9f9af30ff97fff70 upstream.
One of the requirements for counted_by annotations is that the counter
member must be initialized before the first reference to the
flexible-array member.
Move the vevent->data_len = data_len; initialization to before the
first access to flexible array vevent->event_data.
Link: https://patch.msgid.link/r/aRL7ZFFqM5bRTd2D@kspp
Cc: stable@vger.kernel.org
Fixes: e8e1ef9b77a7 ("iommufd/viommu: Add iommufd_viommu_report_event helper")
Signed-off-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Nicolin Chen <nicolinc@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iommufd/driver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iommu/iommufd/driver.c b/drivers/iommu/iommufd/driver.c
index 6f1010da221c..21d4a35538f6 100644
--- a/drivers/iommu/iommufd/driver.c
+++ b/drivers/iommu/iommufd/driver.c
@@ -161,8 +161,8 @@ int iommufd_viommu_report_event(struct iommufd_viommu *viommu,
vevent = &veventq->lost_events_header;
goto out_set_header;
}
- memcpy(vevent->event_data, event_data, data_len);
vevent->data_len = data_len;
+ memcpy(vevent->event_data, event_data, data_len);
veventq->num_events++;
out_set_header:
--
2.52.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 102/146] mm/huge_memory: fix NULL pointer deference when splitting folio
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2025-12-03 15:27 ` [PATCH 6.17 101/146] iommufd/driver: Fix counter initialization for counted_by annotation Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 103/146] mm/memfd: fix information leak in hugetlb folios Greg Kroah-Hartman
` (57 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wei Yang, Zi Yan,
David Hildenbrand (Red Hat), Baolin Wang, Andrew Morton
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Yang <richard.weiyang@gmail.com>
commit cff47b9e39a6abf03dde5f4f156f841b0c54bba0 upstream.
Commit c010d47f107f ("mm: thp: split huge page to any lower order pages")
introduced an early check on the folio's order via mapping->flags before
proceeding with the split work.
This check introduced a bug: for shmem folios in the swap cache and
truncated folios, the mapping pointer can be NULL. Accessing
mapping->flags in this state leads directly to a NULL pointer dereference.
This commit fixes the issue by moving the check for mapping != NULL before
any attempt to access mapping->flags.
Link: https://lkml.kernel.org/r/20251119235302.24773-1-richard.weiyang@gmail.com
Fixes: c010d47f107f ("mm: thp: split huge page to any lower order pages")
Signed-off-by: Wei Yang <richard.weiyang@gmail.com>
Reviewed-by: Zi Yan <ziy@nvidia.com>
Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/huge_memory.c | 22 ++++++++++------------
1 file changed, 10 insertions(+), 12 deletions(-)
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -3626,6 +3626,16 @@ static int __folio_split(struct folio *f
if (folio != page_folio(split_at) || folio != page_folio(lock_at))
return -EINVAL;
+ /*
+ * Folios that just got truncated cannot get split. Signal to the
+ * caller that there was a race.
+ *
+ * TODO: this will also currently refuse shmem folios that are in the
+ * swapcache.
+ */
+ if (!is_anon && !folio->mapping)
+ return -EBUSY;
+
if (new_order >= folio_order(folio))
return -EINVAL;
@@ -3666,18 +3676,6 @@ static int __folio_split(struct folio *f
gfp_t gfp;
mapping = folio->mapping;
-
- /* Truncated ? */
- /*
- * TODO: add support for large shmem folio in swap cache.
- * When shmem is in swap cache, mapping is NULL and
- * folio_test_swapcache() is true.
- */
- if (!mapping) {
- ret = -EBUSY;
- goto out;
- }
-
min_order = mapping_min_folio_order(folio->mapping);
if (new_order < min_order) {
ret = -EINVAL;
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 103/146] mm/memfd: fix information leak in hugetlb folios
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 102/146] mm/huge_memory: fix NULL pointer deference when splitting folio Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 104/146] mmc: sdhci-of-dwcmshc: Promote the th1520 reset handling to ip level Greg Kroah-Hartman
` (56 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Deepanshu Kartikey,
syzbot+f64019ba229e3a5c411b, Oscar Salvador, David Hildenbrand,
David Hildenbrand (Red Hat), Hugh Dickins, Vivek Kasireddy,
Jason Gunthorpe, Dave Airlie, Gerd Hoffmann, Andrew Morton,
Christoph Hellwig
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
commit de8798965fd0d9a6c47fc2ac57767ec32de12b49 upstream.
When allocating hugetlb folios for memfd, three initialization steps are
missing:
1. Folios are not zeroed, leading to kernel memory disclosure to userspace
2. Folios are not marked uptodate before adding to page cache
3. hugetlb_fault_mutex is not taken before hugetlb_add_to_page_cache()
The memfd allocation path bypasses the normal page fault handler
(hugetlb_no_page) which would handle all of these initialization steps.
This is problematic especially for udmabuf use cases where folios are
pinned and directly accessed by userspace via DMA.
Fix by matching the initialization pattern used in hugetlb_no_page():
- Zero the folio using folio_zero_user() which is optimized for huge pages
- Mark it uptodate with folio_mark_uptodate()
- Take hugetlb_fault_mutex before adding to page cache to prevent races
The folio_zero_user() change also fixes a potential security issue where
uninitialized kernel memory could be disclosed to userspace through read()
or mmap() operations on the memfd.
Link: https://lkml.kernel.org/r/20251112145034.2320452-1-kartikey406@gmail.com
Fixes: 89c1905d9c14 ("mm/gup: introduce memfd_pin_folios() for pinning memfd folios")
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reported-by: syzbot+f64019ba229e3a5c411b@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/20251112031631.2315651-1-kartikey406@gmail.com/ [v1]
Closes: https://syzkaller.appspot.com/bug?extid=f64019ba229e3a5c411b
Suggested-by: Oscar Salvador <osalvador@suse.de>
Suggested-by: David Hildenbrand <david@redhat.com>
Tested-by: syzbot+f64019ba229e3a5c411b@syzkaller.appspotmail.com
Acked-by: Oscar Salvador <osalvador@suse.de>
Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: Vivek Kasireddy <vivek.kasireddy@intel.com>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: Jason Gunthorpe <jgg@nvidia.com> (v2)
Cc: Christoph Hellwig <hch@lst.de> (v6)
Cc: Dave Airlie <airlied@redhat.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memfd.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
--- a/mm/memfd.c
+++ b/mm/memfd.c
@@ -96,9 +96,36 @@ struct folio *memfd_alloc_folio(struct f
NULL,
gfp_mask);
if (folio) {
+ u32 hash;
+
+ /*
+ * Zero the folio to prevent information leaks to userspace.
+ * Use folio_zero_user() which is optimized for huge/gigantic
+ * pages. Pass 0 as addr_hint since this is not a faulting path
+ * and we don't have a user virtual address yet.
+ */
+ folio_zero_user(folio, 0);
+
+ /*
+ * Mark the folio uptodate before adding to page cache,
+ * as required by filemap.c and other hugetlb paths.
+ */
+ __folio_mark_uptodate(folio);
+
+ /*
+ * Serialize hugepage allocation and instantiation to prevent
+ * races with concurrent allocations, as required by all other
+ * callers of hugetlb_add_to_page_cache().
+ */
+ hash = hugetlb_fault_mutex_hash(memfd->f_mapping, idx);
+ mutex_lock(&hugetlb_fault_mutex_table[hash]);
+
err = hugetlb_add_to_page_cache(folio,
memfd->f_mapping,
idx);
+
+ mutex_unlock(&hugetlb_fault_mutex_table[hash]);
+
if (err) {
folio_put(folio);
goto err_unresv;
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 104/146] mmc: sdhci-of-dwcmshc: Promote the th1520 reset handling to ip level
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 103/146] mm/memfd: fix information leak in hugetlb folios Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 105/146] mptcp: clear scheduled subflows on retransmit Greg Kroah-Hartman
` (55 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jisheng Zhang, Ulf Hansson
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jisheng Zhang <jszhang@kernel.org>
commit 747528729c9b6733839f9c95f300d5bef95ee52c upstream.
Commit 27e8fe0da3b7 ("mmc: sdhci-of-dwcmshc: Prevent stale command
interrupt handling") clears pending interrupts when resetting
host->pending_reset to ensure no pending stale interrupts after
sdhci_threaded_irq restores interrupts. But this fix is only added for
th1520 platforms, in fact per my test, this issue exists on all
dwcmshc users, such as cv1800b, sg2002, and synaptics platforms.
So promote the above reset handling from th1520 to ip level. And keep
reset handling on rk, sg2042 and bf3 as is, until it's confirmed that
the same issue exists on these platforms too.
Fixes: 017199c2849c ("mmc: sdhci-of-dwcmshc: Add support for Sophgo CV1800B and SG2002")
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-of-dwcmshc.c | 29 +++++++++++++++++------------
1 file changed, 17 insertions(+), 12 deletions(-)
--- a/drivers/mmc/host/sdhci-of-dwcmshc.c
+++ b/drivers/mmc/host/sdhci-of-dwcmshc.c
@@ -289,6 +289,19 @@ static void dwcmshc_adma_write_desc(stru
sdhci_adma_write_desc(host, desc, addr, len, cmd);
}
+static void dwcmshc_reset(struct sdhci_host *host, u8 mask)
+{
+ sdhci_reset(host, mask);
+
+ /* The dwcmshc does not comply with the SDHCI specification
+ * regarding the "Software Reset for CMD line should clear 'Command
+ * Complete' in the Normal Interrupt Status Register." Clear the bit
+ * here to compensate for this quirk.
+ */
+ if (mask & SDHCI_RESET_CMD)
+ sdhci_writel(host, SDHCI_INT_RESPONSE, SDHCI_INT_STATUS);
+}
+
static unsigned int dwcmshc_get_max_clock(struct sdhci_host *host)
{
struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
@@ -832,15 +845,7 @@ static void th1520_sdhci_reset(struct sd
struct dwcmshc_priv *priv = sdhci_pltfm_priv(pltfm_host);
u16 ctrl_2;
- sdhci_reset(host, mask);
-
- /* The T-Head 1520 SoC does not comply with the SDHCI specification
- * regarding the "Software Reset for CMD line should clear 'Command
- * Complete' in the Normal Interrupt Status Register." Clear the bit
- * here to compensate for this quirk.
- */
- if (mask & SDHCI_RESET_CMD)
- sdhci_writel(host, SDHCI_INT_RESPONSE, SDHCI_INT_STATUS);
+ dwcmshc_reset(host, mask);
if (priv->flags & FLAG_IO_FIXED_1V8) {
ctrl_2 = sdhci_readw(host, SDHCI_HOST_CONTROL2);
@@ -886,7 +891,7 @@ static void cv18xx_sdhci_reset(struct sd
struct dwcmshc_priv *priv = sdhci_pltfm_priv(pltfm_host);
u32 val, emmc_caps = MMC_CAP2_NO_SD | MMC_CAP2_NO_SDIO;
- sdhci_reset(host, mask);
+ dwcmshc_reset(host, mask);
if ((host->mmc->caps2 & emmc_caps) == emmc_caps) {
val = sdhci_readl(host, priv->vendor_specific_area1 + CV18XX_SDHCI_MSHC_CTRL);
@@ -958,7 +963,7 @@ static void cv18xx_sdhci_post_tuning(str
val |= SDHCI_INT_DATA_AVAIL;
sdhci_writel(host, val, SDHCI_INT_STATUS);
- sdhci_reset(host, SDHCI_RESET_CMD | SDHCI_RESET_DATA);
+ dwcmshc_reset(host, SDHCI_RESET_CMD | SDHCI_RESET_DATA);
}
static int cv18xx_sdhci_execute_tuning(struct sdhci_host *host, u32 opcode)
@@ -1100,7 +1105,7 @@ static const struct sdhci_ops sdhci_dwcm
.set_bus_width = sdhci_set_bus_width,
.set_uhs_signaling = dwcmshc_set_uhs_signaling,
.get_max_clock = dwcmshc_get_max_clock,
- .reset = sdhci_reset,
+ .reset = dwcmshc_reset,
.adma_write_desc = dwcmshc_adma_write_desc,
.irq = dwcmshc_cqe_irq_handler,
};
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 105/146] mptcp: clear scheduled subflows on retransmit
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 104/146] mmc: sdhci-of-dwcmshc: Promote the th1520 reset handling to ip level Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 106/146] mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose() Greg Kroah-Hartman
` (54 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filip Pokryvka, Paolo Abeni,
Matthieu Baerts (NGI0), Jakub Kicinski
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit 27fd02860164bfa78cec2640dfad630d832e302c upstream.
When __mptcp_retrans() kicks-in, it schedules one or more subflows for
retransmission, but such subflows could be actually left alone if there
is no more data to retransmit and/or in case of concurrent fallback.
Scheduled subflows could be processed much later in time, i.e. when new
data will be transmitted, leading to bad subflow selection.
Explicitly clear all scheduled subflows before leaving the
retransmission function.
Fixes: ee2708aedad0 ("mptcp: use get_retrans wrapper")
Cc: stable@vger.kernel.org
Reported-by: Filip Pokryvka <fpokryvk@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251125-net-mptcp-clear-sched-rtx-v1-1-1cea4ad2165f@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2637,7 +2637,7 @@ static void __mptcp_retrans(struct sock
}
if (!mptcp_send_head(sk))
- return;
+ goto clear_scheduled;
goto reset_timer;
}
@@ -2668,7 +2668,7 @@ static void __mptcp_retrans(struct sock
if (__mptcp_check_fallback(msk)) {
spin_unlock_bh(&msk->fallback_lock);
release_sock(ssk);
- return;
+ goto clear_scheduled;
}
while (info.sent < info.limit) {
@@ -2700,6 +2700,15 @@ reset_timer:
if (!mptcp_rtx_timer_pending(sk))
mptcp_reset_rtx_timer(sk);
+
+clear_scheduled:
+ /* If no rtx data was available or in case of fallback, there
+ * could be left-over scheduled subflows; clear them all
+ * or later xmit could use bad ones
+ */
+ mptcp_for_each_subflow(msk, subflow)
+ if (READ_ONCE(subflow->scheduled))
+ mptcp_subflow_set_scheduled(subflow, false);
}
/* schedule the timeout timer for the relevant event: either close timeout
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 106/146] mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose().
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 105/146] mptcp: clear scheduled subflows on retransmit Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 107/146] serial: 8250: Fix 8250_rsa symbol loop Greg Kroah-Hartman
` (53 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+3a92d359bc2ec6255a33,
Kuniyuki Iwashima, Matthieu Baerts (NGI0), Paolo Abeni
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
commit f07f4ea53e22429c84b20832fa098b5ecc0d4e35 upstream.
syzbot reported divide-by-zero in __tcp_select_window() by
MPTCP socket. [0]
We had a similar issue for the bare TCP and fixed in commit
499350a5a6e7 ("tcp: initialize rcv_mss to TCP_MIN_MSS instead
of 0").
Let's apply the same fix to mptcp_do_fastclose().
[0]:
Oops: divide error: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6068 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:__tcp_select_window+0x824/0x1320 net/ipv4/tcp_output.c:3336
Code: ff ff ff 44 89 f1 d3 e0 89 c1 f7 d1 41 01 cc 41 21 c4 e9 a9 00 00 00 e8 ca 49 01 f8 e9 9c 00 00 00 e8 c0 49 01 f8 44 89 e0 99 <f7> 7c 24 1c 41 29 d4 48 bb 00 00 00 00 00 fc ff df e9 80 00 00 00
RSP: 0018:ffffc90003017640 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88807b469e40
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90003017730 R08: ffff888033268143 R09: 1ffff1100664d028
R10: dffffc0000000000 R11: ffffed100664d029 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 000055557faa0500(0000) GS:ffff888126135000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f64a1912ff8 CR3: 0000000072122000 CR4: 00000000003526f0
Call Trace:
<TASK>
tcp_select_window net/ipv4/tcp_output.c:281 [inline]
__tcp_transmit_skb+0xbc7/0x3aa0 net/ipv4/tcp_output.c:1568
tcp_transmit_skb net/ipv4/tcp_output.c:1649 [inline]
tcp_send_active_reset+0x2d1/0x5b0 net/ipv4/tcp_output.c:3836
mptcp_do_fastclose+0x27e/0x380 net/mptcp/protocol.c:2793
mptcp_disconnect+0x238/0x710 net/mptcp/protocol.c:3253
mptcp_sendmsg_fastopen+0x2f8/0x580 net/mptcp/protocol.c:1776
mptcp_sendmsg+0x1774/0x1980 net/mptcp/protocol.c:1855
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0xe5/0x270 net/socket.c:742
__sys_sendto+0x3bd/0x520 net/socket.c:2244
__do_sys_sendto net/socket.c:2251 [inline]
__se_sys_sendto net/socket.c:2247 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2247
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f66e998f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffff9acedb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f66e9be5fa0 RCX: 00007f66e998f749
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007ffff9acee10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007f66e9be5fa0 R14: 00007f66e9be5fa0 R15: 0000000000000006
</TASK>
Fixes: ae155060247b ("mptcp: fix duplicate reset on fastclose")
Reported-by: syzbot+3a92d359bc2ec6255a33@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/69260882.a70a0220.d98e3.00b4.GAE@google.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251125195331.309558-1-kuniyu@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2770,6 +2770,12 @@ static void mptcp_do_fastclose(struct so
goto unlock;
subflow->send_fastclose = 1;
+
+ /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0
+ * issue in __tcp_select_window(), see tcp_disconnect().
+ */
+ inet_csk(ssk)->icsk_ack.rcv_mss = TCP_MIN_MSS;
+
tcp_send_active_reset(ssk, ssk->sk_allocation,
SK_RST_REASON_TCP_ABORT_ON_CLOSE);
unlock:
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 107/146] serial: 8250: Fix 8250_rsa symbol loop
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 106/146] mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose() Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 108/146] serial: amba-pl011: prefer dma_mapping_error() over explicit address checking Greg Kroah-Hartman
` (52 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Rothwell, Alex Davis, stable,
Andy Shevchenko, Jiri Slaby, Ilpo Järvinen
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
commit 2bf95a9bcb50002ca9d47403d60aedaeb2e19abe upstream.
Depmod fails for a kernel made with:
make allnoconfig
echo -e "CONFIG_MODULES=y\nCONFIG_SERIAL_8250=m\nCONFIG_SERIAL_8250_EXTENDED=y\nCONFIG_SERIAL_8250_RSA=y" >> .config
make olddefconfig
...due to a dependency loop:
depmod: ERROR: Cycle detected: 8250 -> 8250_base -> 8250
depmod: ERROR: Found 2 modules in dependency cycles!
This is caused by the move of 8250 RSA code from 8250_port.c (in
8250_base.ko) into 8250_rsa.c (in 8250.ko) by the commit 5a128fb475fb
("serial: 8250: move RSA functions to 8250_rsa.c"). The commit
b20d6576cdb3 ("serial: 8250: export RSA functions") tried to fix a
missing symbol issue with EXPORTs but those then cause this dependency
cycle.
Break dependency loop by moving 8250_rsa.o from 8250.ko to 8250_base.ko
and by passing univ8250_port_base_ops to univ8250_rsa_support() that
can make a local copy of it.
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Reported-by: Alex Davis <alex47794@gmail.com>
Fixes: 5a128fb475fb ("serial: 8250: move RSA functions to 8250_rsa.c")
Fixes: b20d6576cdb3 ("serial: 8250: export RSA functions")
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/all/87frc3sd8d.fsf@posteo.net/
Link: https://lore.kernel.org/all/CADiockCvM6v+d+UoFZpJSMoLAdpy99_h-hJdzUsdfaWGn3W7-g@mail.gmail.com/
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://patch.msgid.link/20251110105043.4062-1-ilpo.jarvinen@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250.h | 4 ++--
drivers/tty/serial/8250/8250_platform.c | 2 +-
drivers/tty/serial/8250/8250_rsa.c | 26 +++++++++++++++++---------
drivers/tty/serial/8250/Makefile | 2 +-
4 files changed, 21 insertions(+), 13 deletions(-)
--- a/drivers/tty/serial/8250/8250.h
+++ b/drivers/tty/serial/8250/8250.h
@@ -317,13 +317,13 @@ static inline void serial8250_pnp_exit(v
#endif
#ifdef CONFIG_SERIAL_8250_RSA
-void univ8250_rsa_support(struct uart_ops *ops);
+void univ8250_rsa_support(struct uart_ops *ops, const struct uart_ops *core_ops);
void rsa_enable(struct uart_8250_port *up);
void rsa_disable(struct uart_8250_port *up);
void rsa_autoconfig(struct uart_8250_port *up);
void rsa_reset(struct uart_8250_port *up);
#else
-static inline void univ8250_rsa_support(struct uart_ops *ops) { }
+static inline void univ8250_rsa_support(struct uart_ops *ops, const struct uart_ops *core_ops) { }
static inline void rsa_enable(struct uart_8250_port *up) {}
static inline void rsa_disable(struct uart_8250_port *up) {}
static inline void rsa_autoconfig(struct uart_8250_port *up) {}
--- a/drivers/tty/serial/8250/8250_platform.c
+++ b/drivers/tty/serial/8250/8250_platform.c
@@ -74,7 +74,7 @@ static void __init __serial8250_isa_init
/* chain base port ops to support Remote Supervisor Adapter */
univ8250_port_ops = *univ8250_port_base_ops;
- univ8250_rsa_support(&univ8250_port_ops);
+ univ8250_rsa_support(&univ8250_port_ops, univ8250_port_base_ops);
if (share_irqs)
irqflag = IRQF_SHARED;
--- a/drivers/tty/serial/8250/8250_rsa.c
+++ b/drivers/tty/serial/8250/8250_rsa.c
@@ -14,6 +14,8 @@
static unsigned long probe_rsa[PORT_RSA_MAX];
static unsigned int probe_rsa_count;
+static const struct uart_ops *core_port_base_ops;
+
static int rsa8250_request_resource(struct uart_8250_port *up)
{
struct uart_port *port = &up->port;
@@ -67,7 +69,7 @@ static void univ8250_config_port(struct
}
}
- univ8250_port_base_ops->config_port(port, flags);
+ core_port_base_ops->config_port(port, flags);
if (port->type != PORT_RSA && up->probe & UART_PROBE_RSA)
rsa8250_release_resource(up);
@@ -78,11 +80,11 @@ static int univ8250_request_port(struct
struct uart_8250_port *up = up_to_u8250p(port);
int ret;
- ret = univ8250_port_base_ops->request_port(port);
+ ret = core_port_base_ops->request_port(port);
if (ret == 0 && port->type == PORT_RSA) {
ret = rsa8250_request_resource(up);
if (ret < 0)
- univ8250_port_base_ops->release_port(port);
+ core_port_base_ops->release_port(port);
}
return ret;
@@ -94,15 +96,25 @@ static void univ8250_release_port(struct
if (port->type == PORT_RSA)
rsa8250_release_resource(up);
- univ8250_port_base_ops->release_port(port);
+ core_port_base_ops->release_port(port);
}
-void univ8250_rsa_support(struct uart_ops *ops)
+/*
+ * It is not allowed to directly reference any symbols from 8250.ko here as
+ * that would result in a dependency loop between the 8250.ko and
+ * 8250_base.ko modules. This function is called from 8250.ko and is used to
+ * break the symbolic dependency cycle. Anything that is needed from 8250.ko
+ * has to be passed as pointers to this function which then can adjust those
+ * variables on 8250.ko side or store them locally as needed.
+ */
+void univ8250_rsa_support(struct uart_ops *ops, const struct uart_ops *core_ops)
{
+ core_port_base_ops = core_ops;
ops->config_port = univ8250_config_port;
ops->request_port = univ8250_request_port;
ops->release_port = univ8250_release_port;
}
+EXPORT_SYMBOL_FOR_MODULES(univ8250_rsa_support, "8250");
module_param_hw_array(probe_rsa, ulong, ioport, &probe_rsa_count, 0444);
MODULE_PARM_DESC(probe_rsa, "Probe I/O ports for RSA");
@@ -147,7 +159,6 @@ void rsa_enable(struct uart_8250_port *u
if (up->port.uartclk == SERIAL_RSA_BAUD_BASE * 16)
serial_out(up, UART_RSA_FRR, 0);
}
-EXPORT_SYMBOL_FOR_MODULES(rsa_enable, "8250_base");
/*
* Attempts to turn off the RSA FIFO and resets the RSA board back to 115kbps compat mode. It is
@@ -179,7 +190,6 @@ void rsa_disable(struct uart_8250_port *
up->port.uartclk = SERIAL_RSA_BAUD_BASE_LO * 16;
uart_port_unlock_irq(&up->port);
}
-EXPORT_SYMBOL_FOR_MODULES(rsa_disable, "8250_base");
void rsa_autoconfig(struct uart_8250_port *up)
{
@@ -192,7 +202,6 @@ void rsa_autoconfig(struct uart_8250_por
if (__rsa_enable(up))
up->port.type = PORT_RSA;
}
-EXPORT_SYMBOL_FOR_MODULES(rsa_autoconfig, "8250_base");
void rsa_reset(struct uart_8250_port *up)
{
@@ -201,7 +210,6 @@ void rsa_reset(struct uart_8250_port *up
serial_out(up, UART_RSA_FRR, 0);
}
-EXPORT_SYMBOL_FOR_MODULES(rsa_reset, "8250_base");
#ifdef CONFIG_SERIAL_8250_DEPRECATED_OPTIONS
#ifndef MODULE
--- a/drivers/tty/serial/8250/Makefile
+++ b/drivers/tty/serial/8250/Makefile
@@ -7,7 +7,6 @@ obj-$(CONFIG_SERIAL_8250) += 8250.o
8250-y := 8250_core.o
8250-y += 8250_platform.o
8250-$(CONFIG_SERIAL_8250_PNP) += 8250_pnp.o
-8250-$(CONFIG_SERIAL_8250_RSA) += 8250_rsa.o
obj-$(CONFIG_SERIAL_8250) += 8250_base.o
8250_base-y := 8250_port.o
@@ -15,6 +14,7 @@ obj-$(CONFIG_SERIAL_8250) += 8250_base.
8250_base-$(CONFIG_SERIAL_8250_DWLIB) += 8250_dwlib.o
8250_base-$(CONFIG_SERIAL_8250_FINTEK) += 8250_fintek.o
8250_base-$(CONFIG_SERIAL_8250_PCILIB) += 8250_pcilib.o
+8250_base-$(CONFIG_SERIAL_8250_RSA) += 8250_rsa.o
obj-$(CONFIG_SERIAL_8250_CONSOLE) += 8250_early.o
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 108/146] serial: amba-pl011: prefer dma_mapping_error() over explicit address checking
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 107/146] serial: 8250: Fix 8250_rsa symbol loop Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 109/146] most: usb: fix double free on late probe failure Greg Kroah-Hartman
` (51 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Miaoqian Lin,
Gregory CLEMENT
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit eb4917f557d43c7a1c805dd73ffcdfddb2aba39a upstream.
Check for returned DMA addresses using specialized dma_mapping_error()
helper which is generally recommended for this purpose by
Documentation/core-api/dma-api.rst:
"In some circumstances dma_map_single(), ...
will fail to create a mapping. A driver can check for these errors
by testing the returned DMA address with dma_mapping_error()."
Found via static analysis and this is similar to commit fa0308134d26
("ALSA: memalloc: prefer dma_mapping_error() over explicit address checking")
Fixes: 58ac1b379979 ("ARM: PL011: Fix DMA support")
Cc: stable <stable@kernel.org>
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Link: https://patch.msgid.link/20251027092053.87937-1-linmq006@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/amba-pl011.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c
index 22939841b1de..7f17d288c807 100644
--- a/drivers/tty/serial/amba-pl011.c
+++ b/drivers/tty/serial/amba-pl011.c
@@ -628,7 +628,7 @@ static int pl011_dma_tx_refill(struct uart_amba_port *uap)
dmatx->len = count;
dmatx->dma = dma_map_single(dma_dev->dev, dmatx->buf, count,
DMA_TO_DEVICE);
- if (dmatx->dma == DMA_MAPPING_ERROR) {
+ if (dma_mapping_error(dma_dev->dev, dmatx->dma)) {
uap->dmatx.queued = false;
dev_dbg(uap->port.dev, "unable to map TX DMA\n");
return -EBUSY;
--
2.52.0
^ permalink raw reply related [flat|nested] 173+ messages in thread* [PATCH 6.17 109/146] most: usb: fix double free on late probe failure
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 108/146] serial: amba-pl011: prefer dma_mapping_error() over explicit address checking Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 110/146] usb: cdns3: Fix double resource release in cdns3_pci_probe Greg Kroah-Hartman
` (50 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Gromm, Victoria Votokina,
Johan Hovold
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit baadf2a5c26e802a46573eaad331b427b49aaa36 upstream.
The MOST subsystem has a non-standard registration function which frees
the interface on registration failures and on deregistration.
This unsurprisingly leads to bugs in the MOST drivers, and a couple of
recent changes turned a reference underflow and use-after-free in the
USB driver into several double free and a use-after-free on late probe
failures.
Fixes: 723de0f9171e ("staging: most: remove device from interface structure")
Fixes: 4b1270902609 ("most: usb: Fix use-after-free in hdm_disconnect")
Fixes: a8cc9e5fcb0e ("most: usb: hdm_probe: Fix calling put_device() before device initialization")
Cc: stable@vger.kernel.org
Cc: Christian Gromm <christian.gromm@microchip.com>
Cc: Victoria Votokina <Victoria.Votokina@kaspersky.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20251029093029.28922-1-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/most/most_usb.c | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)
--- a/drivers/most/most_usb.c
+++ b/drivers/most/most_usb.c
@@ -1058,7 +1058,7 @@ hdm_probe(struct usb_interface *interfac
ret = most_register_interface(&mdev->iface);
if (ret)
- goto err_free_busy_urbs;
+ return ret;
mutex_lock(&mdev->io_mutex);
if (le16_to_cpu(usb_dev->descriptor.idProduct) == USB_DEV_ID_OS81118 ||
@@ -1068,8 +1068,7 @@ hdm_probe(struct usb_interface *interfac
if (!mdev->dci) {
mutex_unlock(&mdev->io_mutex);
most_deregister_interface(&mdev->iface);
- ret = -ENOMEM;
- goto err_free_busy_urbs;
+ return -ENOMEM;
}
mdev->dci->dev.init_name = "dci";
@@ -1078,18 +1077,15 @@ hdm_probe(struct usb_interface *interfac
mdev->dci->dev.release = release_dci;
if (device_register(&mdev->dci->dev)) {
mutex_unlock(&mdev->io_mutex);
+ put_device(&mdev->dci->dev);
most_deregister_interface(&mdev->iface);
- ret = -ENOMEM;
- goto err_free_dci;
+ return -ENOMEM;
}
mdev->dci->usb_device = mdev->usb_device;
}
mutex_unlock(&mdev->io_mutex);
return 0;
-err_free_dci:
- put_device(&mdev->dci->dev);
-err_free_busy_urbs:
- kfree(mdev->busy_urbs);
+
err_free_ep_address:
kfree(mdev->ep_address);
err_free_cap:
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 110/146] usb: cdns3: Fix double resource release in cdns3_pci_probe
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 109/146] most: usb: fix double free on late probe failure Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 111/146] usb: gadget: f_eem: Fix memory leak in eem_unwrap Greg Kroah-Hartman
` (49 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Miaoqian Lin, Peter Chen
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit 1ec39d2cd88dac2e7cdbac248762f1f057971c5d upstream.
The driver uses pcim_enable_device() to enable the PCI device,
the device will be automatically disabled on driver detach through
the managed device framework. The manual pci_disable_device() calls
in the error paths are therefore redundant and should be removed.
Found via static anlaysis and this is similar to commit 99ca0b57e49f
("thermal: intel: int340x: processor: Fix warning during module unload").
Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://patch.msgid.link/20251026090859.33107-1-linmq006@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/cdns3/cdns3-pci-wrap.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
--- a/drivers/usb/cdns3/cdns3-pci-wrap.c
+++ b/drivers/usb/cdns3/cdns3-pci-wrap.c
@@ -98,10 +98,8 @@ static int cdns3_pci_probe(struct pci_de
wrap = pci_get_drvdata(func);
} else {
wrap = kzalloc(sizeof(*wrap), GFP_KERNEL);
- if (!wrap) {
- pci_disable_device(pdev);
+ if (!wrap)
return -ENOMEM;
- }
}
res = wrap->dev_res;
@@ -160,7 +158,6 @@ static int cdns3_pci_probe(struct pci_de
/* register platform device */
wrap->plat_dev = platform_device_register_full(&plat_info);
if (IS_ERR(wrap->plat_dev)) {
- pci_disable_device(pdev);
err = PTR_ERR(wrap->plat_dev);
kfree(wrap);
return err;
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 111/146] usb: gadget: f_eem: Fix memory leak in eem_unwrap
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 110/146] usb: cdns3: Fix double resource release in cdns3_pci_probe Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 112/146] usb: renesas_usbhs: Fix synchronous external abort on unbind Greg Kroah-Hartman
` (48 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Kuen-Han Tsai
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuen-Han Tsai <khtsai@google.com>
commit e4f5ce990818d37930cd9fb0be29eee0553c59d9 upstream.
The existing code did not handle the failure case of usb_ep_queue in the
command path, potentially leading to memory leaks.
Improve error handling to free all allocated resources on usb_ep_queue
failure. This patch continues to use goto logic for error handling, as the
existing error handling is complex and not easily adaptable to auto-cleanup
helpers.
kmemleak results:
unreferenced object 0xffffff895a512300 (size 240):
backtrace:
slab_post_alloc_hook+0xbc/0x3a4
kmem_cache_alloc+0x1b4/0x358
skb_clone+0x90/0xd8
eem_unwrap+0x1cc/0x36c
unreferenced object 0xffffff8a157f4000 (size 256):
backtrace:
slab_post_alloc_hook+0xbc/0x3a4
__kmem_cache_alloc_node+0x1b4/0x2dc
kmalloc_trace+0x48/0x140
dwc3_gadget_ep_alloc_request+0x58/0x11c
usb_ep_alloc_request+0x40/0xe4
eem_unwrap+0x204/0x36c
unreferenced object 0xffffff8aadbaac00 (size 128):
backtrace:
slab_post_alloc_hook+0xbc/0x3a4
__kmem_cache_alloc_node+0x1b4/0x2dc
__kmalloc+0x64/0x1a8
eem_unwrap+0x218/0x36c
unreferenced object 0xffffff89ccef3500 (size 64):
backtrace:
slab_post_alloc_hook+0xbc/0x3a4
__kmem_cache_alloc_node+0x1b4/0x2dc
kmalloc_trace+0x48/0x140
eem_unwrap+0x238/0x36c
Fixes: 4249d6fbc10f ("usb: gadget: eem: fix echo command packet response issue")
Cc: stable@kernel.org
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://patch.msgid.link/20251103121814.1559719-1-khtsai@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_eem.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/usb/gadget/function/f_eem.c
+++ b/drivers/usb/gadget/function/f_eem.c
@@ -477,8 +477,13 @@ static int eem_unwrap(struct gether *por
req->complete = eem_cmd_complete;
req->zero = 1;
req->context = ctx;
- if (usb_ep_queue(port->in_ep, req, GFP_ATOMIC))
+ if (usb_ep_queue(port->in_ep, req, GFP_ATOMIC)) {
DBG(cdev, "echo response queue fail\n");
+ kfree(ctx);
+ kfree(req->buf);
+ usb_ep_free_request(ep, req);
+ dev_kfree_skb_any(skb2);
+ }
break;
case 1: /* echo response */
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 112/146] usb: renesas_usbhs: Fix synchronous external abort on unbind
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 111/146] usb: gadget: f_eem: Fix memory leak in eem_unwrap Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 113/146] usb: storage: Fix memory leak in USB bulk transport Greg Kroah-Hartman
` (47 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Claudiu Beznea
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
commit eb9ac779830b2235847b72cb15cf07c7e3333c5e upstream.
A synchronous external abort occurs on the Renesas RZ/G3S SoC if unbind is
executed after the configuration sequence described above:
modprobe usb_f_ecm
modprobe libcomposite
modprobe configfs
cd /sys/kernel/config/usb_gadget
mkdir -p g1
cd g1
echo "0x1d6b" > idVendor
echo "0x0104" > idProduct
mkdir -p strings/0x409
echo "0123456789" > strings/0x409/serialnumber
echo "Renesas." > strings/0x409/manufacturer
echo "Ethernet Gadget" > strings/0x409/product
mkdir -p functions/ecm.usb0
mkdir -p configs/c.1
mkdir -p configs/c.1/strings/0x409
echo "ECM" > configs/c.1/strings/0x409/configuration
if [ ! -L configs/c.1/ecm.usb0 ]; then
ln -s functions/ecm.usb0 configs/c.1
fi
echo 11e20000.usb > UDC
echo 11e20000.usb > /sys/bus/platform/drivers/renesas_usbhs/unbind
The displayed trace is as follows:
Internal error: synchronous external abort: 0000000096000010 [#1] SMP
CPU: 0 UID: 0 PID: 188 Comm: sh Tainted: G M 6.17.0-rc7-next-20250922-00010-g41050493b2bd #55 PREEMPT
Tainted: [M]=MACHINE_CHECK
Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT)
pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs]
lr : usbhsg_update_pullup+0x3c/0x68 [renesas_usbhs]
sp : ffff8000838b3920
x29: ffff8000838b3920 x28: ffff00000d585780 x27: 0000000000000000
x26: 0000000000000000 x25: 0000000000000000 x24: ffff00000c3e3810
x23: ffff00000d5e5c80 x22: ffff00000d5e5d40 x21: 0000000000000000
x20: 0000000000000000 x19: ffff00000d5e5c80 x18: 0000000000000020
x17: 2e30303230316531 x16: 312d7968703a7968 x15: 3d454d414e5f4344
x14: 000000000000002c x13: 0000000000000000 x12: 0000000000000000
x11: ffff00000f358f38 x10: ffff00000f358db0 x9 : ffff00000b41f418
x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d
x5 : 8080808000000000 x4 : 000000004b5ccb9d x3 : 0000000000000000
x2 : 0000000000000000 x1 : ffff800083790000 x0 : ffff00000d5e5c80
Call trace:
usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] (P)
usbhsg_pullup+0x4c/0x7c [renesas_usbhs]
usb_gadget_disconnect_locked+0x48/0xd4
gadget_unbind_driver+0x44/0x114
device_remove+0x4c/0x80
device_release_driver_internal+0x1c8/0x224
device_release_driver+0x18/0x24
bus_remove_device+0xcc/0x10c
device_del+0x14c/0x404
usb_del_gadget+0x88/0xc0
usb_del_gadget_udc+0x18/0x30
usbhs_mod_gadget_remove+0x24/0x44 [renesas_usbhs]
usbhs_mod_remove+0x20/0x30 [renesas_usbhs]
usbhs_remove+0x98/0xdc [renesas_usbhs]
platform_remove+0x20/0x30
device_remove+0x4c/0x80
device_release_driver_internal+0x1c8/0x224
device_driver_detach+0x18/0x24
unbind_store+0xb4/0xb8
drv_attr_store+0x24/0x38
sysfs_kf_write+0x7c/0x94
kernfs_fop_write_iter+0x128/0x1b8
vfs_write+0x2ac/0x350
ksys_write+0x68/0xfc
__arm64_sys_write+0x1c/0x28
invoke_syscall+0x48/0x110
el0_svc_common.constprop.0+0xc0/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x34/0xf0
el0t_64_sync_handler+0xa0/0xe4
el0t_64_sync+0x198/0x19c
Code: 7100003f 1a9f07e1 531c6c22 f9400001 (79400021)
---[ end trace 0000000000000000 ]---
note: sh[188] exited with irqs disabled
note: sh[188] exited with preempt_count 1
The issue occurs because usbhs_sys_function_pullup(), which accesses the IP
registers, is executed after the USBHS clocks have been disabled. The
problem is reproducible on the Renesas RZ/G3S SoC starting with the
addition of module stop in the clock enable/disable APIs. With module stop
functionality enabled, a bus error is expected if a master accesses a
module whose clock has been stopped and module stop activated.
Disable the IP clocks at the end of remove.
Cc: stable <stable@kernel.org>
Fixes: f1407d5c6624 ("usb: renesas_usbhs: Add Renesas USBHS common code")
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Link: https://patch.msgid.link/20251027140741.557198-1-claudiu.beznea.uj@bp.renesas.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/renesas_usbhs/common.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/drivers/usb/renesas_usbhs/common.c
+++ b/drivers/usb/renesas_usbhs/common.c
@@ -809,18 +809,18 @@ static void usbhs_remove(struct platform
flush_delayed_work(&priv->notify_hotplug_work);
- /* power off */
- if (!usbhs_get_dparam(priv, runtime_pwctrl))
- usbhsc_power_ctrl(priv, 0);
-
- pm_runtime_disable(&pdev->dev);
-
usbhs_platform_call(priv, hardware_exit, pdev);
- usbhsc_clk_put(priv);
reset_control_assert(priv->rsts);
usbhs_mod_remove(priv);
usbhs_fifo_remove(priv);
usbhs_pipe_remove(priv);
+
+ /* power off */
+ if (!usbhs_get_dparam(priv, runtime_pwctrl))
+ usbhsc_power_ctrl(priv, 0);
+
+ usbhsc_clk_put(priv);
+ pm_runtime_disable(&pdev->dev);
}
static int usbhsc_suspend(struct device *dev)
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 113/146] usb: storage: Fix memory leak in USB bulk transport
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 112/146] usb: renesas_usbhs: Fix synchronous external abort on unbind Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 114/146] USB: storage: Remove subclass and protocol overrides from Novatek quirk Greg Kroah-Hartman
` (46 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Desnes Nunes, Alan Stern
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Desnes Nunes <desnesn@redhat.com>
commit 41e99fe2005182139b1058db71f0d241f8f0078c upstream.
A kernel memory leak was identified by the 'ioctl_sg01' test from Linux
Test Project (LTP). The following bytes were mainly observed: 0x53425355.
When USB storage devices incorrectly skip the data phase with status data,
the code extracts/validates the CSW from the sg buffer, but fails to clear
it afterwards. This leaves status protocol data in srb's transfer buffer,
such as the US_BULK_CS_SIGN 'USBS' signature observed here. Thus, this can
lead to USB protocols leaks to user space through SCSI generic (/dev/sg*)
interfaces, such as the one seen here when the LTP test requested 512 KiB.
Fix the leak by zeroing the CSW data in srb's transfer buffer immediately
after the validation of devices that skip data phase.
Note: Differently from CVE-2018-1000204, which fixed a big leak by zero-
ing pages at allocation time, this leak occurs after allocation, when USB
protocol data is written to already-allocated sg pages.
Fixes: a45b599ad808 ("scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()")
Cc: stable <stable@kernel.org>
Signed-off-by: Desnes Nunes <desnesn@redhat.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://patch.msgid.link/20251031043436.55929-1-desnesn@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/transport.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/drivers/usb/storage/transport.c
+++ b/drivers/usb/storage/transport.c
@@ -1200,7 +1200,23 @@ int usb_stor_Bulk_transport(struct scsi_
US_BULK_CS_WRAP_LEN &&
bcs->Signature ==
cpu_to_le32(US_BULK_CS_SIGN)) {
+ unsigned char buf[US_BULK_CS_WRAP_LEN];
+
usb_stor_dbg(us, "Device skipped data phase\n");
+
+ /*
+ * Devices skipping data phase might leave CSW data in srb's
+ * transfer buffer. Zero it to prevent USB protocol leakage.
+ */
+ sg = NULL;
+ offset = 0;
+ memset(buf, 0, sizeof(buf));
+ if (usb_stor_access_xfer_buf(buf,
+ US_BULK_CS_WRAP_LEN, srb, &sg,
+ &offset, TO_XFER_BUF) !=
+ US_BULK_CS_WRAP_LEN)
+ usb_stor_dbg(us, "Failed to clear CSW data\n");
+
scsi_set_resid(srb, transfer_length);
goto skipped_data_phase;
}
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 114/146] USB: storage: Remove subclass and protocol overrides from Novatek quirk
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 113/146] usb: storage: Fix memory leak in USB bulk transport Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 115/146] usb: storage: sddr55: Reject out-of-bound new_pba Greg Kroah-Hartman
` (45 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stealth, Alan Stern, stable
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit df5fde297e617041449f603ed5f646861c80000b upstream.
A report from Oleg Smirnov indicates that the unusual_devs quirks
entry for the Novatek camera does not need to override the subclass
and protocol parameters:
[3266355.209532] usb 1-3: new high-speed USB device number 10 using xhci_hcd
[3266355.333031] usb 1-3: New USB device found, idVendor=0603, idProduct=8611, bcdDevice= 1.00
[3266355.333040] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[3266355.333043] usb 1-3: Product: YICARCAM
[3266355.333045] usb 1-3: Manufacturer: XIAO-YI
[3266355.333047] usb 1-3: SerialNumber: 966110000000100
[3266355.338621] usb-storage 1-3:1.0: USB Mass Storage device detected
[3266355.338817] usb-storage 1-3:1.0: Quirks match for vid 0603 pid 8611: 4000
[3266355.338821] usb-storage 1-3:1.0: This device (0603,8611,0100 S 06 P 50) has unneeded SubClass and Protocol entries in unusual_devs.h (kernel 6.16.10-arch1-1)
Please send a copy of this message to
<linux-usb@vger.kernel.org> and <usb-storage@lists.one-eyed-alien.net>
The overrides are harmless but they do provoke the driver into logging
this annoying message. Update the entry to remove the unneeded entries.
Reported-by: stealth <oleg.smirnov.1988@gmail.com>
Closes: https://lore.kernel.org/CAKxjRRxhC0s19iEWoN=pEMqXJ_z8w_moC0GCXSqSKCcOddnWjQ@mail.gmail.com/
Fixes: 6ca8af3c8fb5 ("USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera")
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/b440f177-f0b8-4d5a-8f7b-10855d4424ee@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/unusual_devs.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -938,7 +938,7 @@ UNUSUAL_DEV( 0x05e3, 0x0723, 0x9451, 0x
UNUSUAL_DEV( 0x0603, 0x8611, 0x0000, 0xffff,
"Novatek",
"NTK96550-based camera",
- USB_SC_SCSI, USB_PR_BULK, NULL,
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_BULK_IGNORE_TAG ),
/*
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 115/146] usb: storage: sddr55: Reject out-of-bound new_pba
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 114/146] USB: storage: Remove subclass and protocol overrides from Novatek quirk Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 116/146] usb: typec: ucsi: psy: Set max current to zero when disconnected Greg Kroah-Hartman
` (44 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tianchu Chen, stable
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tianchu Chen <flynnnchen@tencent.com>
commit b59d4fda7e7d0aff1043a7f742487cb829f5aac1 upstream.
Discovered by Atuin - Automated Vulnerability Discovery Engine.
new_pba comes from the status packet returned after each write.
A bogus device could report values beyond the block count derived
from info->capacity, letting the driver walk off the end of
pba_to_lba[] and corrupt heap memory.
Reject PBAs that exceed the computed block count and fail the
transfer so we avoid touching out-of-range mapping entries.
Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/B2DC73A3EE1E3A1D+202511161322001664687@tencent.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/sddr55.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/usb/storage/sddr55.c
+++ b/drivers/usb/storage/sddr55.c
@@ -469,6 +469,12 @@ static int sddr55_write_data(struct us_d
new_pba = (status[3] + (status[4] << 8) + (status[5] << 16))
>> info->blockshift;
+ /* check if device-reported new_pba is out of range */
+ if (new_pba >= (info->capacity >> (info->blockshift + info->pageshift))) {
+ result = USB_STOR_TRANSPORT_FAILED;
+ goto leave;
+ }
+
/* check status for error */
if (status[0] == 0xff && status[1] == 0x4) {
info->pba_to_lba[new_pba] = BAD_BLOCK;
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 116/146] usb: typec: ucsi: psy: Set max current to zero when disconnected
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 115/146] usb: storage: sddr55: Reject out-of-bound new_pba Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 117/146] usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer Greg Kroah-Hartman
` (43 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jameson Thies, Benson Leung,
Heikki Krogerus, Sebastian Reichel, Kenneth R. Crudup
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jameson Thies <jthies@google.com>
commit 23379a17334fc24c4a9cbd9967d33dcd9323cc7c upstream.
The ucsi_psy_get_current_max function defaults to 0.1A when it is not
clear how much current the partner device can support. But this does
not check the port is connected, and will report 0.1A max current when
nothing is connected. Update ucsi_psy_get_current_max to report 0A when
there is no connection.
Fixes: af833e7f7db3 ("usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default")
Cc: stable@vger.kernel.org
Signed-off-by: Jameson Thies <jthies@google.com>
Reviewed-by: Benson Leung <bleung@chromium.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Tested-by: Kenneth R. Crudup <kenny@panix.com>
Rule: add
Link: https://lore.kernel.org/stable/20251017000051.2094101-1-jthies%40google.com
Link: https://patch.msgid.link/20251106011446.2052583-1-jthies@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/ucsi/psy.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/usb/typec/ucsi/psy.c
+++ b/drivers/usb/typec/ucsi/psy.c
@@ -145,6 +145,11 @@ static int ucsi_psy_get_current_max(stru
{
u32 pdo;
+ if (!UCSI_CONSTAT(con, CONNECTED)) {
+ val->intval = 0;
+ return 0;
+ }
+
switch (UCSI_CONSTAT(con, PWR_OPMODE)) {
case UCSI_CONSTAT_PWR_OPMODE_PD:
if (con->num_pdos > 0) {
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 117/146] usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 116/146] usb: typec: ucsi: psy: Set max current to zero when disconnected Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 118/146] usb: dwc3: pci: add support for the Intel Nova Lake -S Greg Kroah-Hartman
` (42 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Yu Chen, Owen Gu,
Oliver Neukum
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Owen Gu <guhuinan@xiaomi.com>
commit 26d56a9fcb2014b99e654127960aa0a48a391e3c upstream.
When a UAS device is unplugged during data transfer, there is
a probability of a system panic occurring. The root cause is
an access to an invalid memory address during URB callback handling.
Specifically, this happens when the dma_direct_unmap_sg() function
is called within the usb_hcd_unmap_urb_for_dma() interface, but the
sg->dma_address field is 0 and the sg data structure has already been
freed.
The SCSI driver sends transfer commands by invoking uas_queuecommand_lck()
in uas.c, using the uas_submit_urbs() function to submit requests to USB.
Within the uas_submit_urbs() implementation, three URBs (sense_urb,
data_urb, and cmd_urb) are sequentially submitted. Device removal may
occur at any point during uas_submit_urbs execution, which may result
in URB submission failure. However, some URBs might have been successfully
submitted before the failure, and uas_submit_urbs will return the -ENODEV
error code in this case. The current error handling directly calls
scsi_done(). In the SCSI driver, this eventually triggers scsi_complete()
to invoke scsi_end_request() for releasing the sgtable. The successfully
submitted URBs, when being unlinked to giveback, call
usb_hcd_unmap_urb_for_dma() in hcd.c, leading to exceptions during sg
unmapping operations since the sg data structure has already been freed.
This patch modifies the error condition check in the uas_submit_urbs()
function. When a UAS device is removed but one or more URBs have already
been successfully submitted to USB, it avoids immediately invoking
scsi_done() and save the cmnd to devinfo->cmnd array. If the successfully
submitted URBs is completed before devinfo->resetting being set, then
the scsi_done() function will be called within uas_try_complete() after
all pending URB operations are finalized. Otherwise, the scsi_done()
function will be called within uas_zap_pending(), which is executed after
usb_kill_anchored_urbs().
The error handling only takes effect when uas_queuecommand_lck() calls
uas_submit_urbs() and returns the error value -ENODEV . In this case,
the device is disconnected, and the flow proceeds to uas_disconnect(),
where uas_zap_pending() is invoked to call uas_try_complete().
Fixes: eb2a86ae8c54 ("USB: UAS: fix disconnect by unplugging a hub")
Cc: stable <stable@kernel.org>
Signed-off-by: Yu Chen <chenyu45@xiaomi.com>
Signed-off-by: Owen Gu <guhuinan@xiaomi.com>
Acked-by: Oliver Neukum <oneukum@suse.com>
Link: https://patch.msgid.link/20251120123336.3328-1-guhuinan@xiaomi.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/uas.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/usb/storage/uas.c
+++ b/drivers/usb/storage/uas.c
@@ -698,6 +698,10 @@ static int uas_queuecommand_lck(struct s
* of queueing, no matter how fatal the error
*/
if (err == -ENODEV) {
+ if (cmdinfo->state & (COMMAND_INFLIGHT | DATA_IN_URB_INFLIGHT |
+ DATA_OUT_URB_INFLIGHT))
+ goto out;
+
set_host_byte(cmnd, DID_NO_CONNECT);
scsi_done(cmnd);
goto zombie;
@@ -711,6 +715,7 @@ static int uas_queuecommand_lck(struct s
uas_add_work(cmnd);
}
+out:
devinfo->cmnd[idx] = cmnd;
zombie:
spin_unlock_irqrestore(&devinfo->lock, flags);
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 118/146] usb: dwc3: pci: add support for the Intel Nova Lake -S
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 117/146] usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 119/146] usb: dwc3: pci: Sort out the Intel device IDs Greg Kroah-Hartman
` (41 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Heikki Krogerus, stable,
Thinh Nguyen
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
commit c57ce99ec6cb55b53910b6b3d7437f80159ff9d8 upstream.
This patch adds the necessary PCI ID for Intel Nova Lake -S
devices.
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Cc: stable <stable@kernel.org>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://patch.msgid.link/20251106115926.2317877-1-heikki.krogerus@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/dwc3-pci.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/dwc3/dwc3-pci.c
+++ b/drivers/usb/dwc3/dwc3-pci.c
@@ -53,6 +53,7 @@
#define PCI_DEVICE_ID_INTEL_MTLP 0x7ec1
#define PCI_DEVICE_ID_INTEL_MTLS 0x7f6f
#define PCI_DEVICE_ID_INTEL_MTL 0x7e7e
+#define PCI_DEVICE_ID_INTEL_NVLS_PCH 0x6e6f
#define PCI_DEVICE_ID_INTEL_ARLH_PCH 0x777e
#define PCI_DEVICE_ID_INTEL_TGL 0x9a15
#define PCI_DEVICE_ID_INTEL_PTLH 0xe332
@@ -443,6 +444,7 @@ static const struct pci_device_id dwc3_p
{ PCI_DEVICE_DATA(INTEL, MTLM, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, MTLP, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, MTL, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, NVLS_PCH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, MTLS, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, ARLH_PCH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, TGL, &dwc3_pci_intel_swnode) },
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 119/146] usb: dwc3: pci: Sort out the Intel device IDs
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 118/146] usb: dwc3: pci: add support for the Intel Nova Lake -S Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 120/146] usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths Greg Kroah-Hartman
` (40 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thinh Nguyen, stable,
Heikki Krogerus
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
commit 46b28d2fbd13148981d91246bc0e13f4fc055987 upstream.
The PCI device IDs were organised based on the Intel
architecture generation in most cases, but not with every
ID. That left the device ID table with no real order.
Sorting the table based on the device ID.
Suggested-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://patch.msgid.link/20251107121548.2702900-1-heikki.krogerus@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/dwc3-pci.c | 82 ++++++++++++++++++++++----------------------
1 file changed, 41 insertions(+), 41 deletions(-)
--- a/drivers/usb/dwc3/dwc3-pci.c
+++ b/drivers/usb/dwc3/dwc3-pci.c
@@ -21,41 +21,41 @@
#include <linux/acpi.h>
#include <linux/delay.h>
+#define PCI_DEVICE_ID_INTEL_CMLLP 0x02ee
+#define PCI_DEVICE_ID_INTEL_CMLH 0x06ee
+#define PCI_DEVICE_ID_INTEL_BXT 0x0aaa
#define PCI_DEVICE_ID_INTEL_BYT 0x0f37
#define PCI_DEVICE_ID_INTEL_MRFLD 0x119e
-#define PCI_DEVICE_ID_INTEL_BSW 0x22b7
-#define PCI_DEVICE_ID_INTEL_SPTLP 0x9d30
-#define PCI_DEVICE_ID_INTEL_SPTH 0xa130
-#define PCI_DEVICE_ID_INTEL_BXT 0x0aaa
#define PCI_DEVICE_ID_INTEL_BXT_M 0x1aaa
-#define PCI_DEVICE_ID_INTEL_APL 0x5aaa
-#define PCI_DEVICE_ID_INTEL_KBP 0xa2b0
-#define PCI_DEVICE_ID_INTEL_CMLLP 0x02ee
-#define PCI_DEVICE_ID_INTEL_CMLH 0x06ee
+#define PCI_DEVICE_ID_INTEL_BSW 0x22b7
#define PCI_DEVICE_ID_INTEL_GLK 0x31aa
-#define PCI_DEVICE_ID_INTEL_CNPLP 0x9dee
-#define PCI_DEVICE_ID_INTEL_CNPH 0xa36e
-#define PCI_DEVICE_ID_INTEL_CNPV 0xa3b0
#define PCI_DEVICE_ID_INTEL_ICLLP 0x34ee
-#define PCI_DEVICE_ID_INTEL_EHL 0x4b7e
-#define PCI_DEVICE_ID_INTEL_TGPLP 0xa0ee
#define PCI_DEVICE_ID_INTEL_TGPH 0x43ee
-#define PCI_DEVICE_ID_INTEL_JSP 0x4dee
-#define PCI_DEVICE_ID_INTEL_WCL 0x4d7e
#define PCI_DEVICE_ID_INTEL_ADL 0x460e
-#define PCI_DEVICE_ID_INTEL_ADL_PCH 0x51ee
#define PCI_DEVICE_ID_INTEL_ADLN 0x465e
+#define PCI_DEVICE_ID_INTEL_EHL 0x4b7e
+#define PCI_DEVICE_ID_INTEL_WCL 0x4d7e
+#define PCI_DEVICE_ID_INTEL_JSP 0x4dee
+#define PCI_DEVICE_ID_INTEL_ADL_PCH 0x51ee
#define PCI_DEVICE_ID_INTEL_ADLN_PCH 0x54ee
-#define PCI_DEVICE_ID_INTEL_ADLS 0x7ae1
-#define PCI_DEVICE_ID_INTEL_RPL 0xa70e
+#define PCI_DEVICE_ID_INTEL_APL 0x5aaa
+#define PCI_DEVICE_ID_INTEL_NVLS_PCH 0x6e6f
+#define PCI_DEVICE_ID_INTEL_ARLH_PCH 0x777e
#define PCI_DEVICE_ID_INTEL_RPLS 0x7a61
+#define PCI_DEVICE_ID_INTEL_MTL 0x7e7e
+#define PCI_DEVICE_ID_INTEL_ADLS 0x7ae1
#define PCI_DEVICE_ID_INTEL_MTLM 0x7eb1
#define PCI_DEVICE_ID_INTEL_MTLP 0x7ec1
#define PCI_DEVICE_ID_INTEL_MTLS 0x7f6f
-#define PCI_DEVICE_ID_INTEL_MTL 0x7e7e
-#define PCI_DEVICE_ID_INTEL_NVLS_PCH 0x6e6f
-#define PCI_DEVICE_ID_INTEL_ARLH_PCH 0x777e
#define PCI_DEVICE_ID_INTEL_TGL 0x9a15
+#define PCI_DEVICE_ID_INTEL_SPTLP 0x9d30
+#define PCI_DEVICE_ID_INTEL_CNPLP 0x9dee
+#define PCI_DEVICE_ID_INTEL_TGPLP 0xa0ee
+#define PCI_DEVICE_ID_INTEL_SPTH 0xa130
+#define PCI_DEVICE_ID_INTEL_KBP 0xa2b0
+#define PCI_DEVICE_ID_INTEL_CNPH 0xa36e
+#define PCI_DEVICE_ID_INTEL_CNPV 0xa3b0
+#define PCI_DEVICE_ID_INTEL_RPL 0xa70e
#define PCI_DEVICE_ID_INTEL_PTLH 0xe332
#define PCI_DEVICE_ID_INTEL_PTLH_PCH 0xe37e
#define PCI_DEVICE_ID_INTEL_PTLU 0xe432
@@ -413,41 +413,41 @@ static void dwc3_pci_remove(struct pci_d
}
static const struct pci_device_id dwc3_pci_id_table[] = {
- { PCI_DEVICE_DATA(INTEL, BSW, &dwc3_pci_intel_swnode) },
- { PCI_DEVICE_DATA(INTEL, BYT, &dwc3_pci_intel_byt_swnode) },
- { PCI_DEVICE_DATA(INTEL, MRFLD, &dwc3_pci_intel_mrfld_swnode) },
{ PCI_DEVICE_DATA(INTEL, CMLLP, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, CMLH, &dwc3_pci_intel_swnode) },
- { PCI_DEVICE_DATA(INTEL, SPTLP, &dwc3_pci_intel_swnode) },
- { PCI_DEVICE_DATA(INTEL, SPTH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, BXT, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, BYT, &dwc3_pci_intel_byt_swnode) },
+ { PCI_DEVICE_DATA(INTEL, MRFLD, &dwc3_pci_intel_mrfld_swnode) },
{ PCI_DEVICE_DATA(INTEL, BXT_M, &dwc3_pci_intel_swnode) },
- { PCI_DEVICE_DATA(INTEL, APL, &dwc3_pci_intel_swnode) },
- { PCI_DEVICE_DATA(INTEL, KBP, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, BSW, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, GLK, &dwc3_pci_intel_swnode) },
- { PCI_DEVICE_DATA(INTEL, CNPLP, &dwc3_pci_intel_swnode) },
- { PCI_DEVICE_DATA(INTEL, CNPH, &dwc3_pci_intel_swnode) },
- { PCI_DEVICE_DATA(INTEL, CNPV, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, ICLLP, &dwc3_pci_intel_swnode) },
- { PCI_DEVICE_DATA(INTEL, EHL, &dwc3_pci_intel_swnode) },
- { PCI_DEVICE_DATA(INTEL, TGPLP, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, TGPH, &dwc3_pci_intel_swnode) },
- { PCI_DEVICE_DATA(INTEL, JSP, &dwc3_pci_intel_swnode) },
- { PCI_DEVICE_DATA(INTEL, WCL, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, ADL, &dwc3_pci_intel_swnode) },
- { PCI_DEVICE_DATA(INTEL, ADL_PCH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, ADLN, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, EHL, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, WCL, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, JSP, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, ADL_PCH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, ADLN_PCH, &dwc3_pci_intel_swnode) },
- { PCI_DEVICE_DATA(INTEL, ADLS, &dwc3_pci_intel_swnode) },
- { PCI_DEVICE_DATA(INTEL, RPL, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, APL, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, NVLS_PCH, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, ARLH_PCH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, RPLS, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, MTL, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, ADLS, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, MTLM, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, MTLP, &dwc3_pci_intel_swnode) },
- { PCI_DEVICE_DATA(INTEL, MTL, &dwc3_pci_intel_swnode) },
- { PCI_DEVICE_DATA(INTEL, NVLS_PCH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, MTLS, &dwc3_pci_intel_swnode) },
- { PCI_DEVICE_DATA(INTEL, ARLH_PCH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, TGL, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, SPTLP, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, CNPLP, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, TGPLP, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, SPTH, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, KBP, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, CNPH, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, CNPV, &dwc3_pci_intel_swnode) },
+ { PCI_DEVICE_DATA(INTEL, RPL, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, PTLH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, PTLH_PCH, &dwc3_pci_intel_swnode) },
{ PCI_DEVICE_DATA(INTEL, PTLU, &dwc3_pci_intel_swnode) },
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 120/146] usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 119/146] usb: dwc3: pci: Sort out the Intel device IDs Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 121/146] xhci: fix stale flag preventig URBs after link state error is cleared Greg Kroah-Hartman
` (39 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Thinh Nguyen, Manish Nagar
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manish Nagar <manish.nagar@oss.qualcomm.com>
commit e4037689a366743c4233966f0e74bc455820d316 upstream.
This patch addresses a race condition caused by unsynchronized
execution of multiple call paths invoking `dwc3_remove_requests()`,
leading to premature freeing of USB requests and subsequent crashes.
Three distinct execution paths interact with `dwc3_remove_requests()`:
Path 1:
Triggered via `dwc3_gadget_reset_interrupt()` during USB reset
handling. The call stack includes:
- `dwc3_ep0_reset_state()`
- `dwc3_ep0_stall_and_restart()`
- `dwc3_ep0_out_start()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`
Path 2:
Also initiated from `dwc3_gadget_reset_interrupt()`, but through
`dwc3_stop_active_transfers()`. The call stack includes:
- `dwc3_stop_active_transfers()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`
Path 3:
Occurs independently during `adb root` execution, which triggers
USB function unbind and bind operations. The sequence includes:
- `gserial_disconnect()`
- `usb_ep_disable()`
- `dwc3_gadget_ep_disable()`
- `dwc3_remove_requests()` with `-ESHUTDOWN` status
Path 3 operates asynchronously and lacks synchronization with Paths
1 and 2. When Path 3 completes, it disables endpoints and frees 'out'
requests. If Paths 1 or 2 are still processing these requests,
accessing freed memory leads to a crash due to use-after-free conditions.
To fix this added check for request completion and skip processing
if already completed and added the request status for ep0 while queue.
Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
Cc: stable <stable@kernel.org>
Suggested-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Manish Nagar <manish.nagar@oss.qualcomm.com>
Link: https://patch.msgid.link/20251120074435.1983091-1-manish.nagar@oss.qualcomm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/ep0.c | 1 +
drivers/usb/dwc3/gadget.c | 7 +++++++
2 files changed, 8 insertions(+)
--- a/drivers/usb/dwc3/ep0.c
+++ b/drivers/usb/dwc3/ep0.c
@@ -94,6 +94,7 @@ static int __dwc3_gadget_ep0_queue(struc
req->request.actual = 0;
req->request.status = -EINPROGRESS;
req->epnum = dep->number;
+ req->status = DWC3_REQUEST_STATUS_QUEUED;
list_add_tail(&req->list, &dep->pending_list);
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -228,6 +228,13 @@ void dwc3_gadget_giveback(struct dwc3_ep
{
struct dwc3 *dwc = dep->dwc;
+ /*
+ * The request might have been processed and completed while the
+ * spinlock was released. Skip processing if already completed.
+ */
+ if (req->status == DWC3_REQUEST_STATUS_COMPLETED)
+ return;
+
dwc3_gadget_del_and_unmap_request(dep, req, status);
req->status = DWC3_REQUEST_STATUS_COMPLETED;
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 121/146] xhci: fix stale flag preventig URBs after link state error is cleared
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 120/146] usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 122/146] xhci: dbgtty: Fix data corruption when transmitting data form DbC to host Greg Kroah-Hartman
` (38 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mathias Nyman
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit b69dfcab6894b1fed5362a364411502a7469fce3 upstream.
A usb device caught behind a link in ss.Inactive error state needs to
be reset to recover. A VDEV_PORT_ERROR flag is used to track this state,
preventing new transfers from being queued until error is cleared.
This flag may be left uncleared if link goes to error state between two
resets, and print the following message:
"xhci_hcd 0000:00:14.0: Can't queue urb, port error, link inactive"
Fix setting and clearing the flag.
The flag is cleared after hub driver has successfully reset the device
when hcd->reset_device is called. xhci-hcd issues an internal "reset
device" command in this callback, and clear all flags once the command
completes successfully.
This command may complete with a context state error if slot was recently
reset and is already in the defauilt state. This is treated as a success
but flag was left uncleared.
The link state field is also unreliable if port is currently in reset,
so don't set the flag in active reset cases.
Also clear the flag immediately when link is no longer in ss.Inactive
state and port event handler detects a completed reset.
This issue was discovered while debugging kernel bugzilla issue 220491.
It is likely one small part of the problem, causing some of the failures,
but root cause remains unknown
Link: https://bugzilla.kernel.org/show_bug.cgi?id=220491
Fixes: b8c3b718087b ("usb: xhci: Don't try to recover an endpoint if port is in error state.")
Cc: stable@vger.kernel.org
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://patch.msgid.link/20251107162819.1362579-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-ring.c | 15 ++++++++++-----
drivers/usb/host/xhci.c | 1 +
2 files changed, 11 insertions(+), 5 deletions(-)
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1984,6 +1984,7 @@ static void xhci_cavium_reset_phy_quirk(
static void handle_port_status(struct xhci_hcd *xhci, union xhci_trb *event)
{
+ struct xhci_virt_device *vdev = NULL;
struct usb_hcd *hcd;
u32 port_id;
u32 portsc, cmd_reg;
@@ -2015,6 +2016,9 @@ static void handle_port_status(struct xh
goto cleanup;
}
+ if (port->slot_id)
+ vdev = xhci->devs[port->slot_id];
+
/* We might get interrupts after shared_hcd is removed */
if (port->rhub == &xhci->usb3_rhub && xhci->shared_hcd == NULL) {
xhci_dbg(xhci, "ignore port event for removed USB3 hcd\n");
@@ -2037,10 +2041,11 @@ static void handle_port_status(struct xh
usb_hcd_resume_root_hub(hcd);
}
- if (hcd->speed >= HCD_USB3 &&
- (portsc & PORT_PLS_MASK) == XDEV_INACTIVE) {
- if (port->slot_id && xhci->devs[port->slot_id])
- xhci->devs[port->slot_id]->flags |= VDEV_PORT_ERROR;
+ if (vdev && (portsc & PORT_PLS_MASK) == XDEV_INACTIVE) {
+ if (!(portsc & PORT_RESET))
+ vdev->flags |= VDEV_PORT_ERROR;
+ } else if (vdev && portsc & PORT_RC) {
+ vdev->flags &= ~VDEV_PORT_ERROR;
}
if ((portsc & PORT_PLC) && (portsc & PORT_PLS_MASK) == XDEV_RESUME) {
@@ -2098,7 +2103,7 @@ static void handle_port_status(struct xh
* so the roothub behavior is consistent with external
* USB 3.0 hub behavior.
*/
- if (port->slot_id && xhci->devs[port->slot_id])
+ if (vdev)
xhci_ring_device(xhci, port->slot_id);
if (bus_state->port_remote_wakeup & (1 << hcd_portnum)) {
xhci_test_and_clear_bit(xhci, port, PORT_PLC);
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -3993,6 +3993,7 @@ static int xhci_discover_or_reset_device
xhci_get_slot_state(xhci, virt_dev->out_ctx));
xhci_dbg(xhci, "Not freeing device rings.\n");
/* Don't treat this as an error. May change my mind later. */
+ virt_dev->flags = 0;
ret = 0;
goto command_cleanup;
case COMP_SUCCESS:
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 122/146] xhci: dbgtty: Fix data corruption when transmitting data form DbC to host
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 121/146] xhci: fix stale flag preventig URBs after link state error is cleared Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 123/146] xhci: dbgtty: fix device unregister Greg Kroah-Hartman
` (37 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Łukasz Bartosik, Mathias Nyman
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit f6bb3b67be9af0cfb90075c60850b6af5338a508 upstream.
Data read from a DbC device may be corrupted due to a race between
ongoing write and write request completion handler both queuing new
transfer blocks (TRBs) if there are remining data in the kfifo.
TRBs may be in incorrct order compared to the data in the kfifo.
Driver fails to keep lock between reading data from kfifo into a
dbc request buffer, and queuing the request to the transfer ring.
This allows completed request to re-queue itself in the middle of
an ongoing transfer loop, forcing itself between a kfifo read and
request TRB write of another request
cpu0 cpu1 (re-queue completed req2)
lock(port_lock)
dbc_start_tx()
kfifo_out(fifo, req1->buffer)
unlock(port_lock)
lock(port_lock)
dbc_write_complete(req2)
dbc_start_tx()
kfifo_out(fifo, req2->buffer)
unlock(port_lock)
lock(port_lock)
req2->trb = ring->enqueue;
ring->enqueue++
unlock(port_lock)
lock(port_lock)
req1->trb = ring->enqueue;
ring->enqueue++
unlock(port_lock)
In the above scenario a kfifo containing "12345678" would read "1234" to
req1 and "5678" to req2, but req2 is queued before req1 leading to
data being transmitted as "56781234"
Solve this by adding a flag that prevents starting a new tx if we
are already mid dbc_start_tx() during the unlocked part.
The already running dbc_do_start_tx() will make sure the newly completed
request gets re-queued as it is added to the request write_pool while
holding the lock.
Cc: stable@vger.kernel.org
Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver")
Tested-by: Łukasz Bartosik <ukaszb@chromium.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://patch.msgid.link/20251107162819.1362579-3-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-dbgcap.h | 1 +
drivers/usb/host/xhci-dbgtty.c | 17 ++++++++++++++++-
2 files changed, 17 insertions(+), 1 deletion(-)
--- a/drivers/usb/host/xhci-dbgcap.h
+++ b/drivers/usb/host/xhci-dbgcap.h
@@ -114,6 +114,7 @@ struct dbc_port {
unsigned int tx_boundary;
bool registered;
+ bool tx_running;
};
struct dbc_driver {
--- a/drivers/usb/host/xhci-dbgtty.c
+++ b/drivers/usb/host/xhci-dbgtty.c
@@ -47,7 +47,7 @@ dbc_kfifo_to_req(struct dbc_port *port,
return len;
}
-static int dbc_start_tx(struct dbc_port *port)
+static int dbc_do_start_tx(struct dbc_port *port)
__releases(&port->port_lock)
__acquires(&port->port_lock)
{
@@ -57,6 +57,8 @@ static int dbc_start_tx(struct dbc_port
bool do_tty_wake = false;
struct list_head *pool = &port->write_pool;
+ port->tx_running = true;
+
while (!list_empty(pool)) {
req = list_entry(pool->next, struct dbc_request, list_pool);
len = dbc_kfifo_to_req(port, req->buf);
@@ -77,12 +79,25 @@ static int dbc_start_tx(struct dbc_port
}
}
+ port->tx_running = false;
+
if (do_tty_wake && port->port.tty)
tty_wakeup(port->port.tty);
return status;
}
+/* must be called with port->port_lock held */
+static int dbc_start_tx(struct dbc_port *port)
+{
+ lockdep_assert_held(&port->port_lock);
+
+ if (port->tx_running)
+ return -EBUSY;
+
+ return dbc_do_start_tx(port);
+}
+
static void dbc_start_rx(struct dbc_port *port)
__releases(&port->port_lock)
__acquires(&port->port_lock)
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 123/146] xhci: dbgtty: fix device unregister
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 122/146] xhci: dbgtty: Fix data corruption when transmitting data form DbC to host Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 124/146] USB: serial: ftdi_sio: add support for u-blox EVK-M101 Greg Kroah-Hartman
` (36 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Łukasz Bartosik
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Łukasz Bartosik <ukaszb@chromium.org>
commit 1f73b8b56cf35de29a433aee7bfff26cea98be3f upstream.
When DbC is disconnected then xhci_dbc_tty_unregister_device()
is called. However if there is any user space process blocked
on write to DbC terminal device then it will never be signalled
and thus stay blocked indifinitely.
This fix adds a tty_vhangup() call in xhci_dbc_tty_unregister_device().
The tty_vhangup() wakes up any blocked writers and causes subsequent
write attempts to DbC terminal device to fail.
Cc: stable <stable@kernel.org>
Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver")
Signed-off-by: Łukasz Bartosik <ukaszb@chromium.org>
Link: https://patch.msgid.link/20251119212910.1245694-1-ukaszb@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-dbgtty.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/usb/host/xhci-dbgtty.c
+++ b/drivers/usb/host/xhci-dbgtty.c
@@ -550,6 +550,12 @@ static void xhci_dbc_tty_unregister_devi
if (!port->registered)
return;
+ /*
+ * Hang up the TTY. This wakes up any blocked
+ * writers and causes subsequent writes to fail.
+ */
+ tty_vhangup(port->port.tty);
+
tty_unregister_device(dbc_tty_driver, port->minor);
xhci_dbc_tty_exit_port(port);
port->registered = false;
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 124/146] USB: serial: ftdi_sio: add support for u-blox EVK-M101
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 123/146] xhci: dbgtty: fix device unregister Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 125/146] USB: serial: option: add support for Rolling RW101R-GL Greg Kroah-Hartman
` (35 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oleksandr Suvorov, Johan Hovold
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleksandr Suvorov <cryosay@gmail.com>
commit 2d8ab771d5316de64f3bb920b82575c58eb00b1b upstream.
The U-Blox EVK-M101 enumerates as 1546:0506 [1] with four FTDI interfaces:
- EVK-M101 current sensors
- EVK-M101 I2C
- EVK-M101 UART
- EVK-M101 port D
Only the third USB interface is a UART. This change lets ftdi_sio probe
the VID/PID and registers only interface #3 as a TTY, leaving the rest
available for other drivers.
[1]
usb 5-1.3: new high-speed USB device number 11 using xhci_hcd
usb 5-1.3: New USB device found, idVendor=1546, idProduct=0506, bcdDevice= 8.00
usb 5-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 5-1.3: Product: EVK-M101
usb 5-1.3: Manufacturer: u-blox AG
Datasheet: https://content.u-blox.com/sites/default/files/documents/EVK-M10_UserGuide_UBX-21003949.pdf
Signed-off-by: Oleksandr Suvorov <cryosay@gmail.com>
Link: https://lore.kernel.org/20250926060235.3442748-1-cryosay@gmail.com/
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/ftdi_sio.c | 1 +
drivers/usb/serial/ftdi_sio_ids.h | 1 +
2 files changed, 2 insertions(+)
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1074,6 +1074,7 @@ static const struct usb_device_id id_tab
/* U-Blox devices */
{ USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ZED_PID) },
{ USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ODIN_PID) },
+ { USB_DEVICE_INTERFACE_NUMBER(UBLOX_VID, UBLOX_EVK_M101_PID, 2) },
/* FreeCalypso USB adapters */
{ USB_DEVICE(FTDI_VID, FTDI_FALCONIA_JTAG_BUF_PID),
.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -1614,6 +1614,7 @@
#define UBLOX_VID 0x1546
#define UBLOX_C099F9P_ZED_PID 0x0502
#define UBLOX_C099F9P_ODIN_PID 0x0503
+#define UBLOX_EVK_M101_PID 0x0506
/*
* GMC devices
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 125/146] USB: serial: option: add support for Rolling RW101R-GL
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 124/146] USB: serial: ftdi_sio: add support for u-blox EVK-M101 Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 126/146] drm: sti: fix device leaks at component probe Greg Kroah-Hartman
` (34 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vanillan Wang, Johan Hovold
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vanillan Wang <vanillanwang@163.com>
commit 523bf0a59e674b52e4b5607a2aba655fbfa20ff2 upstream.
- VID:PID 33f8:0301, RW101R-GL for laptop debug M.2 cards (with MBIM
interface for Linux/Chrome OS)
0x0301: mbim, pipe
T: Bus=04 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0
D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1
P: Vendor=33f8 ProdID=0301 Rev=05.04
S: Manufacturer=Rolling Wireless S.a.r.l.
S: Product=Rolling RW101R-GL Module
S: SerialNumber=3ec4efdf
C: #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=896mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option
E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
- VID:PID 33f8:01a8, RW101R-GL for laptop debug M.2 cards (with MBIM
interface for Linux/Chrome OS)
0x01a8: mbim, diag, AT, ADB, pipe1, pipe2
T: Bus=04 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0
D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1
P: Vendor=33f8 ProdID=01a8 Rev=05.04
S: Manufacturer=Rolling Wireless S.a.r.l.
S: Product=Rolling RW101R-GL Module
S: SerialNumber=3ec4efdf
C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=896mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option
E: Ad=05(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=88(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=89(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
- VID:PID 33f8:0302, RW101R-GL for laptop debug M.2 cards (with MBIM
interface for Linux/Chrome OS)
0x0302: mbim, pipe
T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 6 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=33f8 ProdID=0302 Rev=05.04
S: Manufacturer=Rolling Wireless S.a.r.l.
S: Product=Rolling RW101R-GL Module
S: SerialNumber=3ec4efdf
C: #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
- VID:PID 33f8:01a9, RW101R-GL for laptop debug M.2 cards (with MBIM
interface for Linux/Chrome OS)
0x01a9: mbim, diag, AT, ADB, pipe1, pipe2
T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=33f8 ProdID=01a9 Rev=05.04
S: Manufacturer=Rolling Wireless S.a.r.l.
S: Product=Rolling RW101R-GL Module
S: SerialNumber=3ec4efdf
C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=89(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
Signed-off-by: Vanillan Wang <vanillanwang@163.com>
Cc: stable@vger.kernel.org
[ johan: sort vendor entries, edit commit message slightly ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -2424,12 +2424,18 @@ static const struct usb_device_id option
{ USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1406, 0xff) }, /* GosunCn GM500 ECM/NCM */
{ USB_DEVICE(0x33f8, 0x0104), /* Rolling RW101-GL (laptop RMNET) */
.driver_info = RSVD(4) | RSVD(5) },
+ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0115, 0xff), /* Rolling RW135-GL (laptop MBIM) */
+ .driver_info = RSVD(5) },
{ USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x01a2, 0xff) }, /* Rolling RW101-GL (laptop MBIM) */
{ USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x01a3, 0xff) }, /* Rolling RW101-GL (laptop MBIM) */
{ USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x01a4, 0xff), /* Rolling RW101-GL (laptop MBIM) */
.driver_info = RSVD(4) },
- { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0115, 0xff), /* Rolling RW135-GL (laptop MBIM) */
- .driver_info = RSVD(5) },
+ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x01a8, 0xff), /* Rolling RW101R-GL (laptop MBIM) */
+ .driver_info = RSVD(4) },
+ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x01a9, 0xff), /* Rolling RW101R-GL (laptop MBIM) */
+ .driver_info = RSVD(4) },
+ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0301, 0xff) }, /* Rolling RW101R-GL (laptop MBIM) */
+ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0302, 0xff) }, /* Rolling RW101R-GL (laptop MBIM) */
{ USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0802, 0xff), /* Rolling RW350-GL (laptop MBIM) */
.driver_info = RSVD(5) },
{ USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x30) }, /* NetPrisma LCUK54-WWD for Global */
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 126/146] drm: sti: fix device leaks at component probe
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 125/146] USB: serial: option: add support for Rolling RW101R-GL Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 127/146] drm/i915/psr: Reject async flips when selective fetch is enabled Greg Kroah-Hartman
` (33 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Gaignard, Johan Hovold,
Raphael Gallais-Pou
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 620a8f131154250f6a64a07d049a4f235d6451a5 upstream.
Make sure to drop the references taken to the vtg devices by
of_find_device_by_node() when looking up their driver data during
component probe.
Note that holding a reference to a platform device does not prevent its
driver data from going away so there is no point in keeping the
reference after the lookup helper returns.
Fixes: cc6b741c6f63 ("drm: sti: remove useless fields from vtg structure")
Cc: stable@vger.kernel.org # 4.16
Cc: Benjamin Gaignard <benjamin.gaignard@collabora.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20250922122012.27407-1-johan@kernel.org
Signed-off-by: Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/sti/sti_vtg.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/sti/sti_vtg.c
+++ b/drivers/gpu/drm/sti/sti_vtg.c
@@ -143,12 +143,17 @@ struct sti_vtg {
struct sti_vtg *of_vtg_find(struct device_node *np)
{
struct platform_device *pdev;
+ struct sti_vtg *vtg;
pdev = of_find_device_by_node(np);
if (!pdev)
return NULL;
- return (struct sti_vtg *)platform_get_drvdata(pdev);
+ vtg = platform_get_drvdata(pdev);
+
+ put_device(&pdev->dev);
+
+ return vtg;
}
static void vtg_reset(struct sti_vtg *vtg)
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 127/146] drm/i915/psr: Reject async flips when selective fetch is enabled
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 126/146] drm: sti: fix device leaks at component probe Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 128/146] drm/xe/guc: Fix stack_depot usage Greg Kroah-Hartman
` (32 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ville Syrjälä,
Jouni Högander, Rodrigo Vivi
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
commit 7c373b3bd03c77fe8f6ea206ed49375eb4d43d13 upstream.
The selective fetch code doesn't handle asycn flips correctly.
There is a nonsense check for async flips in
intel_psr2_sel_fetch_config_valid() but that only gets called
for modesets/fastsets and thus does nothing for async flips.
Currently intel_async_flip_check_hw() is very unhappy as the
selective fetch code pulls in planes that are not even async
flips capable.
Reject async flips when selective fetch is enabled, until
someone fixes this properly (ie. disable selective fetch while
async flips are being issued).
Cc: stable@vger.kernel.org
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patch.msgid.link/20251105171015.22234-1-ville.syrjala@linux.intel.com
Reviewed-by: Jouni Högander <jouni.hogander@intel.com>
(cherry picked from commit a5f0cc8e0cd4007370af6985cb152001310cf20c)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/display/intel_display.c | 8 ++++++++
drivers/gpu/drm/i915/display/intel_psr.c | 6 ------
2 files changed, 8 insertions(+), 6 deletions(-)
--- a/drivers/gpu/drm/i915/display/intel_display.c
+++ b/drivers/gpu/drm/i915/display/intel_display.c
@@ -5958,6 +5958,14 @@ static int intel_async_flip_check_uapi(s
return -EINVAL;
}
+ /* FIXME: selective fetch should be disabled for async flips */
+ if (new_crtc_state->enable_psr2_sel_fetch) {
+ drm_dbg_kms(display->drm,
+ "[CRTC:%d:%s] async flip disallowed with PSR2 selective fetch\n",
+ crtc->base.base.id, crtc->base.name);
+ return -EINVAL;
+ }
+
for_each_oldnew_intel_plane_in_state(state, plane, old_plane_state,
new_plane_state, i) {
if (plane->pipe != crtc->pipe)
--- a/drivers/gpu/drm/i915/display/intel_psr.c
+++ b/drivers/gpu/drm/i915/display/intel_psr.c
@@ -1274,12 +1274,6 @@ static bool intel_psr2_sel_fetch_config_
return false;
}
- if (crtc_state->uapi.async_flip) {
- drm_dbg_kms(display->drm,
- "PSR2 sel fetch not enabled, async flip enabled\n");
- return false;
- }
-
return crtc_state->enable_psr2_sel_fetch = true;
}
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 128/146] drm/xe/guc: Fix stack_depot usage
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 127/146] drm/i915/psr: Reject async flips when selective fetch is enabled Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 129/146] drm/amdgpu: attach tlb fence to the PTs update Greg Kroah-Hartman
` (31 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sagar Ghuge, Stuart Summers,
Lucas De Marchi
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lucas De Marchi <lucas.demarchi@intel.com>
commit 0e234632e39bd21dd28ffc9ba3ae8eec4deb949c upstream.
Add missing stack_depot_init() call when CONFIG_DRM_XE_DEBUG_GUC is
enabled to fix the following call stack:
[] BUG: kernel NULL pointer dereference, address: 0000000000000000
[] Workqueue: drm_sched_run_job_work [gpu_sched]
[] RIP: 0010:stack_depot_save_flags+0x172/0x870
[] Call Trace:
[] <TASK>
[] fast_req_track+0x58/0xb0 [xe]
Fixes: 16b7e65d299d ("drm/xe/guc: Track FAST_REQ H2Gs to report where errors came from")
Tested-by: Sagar Ghuge <sagar.ghuge@intel.com>
Cc: stable@vger.kernel.org # v6.17+
Reviewed-by: Stuart Summers <stuart.summers@intel.com>
Link: https://patch.msgid.link/20251118-fix-debug-guc-v1-1-9f780c6bedf8@intel.com
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
(cherry picked from commit 64fdf496a6929a0a194387d2bb5efaf5da2b542f)
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/xe/xe_guc_ct.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/gpu/drm/xe/xe_guc_ct.c
+++ b/drivers/gpu/drm/xe/xe_guc_ct.c
@@ -237,6 +237,9 @@ int xe_guc_ct_init_noalloc(struct xe_guc
#if IS_ENABLED(CONFIG_DRM_XE_DEBUG)
spin_lock_init(&ct->dead.lock);
INIT_WORK(&ct->dead.worker, ct_dead_worker_func);
+#if IS_ENABLED(CONFIG_DRM_XE_DEBUG_GUC)
+ stack_depot_init();
+#endif
#endif
init_waitqueue_head(&ct->wq);
init_waitqueue_head(&ct->g2h_fence_wq);
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 129/146] drm/amdgpu: attach tlb fence to the PTs update
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 128/146] drm/xe/guc: Fix stack_depot usage Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 16:03 ` Christian König
2025-12-03 15:28 ` [PATCH 6.17 130/146] drm/amd/amdgpu: reserve vm invalidation engine for uni_mes Greg Kroah-Hartman
` (30 subsequent siblings)
159 siblings, 1 reply; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Prike Liang,
Alex Deucher
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prike Liang <Prike.Liang@amd.com>
commit b4a7f4e7ad2b120a94f3111f92a11520052c762d upstream.
Ensure the userq TLB flush is emitted only after
the VM update finishes and the PT BOs have been
annotated with bookkeeping fences.
Suggested-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Prike Liang <Prike.Liang@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit f3854e04b708d73276c4488231a8bd66d30b4671)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
@@ -1056,7 +1056,7 @@ amdgpu_vm_tlb_flush(struct amdgpu_vm_upd
}
/* Prepare a TLB flush fence to be attached to PTs */
- if (!params->unlocked && vm->is_compute_context) {
+ if (!params->unlocked) {
amdgpu_vm_tlb_fence_create(params->adev, vm, fence);
/* Makes sure no PD/PT is freed before the flush */
^ permalink raw reply [flat|nested] 173+ messages in thread* Re: [PATCH 6.17 129/146] drm/amdgpu: attach tlb fence to the PTs update
2025-12-03 15:28 ` [PATCH 6.17 129/146] drm/amdgpu: attach tlb fence to the PTs update Greg Kroah-Hartman
@ 2025-12-03 16:03 ` Christian König
2025-12-03 16:24 ` Greg Kroah-Hartman
2025-12-03 16:48 ` Deucher, Alexander
0 siblings, 2 replies; 173+ messages in thread
From: Christian König @ 2025-12-03 16:03 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable; +Cc: patches, Prike Liang, Alex Deucher
Oh, wait a second, that one should clearly *not* be backported!
@Alex or do we have userqueue support working on 6.17? I don't think so.
Regards,
Christian.
On 12/3/25 16:28, Greg Kroah-Hartman wrote:
> 6.17-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Prike Liang <Prike.Liang@amd.com>
>
> commit b4a7f4e7ad2b120a94f3111f92a11520052c762d upstream.
>
> Ensure the userq TLB flush is emitted only after
> the VM update finishes and the PT BOs have been
> annotated with bookkeeping fences.
>
> Suggested-by: Christian König <christian.koenig@amd.com>
> Signed-off-by: Prike Liang <Prike.Liang@amd.com>
> Reviewed-by: Christian König <christian.koenig@amd.com>
> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
> (cherry picked from commit f3854e04b708d73276c4488231a8bd66d30b4671)
> Cc: stable@vger.kernel.org
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
> @@ -1056,7 +1056,7 @@ amdgpu_vm_tlb_flush(struct amdgpu_vm_upd
> }
>
> /* Prepare a TLB flush fence to be attached to PTs */
> - if (!params->unlocked && vm->is_compute_context) {
> + if (!params->unlocked) {
> amdgpu_vm_tlb_fence_create(params->adev, vm, fence);
>
> /* Makes sure no PD/PT is freed before the flush */
>
>
^ permalink raw reply [flat|nested] 173+ messages in thread* Re: [PATCH 6.17 129/146] drm/amdgpu: attach tlb fence to the PTs update
2025-12-03 16:03 ` Christian König
@ 2025-12-03 16:24 ` Greg Kroah-Hartman
2025-12-04 8:07 ` Christian König
2025-12-03 16:48 ` Deucher, Alexander
1 sibling, 1 reply; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 16:24 UTC (permalink / raw)
To: Christian König; +Cc: stable, patches, Prike Liang, Alex Deucher
On Wed, Dec 03, 2025 at 05:03:11PM +0100, Christian König wrote:
> Oh, wait a second, that one should clearly *not* be backported!
Why not, it was explictly asked to be backported:
> > Cc: stable@vger.kernel.org
Did someone add this incorrectly?
confused,
greg k-h
^ permalink raw reply [flat|nested] 173+ messages in thread
* Re: [PATCH 6.17 129/146] drm/amdgpu: attach tlb fence to the PTs update
2025-12-03 16:24 ` Greg Kroah-Hartman
@ 2025-12-04 8:07 ` Christian König
2025-12-04 16:14 ` Greg Kroah-Hartman
0 siblings, 1 reply; 173+ messages in thread
From: Christian König @ 2025-12-04 8:07 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: stable, patches, Prike Liang, Alex Deucher
On 12/3/25 17:24, Greg Kroah-Hartman wrote:
> On Wed, Dec 03, 2025 at 05:03:11PM +0100, Christian König wrote:
>> Oh, wait a second, that one should clearly *not* be backported!
>
> Why not, it was explictly asked to be backported:
>
>>> Cc: stable@vger.kernel.org
>
> Did someone add this incorrectly?
Yes, most likely.
The patch should be backported to 6.17, but not older kernels.
Regards,
Christian.
>
> confused,
>
> greg k-h
^ permalink raw reply [flat|nested] 173+ messages in thread
* Re: [PATCH 6.17 129/146] drm/amdgpu: attach tlb fence to the PTs update
2025-12-04 8:07 ` Christian König
@ 2025-12-04 16:14 ` Greg Kroah-Hartman
0 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-04 16:14 UTC (permalink / raw)
To: Christian König; +Cc: stable, patches, Prike Liang, Alex Deucher
On Thu, Dec 04, 2025 at 09:07:32AM +0100, Christian König wrote:
> On 12/3/25 17:24, Greg Kroah-Hartman wrote:
> > On Wed, Dec 03, 2025 at 05:03:11PM +0100, Christian König wrote:
> >> Oh, wait a second, that one should clearly *not* be backported!
> >
> > Why not, it was explictly asked to be backported:
> >
> >>> Cc: stable@vger.kernel.org
> >
> > Did someone add this incorrectly?
>
> Yes, most likely.
>
> The patch should be backported to 6.17, but not older kernels.
Ok, I'll go drop it from 6.12.y now, thanks.
greg k-h
^ permalink raw reply [flat|nested] 173+ messages in thread
* RE: [PATCH 6.17 129/146] drm/amdgpu: attach tlb fence to the PTs update
2025-12-03 16:03 ` Christian König
2025-12-03 16:24 ` Greg Kroah-Hartman
@ 2025-12-03 16:48 ` Deucher, Alexander
2025-12-08 15:31 ` Deucher, Alexander
1 sibling, 1 reply; 173+ messages in thread
From: Deucher, Alexander @ 2025-12-03 16:48 UTC (permalink / raw)
To: Koenig, Christian, Greg Kroah-Hartman, stable@vger.kernel.org
Cc: patches@lists.linux.dev, Liang, Prike
[Public]
> -----Original Message-----
> From: Koenig, Christian <Christian.Koenig@amd.com>
> Sent: Wednesday, December 3, 2025 11:03 AM
> To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>;
> stable@vger.kernel.org
> Cc: patches@lists.linux.dev; Liang, Prike <Prike.Liang@amd.com>; Deucher,
> Alexander <Alexander.Deucher@amd.com>
> Subject: Re: [PATCH 6.17 129/146] drm/amdgpu: attach tlb fence to the PTs
> update
>
> Oh, wait a second, that one should clearly *not* be backported!
>
> @Alex or do we have userqueue support working on 6.17? I don't think so.
>
Yes, userq support is available in 6.17. That said, this patch did end up causing a regression on SI parts. I've got a fix for that which will land soon.
Alex
> Regards,
> Christian.
>
> On 12/3/25 16:28, Greg Kroah-Hartman wrote:
> > 6.17-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Prike Liang <Prike.Liang@amd.com>
> >
> > commit b4a7f4e7ad2b120a94f3111f92a11520052c762d upstream.
> >
> > Ensure the userq TLB flush is emitted only after the VM update
> > finishes and the PT BOs have been annotated with bookkeeping fences.
> >
> > Suggested-by: Christian König <christian.koenig@amd.com>
> > Signed-off-by: Prike Liang <Prike.Liang@amd.com>
> > Reviewed-by: Christian König <christian.koenig@amd.com>
> > Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked
> > from commit f3854e04b708d73276c4488231a8bd66d30b4671)
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > ---
> > drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
> > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
> > @@ -1056,7 +1056,7 @@ amdgpu_vm_tlb_flush(struct amdgpu_vm_upd
> > }
> >
> > /* Prepare a TLB flush fence to be attached to PTs */
> > - if (!params->unlocked && vm->is_compute_context) {
> > + if (!params->unlocked) {
> > amdgpu_vm_tlb_fence_create(params->adev, vm, fence);
> >
> > /* Makes sure no PD/PT is freed before the flush */
> >
> >
^ permalink raw reply [flat|nested] 173+ messages in thread* RE: [PATCH 6.17 129/146] drm/amdgpu: attach tlb fence to the PTs update
2025-12-03 16:48 ` Deucher, Alexander
@ 2025-12-08 15:31 ` Deucher, Alexander
2025-12-08 23:13 ` Greg Kroah-Hartman
0 siblings, 1 reply; 173+ messages in thread
From: Deucher, Alexander @ 2025-12-08 15:31 UTC (permalink / raw)
To: Koenig, Christian, Greg Kroah-Hartman, stable@vger.kernel.org
Cc: patches@lists.linux.dev, Liang, Prike
[Public]
> -----Original Message-----
> From: Deucher, Alexander
> Sent: Wednesday, December 3, 2025 11:48 AM
> To: Koenig, Christian <Christian.Koenig@amd.com>; Greg Kroah-Hartman
> <gregkh@linuxfoundation.org>; stable@vger.kernel.org
> Cc: patches@lists.linux.dev; Liang, Prike <Prike.Liang@amd.com>
> Subject: RE: [PATCH 6.17 129/146] drm/amdgpu: attach tlb fence to the PTs
> update
>
> > -----Original Message-----
> > From: Koenig, Christian <Christian.Koenig@amd.com>
> > Sent: Wednesday, December 3, 2025 11:03 AM
> > To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>;
> > stable@vger.kernel.org
> > Cc: patches@lists.linux.dev; Liang, Prike <Prike.Liang@amd.com>;
> > Deucher, Alexander <Alexander.Deucher@amd.com>
> > Subject: Re: [PATCH 6.17 129/146] drm/amdgpu: attach tlb fence to the
> > PTs update
> >
> > Oh, wait a second, that one should clearly *not* be backported!
> >
> > @Alex or do we have userqueue support working on 6.17? I don't think so.
> >
>
> Yes, userq support is available in 6.17. That said, this patch did end up causing
> a regression on SI parts. I've got a fix for that which will land soon.
After further investigation this patch and it's upcoming fix should only go to 6.17. Please drop from older stable kernels if it's been queued up on those.
Thanks,
Alex
>
> Alex
>
> > Regards,
> > Christian.
> >
> > On 12/3/25 16:28, Greg Kroah-Hartman wrote:
> > > 6.17-stable review patch. If anyone has any objections, please let me
> know.
> > >
> > > ------------------
> > >
> > > From: Prike Liang <Prike.Liang@amd.com>
> > >
> > > commit b4a7f4e7ad2b120a94f3111f92a11520052c762d upstream.
> > >
> > > Ensure the userq TLB flush is emitted only after the VM update
> > > finishes and the PT BOs have been annotated with bookkeeping fences.
> > >
> > > Suggested-by: Christian König <christian.koenig@amd.com>
> > > Signed-off-by: Prike Liang <Prike.Liang@amd.com>
> > > Reviewed-by: Christian König <christian.koenig@amd.com>
> > > Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry
> > > picked from commit f3854e04b708d73276c4488231a8bd66d30b4671)
> > > Cc: stable@vger.kernel.org
> > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > > ---
> > > drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
> > > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
> > > @@ -1056,7 +1056,7 @@ amdgpu_vm_tlb_flush(struct amdgpu_vm_upd
> > > }
> > >
> > > /* Prepare a TLB flush fence to be attached to PTs */
> > > - if (!params->unlocked && vm->is_compute_context) {
> > > + if (!params->unlocked) {
> > > amdgpu_vm_tlb_fence_create(params->adev, vm, fence);
> > >
> > > /* Makes sure no PD/PT is freed before the flush */
> > >
> > >
^ permalink raw reply [flat|nested] 173+ messages in thread* Re: [PATCH 6.17 129/146] drm/amdgpu: attach tlb fence to the PTs update
2025-12-08 15:31 ` Deucher, Alexander
@ 2025-12-08 23:13 ` Greg Kroah-Hartman
0 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-08 23:13 UTC (permalink / raw)
To: Deucher, Alexander
Cc: Koenig, Christian, stable@vger.kernel.org,
patches@lists.linux.dev, Liang, Prike
On Mon, Dec 08, 2025 at 03:31:05PM +0000, Deucher, Alexander wrote:
> [Public]
>
> > -----Original Message-----
> > From: Deucher, Alexander
> > Sent: Wednesday, December 3, 2025 11:48 AM
> > To: Koenig, Christian <Christian.Koenig@amd.com>; Greg Kroah-Hartman
> > <gregkh@linuxfoundation.org>; stable@vger.kernel.org
> > Cc: patches@lists.linux.dev; Liang, Prike <Prike.Liang@amd.com>
> > Subject: RE: [PATCH 6.17 129/146] drm/amdgpu: attach tlb fence to the PTs
> > update
> >
> > > -----Original Message-----
> > > From: Koenig, Christian <Christian.Koenig@amd.com>
> > > Sent: Wednesday, December 3, 2025 11:03 AM
> > > To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>;
> > > stable@vger.kernel.org
> > > Cc: patches@lists.linux.dev; Liang, Prike <Prike.Liang@amd.com>;
> > > Deucher, Alexander <Alexander.Deucher@amd.com>
> > > Subject: Re: [PATCH 6.17 129/146] drm/amdgpu: attach tlb fence to the
> > > PTs update
> > >
> > > Oh, wait a second, that one should clearly *not* be backported!
> > >
> > > @Alex or do we have userqueue support working on 6.17? I don't think so.
> > >
> >
> > Yes, userq support is available in 6.17. That said, this patch did end up causing
> > a regression on SI parts. I've got a fix for that which will land soon.
>
> After further investigation this patch and it's upcoming fix should
> only go to 6.17. Please drop from older stable kernels if it's been
> queued up on those.
It didn't go anywhere else, so no need to worry :)
thanks for the review.
greg k-h
^ permalink raw reply [flat|nested] 173+ messages in thread
* [PATCH 6.17 130/146] drm/amd/amdgpu: reserve vm invalidation engine for uni_mes
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 129/146] drm/amdgpu: attach tlb fence to the PTs update Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 131/146] drm/amd/display: Check NULL before accessing Greg Kroah-Hartman
` (29 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Chen, Alex Deucher,
Shaoyun liu
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Chen <michael.chen@amd.com>
commit 971fb57429df5aa4e6efc796f7841e0d10b1e83c upstream.
Reserve vm invalidation engine 6 when uni_mes enabled. It
is used in processing tlb flush request from host.
Signed-off-by: Michael Chen <michael.chen@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Shaoyun liu <Shaoyun.liu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 873373739b9b150720ea2c5390b4e904a4d21505)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
@@ -597,6 +597,9 @@ int amdgpu_gmc_allocate_vm_inv_eng(struc
/* reserve engine 5 for firmware */
if (adev->enable_mes)
vm_inv_engs[i] &= ~(1 << 5);
+ /* reserve engine 6 for uni mes */
+ if (adev->enable_uni_mes)
+ vm_inv_engs[i] &= ~(1 << 6);
/* reserve mmhub engine 3 for firmware */
if (adev->enable_umsch_mm)
vm_inv_engs[i] &= ~(1 << 3);
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 131/146] drm/amd/display: Check NULL before accessing
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 130/146] drm/amd/amdgpu: reserve vm invalidation engine for uni_mes Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 132/146] drm/amd/display: Dont change brightness for disabled connectors Greg Kroah-Hartman
` (28 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Alex Deucher,
Aurabindo Pillai, Alex Hung
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Hung <alex.hung@amd.com>
commit 3ce62c189693e8ed7b3abe551802bbc67f3ace54 upstream.
[WHAT]
IGT kms_cursor_legacy's long-nonblocking-modeset-vs-cursor-atomic
fails with NULL pointer dereference. This can be reproduced with
both an eDP panel and a DP monitors connected.
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 13 UID: 0 PID: 2960 Comm: kms_cursor_lega Not tainted
6.16.0-99-custom #8 PREEMPT(voluntary)
Hardware name: AMD ........
RIP: 0010:dc_stream_get_scanoutpos+0x34/0x130 [amdgpu]
Code: 57 4d 89 c7 41 56 49 89 ce 41 55 49 89 d5 41 54 49
89 fc 53 48 83 ec 18 48 8b 87 a0 64 00 00 48 89 75 d0 48 c7 c6 e0 41 30
c2 <48> 8b 38 48 8b 9f 68 06 00 00 e8 8d d7 fd ff 31 c0 48 81 c3 e0 02
RSP: 0018:ffffd0f3c2bd7608 EFLAGS: 00010292
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffd0f3c2bd7668
RDX: ffffd0f3c2bd7664 RSI: ffffffffc23041e0 RDI: ffff8b32494b8000
RBP: ffffd0f3c2bd7648 R08: ffffd0f3c2bd766c R09: ffffd0f3c2bd7760
R10: ffffd0f3c2bd7820 R11: 0000000000000000 R12: ffff8b32494b8000
R13: ffffd0f3c2bd7664 R14: ffffd0f3c2bd7668 R15: ffffd0f3c2bd766c
FS: 000071f631b68700(0000) GS:ffff8b399f114000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000001b8105000 CR4: 0000000000f50ef0
PKRU: 55555554
Call Trace:
<TASK>
dm_crtc_get_scanoutpos+0xd7/0x180 [amdgpu]
amdgpu_display_get_crtc_scanoutpos+0x86/0x1c0 [amdgpu]
? __pfx_amdgpu_crtc_get_scanout_position+0x10/0x10[amdgpu]
amdgpu_crtc_get_scanout_position+0x27/0x50 [amdgpu]
drm_crtc_vblank_helper_get_vblank_timestamp_internal+0xf7/0x400
drm_crtc_vblank_helper_get_vblank_timestamp+0x1c/0x30
drm_crtc_get_last_vbltimestamp+0x55/0x90
drm_crtc_next_vblank_start+0x45/0xa0
drm_atomic_helper_wait_for_fences+0x81/0x1f0
...
Cc: Mario Limonciello <mario.limonciello@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 621e55f1919640acab25383362b96e65f2baea3c)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
@@ -705,9 +705,14 @@ bool dc_stream_get_scanoutpos(const stru
{
uint8_t i;
bool ret = false;
- struct dc *dc = stream->ctx->dc;
- struct resource_context *res_ctx =
- &dc->current_state->res_ctx;
+ struct dc *dc;
+ struct resource_context *res_ctx;
+
+ if (!stream->ctx)
+ return false;
+
+ dc = stream->ctx->dc;
+ res_ctx = &dc->current_state->res_ctx;
dc_exit_ips_for_hw_access(dc);
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 132/146] drm/amd/display: Dont change brightness for disabled connectors
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 131/146] drm/amd/display: Check NULL before accessing Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 133/146] drm/amd/display: Increase EDID read retries Greg Kroah-Hartman
` (27 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Alex Deucher,
Ray Wu, Mario Limonciello (AMD), Alex Hung
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello (AMD) <superm1@kernel.org>
commit 81f4d4ba509522596143fd5d7dc2fc3495296b0a upstream.
[WHY]
When a laptop lid is closed the connector is disabled but userspace
can still try to change brightness. This doesn't work because the
panel is turned off. It will eventually time out, but there is a lot
of stutter along the way.
[How]
Iterate all connectors to check whether the matching one for the backlight
index is enabled.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4675
Cc: Mario Limonciello <mario.limonciello@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Ray Wu <ray.wu@amd.com>
Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit f6eeab30323d1174a4cc022e769d248fe8241304)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -4898,6 +4898,21 @@ static void amdgpu_dm_backlight_set_leve
struct dc_link *link;
u32 brightness;
bool rc, reallow_idle = false;
+ struct drm_connector *connector;
+
+ list_for_each_entry(connector, &dm->ddev->mode_config.connector_list, head) {
+ struct amdgpu_dm_connector *aconnector = to_amdgpu_dm_connector(connector);
+
+ if (aconnector->bl_idx != bl_idx)
+ continue;
+
+ /* if connector is off, save the brightness for next time it's on */
+ if (!aconnector->base.encoder) {
+ dm->brightness[bl_idx] = user_brightness;
+ dm->actual_brightness[bl_idx] = 0;
+ return;
+ }
+ }
amdgpu_dm_update_backlight_caps(dm, bl_idx);
caps = &dm->backlight_caps[bl_idx];
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 133/146] drm/amd/display: Increase EDID read retries
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 132/146] drm/amd/display: Dont change brightness for disabled connectors Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 134/146] net: dsa: microchip: common: Fix checks on irq_find_mapping() Greg Kroah-Hartman
` (26 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Alex Deucher,
Alex Hung, Mario Limonciello (AMD), Dan Wheeler
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello (AMD) <superm1@kernel.org>
commit 8ea902361734c87b82122f9c17830f168ebfc65a upstream.
[WHY]
When monitor is still booting EDID read can fail while DPCD read
is successful. In this case no EDID data will be returned, and this
could happen for a while.
[HOW]
Increase number of attempts to read EDID in dm_helpers_read_local_edid()
to 25.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4672
Cc: Mario Limonciello <mario.limonciello@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit a76d6f2c76c3abac519ba753e2723e6ffe8e461c)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c
@@ -996,8 +996,8 @@ enum dc_edid_status dm_helpers_read_loca
struct amdgpu_dm_connector *aconnector = link->priv;
struct drm_connector *connector = &aconnector->base;
struct i2c_adapter *ddc;
- int retry = 3;
- enum dc_edid_status edid_status;
+ int retry = 25;
+ enum dc_edid_status edid_status = EDID_NO_RESPONSE;
const struct drm_edid *drm_edid;
const struct edid *edid;
@@ -1027,7 +1027,7 @@ enum dc_edid_status dm_helpers_read_loca
}
if (!drm_edid)
- return EDID_NO_RESPONSE;
+ continue;
edid = drm_edid_raw(drm_edid); // FIXME: Get rid of drm_edid_raw()
if (!edid ||
@@ -1045,7 +1045,7 @@ enum dc_edid_status dm_helpers_read_loca
&sink->dc_edid,
&sink->edid_caps);
- } while (edid_status == EDID_BAD_CHECKSUM && --retry > 0);
+ } while ((edid_status == EDID_BAD_CHECKSUM || edid_status == EDID_NO_RESPONSE) && --retry > 0);
if (edid_status != EDID_OK)
DRM_ERROR("EDID err: %d, on connector: %s",
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 134/146] net: dsa: microchip: common: Fix checks on irq_find_mapping()
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 133/146] drm/amd/display: Increase EDID read retries Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 135/146] net: dsa: microchip: ptp: " Greg Kroah-Hartman
` (25 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Lunn,
Bastien Curutchet (Schneider Electric), Paolo Abeni
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com>
commit 7b3c09e1667977edee11de94a85e2593a7c15e87 upstream.
irq_find_mapping() returns a positive IRQ number or 0 if no IRQ is found
but it never returns a negative value. However, on each
irq_find_mapping() call, we verify that the returned value isn't
negative.
Fix the irq_find_mapping() checks to enter error paths when 0 is
returned. Return -EINVAL in such cases.
CC: stable@vger.kernel.org
Fixes: c9cd961c0d43 ("net: dsa: microchip: lan937x: add interrupt support for port phy link")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com>
Link: https://patch.msgid.link/20251120-ksz-fix-v6-1-891f80ae7f8f@bootlin.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/dsa/microchip/ksz_common.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/net/dsa/microchip/ksz_common.c
+++ b/drivers/net/dsa/microchip/ksz_common.c
@@ -2587,8 +2587,8 @@ static int ksz_irq_phy_setup(struct ksz_
irq = irq_find_mapping(dev->ports[port].pirq.domain,
PORT_SRC_PHY_INT);
- if (irq < 0) {
- ret = irq;
+ if (!irq) {
+ ret = -EINVAL;
goto out;
}
ds->user_mii_bus->irq[phy] = irq;
@@ -2952,8 +2952,8 @@ static int ksz_pirq_setup(struct ksz_dev
snprintf(pirq->name, sizeof(pirq->name), "port_irq-%d", p);
pirq->irq_num = irq_find_mapping(dev->girq.domain, p);
- if (pirq->irq_num < 0)
- return pirq->irq_num;
+ if (!pirq->irq_num)
+ return -EINVAL;
return ksz_irq_common_setup(dev, pirq);
}
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 135/146] net: dsa: microchip: ptp: Fix checks on irq_find_mapping()
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 134/146] net: dsa: microchip: common: Fix checks on irq_find_mapping() Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 136/146] net: dsa: microchip: Dont free uninitialized ksz_irq Greg Kroah-Hartman
` (24 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Lunn,
Bastien Curutchet (Schneider Electric), Paolo Abeni
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com>
commit 9e059305be41a5bd27e03458d8333cf30d70be34 upstream.
irq_find_mapping() returns a positive IRQ number or 0 if no IRQ is found
but it never returns a negative value. However, during the PTP IRQ setup,
we verify that its returned value isn't negative.
Fix the irq_find_mapping() check to enter the error path when 0 is
returned. Return -EINVAL in such case.
Cc: stable@vger.kernel.org
Fixes: cc13ab18b201 ("net: dsa: microchip: ptp: enable interrupt for timestamping")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com>
Link: https://patch.msgid.link/20251120-ksz-fix-v6-2-891f80ae7f8f@bootlin.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/dsa/microchip/ksz_ptp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/dsa/microchip/ksz_ptp.c
+++ b/drivers/net/dsa/microchip/ksz_ptp.c
@@ -1139,8 +1139,8 @@ int ksz_ptp_irq_setup(struct dsa_switch
irq_create_mapping(ptpirq->domain, irq);
ptpirq->irq_num = irq_find_mapping(port->pirq.domain, PORT_SRC_PTP_INT);
- if (ptpirq->irq_num < 0) {
- ret = ptpirq->irq_num;
+ if (!ptpirq->irq_num) {
+ ret = -EINVAL;
goto out;
}
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 136/146] net: dsa: microchip: Dont free uninitialized ksz_irq
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 135/146] net: dsa: microchip: ptp: " Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 137/146] net: dsa: microchip: Free previously initialized ports on init failures Greg Kroah-Hartman
` (23 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches,
Bastien Curutchet (Schneider Electric), Paolo Abeni
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com>
commit 25b62cc5b22c45face094ae3e8717258e46d1d19 upstream.
If something goes wrong at setup, ksz_irq_free() can be called on
uninitialized ksz_irq (for example when ksz_ptp_irq_setup() fails). It
leads to freeing uninitialized IRQ numbers and/or domains.
Use dsa_switch_for_each_user_port_continue_reverse() in the error path
to iterate only over the fully initialized ports.
Cc: stable@vger.kernel.org
Fixes: cc13ab18b201 ("net: dsa: microchip: ptp: enable interrupt for timestamping")
Signed-off-by: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com>
Link: https://patch.msgid.link/20251120-ksz-fix-v6-3-891f80ae7f8f@bootlin.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/dsa/microchip/ksz_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/dsa/microchip/ksz_common.c
+++ b/drivers/net/dsa/microchip/ksz_common.c
@@ -3082,7 +3082,7 @@ out_ptpirq:
ksz_ptp_irq_free(ds, dp->index);
out_pirq:
if (dev->irq > 0)
- dsa_switch_for_each_user_port(dp, dev->ds)
+ dsa_switch_for_each_user_port_continue_reverse(dp, dev->ds)
ksz_irq_free(&dev->ports[dp->index].pirq);
out_girq:
if (dev->irq > 0)
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 137/146] net: dsa: microchip: Free previously initialized ports on init failures
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 136/146] net: dsa: microchip: Dont free uninitialized ksz_irq Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 138/146] net: dsa: microchip: Fix symetry in ksz_ptp_msg_irq_{setup/free}() Greg Kroah-Hartman
` (22 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches,
Bastien Curutchet (Schneider Electric), Paolo Abeni
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com>
commit 0f80e21bf6229637e193248fbd284c0ec44bc0fd upstream.
If a port interrupt setup fails after at least one port has already been
successfully initialized, the gotos miss some resource releasing:
- the already initialized PTP IRQs aren't released
- the already initialized port IRQs aren't released if the failure
occurs in ksz_pirq_setup().
Merge 'out_girq' and 'out_ptpirq' into a single 'port_release' label.
Behind this label, use the reverse loop to release all IRQ resources
for all initialized ports.
Jump in the middle of the reverse loop if an error occurs in
ksz_ptp_irq_setup() to only release the port IRQ of the current
iteration.
Cc: stable@vger.kernel.org
Fixes: c9cd961c0d43 ("net: dsa: microchip: lan937x: add interrupt support for port phy link")
Signed-off-by: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com>
Link: https://patch.msgid.link/20251120-ksz-fix-v6-4-891f80ae7f8f@bootlin.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/dsa/microchip/ksz_common.c | 23 +++++++++++------------
1 file changed, 11 insertions(+), 12 deletions(-)
--- a/drivers/net/dsa/microchip/ksz_common.c
+++ b/drivers/net/dsa/microchip/ksz_common.c
@@ -3038,12 +3038,12 @@ static int ksz_setup(struct dsa_switch *
dsa_switch_for_each_user_port(dp, dev->ds) {
ret = ksz_pirq_setup(dev, dp->index);
if (ret)
- goto out_girq;
+ goto port_release;
if (dev->info->ptp_capable) {
ret = ksz_ptp_irq_setup(ds, dp->index);
if (ret)
- goto out_pirq;
+ goto pirq_release;
}
}
}
@@ -3053,7 +3053,7 @@ static int ksz_setup(struct dsa_switch *
if (ret) {
dev_err(dev->dev, "Failed to register PTP clock: %d\n",
ret);
- goto out_ptpirq;
+ goto port_release;
}
}
@@ -3076,17 +3076,16 @@ static int ksz_setup(struct dsa_switch *
out_ptp_clock_unregister:
if (dev->info->ptp_capable)
ksz_ptp_clock_unregister(ds);
-out_ptpirq:
- if (dev->irq > 0 && dev->info->ptp_capable)
- dsa_switch_for_each_user_port(dp, dev->ds)
- ksz_ptp_irq_free(ds, dp->index);
-out_pirq:
- if (dev->irq > 0)
- dsa_switch_for_each_user_port_continue_reverse(dp, dev->ds)
+port_release:
+ if (dev->irq > 0) {
+ dsa_switch_for_each_user_port_continue_reverse(dp, dev->ds) {
+ if (dev->info->ptp_capable)
+ ksz_ptp_irq_free(ds, dp->index);
+pirq_release:
ksz_irq_free(&dev->ports[dp->index].pirq);
-out_girq:
- if (dev->irq > 0)
+ }
ksz_irq_free(&dev->girq);
+ }
return ret;
}
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 138/146] net: dsa: microchip: Fix symetry in ksz_ptp_msg_irq_{setup/free}()
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 137/146] net: dsa: microchip: Free previously initialized ports on init failures Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 139/146] libceph: fix potential use-after-free in have_mon_and_osd_map() Greg Kroah-Hartman
` (21 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Lunn,
Bastien Curutchet (Schneider Electric), Paolo Abeni
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com>
commit d0b8fec8ae50525b57139393d0bb1f446e82ff7e upstream.
The IRQ numbers created through irq_create_mapping() are only assigned
to ptpmsg_irq[n].num at the end of the IRQ setup. So if an error occurs
between their creation and their assignment (for instance during the
request_threaded_irq() step), we enter the error path and fail to
release the newly created virtual IRQs because they aren't yet assigned
to ptpmsg_irq[n].num.
Move the mapping creation to ksz_ptp_msg_irq_setup() to ensure symetry
with what's released by ksz_ptp_msg_irq_free().
In the error path, move the irq_dispose_mapping to the out_ptp_msg label
so it will be called only on created IRQs.
Cc: stable@vger.kernel.org
Fixes: cc13ab18b201 ("net: dsa: microchip: ptp: enable interrupt for timestamping")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com>
Link: https://patch.msgid.link/20251120-ksz-fix-v6-5-891f80ae7f8f@bootlin.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/dsa/microchip/ksz_ptp.c | 18 +++++++-----------
1 file changed, 7 insertions(+), 11 deletions(-)
--- a/drivers/net/dsa/microchip/ksz_ptp.c
+++ b/drivers/net/dsa/microchip/ksz_ptp.c
@@ -1093,19 +1093,19 @@ static int ksz_ptp_msg_irq_setup(struct
static const char * const name[] = {"pdresp-msg", "xdreq-msg",
"sync-msg"};
const struct ksz_dev_ops *ops = port->ksz_dev->dev_ops;
+ struct ksz_irq *ptpirq = &port->ptpirq;
struct ksz_ptp_irq *ptpmsg_irq;
ptpmsg_irq = &port->ptpmsg_irq[n];
+ ptpmsg_irq->num = irq_create_mapping(ptpirq->domain, n);
+ if (!ptpmsg_irq->num)
+ return -EINVAL;
ptpmsg_irq->port = port;
ptpmsg_irq->ts_reg = ops->get_port_addr(port->num, ts_reg[n]);
strscpy(ptpmsg_irq->name, name[n]);
- ptpmsg_irq->num = irq_find_mapping(port->ptpirq.domain, n);
- if (ptpmsg_irq->num < 0)
- return ptpmsg_irq->num;
-
return request_threaded_irq(ptpmsg_irq->num, NULL,
ksz_ptp_msg_thread_fn, IRQF_ONESHOT,
ptpmsg_irq->name, ptpmsg_irq);
@@ -1135,9 +1135,6 @@ int ksz_ptp_irq_setup(struct dsa_switch
if (!ptpirq->domain)
return -ENOMEM;
- for (irq = 0; irq < ptpirq->nirqs; irq++)
- irq_create_mapping(ptpirq->domain, irq);
-
ptpirq->irq_num = irq_find_mapping(port->pirq.domain, PORT_SRC_PTP_INT);
if (!ptpirq->irq_num) {
ret = -EINVAL;
@@ -1159,12 +1156,11 @@ int ksz_ptp_irq_setup(struct dsa_switch
out_ptp_msg:
free_irq(ptpirq->irq_num, ptpirq);
- while (irq--)
+ while (irq--) {
free_irq(port->ptpmsg_irq[irq].num, &port->ptpmsg_irq[irq]);
-out:
- for (irq = 0; irq < ptpirq->nirqs; irq++)
irq_dispose_mapping(port->ptpmsg_irq[irq].num);
-
+ }
+out:
irq_domain_remove(ptpirq->domain);
return ret;
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 139/146] libceph: fix potential use-after-free in have_mon_and_osd_map()
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 138/146] net: dsa: microchip: Fix symetry in ksz_ptp_msg_irq_{setup/free}() Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 140/146] libceph: prevent potential out-of-bounds writes in handle_auth_session_key() Greg Kroah-Hartman
` (20 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Ilya Dryomov,
Viacheslav Dubeyko
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit 076381c261374c587700b3accf410bdd2dba334e upstream.
The wait loop in __ceph_open_session() can race with the client
receiving a new monmap or osdmap shortly after the initial map is
received. Both ceph_monc_handle_map() and handle_one_map() install
a new map immediately after freeing the old one
kfree(monc->monmap);
monc->monmap = monmap;
ceph_osdmap_destroy(osdc->osdmap);
osdc->osdmap = newmap;
under client->monc.mutex and client->osdc.lock respectively, but
because neither is taken in have_mon_and_osd_map() it's possible for
client->monc.monmap->epoch and client->osdc.osdmap->epoch arms in
client->monc.monmap && client->monc.monmap->epoch &&
client->osdc.osdmap && client->osdc.osdmap->epoch;
condition to dereference an already freed map. This happens to be
reproducible with generic/395 and generic/397 with KASAN enabled:
BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70
Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305
CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266
...
Call Trace:
<TASK>
have_mon_and_osd_map+0x56/0x70
ceph_open_session+0x182/0x290
ceph_get_tree+0x333/0x680
vfs_get_tree+0x49/0x180
do_new_mount+0x1a3/0x2d0
path_mount+0x6dd/0x730
do_mount+0x99/0xe0
__do_sys_mount+0x141/0x180
do_syscall_64+0x9f/0x100
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
Allocated by task 13305:
ceph_osdmap_alloc+0x16/0x130
ceph_osdc_init+0x27a/0x4c0
ceph_create_client+0x153/0x190
create_fs_client+0x50/0x2a0
ceph_get_tree+0xff/0x680
vfs_get_tree+0x49/0x180
do_new_mount+0x1a3/0x2d0
path_mount+0x6dd/0x730
do_mount+0x99/0xe0
__do_sys_mount+0x141/0x180
do_syscall_64+0x9f/0x100
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 9475:
kfree+0x212/0x290
handle_one_map+0x23c/0x3b0
ceph_osdc_handle_map+0x3c9/0x590
mon_dispatch+0x655/0x6f0
ceph_con_process_message+0xc3/0xe0
ceph_con_v1_try_read+0x614/0x760
ceph_con_workfn+0x2de/0x650
process_one_work+0x486/0x7c0
process_scheduled_works+0x73/0x90
worker_thread+0x1c8/0x2a0
kthread+0x2ec/0x300
ret_from_fork+0x24/0x40
ret_from_fork_asm+0x1a/0x30
Rewrite the wait loop to check the above condition directly with
client->monc.mutex and client->osdc.lock taken as appropriate. While
at it, improve the timeout handling (previously mount_timeout could be
exceeded in case wait_event_interruptible_timeout() slept more than
once) and access client->auth_err under client->monc.mutex to match
how it's set in finish_auth().
monmap_show() and osdmap_show() now take the respective lock before
accessing the map as well.
Cc: stable@vger.kernel.org
Reported-by: David Howells <dhowells@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/ceph_common.c | 53 +++++++++++++++++++++++++++++--------------------
net/ceph/debugfs.c | 14 +++++++++---
2 files changed, 42 insertions(+), 25 deletions(-)
--- a/net/ceph/ceph_common.c
+++ b/net/ceph/ceph_common.c
@@ -786,41 +786,52 @@ void ceph_reset_client_addr(struct ceph_
EXPORT_SYMBOL(ceph_reset_client_addr);
/*
- * true if we have the mon map (and have thus joined the cluster)
- */
-static bool have_mon_and_osd_map(struct ceph_client *client)
-{
- return client->monc.monmap && client->monc.monmap->epoch &&
- client->osdc.osdmap && client->osdc.osdmap->epoch;
-}
-
-/*
* mount: join the ceph cluster, and open root directory.
*/
int __ceph_open_session(struct ceph_client *client, unsigned long started)
{
- unsigned long timeout = client->options->mount_timeout;
- long err;
+ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ long timeout = ceph_timeout_jiffies(client->options->mount_timeout);
+ bool have_monmap, have_osdmap;
+ int err;
/* open session, and wait for mon and osd maps */
err = ceph_monc_open_session(&client->monc);
if (err < 0)
return err;
- while (!have_mon_and_osd_map(client)) {
- if (timeout && time_after_eq(jiffies, started + timeout))
- return -ETIMEDOUT;
+ add_wait_queue(&client->auth_wq, &wait);
+ for (;;) {
+ mutex_lock(&client->monc.mutex);
+ err = client->auth_err;
+ have_monmap = client->monc.monmap && client->monc.monmap->epoch;
+ mutex_unlock(&client->monc.mutex);
+
+ down_read(&client->osdc.lock);
+ have_osdmap = client->osdc.osdmap && client->osdc.osdmap->epoch;
+ up_read(&client->osdc.lock);
+
+ if (err || (have_monmap && have_osdmap))
+ break;
+
+ if (signal_pending(current)) {
+ err = -ERESTARTSYS;
+ break;
+ }
+
+ if (!timeout) {
+ err = -ETIMEDOUT;
+ break;
+ }
/* wait */
dout("mount waiting for mon_map\n");
- err = wait_event_interruptible_timeout(client->auth_wq,
- have_mon_and_osd_map(client) || (client->auth_err < 0),
- ceph_timeout_jiffies(timeout));
- if (err < 0)
- return err;
- if (client->auth_err < 0)
- return client->auth_err;
+ timeout = wait_woken(&wait, TASK_INTERRUPTIBLE, timeout);
}
+ remove_wait_queue(&client->auth_wq, &wait);
+
+ if (err)
+ return err;
pr_info("client%llu fsid %pU\n", ceph_client_gid(client),
&client->fsid);
--- a/net/ceph/debugfs.c
+++ b/net/ceph/debugfs.c
@@ -36,8 +36,9 @@ static int monmap_show(struct seq_file *
int i;
struct ceph_client *client = s->private;
+ mutex_lock(&client->monc.mutex);
if (client->monc.monmap == NULL)
- return 0;
+ goto out_unlock;
seq_printf(s, "epoch %d\n", client->monc.monmap->epoch);
for (i = 0; i < client->monc.monmap->num_mon; i++) {
@@ -48,6 +49,9 @@ static int monmap_show(struct seq_file *
ENTITY_NAME(inst->name),
ceph_pr_addr(&inst->addr));
}
+
+out_unlock:
+ mutex_unlock(&client->monc.mutex);
return 0;
}
@@ -56,13 +60,14 @@ static int osdmap_show(struct seq_file *
int i;
struct ceph_client *client = s->private;
struct ceph_osd_client *osdc = &client->osdc;
- struct ceph_osdmap *map = osdc->osdmap;
+ struct ceph_osdmap *map;
struct rb_node *n;
+ down_read(&osdc->lock);
+ map = osdc->osdmap;
if (map == NULL)
- return 0;
+ goto out_unlock;
- down_read(&osdc->lock);
seq_printf(s, "epoch %u barrier %u flags 0x%x\n", map->epoch,
osdc->epoch_barrier, map->flags);
@@ -131,6 +136,7 @@ static int osdmap_show(struct seq_file *
seq_printf(s, "]\n");
}
+out_unlock:
up_read(&osdc->lock);
return 0;
}
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 140/146] libceph: prevent potential out-of-bounds writes in handle_auth_session_key()
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 139/146] libceph: fix potential use-after-free in have_mon_and_osd_map() Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 141/146] libceph: replace BUG_ON with bounds check for map->max_osd Greg Kroah-Hartman
` (19 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, ziming zhang, Ilya Dryomov
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: ziming zhang <ezrakiez@gmail.com>
commit 7fce830ecd0a0256590ee37eb65a39cbad3d64fc upstream.
The len field originates from untrusted network packets. Boundary
checks have been added to prevent potential out-of-bounds writes when
decrypting the connection secret or processing service tickets.
[ idryomov: changelog ]
Cc: stable@vger.kernel.org
Signed-off-by: ziming zhang <ezrakiez@gmail.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/auth_x.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/ceph/auth_x.c
+++ b/net/ceph/auth_x.c
@@ -631,6 +631,7 @@ static int handle_auth_session_key(struc
/* connection secret */
ceph_decode_32_safe(p, end, len, e_inval);
+ ceph_decode_need(p, end, len, e_inval);
dout("%s connection secret blob len %d\n", __func__, len);
if (len > 0) {
dp = *p + ceph_x_encrypt_offset();
@@ -648,6 +649,7 @@ static int handle_auth_session_key(struc
/* service tickets */
ceph_decode_32_safe(p, end, len, e_inval);
+ ceph_decode_need(p, end, len, e_inval);
dout("%s service tickets blob len %d\n", __func__, len);
if (len > 0) {
ret = ceph_x_proc_ticket_reply(ac, &th->session_key,
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 141/146] libceph: replace BUG_ON with bounds check for map->max_osd
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 140/146] libceph: prevent potential out-of-bounds writes in handle_auth_session_key() Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 142/146] mm: swap: remove duplicate nr_swap_pages decrement in get_swap_page_of_type() Greg Kroah-Hartman
` (18 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, ziming zhang, Ilya Dryomov
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: ziming zhang <ezrakiez@gmail.com>
commit ec3797f043756a94ea2d0f106022e14ac4946c02 upstream.
OSD indexes come from untrusted network packets. Boundary checks are
added to validate these against map->max_osd.
[ idryomov: drop BUG_ON in ceph_get_primary_affinity(), minor cosmetic
edits ]
Cc: stable@vger.kernel.org
Signed-off-by: ziming zhang <ezrakiez@gmail.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/osdmap.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -1504,8 +1504,6 @@ static int decode_new_primary_temp(void
u32 ceph_get_primary_affinity(struct ceph_osdmap *map, int osd)
{
- BUG_ON(osd >= map->max_osd);
-
if (!map->osd_primary_affinity)
return CEPH_OSD_DEFAULT_PRIMARY_AFFINITY;
@@ -1514,8 +1512,6 @@ u32 ceph_get_primary_affinity(struct cep
static int set_primary_affinity(struct ceph_osdmap *map, int osd, u32 aff)
{
- BUG_ON(osd >= map->max_osd);
-
if (!map->osd_primary_affinity) {
int i;
@@ -1577,6 +1573,8 @@ static int decode_new_primary_affinity(v
ceph_decode_32_safe(p, end, osd, e_inval);
ceph_decode_32_safe(p, end, aff, e_inval);
+ if (osd >= map->max_osd)
+ goto e_inval;
ret = set_primary_affinity(map, osd, aff);
if (ret)
@@ -1879,7 +1877,9 @@ static int decode_new_up_state_weight(vo
ceph_decode_need(p, end, 2*sizeof(u32), e_inval);
osd = ceph_decode_32(p);
w = ceph_decode_32(p);
- BUG_ON(osd >= map->max_osd);
+ if (osd >= map->max_osd)
+ goto e_inval;
+
osdmap_info(map, "osd%d weight 0x%x %s\n", osd, w,
w == CEPH_OSD_IN ? "(in)" :
(w == CEPH_OSD_OUT ? "(out)" : ""));
@@ -1905,13 +1905,15 @@ static int decode_new_up_state_weight(vo
u32 xorstate;
osd = ceph_decode_32(p);
+ if (osd >= map->max_osd)
+ goto e_inval;
+
if (struct_v >= 5)
xorstate = ceph_decode_32(p);
else
xorstate = ceph_decode_8(p);
if (xorstate == 0)
xorstate = CEPH_OSD_UP;
- BUG_ON(osd >= map->max_osd);
if ((map->osd_state[osd] & CEPH_OSD_UP) &&
(xorstate & CEPH_OSD_UP))
osdmap_info(map, "osd%d down\n", osd);
@@ -1937,7 +1939,9 @@ static int decode_new_up_state_weight(vo
struct ceph_entity_addr addr;
osd = ceph_decode_32(p);
- BUG_ON(osd >= map->max_osd);
+ if (osd >= map->max_osd)
+ goto e_inval;
+
if (struct_v >= 7)
ret = ceph_decode_entity_addrvec(p, end, msgr2, &addr);
else
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 142/146] mm: swap: remove duplicate nr_swap_pages decrement in get_swap_page_of_type()
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 141/146] libceph: replace BUG_ON with bounds check for map->max_osd Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 143/146] usb: udc: Add trace event for usb_gadget_set_state Greg Kroah-Hartman
` (17 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Youngjun Park, Chris Li, Barry Song,
Kairui Song, Nhat Pham, Baoquan He, Kemeng Shi, Andrew Morton,
Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Youngjun Park <youngjun.park@lge.com>
[ Upstream commit f5e31a196edcd1f1bb44f26b6f9299b9a5b9b3c4 ]
After commit 4f78252da887, nr_swap_pages is decremented in
swap_range_alloc(). Since cluster_alloc_swap_entry() calls
swap_range_alloc() internally, the decrement in get_swap_page_of_type()
causes double-decrementing.
As a representative userspace-visible runtime example of the impact,
/proc/meminfo reports increasingly inaccurate SwapFree values. The
discrepancy grows with each swap allocation, and during hibernation
when large amounts of memory are written to swap, the reported value
can deviate significantly from actual available swap space, misleading
users and monitoring tools.
Remove the duplicate decrement.
Link: https://lkml.kernel.org/r/20251102082456.79807-1-youngjun.park@lge.com
Fixes: 4f78252da887 ("mm: swap: move nr_swap_pages counter decrement from folio_alloc_swap() to swap_range_alloc()")
Signed-off-by: Youngjun Park <youngjun.park@lge.com>
Acked-by: Chris Li <chrisl@kernel.org>
Reviewed-by: Barry Song <baohua@kernel.org>
Reviewed-by: Kairui Song <kasong@tencent.com>
Acked-by: Nhat Pham <nphamcs@gmail.com>
Cc: Baoquan He <bhe@redhat.com>
Cc: Kemeng Shi <shikemeng@huaweicloud.com>
Cc: <stable@vger.kernel.org> [6.17+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ adjusted context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/swapfile.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -1866,10 +1866,8 @@ swp_entry_t get_swap_page_of_type(int ty
if (get_swap_device_info(si)) {
if (si->flags & SWP_WRITEOK) {
offset = cluster_alloc_swap_entry(si, 0, 1);
- if (offset) {
+ if (offset)
entry = swp_entry(si->type, offset);
- atomic_long_dec(&nr_swap_pages);
- }
}
put_swap_device(si);
}
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 143/146] usb: udc: Add trace event for usb_gadget_set_state
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 142/146] mm: swap: remove duplicate nr_swap_pages decrement in get_swap_page_of_type() Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 144/146] usb: gadget: udc: fix use-after-free in usb_gadget_state_work Greg Kroah-Hartman
` (16 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kuen-Han Tsai, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuen-Han Tsai <khtsai@google.com>
[ Upstream commit 7bf1158514e410310aec975e630cec99d4e4092f ]
While the userspace program can be notified of gadget state changes,
timing issue can lead to missed transitions when reading the state
value.
Introduce a trace event for usb_gadget_set_state to reliably track state
transitions.
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://lore.kernel.org/r/20250818082722.2952867-1-khtsai@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: baeb66fbd420 ("usb: gadget: udc: fix use-after-free in usb_gadget_state_work")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/core.c | 1 +
drivers/usb/gadget/udc/trace.h | 5 +++++
2 files changed, 6 insertions(+)
--- a/drivers/usb/gadget/udc/core.c
+++ b/drivers/usb/gadget/udc/core.c
@@ -1128,6 +1128,7 @@ void usb_gadget_set_state(struct usb_gad
{
gadget->state = state;
schedule_work(&gadget->work);
+ trace_usb_gadget_set_state(gadget, 0);
}
EXPORT_SYMBOL_GPL(usb_gadget_set_state);
--- a/drivers/usb/gadget/udc/trace.h
+++ b/drivers/usb/gadget/udc/trace.h
@@ -81,6 +81,11 @@ DECLARE_EVENT_CLASS(udc_log_gadget,
__entry->ret)
);
+DEFINE_EVENT(udc_log_gadget, usb_gadget_set_state,
+ TP_PROTO(struct usb_gadget *g, int ret),
+ TP_ARGS(g, ret)
+);
+
DEFINE_EVENT(udc_log_gadget, usb_gadget_frame_number,
TP_PROTO(struct usb_gadget *g, int ret),
TP_ARGS(g, ret)
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 144/146] usb: gadget: udc: fix use-after-free in usb_gadget_state_work
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 143/146] usb: udc: Add trace event for usb_gadget_set_state Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 145/146] Revert "ACPI: Suppress misleading SPCR console message when SPCR table is absent" Greg Kroah-Hartman
` (15 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Jimmy Hu, Sasha Levin
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jimmy Hu <hhhuuu@google.com>
[ Upstream commit baeb66fbd4201d1c4325074e78b1f557dff89b5b ]
A race condition during gadget teardown can lead to a use-after-free
in usb_gadget_state_work(), as reported by KASAN:
BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0
Workqueue: events usb_gadget_state_work
The fundamental race occurs because a concurrent event (e.g., an
interrupt) can call usb_gadget_set_state() and schedule gadget->work
at any time during the cleanup process in usb_del_gadget().
Commit 399a45e5237c ("usb: gadget: core: flush gadget workqueue after
device removal") attempted to fix this by moving flush_work() to after
device_del(). However, this does not fully solve the race, as a new
work item can still be scheduled *after* flush_work() completes but
before the gadget's memory is freed, leading to the same use-after-free.
This patch fixes the race condition robustly by introducing a 'teardown'
flag and a 'state_lock' spinlock to the usb_gadget struct. The flag is
set during cleanup in usb_del_gadget() *before* calling flush_work() to
prevent any new work from being scheduled once cleanup has commenced.
The scheduling site, usb_gadget_set_state(), now checks this flag under
the lock before queueing the work, thus safely closing the race window.
Fixes: 5702f75375aa9 ("usb: gadget: udc-core: move sysfs_notify() to a workqueue")
Cc: stable <stable@kernel.org>
Signed-off-by: Jimmy Hu <hhhuuu@google.com>
Link: https://patch.msgid.link/20251023054945.233861-1-hhhuuu@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/core.c | 17 ++++++++++++++++-
include/linux/usb/gadget.h | 5 +++++
2 files changed, 21 insertions(+), 1 deletion(-)
--- a/drivers/usb/gadget/udc/core.c
+++ b/drivers/usb/gadget/udc/core.c
@@ -1126,8 +1126,13 @@ static void usb_gadget_state_work(struct
void usb_gadget_set_state(struct usb_gadget *gadget,
enum usb_device_state state)
{
+ unsigned long flags;
+
+ spin_lock_irqsave(&gadget->state_lock, flags);
gadget->state = state;
- schedule_work(&gadget->work);
+ if (!gadget->teardown)
+ schedule_work(&gadget->work);
+ spin_unlock_irqrestore(&gadget->state_lock, flags);
trace_usb_gadget_set_state(gadget, 0);
}
EXPORT_SYMBOL_GPL(usb_gadget_set_state);
@@ -1361,6 +1366,8 @@ static void usb_udc_nop_release(struct d
void usb_initialize_gadget(struct device *parent, struct usb_gadget *gadget,
void (*release)(struct device *dev))
{
+ spin_lock_init(&gadget->state_lock);
+ gadget->teardown = false;
INIT_WORK(&gadget->work, usb_gadget_state_work);
gadget->dev.parent = parent;
@@ -1535,6 +1542,7 @@ EXPORT_SYMBOL_GPL(usb_add_gadget_udc);
void usb_del_gadget(struct usb_gadget *gadget)
{
struct usb_udc *udc = gadget->udc;
+ unsigned long flags;
if (!udc)
return;
@@ -1548,6 +1556,13 @@ void usb_del_gadget(struct usb_gadget *g
kobject_uevent(&udc->dev.kobj, KOBJ_REMOVE);
sysfs_remove_link(&udc->dev.kobj, "gadget");
device_del(&gadget->dev);
+ /*
+ * Set the teardown flag before flushing the work to prevent new work
+ * from being scheduled while we are cleaning up.
+ */
+ spin_lock_irqsave(&gadget->state_lock, flags);
+ gadget->teardown = true;
+ spin_unlock_irqrestore(&gadget->state_lock, flags);
flush_work(&gadget->work);
ida_free(&gadget_id_numbers, gadget->id_number);
cancel_work_sync(&udc->vbus_work);
--- a/include/linux/usb/gadget.h
+++ b/include/linux/usb/gadget.h
@@ -376,6 +376,9 @@ struct usb_gadget_ops {
* can handle. The UDC must support this and all slower speeds and lower
* number of lanes.
* @state: the state we are now (attached, suspended, configured, etc)
+ * @state_lock: Spinlock protecting the `state` and `teardown` members.
+ * @teardown: True if the device is undergoing teardown, used to prevent
+ * new work from being scheduled during cleanup.
* @name: Identifies the controller hardware type. Used in diagnostics
* and sometimes configuration.
* @dev: Driver model state for this abstract device.
@@ -451,6 +454,8 @@ struct usb_gadget {
enum usb_ssp_rate max_ssp_rate;
enum usb_device_state state;
+ spinlock_t state_lock;
+ bool teardown;
const char *name;
struct device dev;
unsigned isoch_delay;
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 145/146] Revert "ACPI: Suppress misleading SPCR console message when SPCR table is absent"
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 144/146] usb: gadget: udc: fix use-after-free in usb_gadget_state_work Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 15:28 ` [PATCH 6.17 146/146] spi: cadence-quadspi: Fix cqspi_probe() error handling for runtime pm Greg Kroah-Hartman
` (14 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Punit Agrawal, Will Deacon
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Punit Agrawal <punit.agrawal@oss.qualcomm.com>
commit eeb8c19896952e18fb538ec76e603884070a6c6a upstream.
This reverts commit bad3fa2fb9206f4dcec6ddef094ec2fbf6e8dcb2.
Commit bad3fa2fb920 ("ACPI: Suppress misleading SPCR console message
when SPCR table is absent") mistakenly assumes acpi_parse_spcr()
returning 0 to indicate a failure to parse SPCR. While addressing the
resultant incorrect logging it was deemed that dropping the message is
a better approach as it is not particularly useful.
Roll back the commit introducing the bug as a step towards dropping
the log message.
Link: https://lore.kernel.org/all/aQN0YWUYaPYWpgJM@willie-the-truck/
Signed-off-by: Punit Agrawal <punit.agrawal@oss.qualcomm.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/acpi.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
--- a/arch/arm64/kernel/acpi.c
+++ b/arch/arm64/kernel/acpi.c
@@ -197,8 +197,6 @@ out:
*/
void __init acpi_boot_table_init(void)
{
- int ret;
-
/*
* Enable ACPI instead of device tree unless
* - ACPI has been disabled explicitly (acpi=off), or
@@ -252,12 +250,10 @@ done:
* behaviour, use acpi=nospcr to disable console in ACPI SPCR
* table as default serial console.
*/
- ret = acpi_parse_spcr(earlycon_acpi_spcr_enable,
+ acpi_parse_spcr(earlycon_acpi_spcr_enable,
!param_acpi_nospcr);
- if (!ret || param_acpi_nospcr || !IS_ENABLED(CONFIG_ACPI_SPCR_TABLE))
- pr_info("Use ACPI SPCR as default console: No\n");
- else
- pr_info("Use ACPI SPCR as default console: Yes\n");
+ pr_info("Use ACPI SPCR as default console: %s\n",
+ param_acpi_nospcr ? "No" : "Yes");
if (IS_ENABLED(CONFIG_ACPI_BGRT))
acpi_table_parse(ACPI_SIG_BGRT, acpi_parse_bgrt);
^ permalink raw reply [flat|nested] 173+ messages in thread* [PATCH 6.17 146/146] spi: cadence-quadspi: Fix cqspi_probe() error handling for runtime pm
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 145/146] Revert "ACPI: Suppress misleading SPCR console message when SPCR table is absent" Greg Kroah-Hartman
@ 2025-12-03 15:28 ` Greg Kroah-Hartman
2025-12-03 17:23 ` [PATCH 6.17 000/146] 6.17.11-rc1 review Ronald Warsow
` (13 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-03 15:28 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Siddharth Vadapalli, Mark Brown
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Siddharth Vadapalli <s-vadapalli@ti.com>
commit 295fe8406a357bc0abb901a21d1a554fd4dd1d05 upstream.
Commit f1eb4e792bb1 ("spi: spi-cadence-quadspi: Enable pm runtime earlier
to avoid imbalance") relocated code but missed updating the error handling
path associated with it.
Prior to the relocation, runtime pm was enabled after the code-block
associated with 'cqspi_request_mmap_dma()', due to which, the error
handling for the same didn't require invoking 'pm_runtime_disable()'.
Post refactoring, runtime pm has been enabled before the code-block and
when an error is encountered, jumping to 'probe_dma_failed' doesn't
invoke 'pm_runtime_disable()'. This leads to a race condition wherein
'cqspi_runtime_suspend()' is invoked while the error handling path executes
in parallel. The resulting error is the following:
clk:103:0 already disabled
WARNING: drivers/clk/clk.c:1188 at clk_core_disable+0x80/0xa0, CPU#1: kworker/u8:0/12
[TRIMMED]
pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : clk_core_disable+0x80/0xa0
lr : clk_core_disable+0x80/0xa0
[TRIMMED]
Call trace:
clk_core_disable+0x80/0xa0 (P)
clk_core_disable_lock+0x88/0x10c
clk_disable+0x24/0x30
cqspi_probe+0xa3c/0xae8
[TRIMMED]
The error is due to the second invocation of 'clk_disable_unprepare()' on
'cqspi->clk' in the error handling within 'cqspi_probe()', with the first
invocation being within 'cqspi_runtime_suspend()'.
Fix this by correcting the error handling.
Fixes: f1eb4e792bb1 ("spi: spi-cadence-quadspi: Enable pm runtime earlier to avoid imbalance")
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
Link: https://patch.msgid.link/20251119152545.2591651-1-s-vadapalli@ti.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-cadence-quadspi.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/spi/spi-cadence-quadspi.c
+++ b/drivers/spi/spi-cadence-quadspi.c
@@ -2002,7 +2002,7 @@ static int cqspi_probe(struct platform_d
if (cqspi->use_direct_mode) {
ret = cqspi_request_mmap_dma(cqspi);
if (ret == -EPROBE_DEFER)
- goto probe_dma_failed;
+ goto probe_setup_failed;
}
ret = spi_register_controller(host);
@@ -2020,7 +2020,6 @@ static int cqspi_probe(struct platform_d
probe_setup_failed:
if (!(ddata && (ddata->quirks & CQSPI_DISABLE_RUNTIME_PM)))
pm_runtime_disable(dev);
-probe_dma_failed:
cqspi_controller_enable(cqspi, 0);
probe_reset_failed:
if (cqspi->is_jh7110)
^ permalink raw reply [flat|nested] 173+ messages in thread* Re: [PATCH 6.17 000/146] 6.17.11-rc1 review
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2025-12-03 15:28 ` [PATCH 6.17 146/146] spi: cadence-quadspi: Fix cqspi_probe() error handling for runtime pm Greg Kroah-Hartman
@ 2025-12-03 17:23 ` Ronald Warsow
2025-12-03 19:02 ` Florian Fainelli
` (12 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Ronald Warsow @ 2025-12-03 17:23 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
conor, hargar, broonie, achill, sr
Hi
no regressions here on x86_64 (RKL, Intel 11th Gen. CPU)
Thanks
Tested-by: Ronald Warsow <rwarsow@gmx.de>
^ permalink raw reply [flat|nested] 173+ messages in thread* Re: [PATCH 6.17 000/146] 6.17.11-rc1 review
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2025-12-03 17:23 ` [PATCH 6.17 000/146] 6.17.11-rc1 review Ronald Warsow
@ 2025-12-03 19:02 ` Florian Fainelli
2025-12-03 20:36 ` Achill Gilgenast
` (11 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Florian Fainelli @ 2025-12-03 19:02 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, rwarsow, conor,
hargar, broonie, achill, sr
On 12/3/25 07:26, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.17.11 release.
> There are 146 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 05 Dec 2025 15:23:16 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.11-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 173+ messages in thread* Re: [PATCH 6.17 000/146] 6.17.11-rc1 review
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2025-12-03 19:02 ` Florian Fainelli
@ 2025-12-03 20:36 ` Achill Gilgenast
2025-12-03 20:56 ` Takeshi Ogasawara
` (10 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Achill Gilgenast @ 2025-12-03 20:36 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
On Wed Dec 3, 2025 at 4:26 PM CET, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.17.11 release.
> There are 146 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 05 Dec 2025 15:23:16 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.11-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Thanks! Builded on all Alpine architectures & boot-tested on x86_64.
Tested-By: Achill Gilgenast <achill@achill.org>
^ permalink raw reply [flat|nested] 173+ messages in thread* Re: [PATCH 6.17 000/146] 6.17.11-rc1 review
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2025-12-03 20:36 ` Achill Gilgenast
@ 2025-12-03 20:56 ` Takeshi Ogasawara
2025-12-03 23:43 ` Shuah Khan
` (9 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Takeshi Ogasawara @ 2025-12-03 20:56 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
Hi Greg
On Thu, Dec 4, 2025 at 1:45 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.17.11 release.
> There are 146 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 05 Dec 2025 15:23:16 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.11-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
6.17.11-rc1 tested.
Build successfully completed.
Boot successfully completed.
No dmesg regressions.
Video output normal.
Sound output normal.
Lenovo ThinkPad X1 Carbon Gen10(Intel i7-1260P(x86_64) arch linux)
[ 0.000000] Linux version 6.17.11-rc1rv-gc434a9350a1d
(takeshi@ThinkPadX1Gen10J0764) (gcc (GCC) 15.2.1 20251112, GNU ld (GNU
Binutils) 2.45.1) #1 SMP PREEMPT_DYNAMIC Thu Dec 4 05:27:29 JST 2025
Thanks
Tested-by: Takeshi Ogasawara <takeshi.ogasawara@futuring-girl.com>
^ permalink raw reply [flat|nested] 173+ messages in thread* Re: [PATCH 6.17 000/146] 6.17.11-rc1 review
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2025-12-03 20:56 ` Takeshi Ogasawara
@ 2025-12-03 23:43 ` Shuah Khan
2025-12-04 9:08 ` Jeffrin Thalakkottoor
` (8 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Shuah Khan @ 2025-12-03 23:43 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr, Shuah Khan
On 12/3/25 08:26, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.17.11 release.
> There are 146 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 05 Dec 2025 15:23:16 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.11-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 173+ messages in thread* Re: [PATCH 6.17 000/146] 6.17.11-rc1 review
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2025-12-03 23:43 ` Shuah Khan
@ 2025-12-04 9:08 ` Jeffrin Thalakkottoor
2025-12-04 16:16 ` Greg Kroah-Hartman
2025-12-04 9:50 ` Naresh Kamboju
` (7 subsequent siblings)
159 siblings, 1 reply; 173+ messages in thread
From: Jeffrin Thalakkottoor @ 2025-12-04 9:08 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
hello
Compiled and booted 6.17.11-rc1+
dmesg shows err and warn
-----err-------------
[ 5.422899] UBSAN: array-index-out-of-bounds in
drivers/gpu/drm/radeon/radeon_atombios.c:2720:34
[ 5.422909] index 16 is out of range for type 'UCHAR [*]'
[ 5.424099] UBSAN: array-index-out-of-bounds in
drivers/gpu/drm/radeon/trinity_dpm.c:1763:32
[ 5.424106] index 16 is out of range for type 'UCHAR [*]'
[ 35.833950] systemd[1]: bpf-restrict-fs: Failed to load BPF object:
No such process
--------err-----------------
----------------warn---------------
[ 0.007594] ACPI BIOS Warning (bug): Optional FADT field
Pm2ControlBlock has valid Length but zero Address:
0x0000000000000000/0x1 (20250404/tbfadt-611)
[ 0.486793] Could not retrieve perf counters (-19)
[ 0.491808] amd_pstate: the _CPC object is not present in SBIOS or
ACPI disabled
[ 5.422897] ------------[ cut here ]------------
[ 5.422917] CPU: 1 UID: 0 PID: 174 Comm: (udev-worker) Not tainted
6.17.11-rc1+ #1 PREEMPT(lazy)
[ 5.422921] Hardware name: System manufacturer System Product
Name/F2A55-M LK2 PLUS, BIOS 0403 12/06/2012
[ 5.422923] Call Trace:
[ 5.422926] <TASK>
[ 5.422930] dump_stack_lvl+0x5d/0x80
[ 5.422937] ubsan_epilogue+0x5/0x2b
[ 5.422942] __ubsan_handle_out_of_bounds.cold+0x54/0x59
[ 5.422949] radeon_atombios_get_power_modes+0x8d6/0x900 [radeon]
[ 5.423086] radeon_pm_init+0x142/0x760 [radeon]
[ 5.423212] cayman_init+0xec/0x2b0 [radeon]
[ 5.423342] radeon_device_init+0x563/0xba0 [radeon]
[ 5.423442] ? pci_find_capability+0x79/0xb0
[ 5.423448] radeon_driver_load_kms+0xa1/0x260 [radeon]
[ 5.423548] radeon_pci_probe+0xf6/0x1c0 [radeon]
[ 5.423647] local_pci_probe+0x42/0x90
[ 5.423652] pci_device_probe+0xda/0x2b0
[ 5.423656] ? sysfs_do_create_link_sd+0x6d/0xd0
[ 5.423662] really_probe+0xde/0x340
[ 5.423666] ? pm_runtime_barrier+0x55/0x90
[ 5.423670] __driver_probe_device+0x78/0x140
[ 5.423674] driver_probe_device+0x1f/0xa0
[ 5.423677] ? __pfx___driver_attach+0x10/0x10
[ 5.423680] __driver_attach+0xcb/0x1e0
[ 5.423684] bus_for_each_dev+0x85/0xd0
[ 5.423689] bus_add_driver+0x10b/0x1f0
[ 5.423695] ? __pfx_radeon_module_init+0x10/0x10 [radeon]
[ 5.423785] driver_register+0x75/0xe0
[ 5.423789] ? radeon_register_atpx_handler+0xe/0x30 [radeon]
[ 5.423898] do_one_initcall+0x5b/0x300
[ 5.423903] do_init_module+0x62/0x240
[ 5.423908] ? init_module_from_file+0x8a/0xe0
[ 5.423911] init_module_from_file+0x8a/0xe0
[ 5.423916] idempotent_init_module+0x114/0x310
[ 5.423921] __x64_sys_finit_module+0x6d/0xd0
[ 5.423925] do_syscall_64+0x81/0x970
[ 5.423931] ? __x64_sys_pread64+0x9c/0xd0
[ 5.423936] ? do_syscall_64+0xb9/0x970
[ 5.423939] ? alloc_fd+0x12e/0x190
[ 5.423944] ? do_sys_openat2+0xa2/0xe0
[ 5.423949] ? __x64_sys_openat+0x61/0xa0
[ 5.423953] ? do_syscall_64+0xb9/0x970
[ 5.423956] ? __x64_sys_openat+0x61/0xa0
[ 5.423960] ? do_syscall_64+0xb9/0x970
[ 5.423964] ? do_syscall_64+0xb9/0x970
[ 5.423967] ? restore_fpregs_from_fpstate+0x46/0xa0
[ 5.423973] ? switch_fpu_return+0x5b/0xe0
[ 5.423977] ? do_syscall_64+0x233/0x970
[ 5.423980] ? do_syscall_64+0xb9/0x970
[ 5.423983] ? do_user_addr_fault+0x21a/0x690
[ 5.423988] ? exc_page_fault+0x7e/0x1a0
[ 5.423992] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 5.423996] RIP: 0033:0x7f95a0a75779
[ 5.424000] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00
00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24
08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 4f 86 0d 00 f7 d8 64 89
01 48
[ 5.424003] RSP: 002b:00007ffd7a6a4738 EFLAGS: 00000246 ORIG_RAX:
0000000000000139
[ 5.424007] RAX: ffffffffffffffda RBX: 0000557d39210560 RCX: 00007f95a0a75779
[ 5.424009] RDX: 0000000000000004 RSI: 00007f959ffd344d RDI: 0000000000000044
[ 5.424011] RBP: 0000000000000004 R08: 0000000000000000 R09: 0000557d39193500
[ 5.424013] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f959ffd344d
[ 5.424014] R13: 0000000000020000 R14: 0000557d39197fb0 R15: 0000000000000000
[ 5.424018] </TASK>
[ 5.424019] ---[ end trace ]---
[ 5.424096] ------------[ cut here ]------------
[ 5.424112] CPU: 1 UID: 0 PID: 174 Comm: (udev-worker) Not tainted
6.17.11-rc1+ #1 PREEMPT(lazy)
[ 5.424116] Hardware name: System manufacturer System Product
Name/F2A55-M LK2 PLUS, BIOS 0403 12/06/2012
[ 5.424117] Call Trace:
[ 5.424119] <TASK>
[ 5.424120] dump_stack_lvl+0x5d/0x80
[ 5.424124] ubsan_epilogue+0x5/0x2b
[ 5.424128] __ubsan_handle_out_of_bounds.cold+0x54/0x59
[ 5.424133] trinity_dpm_init+0x94c/0x9c0 [radeon]
[ 5.424254] radeon_pm_init+0x53c/0x760 [radeon]
[ 5.424378] cayman_init+0xec/0x2b0 [radeon]
[ 5.424506] radeon_device_init+0x563/0xba0 [radeon]
[ 5.424600] ? pci_find_capability+0x79/0xb0
[ 5.424607] radeon_driver_load_kms+0xa1/0x260 [radeon]
[ 5.424705] radeon_pci_probe+0xf6/0x1c0 [radeon]
[ 5.424795] local_pci_probe+0x42/0x90
[ 5.424799] pci_device_probe+0xda/0x2b0
[ 5.424802] ? sysfs_do_create_link_sd+0x6d/0xd0
[ 5.424806] really_probe+0xde/0x340
[ 5.424809] ? pm_runtime_barrier+0x55/0x90
[ 5.424812] __driver_probe_device+0x78/0x140
[ 5.424814] driver_probe_device+0x1f/0xa0
[ 5.424817] ? __pfx___driver_attach+0x10/0x10
[ 5.424819] __driver_attach+0xcb/0x1e0
[ 5.424821] bus_for_each_dev+0x85/0xd0
[ 5.424825] bus_add_driver+0x10b/0x1f0
[ 5.424829] ? __pfx_radeon_module_init+0x10/0x10 [radeon]
[ 5.424907] driver_register+0x75/0xe0
[ 5.424910] ? radeon_register_atpx_handler+0xe/0x30 [radeon]
[ 5.425004] do_one_initcall+0x5b/0x300
[ 5.425009] do_init_module+0x62/0x240
[ 5.425012] ? init_module_from_file+0x8a/0xe0
[ 5.425015] init_module_from_file+0x8a/0xe0
[ 5.425018] idempotent_init_module+0x114/0x310
[ 5.425021] __x64_sys_finit_module+0x6d/0xd0
[ 5.425024] do_syscall_64+0x81/0x970
[ 5.425028] ? __x64_sys_pread64+0x9c/0xd0
[ 5.425032] ? do_syscall_64+0xb9/0x970
[ 5.425034] ? alloc_fd+0x12e/0x190
[ 5.425036] ? do_sys_openat2+0xa2/0xe0
[ 5.425040] ? __x64_sys_openat+0x61/0xa0
[ 5.425043] ? do_syscall_64+0xb9/0x970
[ 5.425045] ? __x64_sys_openat+0x61/0xa0
[ 5.425048] ? do_syscall_64+0xb9/0x970
[ 5.425051] ? do_syscall_64+0xb9/0x970
[ 5.425053] ? restore_fpregs_from_fpstate+0x46/0xa0
[ 5.425057] ? switch_fpu_return+0x5b/0xe0
[ 5.425060] ? do_syscall_64+0x233/0x970
[ 5.425062] ? do_syscall_64+0xb9/0x970
[ 5.425064] ? do_user_addr_fault+0x21a/0x690
[ 5.425067] ? exc_page_fault+0x7e/0x1a0
[ 5.425070] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 5.425073] RIP: 0033:0x7f95a0a75779
[ 5.425076] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00
00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24
08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 4f 86 0d 00 f7 d8 64 89
01 48
[ 5.425079] RSP: 002b:00007ffd7a6a4738 EFLAGS: 00000246 ORIG_RAX:
0000000000000139
[ 5.425082] RAX: ffffffffffffffda RBX: 0000557d39210560 RCX: 00007f95a0a75779
[ 5.425083] RDX: 0000000000000004 RSI: 00007f959ffd344d RDI: 0000000000000044
[ 5.425085] RBP: 0000000000000004 R08: 0000000000000000 R09: 0000557d39193500
[ 5.425086] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f959ffd344d
[ 5.425087] R13: 0000000000020000 R14: 0000557d39197fb0 R15: 0000000000000000
[ 5.425089] </TASK>
[ 5.425114] ---[ end trace ]---
[ 25.822123] clocksource: Long readout interval, skipping watchdog
check: cs_nsec: 5685587027 wd_nsec: 5685584899
[ 38.585559] at24 0-0050: supply vcc not found, using dummy regulator
[ 38.789287] at24 0-0051: supply vcc not found, using dummy regulator
[ 39.678107] asus_wmi: failed to register LPS0 sleep handler in a
---------------warn---------------------------
Version: AMD A4-4000 APU with Radeon(tm) HD Graphics
00:01.0 VGA compatible controller: Advanced Micro Devices, Inc.
[AMD/ATI] Trinity 2 [Radeon HD 7480D]
Tested-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in>
--
software engineer
rajagiri school of engineering and technology
^ permalink raw reply [flat|nested] 173+ messages in thread* Re: [PATCH 6.17 000/146] 6.17.11-rc1 review
2025-12-04 9:08 ` Jeffrin Thalakkottoor
@ 2025-12-04 16:16 ` Greg Kroah-Hartman
2025-12-05 8:20 ` Jeffrin Thalakkottoor
2025-12-05 11:51 ` Jeffrin Thalakkottoor
0 siblings, 2 replies; 173+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-04 16:16 UTC (permalink / raw)
To: Jeffrin Thalakkottoor
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Thu, Dec 04, 2025 at 02:38:10PM +0530, Jeffrin Thalakkottoor wrote:
> hello
>
> Compiled and booted 6.17.11-rc1+
>
> dmesg shows err and warn
Are these new from 6.17.10? if so, can you bisect to find the offending
commit?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 173+ messages in thread
* Re: [PATCH 6.17 000/146] 6.17.11-rc1 review
2025-12-04 16:16 ` Greg Kroah-Hartman
@ 2025-12-05 8:20 ` Jeffrin Thalakkottoor
2025-12-05 11:51 ` Jeffrin Thalakkottoor
1 sibling, 0 replies; 173+ messages in thread
From: Jeffrin Thalakkottoor @ 2025-12-05 8:20 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Thu, Dec 4, 2025 at 9:46 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> Are these new from 6.17.10? if so, can you bisect to find the offending
> commit?
>
> thanks,
>
> greg k-h
i Have not compiled 6.17.10
This machine is not the normal machine i compile for kernek testin
THis is a typically old processor and motherboard
But let me try to compile 6.17.10.
and see if i can do git bisec ( i kind of forgot .. i have to learn again)
anyway THANKSt
--
software engineer
rajagiri school of engineering and technology
^ permalink raw reply [flat|nested] 173+ messages in thread
* Re: [PATCH 6.17 000/146] 6.17.11-rc1 review
2025-12-04 16:16 ` Greg Kroah-Hartman
2025-12-05 8:20 ` Jeffrin Thalakkottoor
@ 2025-12-05 11:51 ` Jeffrin Thalakkottoor
2025-12-05 12:11 ` Slade Watkins
1 sibling, 1 reply; 173+ messages in thread
From: Jeffrin Thalakkottoor @ 2025-12-05 11:51 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Thu, Dec 4, 2025 at 9:46 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> On Thu, Dec 04, 2025 at 02:38:10PM +0530, Jeffrin Thalakkottoor wrote:
> > hello
> >
> > Compiled and booted 6.17.11-rc1+
> >
> > dmesg shows err and warn
>
> Are these new from 6.17.10? if so, can you bisect to find the offending
> commit?
>
> thanks,
>
> greg k-h
hello
6.17.10 has the same dmesg err and warn .
--
software engineer
rajagiri school of engineering and technology
^ permalink raw reply [flat|nested] 173+ messages in thread
* Re: [PATCH 6.17 000/146] 6.17.11-rc1 review
2025-12-05 11:51 ` Jeffrin Thalakkottoor
@ 2025-12-05 12:11 ` Slade Watkins
2025-12-05 16:19 ` Jeffrin Thalakkottoor
0 siblings, 1 reply; 173+ messages in thread
From: Slade Watkins @ 2025-12-05 12:11 UTC (permalink / raw)
To: Jeffrin Thalakkottoor, Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill
On December 5, 2025 6:51:36 AM EST, Jeffrin Thalakkottoor <jeffrin@rajagiritech.edu.in> wrote:
>On Thu, Dec 4, 2025 at 9:46 PM Greg Kroah-Hartman
><gregkh@linuxfoundation.org> wrote:
>>
>> On Thu, Dec 04, 2025 at 02:38:10PM +0530, Jeffrin Thalakkottoor wrote:
>> > hello
>> >
>> > Compiled and booted 6.17.11-rc1+
>> >
>> > dmesg shows err and warn
>>
>> Are these new from 6.17.10? if so, can you bisect to find the offending
>> commit?
>>
>> thanks,
>>
>> greg k-h
>
>hello
>
>6.17.10 has the same dmesg err and warn .
>
Hey Jeffrin,
Can you please bisect and find the offending commit? We'd love to figure this out, but can't do much of anything with no information from you.
Reading your previous emails on this, it seems like you're using a different machine. Have you run this on your usual machine to see if it builds?
Thanks,
Slade
Sent from my Pixel 10 Pro XL
^ permalink raw reply [flat|nested] 173+ messages in thread
* Re: [PATCH 6.17 000/146] 6.17.11-rc1 review
2025-12-05 12:11 ` Slade Watkins
@ 2025-12-05 16:19 ` Jeffrin Thalakkottoor
0 siblings, 0 replies; 173+ messages in thread
From: Jeffrin Thalakkottoor @ 2025-12-05 16:19 UTC (permalink / raw)
To: Slade Watkins
Cc: Greg Kroah-Hartman, stable, patches, linux-kernel, torvalds, akpm,
linux, shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill
On Fri, Dec 5, 2025 at 5:41 PM Slade Watkins <sr@sladewatkins.com> wrote:
>
>
>
> On December 5, 2025 6:51:36 AM EST, Jeffrin Thalakkottoor <jeffrin@rajagiritech.edu.in> wrote:
> >On Thu, Dec 4, 2025 at 9:46 PM Greg Kroah-Hartman
> ><gregkh@linuxfoundation.org> wrote:
> >>
> >> On Thu, Dec 04, 2025 at 02:38:10PM +0530, Jeffrin Thalakkottoor wrote:
> >> > hello
> >> >
> >> > Compiled and booted 6.17.11-rc1+
> >> >
> >> > dmesg shows err and warn
> >>
> >> Are these new from 6.17.10? if so, can you bisect to find the offending
> >> commit?
> >>
> >> thanks,
> >>
> >> greg k-h
> >
> >hello
> >
> >6.17.10 has the same dmesg err and warn .
> >
>
> Hey Jeffrin,
>
> Can you please bisect and find the offending commit? We'd love to figure this out, but can't do much of anything with no information from you.
>
> Reading your previous emails on this, it seems like you're using a different machine. Have you run this on your usual machine to see if it builds?
compiled and booted 6.17.11-rc1 on my laptop (typical usual machine)
no typical errors and typical warnings .
so the error has something to do with my Desktop
one thing i want to say is that my onboard graphics is connected to a vga port
which is converted to hdmi using a converter. video=VGA-1:1366x768@144.
--------my desktop ------------------
jeffrin@debian:~/kernel/linux-stable-rc$ sudo dmesg -l debug
[sudo] password for jeffrin:
[ 0.000000] e820: remove [mem 0xff000000-0xffffffff] reserved
[ 0.001421] e820: update [mem 0x00000000-0x00000fff] usable ==> reserved
[ 0.001425] e820: remove [mem 0x000a0000-0x000fffff] usable
[ 0.001653] e820: update [mem 0x9f800000-0xffffffff] usable ==> reserved
[ 0.025796] pcpu-alloc: s212992 r8192 d28672 u1048576 alloc=1*2097152
[ 0.025799] pcpu-alloc: [0] 0 1
[ 0.361824] PCI: pci_cache_line_size set to 64 bytes
[ 0.361824] e820: reserve RAM buffer [mem 0x9e5e4000-0x9fffffff]
[ 0.361824] e820: reserve RAM buffer [mem 0x9eeb7000-0x9fffffff]
[ 0.361824] e820: reserve RAM buffer [mem 0x9f4d3000-0x9fffffff]
[ 0.361824] e820: reserve RAM buffer [mem 0x9f800000-0x9fffffff]
[ 0.361824] e820: reserve RAM buffer [mem 0x23f000000-0x23fffffff]
[ 0.364954] pnp 00:06: [dma 0 disabled]
[ 1.132492] with arguments:
[ 1.132494] /init
[ 1.132496] with environment:
[ 1.132498] HOME=/
[ 1.132500] TERM=linux
[ 2.382115] QUIRK: Enable AMD PLL fix
[ 2.560086] libata version 3.00 loaded.
[ 3.420789] sd 0:0:0:0: [sda] Mode Sense: 00 3a 00 00
[ 3.648703] sr 1:0:0:0: Attached scsi CD-ROM sr0
[ 34.329828] PM: Image not found (code -22)
[ 49.778876] rfkill: input handler disabled
[ 61.785074] rfkill: input handler enabled
jeffrin@debian:~/kernel/linux-stable-rc$
-------------------my desktop---------------------
i have to find a kernel that works without the given err and warn related
please explain to me how to do git bisect with two sources( kernel x
and kernel y)
--
software engineer
rajagiri school of engineering and technology
^ permalink raw reply [flat|nested] 173+ messages in thread
* Re: [PATCH 6.17 000/146] 6.17.11-rc1 review
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2025-12-04 9:08 ` Jeffrin Thalakkottoor
@ 2025-12-04 9:50 ` Naresh Kamboju
2025-12-04 9:50 ` Peter Schneider
` (6 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Naresh Kamboju @ 2025-12-04 9:50 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Wed, 3 Dec 2025 at 21:19, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.17.11 release.
> There are 146 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 05 Dec 2025 15:23:16 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.11-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
## Build
* kernel: 6.17.11-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git commit: c434a9350a1d08ea6dff3ed87c9a6104e0641ecf
* git describe: v6.17.10-147-gc434a9350a1d
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.17.y/build/v6.17.10-147-gc434a9350a1d
## Test Regressions (compared to v6.17.9-177-g6c8c6a34f518)
## Metric Regressions (compared to v6.17.9-177-g6c8c6a34f518)
## Test Fixes (compared to v6.17.9-177-g6c8c6a34f518)
## Metric Fixes (compared to v6.17.9-177-g6c8c6a34f518)
## Test result summary
total: 123996, pass: 104773, fail: 4209, skip: 15014, xfail: 0
## Build Summary
* arc: 5 total, 5 passed, 0 failed
* arm: 139 total, 139 passed, 0 failed
* arm64: 57 total, 54 passed, 3 failed
* i386: 18 total, 18 passed, 0 failed
* mips: 34 total, 33 passed, 1 failed
* parisc: 4 total, 4 passed, 0 failed
* powerpc: 40 total, 39 passed, 1 failed
* riscv: 25 total, 25 passed, 0 failed
* s390: 22 total, 22 passed, 0 failed
* sh: 5 total, 5 passed, 0 failed
* sparc: 4 total, 3 passed, 1 failed
* x86_64: 49 total, 48 passed, 1 failed
## Test suites summary
* boot
* commands
* kselftest-arm64
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-efivarfs
* kselftest-exec
* kselftest-fpu
* kselftest-ftrace
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-kcmp
* kselftest-kvm
* kselftest-livepatch
* kselftest-membarrier
* kselftest-memfd
* kselftest-mincore
* kselftest-mm
* kselftest-mqueue
* kselftest-net
* kselftest-net-mptcp
* kselftest-openat2
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-rust
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-tc-testing
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user_events
* kselftest-vDSO
* kselftest-x86
* kunit
* kvm-unit-tests
* lava
* libgpiod
* libhugetlbfs
* log-parser-boot
* log-parser-build-clang
* log-parser-build-gcc
* log-parser-test
* ltp-capability
* ltp-commands
* ltp-containers
* ltp-controllers
* ltp-cpuhotplug
* ltp-crypto
* ltp-cve
* ltp-dio
* ltp-fcntl-locktests
* ltp-fs
* ltp-fs_bind
* ltp-fs_perms_simple
* ltp-hugetlb
* ltp-math
* ltp-mm
* ltp-nptl
* ltp-pty
* ltp-sched
* ltp-smoke
* ltp-syscalls
* ltp-tracing
* perf
* rcutorture
* rt-tests-cyclicdeadline
* rt-tests-pi-stress
* rt-tests-pmqtest
* rt-tests-rt-migrate-test
* rt-tests-signaltest
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 173+ messages in thread* Re: [PATCH 6.17 000/146] 6.17.11-rc1 review
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2025-12-04 9:50 ` Naresh Kamboju
@ 2025-12-04 9:50 ` Peter Schneider
2025-12-04 10:00 ` Jon Hunter
` (5 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Peter Schneider @ 2025-12-04 9:50 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
Am 03.12.2025 um 16:26 schrieb Greg Kroah-Hartman:
> This is the start of the stable review cycle for the 6.17.11 release.
> There are 146 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg oddities or regressions found.
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Beste Grüße,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
^ permalink raw reply [flat|nested] 173+ messages in thread* Re: [PATCH 6.17 000/146] 6.17.11-rc1 review
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2025-12-04 9:50 ` Peter Schneider
@ 2025-12-04 10:00 ` Jon Hunter
2025-12-04 10:27 ` Ron Economos
` (4 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Jon Hunter @ 2025-12-04 10:00 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
linux-tegra, stable
On Wed, 03 Dec 2025 16:26:18 +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.17.11 release.
> There are 146 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 05 Dec 2025 15:23:16 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.11-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v6.17:
10 builds: 10 pass, 0 fail
28 boots: 28 pass, 0 fail
120 tests: 120 pass, 0 fail
Linux version: 6.17.11-rc1-gc434a9350a1d
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra186-p3509-0000+p3636-0001, tegra194-p2972-0000,
tegra194-p3509-0000+p3668-0000, tegra20-ventana,
tegra210-p2371-2180, tegra210-p3450-0000,
tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 173+ messages in thread* Re: [PATCH 6.17 000/146] 6.17.11-rc1 review
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2025-12-04 10:00 ` Jon Hunter
@ 2025-12-04 10:27 ` Ron Economos
2025-12-04 10:36 ` Dileep malepu
` (3 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Ron Economos @ 2025-12-04 10:27 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
On 12/3/25 07:26, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.17.11 release.
> There are 146 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 05 Dec 2025 15:23:16 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.11-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 173+ messages in thread* Re: [PATCH 6.17 000/146] 6.17.11-rc1 review
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2025-12-04 10:27 ` Ron Economos
@ 2025-12-04 10:36 ` Dileep malepu
2025-12-04 11:29 ` Mark Brown
` (2 subsequent siblings)
159 siblings, 0 replies; 173+ messages in thread
From: Dileep malepu @ 2025-12-04 10:36 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Wed, Dec 3, 2025 at 9:44 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.17.11 release.
> There are 146 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 05 Dec 2025 15:23:16 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.11-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Build and Boot Report for 6.17.11-rc1
The kernel version 6.17.11 was built and boot-tested using qemu-x86_64
and qemu-arm64 with the default configuration (defconfig). The build and boot
processes completed successfully, and the kernel operated as expected
in the virtualized environments without any issues.
No dmesg regressions found.
Build Details :
Builds : arm64, x86_64
Kernel Version: 6.17.11
Configuration : defconfig
Source: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
Commit :
Tested-by: Dileep Malepu <dileep.debian@gmail.com>
Best regards,
Dileep Malepu.
^ permalink raw reply [flat|nested] 173+ messages in thread* Re: [PATCH 6.17 000/146] 6.17.11-rc1 review
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2025-12-04 10:36 ` Dileep malepu
@ 2025-12-04 11:29 ` Mark Brown
2025-12-05 9:35 ` Miguel Ojeda
2025-12-05 10:51 ` Brett A C Sheffield
159 siblings, 0 replies; 173+ messages in thread
From: Mark Brown @ 2025-12-04 11:29 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, achill, sr
[-- Attachment #1: Type: text/plain, Size: 346 bytes --]
On Wed, Dec 03, 2025 at 04:26:18PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.17.11 release.
> There are 146 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Tested-by: Mark Brown <broonie@kernel.org>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 173+ messages in thread* Re: [PATCH 6.17 000/146] 6.17.11-rc1 review
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2025-12-04 11:29 ` Mark Brown
@ 2025-12-05 9:35 ` Miguel Ojeda
2025-12-05 10:51 ` Brett A C Sheffield
159 siblings, 0 replies; 173+ messages in thread
From: Miguel Ojeda @ 2025-12-05 9:35 UTC (permalink / raw)
To: gregkh
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
Miguel Ojeda
On Wed, 03 Dec 2025 16:26:18 +0100 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.17.11 release.
> There are 146 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 05 Dec 2025 15:23:16 +0000.
> Anything received after that time might be too late.
Boot-tested under QEMU for Rust x86_64, arm64 and riscv64; built-tested
for arm and loongarch64:
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Thanks!
Cheers,
Miguel
^ permalink raw reply [flat|nested] 173+ messages in thread* Re: [PATCH 6.17 000/146] 6.17.11-rc1 review
2025-12-03 15:26 [PATCH 6.17 000/146] 6.17.11-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2025-12-05 9:35 ` Miguel Ojeda
@ 2025-12-05 10:51 ` Brett A C Sheffield
159 siblings, 0 replies; 173+ messages in thread
From: Brett A C Sheffield @ 2025-12-05 10:51 UTC (permalink / raw)
To: gregkh
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
Brett A C Sheffield
# Librecast Test Results
020/020 [ OK ] liblcrq
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast
CPU/kernel: Linux auntie 6.17.11-rc1-gc434a9350a1d #3 SMP PREEMPT_DYNAMIC Fri Dec 5 10:49:28 -00 2025 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux
Tested-by: Brett A C Sheffield <bacs@librecast.net>
^ permalink raw reply [flat|nested] 173+ messages in thread