* [PATCH 6.14 000/449] 6.14.3-rc1 review
@ 2025-04-17 17:44 Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 001/449] ASoC: Intel: adl: add 2xrt1316 audio configuration Greg Kroah-Hartman
` (455 more replies)
0 siblings, 456 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie
This is the start of the stable review cycle for the 6.14.3 release.
There are 449 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat, 19 Apr 2025 17:49:48 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.14.3-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.14.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.14.3-rc1
Arseniy Krasnov <avkrasnov@salutedevices.com>
Bluetooth: hci_uart: Fix another race during initialization
Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions()
Yi Liu <yi.l.liu@intel.com>
iommufd: Fail replace if device has not been attached
Nicolin Chen <nicolinc@nvidia.com>
iommufd: Make attach_handle generic than fault specific
Douglas Anderson <dianders@chromium.org>
arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists
Wen Gong <quic_wgong@quicinc.com>
wifi: ath11k: update channel list in worker when wait flag is set
Nícolas F. R. A. Prado <nfraprado@collabora.com>
thermal/drivers/mediatek/lvts: Disable Stage 3 thermal threshold
Nícolas F. R. A. Prado <nfraprado@collabora.com>
thermal/drivers/mediatek/lvts: Disable monitor mode during suspend
Kevin Hao <haokexin@gmail.com>
spi: fsl-qspi: Fix double cleanup in probe error path
Han Xu <han.xu@nxp.com>
spi: fsl-qspi: use devm function instead of driver remove
Cong Liu <liucong2@kylinos.cn>
selftests: mptcp: fix incorrect fd checks in main_loop
Geliang Tang <geliang@kernel.org>
selftests: mptcp: close fd_in before returning in main_loop
Jake Hillion <jake@hillion.co.uk>
sched_ext: create_dsq: Return -EEXIST on duplicate request
Sumanth Korikkar <sumanthk@linux.ibm.com>
s390: Fix linker error when -no-pie option is unavailable
David Hildenbrand <david@redhat.com>
s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues
Niklas Schnelle <schnelle@linux.ibm.com>
s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs
Steven Rostedt <rostedt@goodmis.org>
ring-buffer: Use flush_kernel_vmap_range() over flush_dcache_folio()
Peter Griffin <peter.griffin@linaro.org>
pinctrl: samsung: add support for eint_fltcon_offset
Stephan Gerhold <stephan.gerhold@linaro.org>
pinctrl: qcom: Clear latched interrupt status when changing IRQ type
Stefan Eichenberger <stefan.eichenberger@toradex.com>
phy: freescale: imx8m-pcie: assert phy reset and perst in power off
Philipp Stanner <phasta@kernel.org>
PCI: Fix wrong length of devres array
Ma Ke <make24@iscas.ac.cn>
PCI: Fix reference leak in pci_register_host_bridge()
Ma Ke <make24@iscas.ac.cn>
PCI: Fix reference leak in pci_alloc_child_bus()
Lukas Wunner <lukas@wunner.de>
PCI: pciehp: Avoid unnecessary device replacement check
Ioana Ciornei <ioana.ciornei@nxp.com>
PCI: layerscape: Fix arg_count to syscon_regmap_lookup_by_phandle_args()
Siddharth Vadapalli <s-vadapalli@ti.com>
PCI: j721e: Fix the value of .linkdown_irq_regfield for J784S4
Stanimir Varbanov <svarbanov@suse.de>
PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe()
Zijun Hu <quic_zijuhu@quicinc.com>
of/irq: Fix device node refcount leakages in of_irq_init()
Zijun Hu <quic_zijuhu@quicinc.com>
of/irq: Fix device node refcount leakage in API irq_of_parse_and_map()
Zijun Hu <quic_zijuhu@quicinc.com>
of/irq: Fix device node refcount leakages in of_irq_count()
Zijun Hu <quic_zijuhu@quicinc.com>
of/irq: Fix device node refcount leakage in API of_irq_parse_raw()
Zijun Hu <quic_zijuhu@quicinc.com>
of/irq: Fix device node refcount leakage in API of_irq_parse_one()
Fedor Pchelkin <pchelkin@ispras.ru>
ntb: use 64-bit arithmetic for the MSI doorbell mask
Haiyang Zhang <haiyangz@microsoft.com>
net: mana: Switch to page pool for jumbo frames
Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type
Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error
Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error
Mickaël Salaün <mic@digikod.net>
selftests/landlock: Add a new test for setuid()
Mickaël Salaün <mic@digikod.net>
selftests/landlock: Split signal_scoping_threads tests
Mickaël Salaün <mic@digikod.net>
landlock: Prepare to add second errata
Mickaël Salaün <mic@digikod.net>
landlock: Always allow signals between threads of the same process
Mickaël Salaün <mic@digikod.net>
landlock: Add erratum for TCP fix
Mickaël Salaün <mic@digikod.net>
landlock: Add the errata interface
Mickaël Salaün <mic@digikod.net>
landlock: Move code to ease future backports
Tudor Ambarus <tudor.ambarus@linaro.org>
scsi: ufs: qcom: fix dev reference leaked through of_qcom_ice_get
Sean Christopherson <seanjc@google.com>
KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses
Sean Christopherson <seanjc@google.com>
KVM: x86: Explicitly zero-initialize on-stack CPUID unions
Amit Machhiwal <amachhiw@linux.ibm.com>
KVM: PPC: Enable CAP_SPAPR_TCE_VFIO on pSeries KVM guests
Sean Christopherson <seanjc@google.com>
KVM: Allow building irqbypass.ko as as module when kvm.ko is a module
Joshua Washington <joshwash@google.com>
gve: handle overflow when reporting TX consumed descriptors
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
gpio: zynq: Fix wakeup source leaks on device unbind
Guixin Liu <kanie@linux.alibaba.com>
gpio: tegra186: fix resource handling in ACPI probe path
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
gpio: mpc8xxx: Fix wakeup source leaks on device unbind
Bernd Schubert <bschubert@ddn.com>
fuse: {io-uring} Fix a possible req cancellation race
Andy Chiu <andybnac@gmail.com>
ftrace: Properly merge notrace hashes
zhoumin <teczm@foxmail.com>
ftrace: Add cond_resched() to ftrace_graph_set_hash()
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
firmware: cs_dsp: test_control_parse: null-terminate test strings
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
dt-bindings: coresight: qcom,coresight-tpdm: Fix too many 'reg'
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
dt-bindings: coresight: qcom,coresight-tpda: Fix too many 'reg'
Mikulas Patocka <mpatocka@redhat.com>
dm-verity: fix prefetch-vs-suspend race
Jo Van Bulck <jo.vanbulck@kuleuven.be>
dm-integrity: fix non-constant-time tag verification
Mikulas Patocka <mpatocka@redhat.com>
dm-integrity: set ti->error on memory allocation failure
Mikulas Patocka <mpatocka@redhat.com>
dm-ebs: fix prefetch-vs-suspend race
Alexander Aring <aahringo@redhat.com>
dlm: fix error if active rsb is not hashed
Alexander Aring <aahringo@redhat.com>
dlm: fix error if inactive rsb is not hashed
Dionna Glaze <dionnaglaze@google.com>
crypto: ccp - Fix uAPI definitions of PSP errors
Tom Lendacky <thomas.lendacky@amd.com>
crypto: ccp - Fix check for the primary ASP device
Taniya Das <quic_tdas@quicinc.com>
clk: qcom: gdsc: Set retain_ff before moving to HW CTRL
Bryan O'Donoghue <bryan.odonoghue@linaro.org>
clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code
Bryan O'Donoghue <bryan.odonoghue@linaro.org>
clk: qcom: gdsc: Release pm subdomains in reverse add order
Ajit Pandey <quic_ajipan@quicinc.com>
clk: qcom: clk-branch: Fix invert halt status bit check for votable clocks
Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
clk: renesas: r9a07g043: Fix HP clock source for RZ/Five
Pali Rohár <pali@kernel.org>
cifs: Ensure that all non-client-specific reparse points are processed by the server
Roman Smirnov <r.smirnov@omp.ru>
cifs: fix integer overflow in match_server()
Alexandra Diupina <adiupina@astralinux.ru>
cifs: avoid NULL pointer dereference in dbg call
Aman <aman1@microsoft.com>
CIFS: Propagate min offload along with other parameters from primary to secondary channels.
Trevor Woerner <twoerner@gmail.com>
thermal/drivers/rockchip: Add missing rk3328 mapping entry
Steven Rostedt <rostedt@goodmis.org>
tracing: Do not add length to print format in synthetic events
Masami Hiramatsu (Google) <mhiramat@kernel.org>
tracing: fprobe events: Fix possible UAF on modules
Masami Hiramatsu (Google) <mhiramat@kernel.org>
tracing: fprobe: Fix to lock module while registering fprobe
Andrii Nakryiko <andrii@kernel.org>
uprobes: Avoid false-positive lockdep splat on CONFIG_PREEMPT_RT=y in the ri_timer() uprobe timer callback, use raw_write_seqcount_*()
Roger Pau Monne <roger.pau@citrix.com>
x86/xen: fix balloon target initialization for PVH dom0
Ricardo Cañuelo Navarro <rcn@igalia.com>
sctp: detect and prevent references to a freed transport in sendmsg
Jinjiang Tu <tujinjiang@huawei.com>
mm/hwpoison: introduce folio_contain_hwpoisoned_page() helper
Marc Herbert <Marc.Herbert@linux.intel.com>
mm/hugetlb: move hugetlb_sysctl_init() to the __init section
Shuai Xue <xueshuai@linux.alibaba.com>
mm/hwpoison: do not send SIGBUS to processes with recovered clean pages
Peter Xu <peterx@redhat.com>
mm/userfaultfd: fix release hang over concurrent GUP
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
mm/mremap: correctly handle partial mremap() of VMA starting at 0
Ryan Roberts <ryan.roberts@arm.com>
mm: fix lazy mmu docs and usage
Jane Chu <jane.chu@oracle.com>
mm: make page_mapped_in_vma() hugetlb walk aware
David Hildenbrand <david@redhat.com>
mm/rmap: reject hugetlb folios in folio_make_device_exclusive()
SeongJae Park <sj@kernel.org>
mm/damon: avoid applying DAMOS action to same entity multiple times
Usama Arif <usamaarif642@gmail.com>
mm/damon/ops: have damon_get_folio return folio even for tail pages
Kuniyuki Iwashima <kuniyu@amazon.com>
net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.
Ryan Roberts <ryan.roberts@arm.com>
sparc/mm: avoid calling arch_enter/leave_lazy_mmu() in set_ptes
Ryan Roberts <ryan.roberts@arm.com>
sparc/mm: disable preemption in lazy mmu mode
Sean Christopherson <seanjc@google.com>
iommu/vt-d: Wire up irq_ack() to irq_move_irq() for posted MSIs
Lu Baolu <baolu.lu@linux.intel.com>
iommu/vt-d: Fix possible circular locking dependency
Sean Christopherson <seanjc@google.com>
iommu/vt-d: Don't clobber posted vCPU IRTE when host IRQ affinity changes
Sean Christopherson <seanjc@google.com>
iommu/vt-d: Put IRTE back into posted MSI mode if vCPU posting is disabled
Nicolin Chen <nicolinc@nvidia.com>
iommu/tegra241-cmdqv: Fix warnings due to dmam_free_coherent()
Nicolin Chen <nicolinc@nvidia.com>
iommufd: Fix uninitialized rc in iommufd_access_rw()
Johannes Thumshirn <johannes.thumshirn@wdc.com>
btrfs: zoned: fix zone finishing with missing devices
Johannes Thumshirn <johannes.thumshirn@wdc.com>
btrfs: zoned: fix zone activation with missing devices
Filipe Manana <fdmanana@suse.com>
btrfs: tests: fix chunk map leak after failure to add it to the tree
Filipe Manana <fdmanana@suse.com>
btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers
Herve Codina <herve.codina@bootlin.com>
backlight: led_bl: Hold led_access lock when calling led_sysfs_disable()
Peter Griffin <peter.griffin@linaro.org>
arm64: dts: exynos: gs101: disable pinctrl_gsacore node
Chen-Yu Tsai <wenst@chromium.org>
arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string
Nícolas F. R. A. Prado <nfraprado@collabora.com>
arm64: dts: mediatek: mt8188: Assign apll1 clock as parent to avoid hang
Siddharth Vadapalli <s-vadapalli@ti.com>
arm64: dts: ti: k3-j784s4-j742s2-main-common: Fix serdes_ln_ctrl reg-masks
Keerthy <j-keerthy@ti.com>
arm64: dts: ti: k3-j784s4-j742s2-main-common: Correct the GICD size
Zhenhua Huang <quic_zhenhuah@quicinc.com>
arm64: mm: Correct the update of max_pfn
Ninad Malwade <nmalwade@nvidia.com>
arm64: tegra: Remove the Orin NX/Nano suspend key
Keir Fraser <keirf@google.com>
arm64: mops: Do not dereference src reg for a set operation
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: spinand: Fix build with gcc < 7.5
Wentao Liang <vulab@iscas.ac.cn>
mtd: rawnand: Add status chack in r852_ready()
Wentao Liang <vulab@iscas.ac.cn>
mtd: inftlcore: Add error check for inftl_read_oob()
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: only inc MPJoinAckHMacFailure for HMAC failures
Gang Yan <yangang@kylinos.cn>
mptcp: fix NULL pointer in can_accept_new_subflow
T Pratham <t-pratham@ti.com>
lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets
Boqun Feng <boqun.feng@gmail.com>
locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class()
Kartik Rajput <kkartik@nvidia.com>
mailbox: tegra-hsp: Define dimensioning masks in SoC data
Chenyuan Yang <chenyuan0y@gmail.com>
mfd: ene-kb3930: Fix a potential NULL pointer dereference
Abel Vesa <abel.vesa@linaro.org>
leds: rgb: leds-qcom-lpg: Fix calculation of best period Hi-Res PWMs
Abel Vesa <abel.vesa@linaro.org>
leds: rgb: leds-qcom-lpg: Fix pwm resolution max for Hi-Res PWMs
Nathan Chancellor <nathan@kernel.org>
kbuild: Add '-fno-builtin-wcslen'
Kris Van Hees <kris.van.hees@oracle.com>
kbuild: exclude .rodata.(cst|str)* when building ranges
Jan Kara <jack@suse.cz>
jbd2: remove wrong sb->s_sequence check
Manjunatha Venkatesh <manjunatha.venkatesh@nxp.com>
i3c: Add NULL pointer check in i3c_master_queue_ibi()
Stanley Chu <yschu@nuvoton.com>
i3c: master: svc: Use readsb helper for reading MDB
Joe Damato <jdamato@fastly.com>
igc: Fix XSK queue NAPI ID mapping
Mimi Zohar <zohar@linux.ibm.com>
ima: limit the number of ToMToU integrity violations
Mimi Zohar <zohar@linux.ibm.com>
ima: limit the number of open-writers integrity violations
Steve French <stfrench@microsoft.com>
smb311 client: fix missing tcon check when mounting with linux/posix extensions
Chenyuan Yang <chenyuan0y@gmail.com>
soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()
Olga Kornievskaia <okorniev@redhat.com>
svcrdma: do not unregister device for listeners
Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
tpm: do not start chip while suspended
Jan Kara <jack@suse.cz>
udf: Fix inode_getblk() return value
Si-Wei Liu <si-wei.liu@oracle.com>
vdpa/mlx5: Fix oversized null mkey longer than 32bit
Yeongjin Gil <youngjin.gil@samsung.com>
f2fs: fix to avoid atomicity corruption of atomic file
Jaegeuk Kim <jaegeuk@kernel.org>
f2fs: fix the missing write pointer correction
Artem Sadovnikov <a.sadovnikov@ispras.ru>
ext4: fix off-by-one error in do_split
Jeff Hugo <quic_jhugo@quicinc.com>
bus: mhi: host: Fix race between unprepare and queue_buf
Eric Biggers <ebiggers@google.com>
arm64/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch()
Eric Biggers <ebiggers@google.com>
arm/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch()
Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
accel/ivpu: Fix deadlock in ivpu_ms_cleanup()
Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
accel/ivpu: Fix warning in ivpu_ipc_send_receive_internal()
Sharan Kumar M <sharweshraajan@gmail.com>
ALSA: hda/realtek: Enable Mute LED on HP OMEN 16 Laptop xd000xx
Alexey Klimov <alexey.klimov@linaro.org>
ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns.
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment.
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
ASoC: q6apm-dai: make use of q6apm_get_hw_pointer
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
ASoC: q6apm: add q6apm_get_hw_pointer helper
Haoxiang Li <haoxiang_li2024@163.com>
ASoC: codecs: wcd937x: fix a potential memory leak in wcd937x_soc_codec_probe()
Jens Axboe <axboe@kernel.dk>
io_uring/kbuf: reject zero sized provided buffers
Pavel Begunkov <asml.silence@gmail.com>
io_uring/net: fix io_req_post_cqe abuse by send bundle
Pavel Begunkov <asml.silence@gmail.com>
io_uring/net: fix accept multishot handling
Qingfang Deng <dqfext@gmail.com>
net: stmmac: Fix accessing freed irq affinity_hint
Ewan D. Milne <emilne@redhat.com>
scsi: lpfc: Restore clearing of NLP_UNREG_INP in ndlp->nlp_flag
Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
wifi: mt76: mt7925: update the power-saving flow
Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
wifi: mt76: mt7925: integrate *mlo_sta_cmd and *sta_cmd
Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
wifi: mt76: mt7925: adjust rm BSS flow to prevent next connection failure
Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
wifi: mt76: mt7925: fix the wrong simultaneous cap for MLO
Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
wifi: mt76: mt7925: fix the wrong link_idx when a p2p_device is present
Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
wifi: mt76: mt7925: fix country count limitation for CLC
Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
wifi: mt76: mt7925: ensure wow pattern command align fw format
Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
wifi: mac80211: fix integer overflow in hwmp_route_info_get()
Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
wifi: mt76: mt792x: re-register CHANCTX_STA_CSA only for the mt7921 series
Haoxiang Li <haoxiang_li2024@163.com>
wifi: mt76: Add check for devm_kstrdup()
Sean Wang <sean.wang@mediatek.com>
Revert "wifi: mt76: mt7925: Update mt7925_mcu_uni_[tx,rx]_ba for MLO"
Alexandre Torgue <alexandre.torgue@foss.st.com>
clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup
Jiasheng Jiang <jiashengjiangcool@gmail.com>
mtd: Replace kcalloc() with devm_kcalloc()
Marek Behún <kabel@kernel.org>
net: dsa: mv88e6xxx: fix internal PHYs for 6320 family
Marek Behún <kabel@kernel.org>
net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family
Jiasheng Jiang <jiashengjiangcool@gmail.com>
mtd: Add check for devm_kcalloc()
Ming Lei <ming.lei@redhat.com>
block: make sure ->nr_integrity_segments is cloned in blk_rq_prep_clone
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: sockopt: fix getting freebind & transparent
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: sockopt: fix getting IPV6_V6ONLY
Harshitha Ramamurthy <hramamurthy@google.com>
gve: unlink old napi only if page pool exists
Biju Das <biju.das.jz@bp.renesas.com>
irqchip/renesas-rzv2h: Fix wrong variable usage in rzv2h_tint_set_type()
Jackson.lee <jackson.lee@chipsnmedia.com>
media: chips-media: wave5: Fix timeout while testing 10bit hevc fluster
Jackson.lee <jackson.lee@chipsnmedia.com>
media: chips-media: wave5: Fix a hang after seeking
Jackson.lee <jackson.lee@chipsnmedia.com>
media: chips-media: wave5: Avoid race condition in the interrupt handler
Jackson.lee <jackson.lee@chipsnmedia.com>
media: chips-media: wave5: Fix gray color on screen
Sakari Ailus <sakari.ailus@linux.intel.com>
media: i2c: imx214: Rectify probe error handling related to runtime PM
Sakari Ailus <sakari.ailus@linux.intel.com>
media: i2c: imx219: Rectify runtime PM handling in probe and remove
Sakari Ailus <sakari.ailus@linux.intel.com>
media: i2c: imx319: Rectify runtime PM handling probe and remove
Vikash Garodia <quic_vgarodia@quicinc.com>
media: venus: hfi_parser: refactor hfi packet parsing logic
Vikash Garodia <quic_vgarodia@quicinc.com>
media: venus: hfi_parser: add check to avoid out of bound access
Ricardo Ribalda <ribalda@chromium.org>
media: nuvoton: Fix reference handling of ece_pdev
Ricardo Ribalda <ribalda@chromium.org>
media: nuvoton: Fix reference handling of ece_node
Sakari Ailus <sakari.ailus@linux.intel.com>
media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO
Sakari Ailus <sakari.ailus@linux.intel.com>
media: i2c: ov7251: Set enable GPIO low in probe
Sakari Ailus <sakari.ailus@linux.intel.com>
media: i2c: ccs: Set the device's runtime PM status correctly in probe
Sakari Ailus <sakari.ailus@linux.intel.com>
media: i2c: ccs: Set the device's runtime PM status correctly in remove
Sakari Ailus <sakari.ailus@linux.intel.com>
Revert "media: imx214: Fix the error handling in imx214_probe()"
Karina Yankevich <k.yankevich@omp.ru>
media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf()
Dave Stevenson <dave.stevenson@raspberrypi.com>
media: imx219: Adjust PLL settings based on the number of MIPI lanes
Dan Carpenter <dan.carpenter@linaro.org>
media: xilinx-tpg: fix double put in xtpg_parse_of()
Jiasheng Jiang <jiashengjiangcool@gmail.com>
media: platform: stm32: Add check for clk_enable()
Nicolas Dufresne <nicolas.dufresne@collabora.com>
media: visl: Fix ERANGE error when setting enum controls
Hans de Goede <hdegoede@redhat.com>
media: hi556: Fix memory leak (on error) in hi556_check_hwcfg()
Murad Masimov <m.masimov@mt-integration.ru>
media: streamzap: prevent processing IR data on URB failure
Hans de Goede <hdegoede@redhat.com>
media: ov08x40: Properly turn sensor on/off when runtime-suspended
Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
accel/ivpu: Fix PM related deadlocks in MS IOCTLs
Jonathan McDowell <noodles@meta.com>
tpm, tpm_tis: Fix timeout handling when waiting for TPM status
Kamal Dasu <kamal.dasu@broadcom.com>
mtd: rawnand: brcmnand: fix PM resume warning
Miquel Raynal <miquel.raynal@bootlin.com>
spi: cadence-qspi: Fix probe on AM62A LP SK
Oliver Upton <oliver.upton@linux.dev>
KVM: arm64: Set HCR_EL2.TID1 unconditionally
Will Deacon <will@kernel.org>
KVM: arm64: Tear down vGIC on failed vCPU creation
Douglas Anderson <dianders@chromium.org>
arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list
Douglas Anderson <dianders@chromium.org>
arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB
Douglas Anderson <dianders@chromium.org>
arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list
Douglas Anderson <dianders@chromium.org>
arm64: cputype: Add MIDR_CORTEX_A76AE
Akihiko Odaki <akihiko.odaki@daynix.com>
KVM: arm64: PMU: Set raw values from user to PM{C,I}NTEN{SET,CLR}, PMOVS{SET,CLR}
Jan Beulich <jbeulich@suse.com>
xenfs/xensyms: respect hypervisor's "next" indication
John Keeping <jkeeping@inmusicbrands.com>
media: rockchip: rga: fix rga offset lookup
Yuan Can <yuancan@huawei.com>
media: siano: Fix error handling in smsdvb_module_init()
Matthew Majewski <mattwmajewski@gmail.com>
media: vim2m: print device name after registering device
Vikash Garodia <quic_vgarodia@quicinc.com>
media: venus: hfi: add check to handle incorrect queue size
Vikash Garodia <quic_vgarodia@quicinc.com>
media: venus: hfi: add a check to handle OOB in sfr region
Bingbu Cao <bingbu.cao@intel.com>
media: intel/ipu6: set the dev_parent of video device to pdev
Martin Tůma <martin.tuma@digiteqautomotive.com>
media: mgb4: Fix switched CMT frequency range "magic values" sets
Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
media: i2c: adv748x: Fix test pattern selection mask
Martin Tůma <martin.tuma@digiteqautomotive.com>
media: mgb4: Fix CMT registers update logic
Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
media: uapi: rkisp1-config: Fix typo in extensible params example
Arnd Bergmann <arnd@arndb.de>
media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning
Jiasheng Jiang <jiashengjiangcool@gmail.com>
media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization
Alain Volmat <alain.volmat@foss.st.com>
dt-bindings: media: st,stmipid02: correct lane-polarities maxItems
Haoxiang Li <haoxiang_li2024@163.com>
auxdisplay: hd44780: Fix an API misuse in hd44780.c
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Fix set_device_control()
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Fix 90 degrees direction name North -> East
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Compute INFINITE value instead of using hardcoded 0xffff
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Clamp effect playback LOOP_COUNT value
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Rename two functions to align them with naming convention
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Remove redundant call to pidff_find_special_keys
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Support device error response from PID_BLOCK_LOAD
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Comment and code style update
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: hid-universal-pidff: Add Asetek wheelbases support
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Make sure to fetch pool before checking SIMULTANEOUS_MAX
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Factor out pool report fetch and remove excess declaration
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Use macros instead of hardcoded min/max values for shorts
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Simplify pidff_rescale_signed
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Move all hid-pidff definitions to a dedicated header
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Factor out code for setting gain
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Rescale time values to match field units
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Define values used in pidff_find_special_fields
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Simplify pidff_upload_effect function
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Completely rework and fix pidff_reset function
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Stop all effects before enabling actuators
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Clamp PERIODIC effect period to device's logical range
Niklas Schnelle <schnelle@linux.ibm.com>
s390/pci: Fix s390_mmio_read/write syscall page fault handling
Jann Horn <jannh@google.com>
ext4: don't treat fhandle lookup of ea_inode as FS corruption
Willem de Bruijn <willemb@google.com>
bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags
Sheng Yong <shengyong1@xiaomi.com>
erofs: set error to bio if file-backed IO fails
Uwe Kleine-König <u.kleine-koenig@baylibre.com>
pwm: stm32: Search an appropriate duty_cycle if period cannot be modified
Uwe Kleine-König <u.kleine-koenig@baylibre.com>
pwm: fsl-ftm: Handle clk_get_rate() returning 0
Uwe Kleine-König <u.kleine-koenig@baylibre.com>
pwm: rcar: Improve register calculation
Josh Poimboeuf <jpoimboe@kernel.org>
pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config()
Jonathan McDowell <noodles@meta.com>
tpm: End any active auth session before shutdown
Jonathan McDowell <noodles@meta.com>
tpm, tpm_tis: Workaround failed command reception on Infineon devices
Ayush Jain <Ayush.jain3@amd.com>
ktest: Fix Test Failures Due to Missing LOG_FILE Directories
Masami Hiramatsu (Google) <mhiramat@kernel.org>
tracing: probe-events: Add comments about entry data storing code
Masami Hiramatsu (Google) <mhiramat@kernel.org>
tracing: probe-events: Log error for exceeding the number of arguments
Leonid Arapov <arapovl839@gmail.com>
fbdev: omapfb: Add 'plane' value check
Niklas Schnelle <schnelle@linux.ibm.com>
s390/pci: Support mmap() of PCI resources except for ISM devices
Christian König <christian.koenig@amd.com>
drm/amdgpu: grab an additional reference on the gang fence v2
Ryo Takakura <ryotkkr98@gmail.com>
PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type
Philipp Stanner <phasta@kernel.org>
PCI: Check BAR index for validity
Emily Deng <Emily.Deng@amd.com>
drm/amdgpu: Fix the race condition for draining retry fault
Bjorn Helgaas <bhelgaas@google.com>
PCI: Enable Configuration RRS SV early
Ryan Seto <ryanseto@amd.com>
drm/amd/display: Prevent VStartup Overflow
Wentao Liang <vulab@iscas.ac.cn>
drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create()
Shawn Lin <shawn.lin@rock-chips.com>
PCI: Add Rockchip Vendor ID
Jani Nikula <jani.nikula@intel.com>
drm/rockchip: stop passing non struct drm_device to drm_err() and friends
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data
Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
drm/xe/xelp: Move Wa_16011163337 from tunings to workarounds
Philip Yang <Philip.Yang@amd.com>
drm/amdkfd: debugfs hang_hws skip GPU with MES
Philip Yang <Philip.Yang@amd.com>
drm/amdkfd: Fix pqm_destroy_queue race with GPU reset
Philip Yang <Philip.Yang@amd.com>
drm/amdkfd: Fix mode1 reset crash issue
David Yat Sin <David.YatSin@amd.com>
drm/amdkfd: clamp queue size to minimum
Lucas De Marchi <lucas.demarchi@intel.com>
drivers: base: devres: Allow to release group on device release
Mike Katsnelson <mike.katsnelson@amd.com>
drm/amd/display: stop DML2 from removing pipes based on planes
Michael Strauss <michael.strauss@amd.com>
drm/amd/display: Update FIXED_VS Link Rate Toggle Workaround Usage
Luca Ceresoli <luca.ceresoli@bootlin.com>
drm/bridge: panel: forbid initializing a panel with unknown connector type
Luca Ceresoli <luca.ceresoli@bootlin.com>
drm/debugfs: fix printk format for bridge index
Andrew Wyatt <fewtarius@steamfork.org>
drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel)
Andrew Wyatt <fewtarius@steamfork.org>
drm: panel-orientation-quirks: Add new quirk for GPD Win 2
Andrew Wyatt <fewtarius@steamfork.org>
drm: panel-orientation-quirks: Add quirk for AYA NEO Slide
Andrew Wyatt <fewtarius@steamfork.org>
drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB
Andrew Wyatt <fewtarius@steamfork.org>
drm: panel-orientation-quirks: Add support for AYANEO 2S
Philip Yang <Philip.Yang@amd.com>
drm/amdgpu: Unlocked unmap only clear page table leaves
Brendan Tam <Brendan.Tam@amd.com>
drm/amd/display: add workaround flag to link to force FFE preset
Sung Lee <Sung.Lee@amd.com>
drm/amd/display: Guard Possible Null Pointer Dereference
Zhikai Zhai <zhikai.zhai@amd.com>
drm/amd/display: Update Cursor request mode to the beginning prefetch always
Michal Wajdeczko <michal.wajdeczko@intel.com>
drm/xe/vf: Don't try to trigger a full GT reset if VF
Michal Wajdeczko <michal.wajdeczko@intel.com>
drm/xe/pf: Don't send BEGIN_ID if VF has no context/doorbells
Matt Atwood <matthew.s.atwood@intel.com>
drm/xe/ptl: Update the PTL pci id table
Shekhar Chauhan <shekhar.chauhan@intel.com>
drm/xe/bmg: Add new PCI IDs
Derek Foreman <derek.foreman@collabora.com>
drm/rockchip: Don't change hdmi reference clock rate
Dmitry Osipenko <dmitry.osipenko@collabora.com>
drm/virtio: Set missing bo->attached flag
Abhinav Kumar <quic_abhinavk@quicinc.com>
drm: allow encoder mode_set even when connectors change for crtc
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Bluetooth: qca: add WCN3950 support
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Bluetooth: qca: simplify WCN399x NVM loading
Janaki Ramaiah Thota <quic_janathot@quicinc.com>
Bluetooth: hci_qca: use the power sequencer for wcn6750
Jiande Lu <jiande.lu@mediatek.com>
Bluetooth: btusb: Add 2 HWIDs for MT7922
Arseniy Krasnov <avkrasnov@salutedevices.com>
Bluetooth: hci_uart: fix race during initialization
Zijun Hu <quic_zijuhu@quicinc.com>
Bluetooth: btusb: Add 13 USB device IDs for Qualcomm WCN785x
Kiran K <kiran.k@intel.com>
Bluetooth: btintel_pcie: Add device id of Whale Peak
Dorian Cruveiller <doriancruveiller@gmail.com>
Bluetooth: btusb: Add new VID/PID for WCN785x
Gabriele Paoloni <gpaoloni@redhat.com>
tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER
Stanislav Fomichev <sdf@fomichev.me>
net: vlan: don't propagate flags on open
Icenowy Zheng <uwu@icenowy.me>
wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table
Boris Burkov <boris@bur.io>
btrfs: harden block_group::bg_list against list_del() races
Huacai Chen <chenhuacai@kernel.org>
ahci: Marvell 88SE9215 controllers prefer DMA for ATAPI
Kai Mäkisara <Kai.Makisara@kolumbus.fi>
scsi: st: Fix array overflow in st_setup()
Philipp Hahn <phahn-oss@avm.de>
cdc_ether|r8152: ThinkPad Hybrid USB-C/A Dock quirk
Bhupesh <bhupesh@igalia.com>
ext4: ignore xattrs past end
Johannes Berg <johannes.berg@intel.com>
wifi: mac80211: fix userspace_selectors corruption
Chao Yu <chao@kernel.org>
Revert "f2fs: rebuild nat_bits during umount"
Ojaswin Mujoo <ojaswin@linux.ibm.com>
ext4: protect ext4_release_dquot against freezing
Daniel Kral <d.kral@proxmox.com>
ahci: add PCI ID for Marvell 88SE9215 SATA Controller
Martin Schiller <ms@dev.tdt.de>
net: sfp: add quirk for FS SFP-10GM-T copper SFP+ module
Chao Yu <chao@kernel.org>
f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()
Manish Dharanenthiran <quic_mdharane@quicinc.com>
wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi
Birger Koblitz <mail@birger-koblitz.de>
net: sfp: add quirk for 2.5G OEM BX SFP
Niklas Cassel <cassel@kernel.org>
ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode
Zenm Chen <zenmchen@gmail.com>
wifi: rtw88: Add support for Mercusys MA30N and D-Link DWA-T185 rev. A1
Edward Adam Davis <eadavis@qq.com>
jfs: add sanity check for agwidth in dbMount
Edward Adam Davis <eadavis@qq.com>
jfs: Prevent copying of nlink with value 0 from disk inode
Rand Deeb <rand.sec96@gmail.com>
fs/jfs: Prevent integer overflow in AG size calculation
Rand Deeb <rand.sec96@gmail.com>
fs/jfs: cast inactags to s64 to prevent potential overflow
Zhongqiu Han <quic_zhonhan@quicinc.com>
jfs: Fix uninit-value access of imap allocated in the diMount() function
Ciprian Marian Costea <ciprianmarian.costea@oss.nxp.com>
can: flexcan: add NXP S32G2/S32G3 SoC support
Ciprian Marian Costea <ciprianmarian.costea@oss.nxp.com>
can: flexcan: Add quirk to handle separate interrupt lines for mailboxes
Jason Xing <kerneljasonxing@gmail.com>
page_pool: avoid infinite loop to schedule delayed worker
Max Schulze <max.schulze@online.de>
net: usb: asix_devices: add FiberGecko DeviceID
Chaohai Chen <wdhh66@163.com>
scsi: target: spc: Fix RSOC parameter data header size
Miri Korenblit <miriam.rachel.korenblit@intel.com>
wifi: mac80211: ensure sdata->work is canceled before initialized.
Johannes Berg <johannes.berg@intel.com>
wifi: mac80211: add strict mode disabling workarounds
Chao Yu <chao@kernel.org>
f2fs: don't retry IO for corrupted data scenario
Pavel Begunkov <asml.silence@gmail.com>
net: page_pool: don't cast mp param to devmem
Ranjan Kumar <ranjan.kumar@broadcom.com>
scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue
Ranjan Kumar <ranjan.kumar@broadcom.com>
scsi: mpi3mr: Avoid reply queue full condition
Niklas Cassel <cassel@kernel.org>
ata: libata-core: Add 'external' to the libata.force kernel parameter
P Praneesh <quic_ppranees@quicinc.com>
wifi: ath12k: Avoid memory leak while enabling statistics
P Praneesh <quic_ppranees@quicinc.com>
wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process
Miaoqing Pan <quic_miaoqing@quicinc.com>
wifi: ath12k: fix memory leak in ath12k_pci_remove()
Miaoqing Pan <quic_miaoqing@quicinc.com>
wifi: ath11k: fix memory leak in ath11k_xxx_remove()
P Praneesh <quic_ppranees@quicinc.com>
wifi: ath11k: Fix DMA buffer allocation to resolve SWIOTLB issues
Dmitry Antipov <dmantipov@yandex.ru>
wifi: ath9k: use unsigned long for activity check timestamp
Hans de Goede <hdegoede@redhat.com>
platform/x86: x86-android-tablets: Add select POWER_SUPPLY to Kconfig
Syed Saba kareem <syed.sabakareem@amd.com>
ASoC: amd: yc: update quirk data for new Lenovo model
Chris Chiu <chris.chiu@canonical.com>
ALSA: hda/realtek: fix micmute LEDs on HP Laptops with ALC3247
Chris Chiu <chris.chiu@canonical.com>
ALSA: hda/realtek: fix micmute LEDs on HP Laptops with ALC3315
keenplify <keenplify@gmail.com>
ASoC: amd: Add DMI quirk for ACP6X mic support
Ricard Wanderlof <ricard2013@butoba.net>
ALSA: usb-audio: Fix CME quirk for UF series keyboards
Kaustabh Chakraborty <kauschluss@disroot.org>
mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves
Aakarsh Jain <aakarsh.jain@samsung.com>
media: s5p-mfc: Corrected NV12M/NV21M plane-sizes
Vishnu Sankar <vishnuocv@gmail.com>
HID: lenovo: Fix to ensure the data as __le32 instead of u32
Ricardo Ribalda <ribalda@chromium.org>
media: uvcvideo: Add quirk for Actions UVC05
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_audmix: register card device depends on 'dais' property
Maxim Mikityanskiy <maxtram95@gmail.com>
ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist
Maxim Mikityanskiy <maxtram95@gmail.com>
ALSA: hda: intel: Fix Optimus when GPU has no sound
Vijendar Mukunda <Vijendar.Mukunda@amd.com>
ASoC: amd: amd_sdw: Add quirks for Dell SKU's
Vijendar Mukunda <Vijendar.Mukunda@amd.com>
ASoC: amd: ps: use macro for ACP6.3 pci revision id
Tomasz Pakuła <forest10pl@gmail.com>
HID: pidff: Fix null pointer dereference in pidff_find_fields
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Add PERIODIC_SINE_ONLY quirk
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: Add hid-universal-pidff driver and supported device ids
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Add FIX_WHEEL_DIRECTION quirk
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Add hid_pidff_init_with_quirks and export as GPL symbol
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Add PERMISSIVE_CONTROL quirk
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Add MISSING_PBO quirk and its detection
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Add MISSING_DELAY quirk and its detection
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Do not send effect envelope if it's empty
Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
HID: pidff: Convert infinite length from Linux API to PID standard
Zhang Heng <zhangheng@kylinos.cn>
ASoC: SOF: topology: Use krealloc_array() to replace krealloc()
Daniel Schaefer <dhs@frame.work>
platform/chrome: cros_ec_lpc: Match on Framework ACPI device
Josh Poimboeuf <jpoimboe@kernel.org>
tracing: Disable branch profiling in noinstr code
Ingo Molnar <mingo@kernel.org>
zstd: Increase DYNAMIC_BMI2 GCC version cutoff from 4.8 to 11.0 to work around compiler segfault
Kees Cook <kees@kernel.org>
xen/mcelog: Add __nonstring annotations for unterminated strings
Douglas Anderson <dianders@chromium.org>
arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD
Mario Limonciello <mario.limonciello@amd.com>
cpufreq/amd-pstate: Invalidate cppc_req_cached during suspend
Paul E. McKenney <paulmck@kernel.org>
Flush console log from kernel_power_off()
Lizhi Xu <lizhi.xu@windriver.com>
PM: hibernate: Avoid deadlock in hibernate_compressor_param_set()
Yunhui Cui <cuiyunhui@bytedance.com>
perf/dwc_pcie: fix duplicate pci_dev devices
Yunhui Cui <cuiyunhui@bytedance.com>
perf/dwc_pcie: fix some unreleased resources
Mark Rutland <mark.rutland@arm.com>
perf: arm_pmu: Don't disable counter in armpmu_add()
Max Grobecker <max@grobecker.info>
x86/cpu: Don't clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine
Xin Li (Intel) <xin@zytor.com>
x86/ia32: Leave NULL selector values 0~3 unchanged
Uros Bizjak <ubizjak@gmail.com>
x86/percpu: Disable named address spaces for UBSAN_BOOL with KASAN for GCC < 14.2
Matthew Wilcox (Oracle) <willy@infradead.org>
x86/mm: Clear _PAGE_DIRTY for kernel mappings when we clear _PAGE_RW
Dmitry Osipenko <dmitry.osipenko@collabora.com>
irqchip/gic-v3: Add Rockchip 3568002 erratum workaround
Zhongqiu Han <quic_zhonhan@quicinc.com>
pm: cpupower: bench: Prevent NULL dereference on malloc failure
Paul E. McKenney <paulmck@kernel.org>
srcu: Force synchronization for srcu_get_delay()
Trond Myklebust <trond.myklebust@hammerspace.com>
umount: Allow superblock owners to force umount
Mateusz Guzik <mjguzik@gmail.com>
fs: consistently deref the files table with rcu_dereference_raw()
Frederic Weisbecker <frederic@kernel.org>
perf: Fix hang while freeing sigtrap event
Peter Zijlstra <peterz@infradead.org>
perf/core: Simplify the perf_event_alloc() error path
Jiawen Wu <jiawenwu@trustnetic.com>
net: libwx: Fix the wrong Rx descriptor field
Louis-Alexis Eyraud <louisalexis.eyraud@collabora.com>
iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group
Marek Szyprowski <m.szyprowski@samsung.com>
iommu/exynos: Fix suspend/resume with IDENTITY domain
Ido Schimmel <idosch@nvidia.com>
ethtool: cmis_cdb: Fix incorrect read / write length extension
Florian Westphal <fw@strlen.de>
nft_set_pipapo: fix incorrect avx2 match of 5th field octet
Arnaud Lecomte <contact@arnaud-lcm.com>
net: ppp: Add bound checking for skb data on ppp_sync_txmung
Ido Schimmel <idosch@nvidia.com>
ipv6: Align behavior across nexthops during path selection
Vladimir Oltean <vladimir.oltean@nxp.com>
net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY
Vladimir Oltean <vladimir.oltean@nxp.com>
net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend()
Paulo Alcantara <pc@manguebit.com>
smb: client: fix UAF in decryption with multichannel
Dave Hansen <dave.hansen@linux.intel.com>
x86/cpu: Avoid running off the end of an AMD erratum table
Octavian Purdila <tavip@google.com>
net_sched: sch_sfq: move the limit validation
Octavian Purdila <tavip@google.com>
net_sched: sch_sfq: use a temporary work area for validating configuration
Daniel Wagner <wagi@kernel.org>
nvmet-fcloop: swap list_add_tail arguments
Thomas Richter <tmricht@linux.ibm.com>
s390/cpumf: Fix double free on error in cpumf_pmu_event_init()
Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
drm/i915/huc: Fix fence not released on early probe errors
Wentao Liang <vulab@iscas.ac.cn>
ata: sata_sx4: Add error handling in pdc20621_i2c_read()
Pali Rohár <pali@kernel.org>
cifs: Fix support for WSL-style symlinks
Chenyuan Yang <chenyuan0y@gmail.com>
net: libwx: handle page_pool_dev_alloc_pages error
Maxime Ripard <mripard@kernel.org>
drm/tests: probe-helper: Fix drm_display_mode memory leak
Maxime Ripard <mripard@kernel.org>
drm/tests: modes: Fix drm_display_mode memory leak
Maxime Ripard <mripard@kernel.org>
drm/tests: cmdline: Fix drm_display_mode memory leak
Maxime Ripard <mripard@kernel.org>
drm/tests: helpers: Create kunit helper to destroy a drm_display_mode
Maxime Ripard <mripard@kernel.org>
drm/tests: modeset: Fix drm_display_mode memory leak
Maxime Chevallier <maxime.chevallier@bootlin.com>
net: ethtool: Don't call .cleanup_data when prepare_data fails
Toke Høiland-Jørgensen <toke@redhat.com>
tc: Ensure we have enough buffer space when sending filter netlink notifications
Hariprasad Kelam <hkelam@marvell.com>
octeontx2-pf: qos: fix VF root node parent queue index
Jakub Kicinski <kuba@kernel.org>
net: tls: explicitly disallow disconnect
Cong Wang <xiyou.wangcong@gmail.com>
codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()
Tung Nguyen <tung.quang.nguyen@est.tech>
tipc: fix memory leak in tipc_link_xmit
Josh Poimboeuf <jpoimboe@kernel.org>
objtool: Fix INSN_CONTEXT_SWITCH handling in validate_unret()
Henry Martin <bsdhenrymartin@gmail.com>
ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe()
Rodrigo Vivi <rodrigo.vivi@intel.com>
drm/xe: Restore EIO errno return when GuC PC start fails
Tejas Upadhyay <tejas.upadhyay@intel.com>
drm/xe/hw_engine: define sysfs_ops on all directories
Taehee Yoo <ap420073@gmail.com>
net: ethtool: fix ethtool_ringparam_get_cfg() returns a hds_thresh value always as 0.
Petr Vaněk <arkamar@atlas.cz>
x86/acpi: Don't limit CPUs to 1 for Xen PV guests due to disabled ACPI
Badal Nilawar <badal.nilawar@intel.com>
drm/i915: Disable RPG during live selftest
Vivek Kasireddy <vivek.kasireddy@intel.com>
drm/virtio: Fix flickering issue seen with imported dmabufs
Ming Lei <ming.lei@redhat.com>
ublk: fix handling recovery & reissue in ublk_abort_queue()
Edward Liaw <edliaw@google.com>
selftests/futex: futex_waitv wouldblock test should fail
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
gpiolib: of: Fix the choice for Ingenic NAND quirk
Masami Hiramatsu (Google) <mhiramat@kernel.org>
tracing: fprobe: Cleanup fprobe hash when module unloading
Waiman Long <longman@redhat.com>
cgroup/cpuset: Fix race between newly created partition and dying one
Waiman Long <longman@redhat.com>
cgroup/cpuset: Fix error handling in remote_partition_disable()
Waiman Long <longman@redhat.com>
cgroup/cpuset: Fix incorrect isolated_cpus update in update_parent_effective_cpumask()
Bard Liao <yung-chuan.liao@linux.intel.com>
ASoC: Intel: adl: add 2xrt1316 audio configuration
-------------
Diffstat:
Documentation/admin-guide/kernel-parameters.txt | 2 +
Documentation/arch/arm64/silicon-errata.rst | 2 +
.../bindings/arm/qcom,coresight-tpda.yaml | 3 +-
.../bindings/arm/qcom,coresight-tpdm.yaml | 3 +-
.../bindings/media/i2c/st,st-mipid02.yaml | 2 +-
Makefile | 7 +-
arch/arm/lib/crc-t10dif-glue.c | 4 +-
arch/arm64/Kconfig | 9 +
arch/arm64/boot/dts/exynos/google/gs101.dtsi | 1 +
arch/arm64/boot/dts/mediatek/mt8173.dtsi | 6 +-
arch/arm64/boot/dts/mediatek/mt8188.dtsi | 2 +-
.../boot/dts/nvidia/tegra234-p3768-0000+p3767.dtsi | 7 -
.../boot/dts/ti/k3-j784s4-j742s2-main-common.dtsi | 6 +-
arch/arm64/include/asm/cputype.h | 4 +
arch/arm64/include/asm/kvm_arm.h | 4 +-
arch/arm64/include/asm/spectre.h | 1 -
arch/arm64/include/asm/traps.h | 4 +-
arch/arm64/kernel/proton-pack.c | 208 ++++----
arch/arm64/kvm/arm.c | 6 +-
arch/arm64/kvm/sys_regs.c | 204 ++++----
arch/arm64/lib/crc-t10dif-glue.c | 4 +-
arch/arm64/mm/mmu.c | 3 +-
arch/powerpc/kvm/powerpc.c | 5 +-
arch/s390/Kconfig | 4 +-
arch/s390/Makefile | 2 +-
arch/s390/include/asm/pci.h | 3 +
arch/s390/kernel/perf_cpum_cf.c | 9 +-
arch/s390/kernel/perf_cpum_sf.c | 3 -
arch/s390/pci/Makefile | 2 +-
arch/s390/pci/pci_bus.c | 3 +
arch/s390/pci/pci_fixup.c | 23 +
arch/s390/pci/pci_mmio.c | 18 +-
arch/sparc/include/asm/pgtable_64.h | 2 -
arch/sparc/mm/tlb.c | 5 +-
arch/x86/Kbuild | 4 +
arch/x86/Kconfig | 20 +-
arch/x86/coco/sev/core.c | 2 -
arch/x86/kernel/acpi/boot.c | 11 +
arch/x86/kernel/cpu/amd.c | 3 +-
arch/x86/kernel/e820.c | 17 +-
arch/x86/kernel/head64.c | 2 -
arch/x86/kernel/signal_32.c | 62 ++-
arch/x86/kvm/cpuid.c | 8 +-
arch/x86/kvm/x86.c | 4 +
arch/x86/mm/kasan_init_64.c | 1 -
arch/x86/mm/mem_encrypt_amd.c | 2 -
arch/x86/mm/mem_encrypt_identity.c | 2 -
arch/x86/mm/pat/set_memory.c | 6 +-
arch/x86/xen/enlighten.c | 10 +
arch/x86/xen/setup.c | 3 -
block/blk-mq.c | 1 +
drivers/accel/ivpu/ivpu_debugfs.c | 4 +-
drivers/accel/ivpu/ivpu_ipc.c | 3 +-
drivers/accel/ivpu/ivpu_ms.c | 24 +
drivers/acpi/Makefile | 4 +
drivers/ata/ahci.c | 11 +
drivers/ata/ahci.h | 1 +
drivers/ata/libahci.c | 4 +
drivers/ata/libata-core.c | 38 ++
drivers/ata/libata-eh.c | 11 +-
drivers/ata/pata_pxa.c | 6 +
drivers/ata/sata_sx4.c | 13 +-
drivers/auxdisplay/hd44780.c | 4 +-
drivers/base/devres.c | 7 +
drivers/block/ublk_drv.c | 30 +-
drivers/bluetooth/btintel_pcie.c | 1 +
drivers/bluetooth/btqca.c | 27 +-
drivers/bluetooth/btqca.h | 4 +
drivers/bluetooth/btusb.c | 32 ++
drivers/bluetooth/hci_ldisc.c | 19 +-
drivers/bluetooth/hci_qca.c | 27 +-
drivers/bluetooth/hci_uart.h | 1 +
drivers/bus/mhi/host/main.c | 16 +-
drivers/char/tpm/tpm-chip.c | 6 +
drivers/char/tpm/tpm-interface.c | 7 -
drivers/char/tpm/tpm_tis_core.c | 20 +-
drivers/char/tpm/tpm_tis_core.h | 1 +
drivers/clk/qcom/clk-branch.c | 4 +-
drivers/clk/qcom/gdsc.c | 61 ++-
drivers/clk/renesas/r9a07g043-cpg.c | 7 +
drivers/clocksource/timer-stm32-lp.c | 4 +-
drivers/cpufreq/amd-pstate.c | 5 +-
drivers/cpuidle/Makefile | 3 +
drivers/crypto/ccp/sp-pci.c | 15 +-
.../cirrus/test/cs_dsp_test_control_parse.c | 51 +-
drivers/gpio/gpio-mpc8xxx.c | 4 +-
drivers/gpio/gpio-tegra186.c | 25 +-
drivers/gpio/gpio-zynq.c | 1 +
drivers/gpio/gpiolib-of.c | 2 +
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 10 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 4 -
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h | 4 -
drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c | 43 +-
drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 10 +
drivers/gpu/drm/amd/amdkfd/kfd_device.c | 5 +
drivers/gpu/drm/amd/amdkfd/kfd_process.c | 17 +
.../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 2 +-
drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 31 +-
drivers/gpu/drm/amd/display/dc/core/dc.c | 8 +-
drivers/gpu/drm/amd/display/dc/dc.h | 2 +
drivers/gpu/drm/amd/display/dc/dc_dp_types.h | 8 +
.../dml21/src/dml2_core/dml2_core_dcn4_calcs.c | 2 +
.../amd/display/dc/dml2/dml2_dc_resource_mgmt.c | 26 -
.../gpu/drm/amd/display/dc/hubp/dcn31/dcn31_hubp.c | 2 +-
.../drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c | 22 +-
.../display/dc/link/protocols/link_dp_capability.c | 12 +-
.../display/dc/link/protocols/link_dp_training.c | 2 +
.../link_dp_training_fixed_vs_pe_retimer.c | 3 +-
drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 5 +
drivers/gpu/drm/drm_atomic_helper.c | 2 +-
drivers/gpu/drm/drm_debugfs.c | 2 +-
drivers/gpu/drm/drm_panel.c | 5 +-
drivers/gpu/drm/drm_panel_orientation_quirks.c | 46 +-
drivers/gpu/drm/i915/gt/intel_rc6.c | 19 +-
drivers/gpu/drm/i915/gt/uc/intel_huc.c | 11 +-
drivers/gpu/drm/i915/gt/uc/intel_huc.h | 1 +
drivers/gpu/drm/i915/gt/uc/intel_uc.c | 1 +
drivers/gpu/drm/i915/selftests/i915_selftest.c | 18 +
drivers/gpu/drm/mediatek/mtk_dpi.c | 23 +-
drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c | 16 +-
drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c | 29 +-
drivers/gpu/drm/tests/drm_client_modeset_test.c | 3 +
drivers/gpu/drm/tests/drm_cmdline_parser_test.c | 10 +-
drivers/gpu/drm/tests/drm_kunit_helpers.c | 22 +
drivers/gpu/drm/tests/drm_modes_test.c | 22 +
drivers/gpu/drm/tests/drm_probe_helper_test.c | 8 +-
drivers/gpu/drm/virtio/virtgpu_prime.c | 2 +-
drivers/gpu/drm/virtio/virtgpu_vq.c | 3 +
drivers/gpu/drm/xe/xe_gt.c | 4 +
drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c | 4 +-
drivers/gpu/drm/xe/xe_gt_sriov_vf.c | 16 +
drivers/gpu/drm/xe/xe_gt_sriov_vf.h | 1 +
drivers/gpu/drm/xe/xe_guc_pc.c | 1 +
drivers/gpu/drm/xe/xe_hw_engine_class_sysfs.c | 108 ++--
drivers/gpu/drm/xe/xe_tuning.c | 8 -
drivers/gpu/drm/xe/xe_wa.c | 7 +
drivers/hid/Kconfig | 14 +
drivers/hid/Makefile | 1 +
drivers/hid/hid-ids.h | 37 ++
drivers/hid/hid-lenovo.c | 2 +-
drivers/hid/hid-universal-pidff.c | 202 ++++++++
drivers/hid/usbhid/hid-core.c | 1 +
drivers/hid/usbhid/hid-pidff.c | 571 ++++++++++++++-------
drivers/hid/usbhid/hid-pidff.h | 33 ++
drivers/i3c/master.c | 3 +
drivers/i3c/master/svc-i3c-master.c | 2 +-
drivers/idle/Makefile | 5 +-
drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c | 32 +-
drivers/iommu/exynos-iommu.c | 4 +-
drivers/iommu/intel/iommu.c | 2 +
drivers/iommu/intel/irq_remapping.c | 71 +--
drivers/iommu/iommufd/device.c | 123 ++++-
drivers/iommu/iommufd/fault.c | 8 +-
drivers/iommu/iommufd/iommufd_private.h | 33 +-
drivers/iommu/mtk_iommu.c | 26 +-
drivers/irqchip/irq-gic-v3-its.c | 23 +-
drivers/irqchip/irq-renesas-rzv2h.c | 2 +-
drivers/leds/rgb/leds-qcom-lpg.c | 8 +-
drivers/mailbox/tegra-hsp.c | 72 ++-
drivers/md/dm-ebs-target.c | 7 +
drivers/md/dm-integrity.c | 48 +-
drivers/md/dm-verity-target.c | 8 +
drivers/media/common/siano/smsdvb-main.c | 2 +
drivers/media/i2c/adv748x/adv748x.h | 2 +-
drivers/media/i2c/ccs/ccs-core.c | 6 +-
drivers/media/i2c/hi556.c | 5 +-
drivers/media/i2c/imx214.c | 25 +-
drivers/media/i2c/imx219.c | 106 ++--
drivers/media/i2c/imx319.c | 9 +-
drivers/media/i2c/ov08x40.c | 8 +-
drivers/media/i2c/ov7251.c | 4 +-
drivers/media/pci/intel/ipu6/ipu6-isys-video.c | 1 +
drivers/media/pci/mgb4/mgb4_cmt.c | 8 +-
.../media/platform/chips-media/wave5/wave5-hw.c | 2 +-
.../platform/chips-media/wave5/wave5-vpu-dec.c | 31 +-
.../media/platform/chips-media/wave5/wave5-vpu.c | 4 +-
.../platform/chips-media/wave5/wave5-vpuapi.c | 10 +
.../mediatek/vcodec/common/mtk_vcodec_fw_scp.c | 5 +-
.../mediatek/vcodec/encoder/venc/venc_h264_if.c | 6 +-
drivers/media/platform/nuvoton/npcm-video.c | 6 +-
drivers/media/platform/qcom/venus/hfi_parser.c | 100 +++-
drivers/media/platform/qcom/venus/hfi_venus.c | 18 +-
drivers/media/platform/rockchip/rga/rga-hw.c | 2 +-
.../platform/samsung/s5p-mfc/s5p_mfc_opr_v6.c | 5 +-
drivers/media/platform/st/stm32/dma2d/dma2d.c | 3 +-
drivers/media/platform/xilinx/xilinx-tpg.c | 2 -
drivers/media/rc/streamzap.c | 68 +--
drivers/media/test-drivers/vim2m.c | 6 +-
drivers/media/test-drivers/visl/visl-core.c | 12 +
drivers/media/usb/uvc/uvc_driver.c | 9 +
drivers/media/v4l2-core/v4l2-dv-timings.c | 4 +-
drivers/mfd/ene-kb3930.c | 2 +-
drivers/misc/pci_endpoint_test.c | 7 +-
drivers/mmc/host/dw_mmc.c | 94 +++-
drivers/mmc/host/dw_mmc.h | 27 +
drivers/mtd/inftlcore.c | 9 +-
drivers/mtd/mtdpstore.c | 12 +-
drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 +-
drivers/mtd/nand/raw/r852.c | 3 +
drivers/net/can/flexcan/flexcan-core.c | 35 +-
drivers/net/can/flexcan/flexcan.h | 5 +
drivers/net/dsa/mv88e6xxx/chip.c | 23 +-
drivers/net/ethernet/google/gve/gve_ethtool.c | 4 +-
drivers/net/ethernet/google/gve/gve_rx_dqo.c | 3 +-
drivers/net/ethernet/intel/igc/igc.h | 2 -
drivers/net/ethernet/intel/igc/igc_main.c | 4 +-
drivers/net/ethernet/intel/igc/igc_xdp.c | 2 -
drivers/net/ethernet/marvell/octeontx2/nic/qos.c | 5 +
drivers/net/ethernet/microsoft/mana/mana_en.c | 46 +-
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 11 +-
drivers/net/ethernet/wangxun/libwx/wx_lib.c | 6 +-
drivers/net/ethernet/wangxun/libwx/wx_type.h | 3 +-
drivers/net/phy/phy_device.c | 57 +-
drivers/net/phy/sfp.c | 13 +-
drivers/net/ppp/ppp_synctty.c | 5 +
drivers/net/usb/asix_devices.c | 17 +
drivers/net/usb/cdc_ether.c | 7 +
drivers/net/usb/r8152.c | 6 +
drivers/net/usb/r8153_ecm.c | 6 +
drivers/net/wireless/ath/ath11k/ahb.c | 4 +-
drivers/net/wireless/ath/ath11k/core.c | 4 +-
drivers/net/wireless/ath/ath11k/core.h | 5 +-
drivers/net/wireless/ath/ath11k/dp.c | 35 +-
drivers/net/wireless/ath/ath11k/fw.c | 3 +-
drivers/net/wireless/ath/ath11k/mac.c | 14 +
drivers/net/wireless/ath/ath11k/pci.c | 3 +-
drivers/net/wireless/ath/ath11k/reg.c | 85 ++-
drivers/net/wireless/ath/ath11k/reg.h | 3 +-
drivers/net/wireless/ath/ath11k/wmi.h | 1 +
drivers/net/wireless/ath/ath12k/dp_mon.c | 66 +--
drivers/net/wireless/ath/ath12k/dp_rx.c | 42 +-
drivers/net/wireless/ath/ath12k/hal_rx.h | 3 +
drivers/net/wireless/ath/ath12k/pci.c | 2 +-
drivers/net/wireless/ath/ath9k/ath9k.h | 2 +-
drivers/net/wireless/mediatek/mt76/eeprom.c | 4 +
drivers/net/wireless/mediatek/mt76/mt76.h | 1 +
.../net/wireless/mediatek/mt76/mt76_connac_mcu.c | 4 +-
drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 +
drivers/net/wireless/mediatek/mt76/mt7925/init.c | 1 +
drivers/net/wireless/mediatek/mt76/mt7925/main.c | 160 ++++--
drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 170 +++---
drivers/net/wireless/mediatek/mt76/mt7925/mcu.h | 6 +-
drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h | 3 +-
drivers/net/wireless/mediatek/mt76/mt792x.h | 9 +
drivers/net/wireless/mediatek/mt76/mt792x_core.c | 3 +-
drivers/net/wireless/realtek/rtw88/rtw8822bu.c | 4 +
drivers/ntb/ntb_transport.c | 2 +-
drivers/nvme/target/fcloop.c | 2 +-
drivers/of/irq.c | 78 +--
drivers/pci/controller/cadence/pci-j721e.c | 5 +-
drivers/pci/controller/dwc/pci-layerscape.c | 2 +-
drivers/pci/controller/pcie-brcmstb.c | 13 +-
drivers/pci/controller/pcie-rockchip-host.c | 2 +-
drivers/pci/controller/pcie-rockchip.h | 1 -
drivers/pci/controller/vmd.c | 12 +-
drivers/pci/devres.c | 18 +-
drivers/pci/hotplug/pciehp_core.c | 5 +-
drivers/pci/iomap.c | 29 +-
drivers/pci/pci.c | 6 +
drivers/pci/pci.h | 16 +
drivers/pci/probe.c | 22 +-
drivers/perf/arm_pmu.c | 8 +-
drivers/perf/dwc_pcie_pmu.c | 51 +-
drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 11 +
drivers/pinctrl/qcom/pinctrl-msm.c | 12 +-
drivers/pinctrl/samsung/pinctrl-exynos-arm64.c | 98 ++--
drivers/pinctrl/samsung/pinctrl-exynos.h | 22 +
drivers/pinctrl/samsung/pinctrl-samsung.c | 1 +
drivers/pinctrl/samsung/pinctrl-samsung.h | 4 +
drivers/platform/chrome/cros_ec_lpc.c | 22 +-
drivers/platform/x86/x86-android-tablets/Kconfig | 1 +
drivers/pwm/pwm-fsl-ftm.c | 6 +
drivers/pwm/pwm-mediatek.c | 8 +-
drivers/pwm/pwm-rcar.c | 24 +-
drivers/pwm/pwm-stm32.c | 12 +-
drivers/s390/net/ism_drv.c | 1 -
drivers/s390/virtio/virtio_ccw.c | 16 +-
drivers/scsi/lpfc/lpfc_sli.c | 2 +
drivers/scsi/mpi3mr/mpi3mr.h | 14 +-
drivers/scsi/mpi3mr/mpi3mr_app.c | 24 +
drivers/scsi/mpi3mr/mpi3mr_fw.c | 99 +++-
drivers/scsi/st.c | 2 +-
drivers/soc/samsung/exynos-chipid.c | 2 +
drivers/spi/spi-cadence-quadspi.c | 6 +
drivers/spi/spi-fsl-qspi.c | 36 +-
drivers/target/target_core_spc.c | 2 +-
drivers/thermal/mediatek/lvts_thermal.c | 52 +-
drivers/thermal/rockchip_thermal.c | 1 +
drivers/ufs/host/ufs-qcom.c | 2 +-
drivers/vdpa/mlx5/core/mr.c | 7 +-
drivers/video/backlight/led_bl.c | 5 +-
drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 6 +-
drivers/xen/balloon.c | 34 +-
drivers/xen/xenfs/xensyms.c | 4 +-
fs/btrfs/disk-io.c | 12 +
fs/btrfs/extent-tree.c | 8 +
fs/btrfs/tests/extent-map-tests.c | 1 +
fs/btrfs/transaction.c | 12 +
fs/btrfs/zoned.c | 6 +
fs/dlm/lock.c | 2 +
fs/erofs/fileio.c | 2 +
fs/ext4/inode.c | 68 ++-
fs/ext4/namei.c | 2 +-
fs/ext4/super.c | 17 +
fs/ext4/xattr.c | 11 +-
fs/f2fs/checkpoint.c | 21 +-
fs/f2fs/f2fs.h | 32 +-
fs/f2fs/inode.c | 8 +-
fs/f2fs/node.c | 110 ++--
fs/f2fs/super.c | 8 +-
fs/file.c | 26 +-
fs/fuse/dev.c | 34 +-
fs/fuse/dev_uring.c | 15 +-
fs/fuse/dev_uring_i.h | 6 +
fs/fuse/fuse_dev_i.h | 1 +
fs/fuse/fuse_i.h | 3 +
fs/jbd2/journal.c | 1 -
fs/jfs/jfs_dmap.c | 10 +-
fs/jfs/jfs_imap.c | 4 +-
fs/namespace.c | 3 +-
fs/smb/client/cifsencrypt.c | 16 +-
fs/smb/client/connect.c | 3 +
fs/smb/client/fs_context.c | 5 +
fs/smb/client/inode.c | 10 +
fs/smb/client/reparse.c | 29 +-
fs/smb/client/sess.c | 7 +
fs/smb/client/smb2misc.c | 9 +-
fs/smb/client/smb2ops.c | 6 +-
fs/smb/client/smb2pdu.c | 11 +-
fs/smb/common/smb2pdu.h | 6 +-
fs/udf/inode.c | 1 +
fs/userfaultfd.c | 51 +-
include/drm/drm_kunit_helpers.h | 3 +
include/drm/intel/pciids.h | 11 +-
include/linux/cgroup-defs.h | 1 +
include/linux/cgroup.h | 2 +-
include/linux/damon.h | 11 +
include/linux/hid.h | 6 -
include/linux/io_uring_types.h | 3 +
include/linux/kvm_host.h | 2 +-
include/linux/mtd/spinand.h | 2 +-
include/linux/page-flags.h | 6 +
include/linux/pci_ids.h | 3 +
include/linux/perf_event.h | 17 +-
include/linux/pgtable.h | 14 +-
include/linux/printk.h | 6 +
include/linux/tpm.h | 1 +
include/net/mac80211.h | 6 +
include/net/sctp/structs.h | 3 +-
include/net/sock.h | 40 +-
include/uapi/linux/kfd_ioctl.h | 2 +
include/uapi/linux/landlock.h | 2 +
include/uapi/linux/psp-sev.h | 21 +-
include/uapi/linux/rkisp1-config.h | 2 +-
include/xen/interface/xen-mca.h | 2 +-
io_uring/io_uring.c | 4 +-
io_uring/kbuf.c | 2 +
io_uring/net.c | 3 +
kernel/Makefile | 5 +
kernel/cgroup/cgroup.c | 6 +
kernel/cgroup/cpuset.c | 55 +-
kernel/entry/Makefile | 3 +
kernel/events/core.c | 184 +++----
kernel/events/uprobes.c | 15 +-
kernel/locking/lockdep.c | 3 +
kernel/power/hibernate.c | 6 +-
kernel/printk/printk.c | 4 +-
kernel/rcu/srcutree.c | 11 +-
kernel/reboot.c | 1 +
kernel/sched/Makefile | 5 +
kernel/sched/ext.c | 4 +-
kernel/time/Makefile | 6 +
kernel/trace/fprobe.c | 170 +++++-
kernel/trace/ftrace.c | 9 +-
kernel/trace/ring_buffer.c | 5 +-
kernel/trace/trace_eprobe.c | 2 +
kernel/trace/trace_events.c | 4 +-
kernel/trace/trace_events_synth.c | 1 -
kernel/trace/trace_fprobe.c | 31 +-
kernel/trace/trace_kprobe.c | 5 +-
kernel/trace/trace_probe.c | 28 +
kernel/trace/trace_probe.h | 1 +
kernel/trace/trace_uprobe.c | 9 +-
lib/Makefile | 5 +
lib/sg_split.c | 2 -
lib/zstd/common/portability_macros.h | 2 +-
mm/damon/core.c | 1 +
mm/damon/ops-common.c | 2 +-
mm/damon/paddr.c | 57 +-
mm/hugetlb.c | 2 +-
mm/memory-failure.c | 11 +-
mm/memory_hotplug.c | 3 +-
mm/mremap.c | 10 +-
mm/page_vma_mapped.c | 13 +-
mm/rmap.c | 2 +-
mm/shmem.c | 3 +-
mm/vmscan.c | 2 +-
net/8021q/vlan_dev.c | 31 +-
net/core/filter.c | 80 +--
net/core/page_pool.c | 8 +-
net/core/page_pool_user.c | 2 +-
net/core/sock.c | 5 +
net/ethtool/cmis.h | 1 -
net/ethtool/cmis_cdb.c | 18 +-
net/ethtool/common.c | 1 +
net/ethtool/netlink.c | 8 +-
net/ipv6/route.c | 8 +-
net/mac80211/debugfs.c | 44 +-
net/mac80211/iface.c | 5 +-
net/mac80211/mesh_hwmp.c | 14 +-
net/mac80211/mlme.c | 59 ++-
net/mptcp/sockopt.c | 28 +
net/mptcp/subflow.c | 19 +-
net/netfilter/nft_set_pipapo_avx2.c | 3 +-
net/sched/cls_api.c | 66 ++-
net/sched/sch_codel.c | 5 +-
net/sched/sch_fq_codel.c | 6 +-
net/sched/sch_sfq.c | 66 ++-
net/sctp/socket.c | 22 +-
net/sctp/transport.c | 2 +
net/sunrpc/xprtrdma/svc_rdma_transport.c | 3 +-
net/tipc/link.c | 1 +
net/tls/tls_main.c | 6 +
scripts/generate_builtin_ranges.awk | 5 +
security/integrity/ima/ima.h | 3 +-
security/integrity/ima/ima_main.c | 18 +-
security/landlock/errata.h | 99 ++++
security/landlock/errata/abi-4.h | 15 +
security/landlock/errata/abi-6.h | 19 +
security/landlock/fs.c | 39 +-
security/landlock/setup.c | 38 +-
security/landlock/setup.h | 3 +
security/landlock/syscalls.c | 22 +-
security/landlock/task.c | 12 +
sound/pci/hda/hda_intel.c | 44 +-
sound/pci/hda/patch_realtek.c | 41 ++
sound/soc/amd/acp/acp-sdw-legacy-mach.c | 34 ++
sound/soc/amd/acp/soc_amd_sdw_common.h | 1 +
sound/soc/amd/ps/acp63.h | 1 +
sound/soc/amd/ps/pci-ps.c | 2 +-
sound/soc/amd/yc/acp6x-mach.c | 14 +
sound/soc/codecs/wcd937x.c | 2 +
sound/soc/fsl/fsl_audmix.c | 16 +-
sound/soc/intel/common/soc-acpi-intel-adl-match.c | 29 ++
sound/soc/qcom/qdsp6/q6apm-dai.c | 60 ++-
sound/soc/qcom/qdsp6/q6apm.c | 18 +-
sound/soc/qcom/qdsp6/q6apm.h | 3 +
sound/soc/qcom/qdsp6/q6asm-dai.c | 19 +-
sound/soc/sof/topology.c | 4 +-
sound/usb/midi.c | 80 ++-
tools/objtool/check.c | 5 +
tools/power/cpupower/bench/parse.c | 4 +
tools/testing/ktest/ktest.pl | 8 +
.../futex/functional/futex_wait_wouldblock.c | 2 +-
tools/testing/selftests/landlock/base_test.c | 46 +-
tools/testing/selftests/landlock/common.h | 1 +
.../selftests/landlock/scoped_signal_test.c | 108 +++-
tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 +-
virt/kvm/Kconfig | 2 +-
virt/kvm/eventfd.c | 10 +-
460 files changed, 5785 insertions(+), 2515 deletions(-)
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 001/449] ASoC: Intel: adl: add 2xrt1316 audio configuration
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
@ 2025-04-17 17:44 ` Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 002/449] cgroup/cpuset: Fix incorrect isolated_cpus update in update_parent_effective_cpumask() Greg Kroah-Hartman
` (454 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bard Liao, Liam Girdwood,
Péter Ujfalusi, Mark Brown
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bard Liao <yung-chuan.liao@linux.intel.com>
commit 8b36447c9ae102539d82d6278971b23b20d87629 upstream.
That is a speaker only configuration and 2 rt1316 are on link 0 and 2.
Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
Link: https://patch.msgid.link/20250305135443.201884-2-yung-chuan.liao@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/intel/common/soc-acpi-intel-adl-match.c | 29 ++++++++++++++++++++++
1 file changed, 29 insertions(+)
--- a/sound/soc/intel/common/soc-acpi-intel-adl-match.c
+++ b/sound/soc/intel/common/soc-acpi-intel-adl-match.c
@@ -214,6 +214,15 @@ static const struct snd_soc_acpi_adr_dev
}
};
+static const struct snd_soc_acpi_adr_device rt1316_2_group2_adr[] = {
+ {
+ .adr = 0x000232025D131601ull,
+ .num_endpoints = 1,
+ .endpoints = &spk_r_endpoint,
+ .name_prefix = "rt1316-2"
+ }
+};
+
static const struct snd_soc_acpi_adr_device rt1316_1_single_adr[] = {
{
.adr = 0x000130025D131601ull,
@@ -547,6 +556,20 @@ static const struct snd_soc_acpi_link_ad
{}
};
+static const struct snd_soc_acpi_link_adr adl_sdw_rt1316_link02[] = {
+ {
+ .mask = BIT(0),
+ .num_adr = ARRAY_SIZE(rt1316_0_group2_adr),
+ .adr_d = rt1316_0_group2_adr,
+ },
+ {
+ .mask = BIT(2),
+ .num_adr = ARRAY_SIZE(rt1316_2_group2_adr),
+ .adr_d = rt1316_2_group2_adr,
+ },
+ {}
+};
+
static const struct snd_soc_acpi_codecs adl_max98357a_amp = {
.num_codecs = 1,
.codecs = {"MX98357A"}
@@ -749,6 +772,12 @@ struct snd_soc_acpi_mach snd_soc_acpi_in
.drv_name = "sof_sdw",
.sof_tplg_filename = "sof-adl-sdw-max98373-rt5682.tplg",
},
+ {
+ .link_mask = BIT(0) | BIT(2),
+ .links = adl_sdw_rt1316_link02,
+ .drv_name = "sof_sdw",
+ .sof_tplg_filename = "sof-adl-rt1316-l02.tplg",
+ },
{},
};
EXPORT_SYMBOL_GPL(snd_soc_acpi_intel_adl_sdw_machines);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 002/449] cgroup/cpuset: Fix incorrect isolated_cpus update in update_parent_effective_cpumask()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 001/449] ASoC: Intel: adl: add 2xrt1316 audio configuration Greg Kroah-Hartman
@ 2025-04-17 17:44 ` Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 003/449] cgroup/cpuset: Fix error handling in remote_partition_disable() Greg Kroah-Hartman
` (453 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Waiman Long, Tejun Heo, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Waiman Long <longman@redhat.com>
[ Upstream commit 668e041662e92ab3ebcb9eb606d3ec01884546ab ]
Before commit f0af1bfc27b5 ("cgroup/cpuset: Relax constraints to
partition & cpus changes"), a cpuset partition cannot be enabled if not
all the requested CPUs can be granted from the parent cpuset. After
that commit, a cpuset partition can be created even if the requested
exclusive CPUs contain CPUs not allowed its parent. The delmask
containing exclusive CPUs to be removed from its parent wasn't
adjusted accordingly.
That is not a problem until the introduction of a new isolated_cpus
mask in commit 11e5f407b64a ("cgroup/cpuset: Keep track of CPUs in
isolated partitions") as the CPUs in the delmask may be added directly
into isolated_cpus.
As a result, isolated_cpus may incorrectly contain CPUs that are not
isolated leading to incorrect data reporting. Fix this by adjusting
the delmask to reflect the actual exclusive CPUs for the creation of
the partition.
Fixes: 11e5f407b64a ("cgroup/cpuset: Keep track of CPUs in isolated partitions")
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/cgroup/cpuset.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
index 1892dc8cd2119..0a7ec0f1ce4e7 100644
--- a/kernel/cgroup/cpuset.c
+++ b/kernel/cgroup/cpuset.c
@@ -1689,9 +1689,9 @@ static int update_parent_effective_cpumask(struct cpuset *cs, int cmd,
if (nocpu)
return PERR_NOCPUS;
- cpumask_copy(tmp->delmask, xcpus);
- deleting = true;
- subparts_delta++;
+ deleting = cpumask_and(tmp->delmask, xcpus, parent->effective_xcpus);
+ if (deleting)
+ subparts_delta++;
new_prs = (cmd == partcmd_enable) ? PRS_ROOT : PRS_ISOLATED;
} else if (cmd == partcmd_disable) {
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 003/449] cgroup/cpuset: Fix error handling in remote_partition_disable()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 001/449] ASoC: Intel: adl: add 2xrt1316 audio configuration Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 002/449] cgroup/cpuset: Fix incorrect isolated_cpus update in update_parent_effective_cpumask() Greg Kroah-Hartman
@ 2025-04-17 17:44 ` Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 004/449] cgroup/cpuset: Fix race between newly created partition and dying one Greg Kroah-Hartman
` (452 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Waiman Long, Tejun Heo, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Waiman Long <longman@redhat.com>
[ Upstream commit 8bf450f3aec3d1bbd725d179502c64b8992588e4 ]
When remote_partition_disable() is called to disable a remote partition,
it always sets the partition to an invalid partition state. It should
only do so if an error code (prs_err) has been set. Correct that and
add proper error code in places where remote_partition_disable() is
called due to error.
Fixes: 181c8e091aae ("cgroup/cpuset: Introduce remote partition")
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/cgroup/cpuset.c | 29 ++++++++++++++++++++---------
1 file changed, 20 insertions(+), 9 deletions(-)
diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
index 0a7ec0f1ce4e7..e8ab1a16076fb 100644
--- a/kernel/cgroup/cpuset.c
+++ b/kernel/cgroup/cpuset.c
@@ -1416,6 +1416,7 @@ static int remote_partition_enable(struct cpuset *cs, int new_prs,
list_add(&cs->remote_sibling, &remote_children);
spin_unlock_irq(&callback_lock);
update_unbound_workqueue_cpumask(isolcpus_updated);
+ cs->prs_err = 0;
/*
* Propagate changes in top_cpuset's effective_cpus down the hierarchy.
@@ -1446,9 +1447,11 @@ static void remote_partition_disable(struct cpuset *cs, struct tmpmasks *tmp)
list_del_init(&cs->remote_sibling);
isolcpus_updated = partition_xcpus_del(cs->partition_root_state,
NULL, tmp->new_cpus);
- cs->partition_root_state = -cs->partition_root_state;
- if (!cs->prs_err)
- cs->prs_err = PERR_INVCPUS;
+ if (cs->prs_err)
+ cs->partition_root_state = -cs->partition_root_state;
+ else
+ cs->partition_root_state = PRS_MEMBER;
+
reset_partition_data(cs);
spin_unlock_irq(&callback_lock);
update_unbound_workqueue_cpumask(isolcpus_updated);
@@ -1481,8 +1484,10 @@ static void remote_cpus_update(struct cpuset *cs, struct cpumask *newmask,
WARN_ON_ONCE(!cpumask_subset(cs->effective_xcpus, subpartitions_cpus));
- if (cpumask_empty(newmask))
+ if (cpumask_empty(newmask)) {
+ cs->prs_err = PERR_CPUSEMPTY;
goto invalidate;
+ }
adding = cpumask_andnot(tmp->addmask, newmask, cs->effective_xcpus);
deleting = cpumask_andnot(tmp->delmask, cs->effective_xcpus, newmask);
@@ -1492,10 +1497,15 @@ static void remote_cpus_update(struct cpuset *cs, struct cpumask *newmask,
* not allocated to other partitions and there are effective_cpus
* left in the top cpuset.
*/
- if (adding && (!capable(CAP_SYS_ADMIN) ||
- cpumask_intersects(tmp->addmask, subpartitions_cpus) ||
- cpumask_subset(top_cpuset.effective_cpus, tmp->addmask)))
- goto invalidate;
+ if (adding) {
+ if (!capable(CAP_SYS_ADMIN))
+ cs->prs_err = PERR_ACCESS;
+ else if (cpumask_intersects(tmp->addmask, subpartitions_cpus) ||
+ cpumask_subset(top_cpuset.effective_cpus, tmp->addmask))
+ cs->prs_err = PERR_NOCPUS;
+ if (cs->prs_err)
+ goto invalidate;
+ }
spin_lock_irq(&callback_lock);
if (adding)
@@ -1611,7 +1621,7 @@ static bool prstate_housekeeping_conflict(int prstate, struct cpumask *new_cpus)
* The partcmd_update command is used by update_cpumasks_hier() with newmask
* NULL and update_cpumask() with newmask set. The partcmd_invalidate is used
* by update_cpumask() with NULL newmask. In both cases, the callers won't
- * check for error and so partition_root_state and prs_error will be updated
+ * check for error and so partition_root_state and prs_err will be updated
* directly.
*/
static int update_parent_effective_cpumask(struct cpuset *cs, int cmd,
@@ -3749,6 +3759,7 @@ static void cpuset_hotplug_update_tasks(struct cpuset *cs, struct tmpmasks *tmp)
if (remote && cpumask_empty(&new_cpus) &&
partition_is_populated(cs, NULL)) {
+ cs->prs_err = PERR_HOTPLUG;
remote_partition_disable(cs, tmp);
compute_effective_cpumask(&new_cpus, cs, parent);
remote = false;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 004/449] cgroup/cpuset: Fix race between newly created partition and dying one
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2025-04-17 17:44 ` [PATCH 6.14 003/449] cgroup/cpuset: Fix error handling in remote_partition_disable() Greg Kroah-Hartman
@ 2025-04-17 17:44 ` Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 005/449] tracing: fprobe: Cleanup fprobe hash when module unloading Greg Kroah-Hartman
` (451 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Waiman Long, Tejun Heo, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Waiman Long <longman@redhat.com>
[ Upstream commit a22b3d54de94f82ca057cc2ebf9496fa91ebf698 ]
There is a possible race between removing a cgroup diectory that is
a partition root and the creation of a new partition. The partition
to be removed can be dying but still online, it doesn't not currently
participate in checking for exclusive CPUs conflict, but the exclusive
CPUs are still there in subpartitions_cpus and isolated_cpus. These
two cpumasks are global states that affect the operation of cpuset
partitions. The exclusive CPUs in dying cpusets will only be removed
when cpuset_css_offline() function is called after an RCU delay.
As a result, it is possible that a new partition can be created with
exclusive CPUs that overlap with those of a dying one. When that dying
partition is finally offlined, it removes those overlapping exclusive
CPUs from subpartitions_cpus and maybe isolated_cpus resulting in an
incorrect CPU configuration.
This bug was found when a warning was triggered in
remote_partition_disable() during testing because the subpartitions_cpus
mask was empty.
One possible way to fix this is to iterate the dying cpusets as well and
avoid using the exclusive CPUs in those dying cpusets. However, this
can still cause random partition creation failures or other anomalies
due to racing. A better way to fix this race is to reset the partition
state at the moment when a cpuset is being killed.
Introduce a new css_killed() CSS function pointer and call it, if
defined, before setting CSS_DYING flag in kill_css(). Also update the
css_is_dying() helper to use the CSS_DYING flag introduced by commit
33c35aa48178 ("cgroup: Prevent kill_css() from being called more than
once") for proper synchronization.
Add a new cpuset_css_killed() function to reset the partition state of
a valid partition root if it is being killed.
Fixes: ee8dde0cd2ce ("cpuset: Add new v2 cpuset.sched.partition flag")
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/cgroup-defs.h | 1 +
include/linux/cgroup.h | 2 +-
kernel/cgroup/cgroup.c | 6 ++++++
kernel/cgroup/cpuset.c | 20 +++++++++++++++++---
4 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/include/linux/cgroup-defs.h b/include/linux/cgroup-defs.h
index 17960a1e858db..d1aee2d3e189e 100644
--- a/include/linux/cgroup-defs.h
+++ b/include/linux/cgroup-defs.h
@@ -711,6 +711,7 @@ struct cgroup_subsys {
void (*css_released)(struct cgroup_subsys_state *css);
void (*css_free)(struct cgroup_subsys_state *css);
void (*css_reset)(struct cgroup_subsys_state *css);
+ void (*css_killed)(struct cgroup_subsys_state *css);
void (*css_rstat_flush)(struct cgroup_subsys_state *css, int cpu);
int (*css_extra_stat_show)(struct seq_file *seq,
struct cgroup_subsys_state *css);
diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
index f8ef47f8a634d..fc1324ed597d6 100644
--- a/include/linux/cgroup.h
+++ b/include/linux/cgroup.h
@@ -343,7 +343,7 @@ static inline u64 cgroup_id(const struct cgroup *cgrp)
*/
static inline bool css_is_dying(struct cgroup_subsys_state *css)
{
- return !(css->flags & CSS_NO_REF) && percpu_ref_is_dying(&css->refcnt);
+ return css->flags & CSS_DYING;
}
static inline void cgroup_get(struct cgroup *cgrp)
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index afc665b7b1fe5..81f078c059e86 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -5909,6 +5909,12 @@ static void kill_css(struct cgroup_subsys_state *css)
if (css->flags & CSS_DYING)
return;
+ /*
+ * Call css_killed(), if defined, before setting the CSS_DYING flag
+ */
+ if (css->ss->css_killed)
+ css->ss->css_killed(css);
+
css->flags |= CSS_DYING;
/*
diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
index e8ab1a16076fb..d72f843d9feeb 100644
--- a/kernel/cgroup/cpuset.c
+++ b/kernel/cgroup/cpuset.c
@@ -3495,9 +3495,6 @@ static void cpuset_css_offline(struct cgroup_subsys_state *css)
cpus_read_lock();
mutex_lock(&cpuset_mutex);
- if (is_partition_valid(cs))
- update_prstate(cs, 0);
-
if (!cpuset_v2() && is_sched_load_balance(cs))
cpuset_update_flag(CS_SCHED_LOAD_BALANCE, cs, 0);
@@ -3508,6 +3505,22 @@ static void cpuset_css_offline(struct cgroup_subsys_state *css)
cpus_read_unlock();
}
+static void cpuset_css_killed(struct cgroup_subsys_state *css)
+{
+ struct cpuset *cs = css_cs(css);
+
+ cpus_read_lock();
+ mutex_lock(&cpuset_mutex);
+
+ /* Reset valid partition back to member */
+ if (is_partition_valid(cs))
+ update_prstate(cs, PRS_MEMBER);
+
+ mutex_unlock(&cpuset_mutex);
+ cpus_read_unlock();
+
+}
+
static void cpuset_css_free(struct cgroup_subsys_state *css)
{
struct cpuset *cs = css_cs(css);
@@ -3629,6 +3642,7 @@ struct cgroup_subsys cpuset_cgrp_subsys = {
.css_alloc = cpuset_css_alloc,
.css_online = cpuset_css_online,
.css_offline = cpuset_css_offline,
+ .css_killed = cpuset_css_killed,
.css_free = cpuset_css_free,
.can_attach = cpuset_can_attach,
.cancel_attach = cpuset_cancel_attach,
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 005/449] tracing: fprobe: Cleanup fprobe hash when module unloading
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2025-04-17 17:44 ` [PATCH 6.14 004/449] cgroup/cpuset: Fix race between newly created partition and dying one Greg Kroah-Hartman
@ 2025-04-17 17:44 ` Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 006/449] gpiolib: of: Fix the choice for Ingenic NAND quirk Greg Kroah-Hartman
` (450 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu (Google),
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
[ Upstream commit a3dc2983ca7b90fd35f978502de6d4664d965cfb ]
Cleanup fprobe address hash table on module unloading because the
target symbols will be disappeared when unloading module and not
sure the same symbol is mapped on the same address.
Note that this is at least disables the fprobes if a part of target
symbols on the unloaded modules. Unlike kprobes, fprobe does not
re-enable the probe point by itself. To do that, the caller should
take care register/unregister fprobe when loading/unloading modules.
This simplifies the fprobe state managememt related to the module
loading/unloading.
Link: https://lore.kernel.org/all/174343534473.843280.13988101014957210732.stgit@devnote2/
Fixes: 4346ba160409 ("fprobe: Rewrite fprobe on function-graph tracer")
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/fprobe.c | 103 +++++++++++++++++++++++++++++++++++++++++-
1 file changed, 101 insertions(+), 2 deletions(-)
diff --git a/kernel/trace/fprobe.c b/kernel/trace/fprobe.c
index 33082c4e8154e..c4bf59d625f75 100644
--- a/kernel/trace/fprobe.c
+++ b/kernel/trace/fprobe.c
@@ -89,8 +89,11 @@ static bool delete_fprobe_node(struct fprobe_hlist_node *node)
{
lockdep_assert_held(&fprobe_mutex);
- WRITE_ONCE(node->fp, NULL);
- hlist_del_rcu(&node->hlist);
+ /* Avoid double deleting */
+ if (READ_ONCE(node->fp) != NULL) {
+ WRITE_ONCE(node->fp, NULL);
+ hlist_del_rcu(&node->hlist);
+ }
return !!find_first_fprobe_node(node->addr);
}
@@ -411,6 +414,102 @@ static void fprobe_graph_remove_ips(unsigned long *addrs, int num)
ftrace_set_filter_ips(&fprobe_graph_ops.ops, addrs, num, 1, 0);
}
+#ifdef CONFIG_MODULES
+
+#define FPROBE_IPS_BATCH_INIT 8
+/* instruction pointer address list */
+struct fprobe_addr_list {
+ int index;
+ int size;
+ unsigned long *addrs;
+};
+
+static int fprobe_addr_list_add(struct fprobe_addr_list *alist, unsigned long addr)
+{
+ unsigned long *addrs;
+
+ if (alist->index >= alist->size)
+ return -ENOMEM;
+
+ alist->addrs[alist->index++] = addr;
+ if (alist->index < alist->size)
+ return 0;
+
+ /* Expand the address list */
+ addrs = kcalloc(alist->size * 2, sizeof(*addrs), GFP_KERNEL);
+ if (!addrs)
+ return -ENOMEM;
+
+ memcpy(addrs, alist->addrs, alist->size * sizeof(*addrs));
+ alist->size *= 2;
+ kfree(alist->addrs);
+ alist->addrs = addrs;
+
+ return 0;
+}
+
+static void fprobe_remove_node_in_module(struct module *mod, struct hlist_head *head,
+ struct fprobe_addr_list *alist)
+{
+ struct fprobe_hlist_node *node;
+ int ret = 0;
+
+ hlist_for_each_entry_rcu(node, head, hlist) {
+ if (!within_module(node->addr, mod))
+ continue;
+ if (delete_fprobe_node(node))
+ continue;
+ /*
+ * If failed to update alist, just continue to update hlist.
+ * Therefore, at list user handler will not hit anymore.
+ */
+ if (!ret)
+ ret = fprobe_addr_list_add(alist, node->addr);
+ }
+}
+
+/* Handle module unloading to manage fprobe_ip_table. */
+static int fprobe_module_callback(struct notifier_block *nb,
+ unsigned long val, void *data)
+{
+ struct fprobe_addr_list alist = {.size = FPROBE_IPS_BATCH_INIT};
+ struct module *mod = data;
+ int i;
+
+ if (val != MODULE_STATE_GOING)
+ return NOTIFY_DONE;
+
+ alist.addrs = kcalloc(alist.size, sizeof(*alist.addrs), GFP_KERNEL);
+ /* If failed to alloc memory, we can not remove ips from hash. */
+ if (!alist.addrs)
+ return NOTIFY_DONE;
+
+ mutex_lock(&fprobe_mutex);
+ for (i = 0; i < FPROBE_IP_TABLE_SIZE; i++)
+ fprobe_remove_node_in_module(mod, &fprobe_ip_table[i], &alist);
+
+ if (alist.index < alist.size && alist.index > 0)
+ ftrace_set_filter_ips(&fprobe_graph_ops.ops,
+ alist.addrs, alist.index, 1, 0);
+ mutex_unlock(&fprobe_mutex);
+
+ kfree(alist.addrs);
+
+ return NOTIFY_DONE;
+}
+
+static struct notifier_block fprobe_module_nb = {
+ .notifier_call = fprobe_module_callback,
+ .priority = 0,
+};
+
+static int __init init_fprobe_module(void)
+{
+ return register_module_notifier(&fprobe_module_nb);
+}
+early_initcall(init_fprobe_module);
+#endif
+
static int symbols_cmp(const void *a, const void *b)
{
const char **str_a = (const char **) a;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 006/449] gpiolib: of: Fix the choice for Ingenic NAND quirk
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2025-04-17 17:44 ` [PATCH 6.14 005/449] tracing: fprobe: Cleanup fprobe hash when module unloading Greg Kroah-Hartman
@ 2025-04-17 17:44 ` Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 007/449] selftests/futex: futex_waitv wouldblock test should fail Greg Kroah-Hartman
` (449 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Bartosz Golaszewski,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 2b9c536430126c233552cdcd6ec9d5077454ece4 ]
The Ingenic NAND quirk has been added under CONFIG_LCD_HX8357 ifdeffery
which sounds quite wrong. Fix the choice for Ingenic NAND quirk
by wrapping it into own ifdeffery related to the respective driver.
Fixes: 3a7fd473bd5d ("mtd: rawnand: ingenic: move the GPIO quirk to gpiolib-of.c")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20250402122058.1517393-2-andriy.shevchenko@linux.intel.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpiolib-of.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c
index 2e537ee979f3e..176e9142fd8f8 100644
--- a/drivers/gpio/gpiolib-of.c
+++ b/drivers/gpio/gpiolib-of.c
@@ -193,6 +193,8 @@ static void of_gpio_try_fixup_polarity(const struct device_node *np,
*/
{ "himax,hx8357", "gpios-reset", false },
{ "himax,hx8369", "gpios-reset", false },
+#endif
+#if IS_ENABLED(CONFIG_MTD_NAND_JZ4780)
/*
* The rb-gpios semantics was undocumented and qi,lb60 (along with
* the ingenic driver) got it wrong. The active state encodes the
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 007/449] selftests/futex: futex_waitv wouldblock test should fail
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2025-04-17 17:44 ` [PATCH 6.14 006/449] gpiolib: of: Fix the choice for Ingenic NAND quirk Greg Kroah-Hartman
@ 2025-04-17 17:44 ` Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 008/449] ublk: fix handling recovery & reissue in ublk_abort_queue() Greg Kroah-Hartman
` (448 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Edward Liaw, Thomas Gleixner,
André Almeida, Shuah Khan, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Liaw <edliaw@google.com>
[ Upstream commit 7d50e00fef2832e98d7e06bbfc85c1d66ee110ca ]
Testcase should fail if -EWOULDBLOCK is not returned when expected value
differs from actual value from the waiter.
Link: https://lore.kernel.org/r/20250404221225.1596324-1-edliaw@google.com
Fixes: 9d57f7c79748920636f8293d2f01192d702fe390 ("selftests: futex: Test sys_futex_waitv() wouldblock")
Signed-off-by: Edward Liaw <edliaw@google.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: André Almeida <andrealmeid@igalia.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../testing/selftests/futex/functional/futex_wait_wouldblock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/futex/functional/futex_wait_wouldblock.c b/tools/testing/selftests/futex/functional/futex_wait_wouldblock.c
index 7d7a6a06cdb75..2d8230da90642 100644
--- a/tools/testing/selftests/futex/functional/futex_wait_wouldblock.c
+++ b/tools/testing/selftests/futex/functional/futex_wait_wouldblock.c
@@ -98,7 +98,7 @@ int main(int argc, char *argv[])
info("Calling futex_waitv on f1: %u @ %p with val=%u\n", f1, &f1, f1+1);
res = futex_waitv(&waitv, 1, 0, &to, CLOCK_MONOTONIC);
if (!res || errno != EWOULDBLOCK) {
- ksft_test_result_pass("futex_waitv returned: %d %s\n",
+ ksft_test_result_fail("futex_waitv returned: %d %s\n",
res ? errno : res,
res ? strerror(errno) : "");
ret = RET_FAIL;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 008/449] ublk: fix handling recovery & reissue in ublk_abort_queue()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2025-04-17 17:44 ` [PATCH 6.14 007/449] selftests/futex: futex_waitv wouldblock test should fail Greg Kroah-Hartman
@ 2025-04-17 17:44 ` Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 009/449] drm/virtio: Fix flickering issue seen with imported dmabufs Greg Kroah-Hartman
` (447 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Caleb Sander Mateos, Ming Lei,
Jens Axboe, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Lei <ming.lei@redhat.com>
[ Upstream commit 6ee6bd5d4fce502a5b5a2ea805e9ff16e6aa890f ]
Commit 8284066946e6 ("ublk: grab request reference when the request is handled
by userspace") doesn't grab request reference in case of recovery reissue.
Then the request can be requeued & re-dispatch & failed when canceling
uring command.
If it is one zc request, the request can be freed before io_uring
returns the zc buffer back, then cause kernel panic:
[ 126.773061] BUG: kernel NULL pointer dereference, address: 00000000000000c8
[ 126.773657] #PF: supervisor read access in kernel mode
[ 126.774052] #PF: error_code(0x0000) - not-present page
[ 126.774455] PGD 0 P4D 0
[ 126.774698] Oops: Oops: 0000 [#1] SMP NOPTI
[ 126.775034] CPU: 13 UID: 0 PID: 1612 Comm: kworker/u64:55 Not tainted 6.14.0_blk+ #182 PREEMPT(full)
[ 126.775676] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014
[ 126.776275] Workqueue: iou_exit io_ring_exit_work
[ 126.776651] RIP: 0010:ublk_io_release+0x14/0x130 [ublk_drv]
Fixes it by always grabbing request reference for aborting the request.
Reported-by: Caleb Sander Mateos <csander@purestorage.com>
Closes: https://lore.kernel.org/linux-block/CADUfDZodKfOGUeWrnAxcZiLT+puaZX8jDHoj_sfHZCOZwhzz6A@mail.gmail.com/
Fixes: 8284066946e6 ("ublk: grab request reference when the request is handled by userspace")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20250409011444.2142010-2-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/ublk_drv.c | 30 ++++++++++++++++++++++++++----
1 file changed, 26 insertions(+), 4 deletions(-)
diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
index b7adfaddc3abb..971b793dedd03 100644
--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -1094,6 +1094,25 @@ static void ublk_complete_rq(struct kref *ref)
__ublk_complete_rq(req);
}
+static void ublk_do_fail_rq(struct request *req)
+{
+ struct ublk_queue *ubq = req->mq_hctx->driver_data;
+
+ if (ublk_nosrv_should_reissue_outstanding(ubq->dev))
+ blk_mq_requeue_request(req, false);
+ else
+ __ublk_complete_rq(req);
+}
+
+static void ublk_fail_rq_fn(struct kref *ref)
+{
+ struct ublk_rq_data *data = container_of(ref, struct ublk_rq_data,
+ ref);
+ struct request *req = blk_mq_rq_from_pdu(data);
+
+ ublk_do_fail_rq(req);
+}
+
/*
* Since __ublk_rq_task_work always fails requests immediately during
* exiting, __ublk_fail_req() is only called from abort context during
@@ -1107,10 +1126,13 @@ static void __ublk_fail_req(struct ublk_queue *ubq, struct ublk_io *io,
{
WARN_ON_ONCE(io->flags & UBLK_IO_FLAG_ACTIVE);
- if (ublk_nosrv_should_reissue_outstanding(ubq->dev))
- blk_mq_requeue_request(req, false);
- else
- ublk_put_req_ref(ubq, req);
+ if (ublk_need_req_ref(ubq)) {
+ struct ublk_rq_data *data = blk_mq_rq_to_pdu(req);
+
+ kref_put(&data->ref, ublk_fail_rq_fn);
+ } else {
+ ublk_do_fail_rq(req);
+ }
}
static void ubq_complete_io_cmd(struct ublk_io *io, int res,
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 009/449] drm/virtio: Fix flickering issue seen with imported dmabufs
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2025-04-17 17:44 ` [PATCH 6.14 008/449] ublk: fix handling recovery & reissue in ublk_abort_queue() Greg Kroah-Hartman
@ 2025-04-17 17:44 ` Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 010/449] drm/i915: Disable RPG during live selftest Greg Kroah-Hartman
` (446 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerd Hoffmann, Dmitry Osipenko,
Gurchetan Singh, Chia-I Wu, Vivek Kasireddy, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vivek Kasireddy <vivek.kasireddy@intel.com>
[ Upstream commit 3d50e61a17b642af060566acb0eabe3c0eb3ef1f ]
We need to save the reservation object pointer associated with the
imported dmabuf in the newly created GEM object to allow
drm_gem_plane_helper_prepare_fb() to extract the exclusive fence
from it and attach it to the plane state during prepare phase.
This is needed to ensure that drm_atomic_helper_wait_for_fences()
correctly waits for the relevant fences (move, etc) associated with
the reservation object, thereby implementing proper synchronization.
Otherwise, artifacts or slight flickering can be seen when apps
are dragged across the screen when running Gnome (Wayland). This
problem is mostly seen with dGPUs in the case where the FBs are
allocated in VRAM but need to be migrated to System RAM as they
are shared with virtio-gpu.
Fixes: ca77f27a2665 ("drm/virtio: Import prime buffers from other devices as guest blobs")
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Cc: Gurchetan Singh <gurchetansingh@chromium.org>
Cc: Chia-I Wu <olvaffe@gmail.com>
Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
[dmitry.osipenko@collabora.com: Moved assignment before object_init()]
Link: https://patchwork.freedesktop.org/patch/msgid/20250325201021.1315080-1-vivek.kasireddy@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/virtio/virtgpu_prime.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/virtio/virtgpu_prime.c b/drivers/gpu/drm/virtio/virtgpu_prime.c
index f92133a01195a..d28d1c45a703b 100644
--- a/drivers/gpu/drm/virtio/virtgpu_prime.c
+++ b/drivers/gpu/drm/virtio/virtgpu_prime.c
@@ -319,6 +319,7 @@ struct drm_gem_object *virtgpu_gem_prime_import(struct drm_device *dev,
return ERR_PTR(-ENOMEM);
obj = &bo->base.base;
+ obj->resv = buf->resv;
obj->funcs = &virtgpu_gem_dma_buf_funcs;
drm_gem_private_object_init(dev, obj, buf->size);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 010/449] drm/i915: Disable RPG during live selftest
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2025-04-17 17:44 ` [PATCH 6.14 009/449] drm/virtio: Fix flickering issue seen with imported dmabufs Greg Kroah-Hartman
@ 2025-04-17 17:44 ` Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 011/449] x86/acpi: Dont limit CPUs to 1 for Xen PV guests due to disabled ACPI Greg Kroah-Hartman
` (445 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rodrigo Vivi, Andi Shyti,
Andrzej Hajda, Badal Nilawar, Sk Anirban, Karthik Poosa,
Anshuman Gupta, Jani Nikula, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Badal Nilawar <badal.nilawar@intel.com>
[ Upstream commit 9d3d9776bd3bd9c32d460dfe6c3363134de578bc ]
The Forcewake timeout issue has been observed on Gen 12.0 and above.
To address this, disable Render Power-Gating (RPG) during live self-tests
for these generations. The temporary workaround 'drm/i915/mtl: do not
enable render power-gating on MTL' disables RPG globally, which is
unnecessary since the issues were only seen during self-tests.
v2: take runtime pm wakeref
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/9413
Fixes: 25e7976db86b ("drm/i915/mtl: do not enable render power-gating on MTL")
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
Cc: Andi Shyti <andi.shyti@intel.com>
Cc: Andrzej Hajda <andrzej.hajda@intel.com>
Signed-off-by: Badal Nilawar <badal.nilawar@intel.com>
Signed-off-by: Sk Anirban <sk.anirban@intel.com>
Reviewed-by: Karthik Poosa <karthik.poosa@intel.com>
Signed-off-by: Anshuman Gupta <anshuman.gupta@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250310152821.2931678-1-sk.anirban@intel.com
(cherry picked from commit 0a4ae87706c6d15d14648e428c3a76351f823e48)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/gt/intel_rc6.c | 19 ++++---------------
.../gpu/drm/i915/selftests/i915_selftest.c | 18 ++++++++++++++++++
2 files changed, 22 insertions(+), 15 deletions(-)
diff --git a/drivers/gpu/drm/i915/gt/intel_rc6.c b/drivers/gpu/drm/i915/gt/intel_rc6.c
index 9378d5901c493..9ca42589da4da 100644
--- a/drivers/gpu/drm/i915/gt/intel_rc6.c
+++ b/drivers/gpu/drm/i915/gt/intel_rc6.c
@@ -117,21 +117,10 @@ static void gen11_rc6_enable(struct intel_rc6 *rc6)
GEN6_RC_CTL_RC6_ENABLE |
GEN6_RC_CTL_EI_MODE(1);
- /*
- * BSpec 52698 - Render powergating must be off.
- * FIXME BSpec is outdated, disabling powergating for MTL is just
- * temporary wa and should be removed after fixing real cause
- * of forcewake timeouts.
- */
- if (IS_GFX_GT_IP_RANGE(gt, IP_VER(12, 70), IP_VER(12, 74)))
- pg_enable =
- GEN9_MEDIA_PG_ENABLE |
- GEN11_MEDIA_SAMPLER_PG_ENABLE;
- else
- pg_enable =
- GEN9_RENDER_PG_ENABLE |
- GEN9_MEDIA_PG_ENABLE |
- GEN11_MEDIA_SAMPLER_PG_ENABLE;
+ pg_enable =
+ GEN9_RENDER_PG_ENABLE |
+ GEN9_MEDIA_PG_ENABLE |
+ GEN11_MEDIA_SAMPLER_PG_ENABLE;
if (GRAPHICS_VER(gt->i915) >= 12 && !IS_DG1(gt->i915)) {
for (i = 0; i < I915_MAX_VCS; i++)
diff --git a/drivers/gpu/drm/i915/selftests/i915_selftest.c b/drivers/gpu/drm/i915/selftests/i915_selftest.c
index fee76c1d2f450..889281819c5b1 100644
--- a/drivers/gpu/drm/i915/selftests/i915_selftest.c
+++ b/drivers/gpu/drm/i915/selftests/i915_selftest.c
@@ -23,7 +23,9 @@
#include <linux/random.h>
+#include "gt/intel_gt.h"
#include "gt/intel_gt_pm.h"
+#include "gt/intel_gt_regs.h"
#include "gt/uc/intel_gsc_fw.h"
#include "i915_driver.h"
@@ -253,11 +255,27 @@ int i915_mock_selftests(void)
int i915_live_selftests(struct pci_dev *pdev)
{
struct drm_i915_private *i915 = pdev_to_i915(pdev);
+ struct intel_uncore *uncore = &i915->uncore;
int err;
+ u32 pg_enable;
+ intel_wakeref_t wakeref;
if (!i915_selftest.live)
return 0;
+ /*
+ * FIXME Disable render powergating, this is temporary wa and should be removed
+ * after fixing real cause of forcewake timeouts.
+ */
+ with_intel_runtime_pm(uncore->rpm, wakeref) {
+ if (IS_GFX_GT_IP_RANGE(to_gt(i915), IP_VER(12, 00), IP_VER(12, 74))) {
+ pg_enable = intel_uncore_read(uncore, GEN9_PG_ENABLE);
+ if (pg_enable & GEN9_RENDER_PG_ENABLE)
+ intel_uncore_write_fw(uncore, GEN9_PG_ENABLE,
+ pg_enable & ~GEN9_RENDER_PG_ENABLE);
+ }
+ }
+
__wait_gsc_proxy_completed(i915);
__wait_gsc_huc_load_completed(i915);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 011/449] x86/acpi: Dont limit CPUs to 1 for Xen PV guests due to disabled ACPI
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2025-04-17 17:44 ` [PATCH 6.14 010/449] drm/i915: Disable RPG during live selftest Greg Kroah-Hartman
@ 2025-04-17 17:44 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 012/449] net: ethtool: fix ethtool_ringparam_get_cfg() returns a hds_thresh value always as 0 Greg Kroah-Hartman
` (444 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Vaněk, Thomas Gleixner,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Vaněk <arkamar@atlas.cz>
[ Upstream commit 8b37357a78d7fa13d88ea822b35b40137da1c85e ]
Xen disables ACPI for PV guests in DomU, which causes acpi_mps_check() to
return 1 when CONFIG_X86_MPPARSE is not set. As a result, the local APIC is
disabled and the guest is later limited to a single vCPU, despite being
configured with more.
This regression was introduced in version 6.9 in commit 7c0edad3643f
("x86/cpu/topology: Rework possible CPU management"), which added an
early check that limits CPUs to 1 if apic_is_disabled.
Update the acpi_mps_check() logic to return 0 early when running as a Xen
PV guest in DomU, preventing APIC from being disabled in this specific case
and restoring correct multi-vCPU behaviour.
Fixes: 7c0edad3643f ("x86/cpu/topology: Rework possible CPU management")
Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/all/20250407132445.6732-2-arkamar@atlas.cz
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/acpi/boot.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
index dae6a73be40e1..9fa321a95eb33 100644
--- a/arch/x86/kernel/acpi/boot.c
+++ b/arch/x86/kernel/acpi/boot.c
@@ -23,6 +23,8 @@
#include <linux/serial_core.h>
#include <linux/pgtable.h>
+#include <xen/xen.h>
+
#include <asm/e820/api.h>
#include <asm/irqdomain.h>
#include <asm/pci_x86.h>
@@ -1729,6 +1731,15 @@ int __init acpi_mps_check(void)
{
#if defined(CONFIG_X86_LOCAL_APIC) && !defined(CONFIG_X86_MPPARSE)
/* mptable code is not built-in*/
+
+ /*
+ * Xen disables ACPI in PV DomU guests but it still emulates APIC and
+ * supports SMP. Returning early here ensures that APIC is not disabled
+ * unnecessarily and the guest is not limited to a single vCPU.
+ */
+ if (xen_pv_domain() && !xen_initial_domain())
+ return 0;
+
if (acpi_disabled || acpi_noirq) {
pr_warn("MPS support code is not built-in, using acpi=off or acpi=noirq or pci=noacpi may have problem\n");
return 1;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 012/449] net: ethtool: fix ethtool_ringparam_get_cfg() returns a hds_thresh value always as 0.
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2025-04-17 17:44 ` [PATCH 6.14 011/449] x86/acpi: Dont limit CPUs to 1 for Xen PV guests due to disabled ACPI Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 013/449] drm/xe/hw_engine: define sysfs_ops on all directories Greg Kroah-Hartman
` (443 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Taehee Yoo, Jakub Kicinski,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Taehee Yoo <ap420073@gmail.com>
[ Upstream commit 216a61d33c0728a8cf1650aaed2c523c6ce16354 ]
When hds-thresh is configured, ethnl_set_rings() is called, and it calls
ethtool_ringparam_get_cfg() to get ringparameters from .get_ringparam()
callback and dev->cfg.
Both hds_config and hds_thresh values should be set from dev->cfg, not
from .get_ringparam().
But ethtool_ringparam_get_cfg() sets only hds_config from dev->cfg.
So, ethtool_ringparam_get_cfg() returns always a hds_thresh as 0.
If an input value of hds-thresh is 0, a hds_thresh value from
ethtool_ringparam_get_cfg() are same. So ethnl_set_rings() does
nothing and returns immediately.
It causes a bug that setting a hds-thresh value to 0 is not working.
Reproducer:
modprobe netdevsim
echo 1 > /sys/bus/netdevsim/new_device
ethtool -G eth0 hds-thresh 100
ethtool -G eth0 hds-thresh 0
ethtool -g eth0
#hds-thresh value should be 0, but it shows 100.
The tools/testing/selftests/drivers/net/hds.py can test it too with
applying a following patch for hds.py.
Fixes: 928459bbda19 ("net: ethtool: populate the default HDS params in the core")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Link: https://patch.msgid.link/20250404122126.1555648-2-ap420073@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ethtool/common.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ethtool/common.c b/net/ethtool/common.c
index b97374b508f67..e2f8a41cc1084 100644
--- a/net/ethtool/common.c
+++ b/net/ethtool/common.c
@@ -785,6 +785,7 @@ void ethtool_ringparam_get_cfg(struct net_device *dev,
/* Driver gives us current state, we want to return current config */
kparam->tcp_data_split = dev->cfg->hds_config;
+ kparam->hds_thresh = dev->cfg->hds_thresh;
}
static void ethtool_init_tsinfo(struct kernel_ethtool_ts_info *info)
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 013/449] drm/xe/hw_engine: define sysfs_ops on all directories
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 012/449] net: ethtool: fix ethtool_ringparam_get_cfg() returns a hds_thresh value always as 0 Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 014/449] drm/xe: Restore EIO errno return when GuC PC start fails Greg Kroah-Hartman
` (442 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Himal Prasad Ghimiray,
Tejas Upadhyay, Lucas De Marchi, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejas Upadhyay <tejas.upadhyay@intel.com>
[ Upstream commit a5c71fd5b69b9da77e5e0b268e69e256932ba49c ]
Sysfs_ops needs to be defined on all directories which
can have attr files with set/get method. Add sysfs_ops
to even those directories which is currently empty but
would have attr files with set/get method in future.
Leave .default with default sysfs_ops as it will never
have setter method.
V2(Himal/Rodrigo):
- use single sysfs_ops for all dir and attr with set/get
- add default ops as ./default does not need runtime pm at all
Fixes: 3f0e14651ab0 ("drm/xe: Runtime PM wake on every sysfs call")
Reviewed-by: Himal Prasad Ghimiray <himal.prasad.ghimiray@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250327122647.886637-1-tejas.upadhyay@intel.com
Signed-off-by: Tejas Upadhyay <tejas.upadhyay@intel.com>
(cherry picked from commit 40780b9760b561e093508d07b8b9b06c94ab201e)
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/xe_hw_engine_class_sysfs.c | 108 +++++++++---------
1 file changed, 52 insertions(+), 56 deletions(-)
diff --git a/drivers/gpu/drm/xe/xe_hw_engine_class_sysfs.c b/drivers/gpu/drm/xe/xe_hw_engine_class_sysfs.c
index b53e8d2accdbd..a440442b4d727 100644
--- a/drivers/gpu/drm/xe/xe_hw_engine_class_sysfs.c
+++ b/drivers/gpu/drm/xe/xe_hw_engine_class_sysfs.c
@@ -32,14 +32,61 @@ bool xe_hw_engine_timeout_in_range(u64 timeout, u64 min, u64 max)
return timeout >= min && timeout <= max;
}
-static void kobj_xe_hw_engine_release(struct kobject *kobj)
+static void xe_hw_engine_sysfs_kobj_release(struct kobject *kobj)
{
kfree(kobj);
}
+static ssize_t xe_hw_engine_class_sysfs_attr_show(struct kobject *kobj,
+ struct attribute *attr,
+ char *buf)
+{
+ struct xe_device *xe = kobj_to_xe(kobj);
+ struct kobj_attribute *kattr;
+ ssize_t ret = -EIO;
+
+ kattr = container_of(attr, struct kobj_attribute, attr);
+ if (kattr->show) {
+ xe_pm_runtime_get(xe);
+ ret = kattr->show(kobj, kattr, buf);
+ xe_pm_runtime_put(xe);
+ }
+
+ return ret;
+}
+
+static ssize_t xe_hw_engine_class_sysfs_attr_store(struct kobject *kobj,
+ struct attribute *attr,
+ const char *buf,
+ size_t count)
+{
+ struct xe_device *xe = kobj_to_xe(kobj);
+ struct kobj_attribute *kattr;
+ ssize_t ret = -EIO;
+
+ kattr = container_of(attr, struct kobj_attribute, attr);
+ if (kattr->store) {
+ xe_pm_runtime_get(xe);
+ ret = kattr->store(kobj, kattr, buf, count);
+ xe_pm_runtime_put(xe);
+ }
+
+ return ret;
+}
+
+static const struct sysfs_ops xe_hw_engine_class_sysfs_ops = {
+ .show = xe_hw_engine_class_sysfs_attr_show,
+ .store = xe_hw_engine_class_sysfs_attr_store,
+};
+
static const struct kobj_type kobj_xe_hw_engine_type = {
- .release = kobj_xe_hw_engine_release,
- .sysfs_ops = &kobj_sysfs_ops
+ .release = xe_hw_engine_sysfs_kobj_release,
+ .sysfs_ops = &xe_hw_engine_class_sysfs_ops,
+};
+
+static const struct kobj_type kobj_xe_hw_engine_type_def = {
+ .release = xe_hw_engine_sysfs_kobj_release,
+ .sysfs_ops = &kobj_sysfs_ops,
};
static ssize_t job_timeout_max_store(struct kobject *kobj,
@@ -543,7 +590,7 @@ static int xe_add_hw_engine_class_defaults(struct xe_device *xe,
if (!kobj)
return -ENOMEM;
- kobject_init(kobj, &kobj_xe_hw_engine_type);
+ kobject_init(kobj, &kobj_xe_hw_engine_type_def);
err = kobject_add(kobj, parent, "%s", ".defaults");
if (err)
goto err_object;
@@ -559,57 +606,6 @@ static int xe_add_hw_engine_class_defaults(struct xe_device *xe,
return err;
}
-static void xe_hw_engine_sysfs_kobj_release(struct kobject *kobj)
-{
- kfree(kobj);
-}
-
-static ssize_t xe_hw_engine_class_sysfs_attr_show(struct kobject *kobj,
- struct attribute *attr,
- char *buf)
-{
- struct xe_device *xe = kobj_to_xe(kobj);
- struct kobj_attribute *kattr;
- ssize_t ret = -EIO;
-
- kattr = container_of(attr, struct kobj_attribute, attr);
- if (kattr->show) {
- xe_pm_runtime_get(xe);
- ret = kattr->show(kobj, kattr, buf);
- xe_pm_runtime_put(xe);
- }
-
- return ret;
-}
-
-static ssize_t xe_hw_engine_class_sysfs_attr_store(struct kobject *kobj,
- struct attribute *attr,
- const char *buf,
- size_t count)
-{
- struct xe_device *xe = kobj_to_xe(kobj);
- struct kobj_attribute *kattr;
- ssize_t ret = -EIO;
-
- kattr = container_of(attr, struct kobj_attribute, attr);
- if (kattr->store) {
- xe_pm_runtime_get(xe);
- ret = kattr->store(kobj, kattr, buf, count);
- xe_pm_runtime_put(xe);
- }
-
- return ret;
-}
-
-static const struct sysfs_ops xe_hw_engine_class_sysfs_ops = {
- .show = xe_hw_engine_class_sysfs_attr_show,
- .store = xe_hw_engine_class_sysfs_attr_store,
-};
-
-static const struct kobj_type xe_hw_engine_sysfs_kobj_type = {
- .release = xe_hw_engine_sysfs_kobj_release,
- .sysfs_ops = &xe_hw_engine_class_sysfs_ops,
-};
static void hw_engine_class_sysfs_fini(void *arg)
{
@@ -640,7 +636,7 @@ int xe_hw_engine_class_sysfs_init(struct xe_gt *gt)
if (!kobj)
return -ENOMEM;
- kobject_init(kobj, &xe_hw_engine_sysfs_kobj_type);
+ kobject_init(kobj, &kobj_xe_hw_engine_type);
err = kobject_add(kobj, gt->sysfs, "engines");
if (err)
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 014/449] drm/xe: Restore EIO errno return when GuC PC start fails
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 013/449] drm/xe/hw_engine: define sysfs_ops on all directories Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 015/449] ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() Greg Kroah-Hartman
` (441 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Lucas De Marchi,
Rodrigo Vivi, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rodrigo Vivi <rodrigo.vivi@intel.com>
[ Upstream commit 88ecb66b9956a14577d513a6c8c28bb2e7989703 ]
Commit b4b05e53b550 ("drm/xe/guc_pc: Retry and wait longer for GuC PC
start"), leads to the following Smatch static checker warning:
drivers/gpu/drm/xe/xe_guc_pc.c:1073 xe_guc_pc_start()
warn: missing error code here? '_dev_err()' failed. 'ret' = '0'
Fixes: c605acb53f44 ("drm/xe/guc_pc: Retry and wait longer for GuC PC start")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/intel-xe/1454a5f1-ee18-4df1-a6b2-a4a3dddcd1cb@stanley.mountain/
Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
Link: https://lore.kernel.org/r/20250328181752.26677-1-rodrigo.vivi@intel.com
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
(cherry picked from commit 3f2bdccbccdcb53b0d316474eafff2e3462a51ad)
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/xe_guc_pc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/xe/xe_guc_pc.c b/drivers/gpu/drm/xe/xe_guc_pc.c
index b995d1d51aed0..f382f5d53ca8b 100644
--- a/drivers/gpu/drm/xe/xe_guc_pc.c
+++ b/drivers/gpu/drm/xe/xe_guc_pc.c
@@ -1056,6 +1056,7 @@ int xe_guc_pc_start(struct xe_guc_pc *pc)
if (wait_for_pc_state(pc, SLPC_GLOBAL_STATE_RUNNING,
SLPC_RESET_EXTENDED_TIMEOUT_MS)) {
xe_gt_err(gt, "GuC PC Start failed: Dynamic GT frequency control and GT sleep states are now disabled.\n");
+ ret = -EIO;
goto out;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 015/449] ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 014/449] drm/xe: Restore EIO errno return when GuC PC start fails Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 016/449] objtool: Fix INSN_CONTEXT_SWITCH handling in validate_unret() Greg Kroah-Hartman
` (440 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Henry Martin, Damien Le Moal,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henry Martin <bsdhenrymartin@gmail.com>
[ Upstream commit ad320e408a8c95a282ab9c05cdf0c9b95e317985 ]
devm_ioremap() returns NULL on error. Currently, pxa_ata_probe() does
not check for this case, which can result in a NULL pointer dereference.
Add NULL check after devm_ioremap() to prevent this issue.
Fixes: 2dc6c6f15da9 ("[ARM] pata_pxa: DMA-capable PATA driver")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/pata_pxa.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/ata/pata_pxa.c b/drivers/ata/pata_pxa.c
index 434f380114af0..03dbaf4a13a75 100644
--- a/drivers/ata/pata_pxa.c
+++ b/drivers/ata/pata_pxa.c
@@ -223,10 +223,16 @@ static int pxa_ata_probe(struct platform_device *pdev)
ap->ioaddr.cmd_addr = devm_ioremap(&pdev->dev, cmd_res->start,
resource_size(cmd_res));
+ if (!ap->ioaddr.cmd_addr)
+ return -ENOMEM;
ap->ioaddr.ctl_addr = devm_ioremap(&pdev->dev, ctl_res->start,
resource_size(ctl_res));
+ if (!ap->ioaddr.ctl_addr)
+ return -ENOMEM;
ap->ioaddr.bmdma_addr = devm_ioremap(&pdev->dev, dma_res->start,
resource_size(dma_res));
+ if (!ap->ioaddr.bmdma_addr)
+ return -ENOMEM;
/*
* Adjust register offsets
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 016/449] objtool: Fix INSN_CONTEXT_SWITCH handling in validate_unret()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 015/449] ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 017/449] tipc: fix memory leak in tipc_link_xmit Greg Kroah-Hartman
` (439 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Cooper, Josh Poimboeuf,
Ingo Molnar, Linus Torvalds, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Poimboeuf <jpoimboe@kernel.org>
[ Upstream commit a8df7d0ef92eca28c610206c6748daf537ac0586 ]
The !CONFIG_IA32_EMULATION version of xen_entry_SYSCALL_compat() ends
with a SYSCALL instruction which is classified by objtool as
INSN_CONTEXT_SWITCH.
Unlike validate_branch(), validate_unret() doesn't consider
INSN_CONTEXT_SWITCH in a non-function to be a dead end, so it keeps
going past the end of xen_entry_SYSCALL_compat(), resulting in the
following warning:
vmlinux.o: warning: objtool: xen_reschedule_interrupt+0x2a: RET before UNTRAIN
Fix that by adding INSN_CONTEXT_SWITCH handling to validate_unret() to
match what validate_branch() is already doing.
Fixes: a09a6e2399ba ("objtool: Add entry UNRET validation")
Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/r/f5eda46fd09f15b1f5cde3d9ae3b92b958342add.1744095216.git.jpoimboe@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/objtool/check.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tools/objtool/check.c b/tools/objtool/check.c
index 159fb130e2827..9f4c54fe6f56f 100644
--- a/tools/objtool/check.c
+++ b/tools/objtool/check.c
@@ -3846,6 +3846,11 @@ static int validate_unret(struct objtool_file *file, struct instruction *insn)
WARN_INSN(insn, "RET before UNTRAIN");
return 1;
+ case INSN_CONTEXT_SWITCH:
+ if (insn_func(insn))
+ break;
+ return 0;
+
case INSN_NOP:
if (insn->retpoline_safe)
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 017/449] tipc: fix memory leak in tipc_link_xmit
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 016/449] objtool: Fix INSN_CONTEXT_SWITCH handling in validate_unret() Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 018/449] codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Greg Kroah-Hartman
` (438 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tung Nguyen, Paolo Abeni,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tung Nguyen <tung.quang.nguyen@est.tech>
[ Upstream commit 69ae94725f4fc9e75219d2d69022029c5b24bc9a ]
In case the backlog transmit queue for system-importance messages is overloaded,
tipc_link_xmit() returns -ENOBUFS but the skb list is not purged. This leads to
memory leak and failure when a skb is allocated.
This commit fixes this issue by purging the skb list before tipc_link_xmit()
returns.
Fixes: 365ad353c256 ("tipc: reduce risk of user starvation during link congestion")
Signed-off-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Link: https://patch.msgid.link/20250403092431.514063-1-tung.quang.nguyen@est.tech
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tipc/link.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/tipc/link.c b/net/tipc/link.c
index 5c2088a469cea..5689e1f485479 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -1046,6 +1046,7 @@ int tipc_link_xmit(struct tipc_link *l, struct sk_buff_head *list,
if (unlikely(l->backlog[imp].len >= l->backlog[imp].limit)) {
if (imp == TIPC_SYSTEM_IMPORTANCE) {
pr_warn("%s<%s>, link overflow", link_rst_msg, l->name);
+ __skb_queue_purge(list);
return -ENOBUFS;
}
rc = link_schedule_user(l, hdr);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 018/449] codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 017/449] tipc: fix memory leak in tipc_link_xmit Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 019/449] net: tls: explicitly disallow disconnect Greg Kroah-Hartman
` (437 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerrard Tai, Cong Wang, Simon Horman,
Jamal Hadi Salim, Paolo Abeni, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
[ Upstream commit 342debc12183b51773b3345ba267e9263bdfaaef ]
After making all ->qlen_notify() callbacks idempotent, now it is safe to
remove the check of qlen!=0 from both fq_codel_dequeue() and
codel_qdisc_dequeue().
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Fixes: 4b549a2ef4be ("fq_codel: Fair Queue Codel AQM")
Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM")
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250403211636.166257-1-xiyou.wangcong@gmail.com
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_codel.c | 5 +----
net/sched/sch_fq_codel.c | 6 ++----
2 files changed, 3 insertions(+), 8 deletions(-)
diff --git a/net/sched/sch_codel.c b/net/sched/sch_codel.c
index 81189d02fee76..12dd71139da39 100644
--- a/net/sched/sch_codel.c
+++ b/net/sched/sch_codel.c
@@ -65,10 +65,7 @@ static struct sk_buff *codel_qdisc_dequeue(struct Qdisc *sch)
&q->stats, qdisc_pkt_len, codel_get_enqueue_time,
drop_func, dequeue_func);
- /* We cant call qdisc_tree_reduce_backlog() if our qlen is 0,
- * or HTB crashes. Defer it for next round.
- */
- if (q->stats.drop_count && sch->q.qlen) {
+ if (q->stats.drop_count) {
qdisc_tree_reduce_backlog(sch, q->stats.drop_count, q->stats.drop_len);
q->stats.drop_count = 0;
q->stats.drop_len = 0;
diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
index 799f5397ad4c1..6c9029f71e88d 100644
--- a/net/sched/sch_fq_codel.c
+++ b/net/sched/sch_fq_codel.c
@@ -315,10 +315,8 @@ static struct sk_buff *fq_codel_dequeue(struct Qdisc *sch)
}
qdisc_bstats_update(sch, skb);
flow->deficit -= qdisc_pkt_len(skb);
- /* We cant call qdisc_tree_reduce_backlog() if our qlen is 0,
- * or HTB crashes. Defer it for next round.
- */
- if (q->cstats.drop_count && sch->q.qlen) {
+
+ if (q->cstats.drop_count) {
qdisc_tree_reduce_backlog(sch, q->cstats.drop_count,
q->cstats.drop_len);
q->cstats.drop_count = 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 019/449] net: tls: explicitly disallow disconnect
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 018/449] codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 020/449] octeontx2-pf: qos: fix VF root node parent queue index Greg Kroah-Hartman
` (436 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b4cd76826045a1eb93c1,
Jakub Kicinski, Eric Dumazet, Sabrina Dubroca, Paolo Abeni,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 5071a1e606b30c0c11278d3c6620cd6a24724cf6 ]
syzbot discovered that it can disconnect a TLS socket and then
run into all sort of unexpected corner cases. I have a vague
recollection of Eric pointing this out to us a long time ago.
Supporting disconnect is really hard, for one thing if offload
is enabled we'd need to wait for all packets to be _acked_.
Disconnect is not commonly used, disallow it.
The immediate problem syzbot run into is the warning in the strp,
but that's just the easiest bug to trigger:
WARNING: CPU: 0 PID: 5834 at net/tls/tls_strp.c:486 tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486
RIP: 0010:tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486
Call Trace:
<TASK>
tls_rx_rec_wait+0x280/0xa60 net/tls/tls_sw.c:1363
tls_sw_recvmsg+0x85c/0x1c30 net/tls/tls_sw.c:2043
inet6_recvmsg+0x2c9/0x730 net/ipv6/af_inet6.c:678
sock_recvmsg_nosec net/socket.c:1023 [inline]
sock_recvmsg+0x109/0x280 net/socket.c:1045
__sys_recvfrom+0x202/0x380 net/socket.c:2237
Fixes: 3c4d7559159b ("tls: kernel TLS support")
Reported-by: syzbot+b4cd76826045a1eb93c1@syzkaller.appspotmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://patch.msgid.link/20250404180334.3224206-1-kuba@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tls/tls_main.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index 99ca4465f7021..4d7702ce17c06 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -852,6 +852,11 @@ static int tls_setsockopt(struct sock *sk, int level, int optname,
return do_tls_setsockopt(sk, optname, optval, optlen);
}
+static int tls_disconnect(struct sock *sk, int flags)
+{
+ return -EOPNOTSUPP;
+}
+
struct tls_context *tls_ctx_create(struct sock *sk)
{
struct inet_connection_sock *icsk = inet_csk(sk);
@@ -947,6 +952,7 @@ static void build_protos(struct proto prot[TLS_NUM_CONFIG][TLS_NUM_CONFIG],
prot[TLS_BASE][TLS_BASE] = *base;
prot[TLS_BASE][TLS_BASE].setsockopt = tls_setsockopt;
prot[TLS_BASE][TLS_BASE].getsockopt = tls_getsockopt;
+ prot[TLS_BASE][TLS_BASE].disconnect = tls_disconnect;
prot[TLS_BASE][TLS_BASE].close = tls_sk_proto_close;
prot[TLS_SW][TLS_BASE] = prot[TLS_BASE][TLS_BASE];
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 020/449] octeontx2-pf: qos: fix VF root node parent queue index
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 019/449] net: tls: explicitly disallow disconnect Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 021/449] tc: Ensure we have enough buffer space when sending filter netlink notifications Greg Kroah-Hartman
` (435 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hariprasad Kelam, Simon Horman,
Paolo Abeni, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hariprasad Kelam <hkelam@marvell.com>
[ Upstream commit b7db94734e785e380b0db0f9295e07024f4d42a0 ]
The current code configures the Physical Function (PF) root node at TL1
and the Virtual Function (VF) root node at TL2.
This ensure at any given point of time PF traffic gets more priority.
PF root node
TL1
/ \
TL2 TL2 VF root node
/ \
TL3 TL3
/ \
TL4 TL4
/ \
SMQ SMQ
Due to a bug in the current code, the TL2 parent queue index on the
VF interface is not being configured, leading to 'SMQ Flush' errors
Fixes: 5e6808b4c68d ("octeontx2-pf: Add support for HTB offload")
Signed-off-by: Hariprasad Kelam <hkelam@marvell.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250407070341.2765426-1-hkelam@marvell.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/octeontx2/nic/qos.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/qos.c b/drivers/net/ethernet/marvell/octeontx2/nic/qos.c
index 0f844c14485a0..35acc07bd9648 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/qos.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/qos.c
@@ -165,6 +165,11 @@ static void __otx2_qos_txschq_cfg(struct otx2_nic *pfvf,
otx2_config_sched_shaping(pfvf, node, cfg, &num_regs);
} else if (level == NIX_TXSCH_LVL_TL2) {
+ /* configure parent txschq */
+ cfg->reg[num_regs] = NIX_AF_TL2X_PARENT(node->schq);
+ cfg->regval[num_regs] = (u64)hw->tx_link << 16;
+ num_regs++;
+
/* configure link cfg */
if (level == pfvf->qos.link_cfg_lvl) {
cfg->reg[num_regs] = NIX_AF_TL3_TL2X_LINKX_CFG(node->schq, hw->tx_link);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 021/449] tc: Ensure we have enough buffer space when sending filter netlink notifications
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 020/449] octeontx2-pf: qos: fix VF root node parent queue index Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 022/449] net: ethtool: Dont call .cleanup_data when prepare_data fails Greg Kroah-Hartman
` (434 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frode Nordahl,
Toke Høiland-Jørgensen, Jiri Pirko, Paolo Abeni,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Toke Høiland-Jørgensen <toke@redhat.com>
[ Upstream commit 369609fc6272c2f6ad666ba4fd913f3baf32908f ]
The tfilter_notify() and tfilter_del_notify() functions assume that
NLMSG_GOODSIZE is always enough to dump the filter chain. This is not
always the case, which can lead to silent notify failures (because the
return code of tfilter_notify() is not always checked). In particular,
this can lead to NLM_F_ECHO not being honoured even though an action
succeeds, which forces userspace to create workarounds[0].
Fix this by increasing the message size if dumping the filter chain into
the allocated skb fails. Use the size of the incoming skb as a size hint
if set, so we can start at a larger value when appropriate.
To trigger this, run the following commands:
# ip link add type veth
# tc qdisc replace dev veth0 root handle 1: fq_codel
# tc -echo filter add dev veth0 parent 1: u32 match u32 0 0 $(for i in $(seq 32); do echo action pedit munge ip dport set 22; done)
Before this fix, tc just returns:
Not a filter(cmd 2)
After the fix, we get the correct echo:
added filter dev veth0 parent 1: protocol all pref 49152 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 terminal flowid not_in_hw
match 00000000/00000000 at 0
action order 1: pedit action pass keys 1
index 1 ref 1 bind 1
key #0 at 20: val 00000016 mask ffff0000
[repeated 32 times]
[0] https://github.com/openvswitch/ovs/commit/106ef21860c935e5e0017a88bf42b94025c4e511
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Frode Nordahl <frode.nordahl@canonical.com>
Closes: https://bugs.launchpad.net/ubuntu/+source/openvswitch/+bug/2018500
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Link: https://patch.msgid.link/20250407105542.16601-1-toke@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/cls_api.c | 66 ++++++++++++++++++++++++++++++---------------
1 file changed, 45 insertions(+), 21 deletions(-)
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 4f648af8cfaaf..ecec0a1e1c1a0 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -2057,6 +2057,7 @@ static int tcf_fill_node(struct net *net, struct sk_buff *skb,
struct tcmsg *tcm;
struct nlmsghdr *nlh;
unsigned char *b = skb_tail_pointer(skb);
+ int ret = -EMSGSIZE;
nlh = nlmsg_put(skb, portid, seq, event, sizeof(*tcm), flags);
if (!nlh)
@@ -2101,11 +2102,45 @@ static int tcf_fill_node(struct net *net, struct sk_buff *skb,
return skb->len;
+cls_op_not_supp:
+ ret = -EOPNOTSUPP;
out_nlmsg_trim:
nla_put_failure:
-cls_op_not_supp:
nlmsg_trim(skb, b);
- return -1;
+ return ret;
+}
+
+static struct sk_buff *tfilter_notify_prep(struct net *net,
+ struct sk_buff *oskb,
+ struct nlmsghdr *n,
+ struct tcf_proto *tp,
+ struct tcf_block *block,
+ struct Qdisc *q, u32 parent,
+ void *fh, int event,
+ u32 portid, bool rtnl_held,
+ struct netlink_ext_ack *extack)
+{
+ unsigned int size = oskb ? max(NLMSG_GOODSIZE, oskb->len) : NLMSG_GOODSIZE;
+ struct sk_buff *skb;
+ int ret;
+
+retry:
+ skb = alloc_skb(size, GFP_KERNEL);
+ if (!skb)
+ return ERR_PTR(-ENOBUFS);
+
+ ret = tcf_fill_node(net, skb, tp, block, q, parent, fh, portid,
+ n->nlmsg_seq, n->nlmsg_flags, event, false,
+ rtnl_held, extack);
+ if (ret <= 0) {
+ kfree_skb(skb);
+ if (ret == -EMSGSIZE) {
+ size += NLMSG_GOODSIZE;
+ goto retry;
+ }
+ return ERR_PTR(-EINVAL);
+ }
+ return skb;
}
static int tfilter_notify(struct net *net, struct sk_buff *oskb,
@@ -2121,16 +2156,10 @@ static int tfilter_notify(struct net *net, struct sk_buff *oskb,
if (!unicast && !rtnl_notify_needed(net, n->nlmsg_flags, RTNLGRP_TC))
return 0;
- skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
- if (!skb)
- return -ENOBUFS;
-
- if (tcf_fill_node(net, skb, tp, block, q, parent, fh, portid,
- n->nlmsg_seq, n->nlmsg_flags, event,
- false, rtnl_held, extack) <= 0) {
- kfree_skb(skb);
- return -EINVAL;
- }
+ skb = tfilter_notify_prep(net, oskb, n, tp, block, q, parent, fh, event,
+ portid, rtnl_held, extack);
+ if (IS_ERR(skb))
+ return PTR_ERR(skb);
if (unicast)
err = rtnl_unicast(skb, net, portid);
@@ -2153,16 +2182,11 @@ static int tfilter_del_notify(struct net *net, struct sk_buff *oskb,
if (!rtnl_notify_needed(net, n->nlmsg_flags, RTNLGRP_TC))
return tp->ops->delete(tp, fh, last, rtnl_held, extack);
- skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
- if (!skb)
- return -ENOBUFS;
-
- if (tcf_fill_node(net, skb, tp, block, q, parent, fh, portid,
- n->nlmsg_seq, n->nlmsg_flags, RTM_DELTFILTER,
- false, rtnl_held, extack) <= 0) {
+ skb = tfilter_notify_prep(net, oskb, n, tp, block, q, parent, fh,
+ RTM_DELTFILTER, portid, rtnl_held, extack);
+ if (IS_ERR(skb)) {
NL_SET_ERR_MSG(extack, "Failed to build del event notification");
- kfree_skb(skb);
- return -EINVAL;
+ return PTR_ERR(skb);
}
err = tp->ops->delete(tp, fh, last, rtnl_held, extack);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 022/449] net: ethtool: Dont call .cleanup_data when prepare_data fails
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 021/449] tc: Ensure we have enough buffer space when sending filter netlink notifications Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 023/449] drm/tests: modeset: Fix drm_display_mode memory leak Greg Kroah-Hartman
` (433 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kory Maincent, Simon Horman,
Michal Kubecek, Maxime Chevallier, Paolo Abeni, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxime Chevallier <maxime.chevallier@bootlin.com>
[ Upstream commit 4f038a6a02d20859a3479293cbf172b0f14cbdd6 ]
There's a consistent pattern where the .cleanup_data() callback is
called when .prepare_data() fails, when it should really be called to
clean after a successful .prepare_data() as per the documentation.
Rewrite the error-handling paths to make sure we don't cleanup
un-prepared data.
Fixes: c781ff12a2f3 ("ethtool: Allow network drivers to dump arbitrary EEPROM data")
Reviewed-by: Kory Maincent <kory.maincent@bootlin.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20250407130511.75621-1-maxime.chevallier@bootlin.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ethtool/netlink.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/ethtool/netlink.c b/net/ethtool/netlink.c
index 734849a573691..e088a30d1dd26 100644
--- a/net/ethtool/netlink.c
+++ b/net/ethtool/netlink.c
@@ -493,7 +493,7 @@ static int ethnl_default_doit(struct sk_buff *skb, struct genl_info *info)
ret = ops->prepare_data(req_info, reply_data, info);
rtnl_unlock();
if (ret < 0)
- goto err_cleanup;
+ goto err_dev;
ret = ops->reply_size(req_info, reply_data);
if (ret < 0)
goto err_cleanup;
@@ -551,7 +551,7 @@ static int ethnl_default_dump_one(struct sk_buff *skb, struct net_device *dev,
ret = ctx->ops->prepare_data(ctx->req_info, ctx->reply_data, info);
rtnl_unlock();
if (ret < 0)
- goto out;
+ goto out_cancel;
ret = ethnl_fill_reply_header(skb, dev, ctx->ops->hdr_attr);
if (ret < 0)
goto out;
@@ -560,6 +560,7 @@ static int ethnl_default_dump_one(struct sk_buff *skb, struct net_device *dev,
out:
if (ctx->ops->cleanup_data)
ctx->ops->cleanup_data(ctx->reply_data);
+out_cancel:
ctx->reply_data->dev = NULL;
if (ret < 0)
genlmsg_cancel(skb, ehdr);
@@ -780,7 +781,7 @@ static void ethnl_default_notify(struct net_device *dev, unsigned int cmd,
ethnl_init_reply_data(reply_data, ops, dev);
ret = ops->prepare_data(req_info, reply_data, &info);
if (ret < 0)
- goto err_cleanup;
+ goto err_rep;
ret = ops->reply_size(req_info, reply_data);
if (ret < 0)
goto err_cleanup;
@@ -815,6 +816,7 @@ static void ethnl_default_notify(struct net_device *dev, unsigned int cmd,
err_cleanup:
if (ops->cleanup_data)
ops->cleanup_data(reply_data);
+err_rep:
kfree(reply_data);
kfree(req_info);
return;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 023/449] drm/tests: modeset: Fix drm_display_mode memory leak
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 022/449] net: ethtool: Dont call .cleanup_data when prepare_data fails Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 024/449] drm/tests: helpers: Create kunit helper to destroy a drm_display_mode Greg Kroah-Hartman
` (432 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philipp Stanner, Thomas Zimmermann,
Maxime Ripard, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxime Ripard <mripard@kernel.org>
[ Upstream commit dacafdcc7789cfeb0f0552716db56f210238225d ]
drm_mode_find_dmt() returns a drm_display_mode that needs to be
destroyed later one. The drm_test_pick_cmdline_res_1920_1080_60() test
never does however, which leads to a memory leak.
Let's make sure it's freed.
Reported-by: Philipp Stanner <phasta@mailbox.org>
Closes: https://lore.kernel.org/dri-devel/a7655158a6367ac46194d57f4b7433ef0772a73e.camel@mailbox.org/
Fixes: 8fc0380f6ba7 ("drm/client: Add some tests for drm_connector_pick_cmdline_mode()")
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://lore.kernel.org/r/20250408-drm-kunit-drm-display-mode-memleak-v1-2-996305a2e75a@kernel.org
Signed-off-by: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/tests/drm_client_modeset_test.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/tests/drm_client_modeset_test.c b/drivers/gpu/drm/tests/drm_client_modeset_test.c
index 7516f6cb36e4e..3e9518d7b8b7e 100644
--- a/drivers/gpu/drm/tests/drm_client_modeset_test.c
+++ b/drivers/gpu/drm/tests/drm_client_modeset_test.c
@@ -95,6 +95,9 @@ static void drm_test_pick_cmdline_res_1920_1080_60(struct kunit *test)
expected_mode = drm_mode_find_dmt(priv->drm, 1920, 1080, 60, false);
KUNIT_ASSERT_NOT_NULL(test, expected_mode);
+ ret = drm_kunit_add_mode_destroy_action(test, expected_mode);
+ KUNIT_ASSERT_EQ(test, ret, 0);
+
KUNIT_ASSERT_TRUE(test,
drm_mode_parse_command_line_for_connector(cmdline,
connector,
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 024/449] drm/tests: helpers: Create kunit helper to destroy a drm_display_mode
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 023/449] drm/tests: modeset: Fix drm_display_mode memory leak Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 025/449] drm/tests: cmdline: Fix drm_display_mode memory leak Greg Kroah-Hartman
` (431 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, Maxime Ripard,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxime Ripard <mripard@kernel.org>
[ Upstream commit 13c1d5f3a7fa7b55a26e73bb9e95342374a489b2 ]
A number of test suites call functions that expect the returned
drm_display_mode to be destroyed eventually.
However, none of the tests called drm_mode_destroy, which results in a
memory leak.
Since drm_mode_destroy takes two pointers as argument, we can't use a
kunit wrapper. Let's just create a helper every test suite can use.
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://lore.kernel.org/r/20250408-drm-kunit-drm-display-mode-memleak-v1-1-996305a2e75a@kernel.org
Signed-off-by: Maxime Ripard <mripard@kernel.org>
Stable-dep-of: 70f29ca3117a ("drm/tests: cmdline: Fix drm_display_mode memory leak")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/tests/drm_kunit_helpers.c | 22 ++++++++++++++++++++++
include/drm/drm_kunit_helpers.h | 3 +++
2 files changed, 25 insertions(+)
diff --git a/drivers/gpu/drm/tests/drm_kunit_helpers.c b/drivers/gpu/drm/tests/drm_kunit_helpers.c
index 3c0b7824c0be3..922c4b6ed1dc9 100644
--- a/drivers/gpu/drm/tests/drm_kunit_helpers.c
+++ b/drivers/gpu/drm/tests/drm_kunit_helpers.c
@@ -319,6 +319,28 @@ static void kunit_action_drm_mode_destroy(void *ptr)
drm_mode_destroy(NULL, mode);
}
+/**
+ * drm_kunit_add_mode_destroy_action() - Add a drm_destroy_mode kunit action
+ * @test: The test context object
+ * @mode: The drm_display_mode to destroy eventually
+ *
+ * Registers a kunit action that will destroy the drm_display_mode at
+ * the end of the test.
+ *
+ * If an error occurs, the drm_display_mode will be destroyed.
+ *
+ * Returns:
+ * 0 on success, an error code otherwise.
+ */
+int drm_kunit_add_mode_destroy_action(struct kunit *test,
+ struct drm_display_mode *mode)
+{
+ return kunit_add_action_or_reset(test,
+ kunit_action_drm_mode_destroy,
+ mode);
+}
+EXPORT_SYMBOL_GPL(drm_kunit_add_mode_destroy_action);
+
/**
* drm_kunit_display_mode_from_cea_vic() - return a mode for CEA VIC for a KUnit test
* @test: The test context object
diff --git a/include/drm/drm_kunit_helpers.h b/include/drm/drm_kunit_helpers.h
index afdd46ef04f70..c835f113055dc 100644
--- a/include/drm/drm_kunit_helpers.h
+++ b/include/drm/drm_kunit_helpers.h
@@ -120,6 +120,9 @@ drm_kunit_helper_create_crtc(struct kunit *test,
const struct drm_crtc_funcs *funcs,
const struct drm_crtc_helper_funcs *helper_funcs);
+int drm_kunit_add_mode_destroy_action(struct kunit *test,
+ struct drm_display_mode *mode);
+
struct drm_display_mode *
drm_kunit_display_mode_from_cea_vic(struct kunit *test, struct drm_device *dev,
u8 video_code);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 025/449] drm/tests: cmdline: Fix drm_display_mode memory leak
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 024/449] drm/tests: helpers: Create kunit helper to destroy a drm_display_mode Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 026/449] drm/tests: modes: " Greg Kroah-Hartman
` (430 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philipp Stanner, Thomas Zimmermann,
Maxime Ripard, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxime Ripard <mripard@kernel.org>
[ Upstream commit 70f29ca3117a8796cd6bde7612a3ded96d0f2dde ]
drm_analog_tv_mode() and its variants return a drm_display_mode that
needs to be destroyed later one. The drm_test_cmdline_tv_options() test
never does however, which leads to a memory leak.
Let's make sure it's freed.
Reported-by: Philipp Stanner <phasta@mailbox.org>
Closes: https://lore.kernel.org/dri-devel/a7655158a6367ac46194d57f4b7433ef0772a73e.camel@mailbox.org/
Fixes: e691c9992ae1 ("drm/modes: Introduce the tv_mode property as a command-line option")
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://lore.kernel.org/r/20250408-drm-kunit-drm-display-mode-memleak-v1-4-996305a2e75a@kernel.org
Signed-off-by: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/tests/drm_cmdline_parser_test.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/tests/drm_cmdline_parser_test.c b/drivers/gpu/drm/tests/drm_cmdline_parser_test.c
index 59c8408c453c2..1cfcb597b088b 100644
--- a/drivers/gpu/drm/tests/drm_cmdline_parser_test.c
+++ b/drivers/gpu/drm/tests/drm_cmdline_parser_test.c
@@ -7,6 +7,7 @@
#include <kunit/test.h>
#include <drm/drm_connector.h>
+#include <drm/drm_kunit_helpers.h>
#include <drm/drm_modes.h>
static const struct drm_connector no_connector = {};
@@ -955,8 +956,15 @@ struct drm_cmdline_tv_option_test {
static void drm_test_cmdline_tv_options(struct kunit *test)
{
const struct drm_cmdline_tv_option_test *params = test->param_value;
- const struct drm_display_mode *expected_mode = params->mode_fn(NULL);
+ struct drm_display_mode *expected_mode;
struct drm_cmdline_mode mode = { };
+ int ret;
+
+ expected_mode = params->mode_fn(NULL);
+ KUNIT_ASSERT_NOT_NULL(test, expected_mode);
+
+ ret = drm_kunit_add_mode_destroy_action(test, expected_mode);
+ KUNIT_ASSERT_EQ(test, ret, 0);
KUNIT_EXPECT_TRUE(test, drm_mode_parse_command_line_for_connector(params->cmdline,
&no_connector, &mode));
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 026/449] drm/tests: modes: Fix drm_display_mode memory leak
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 025/449] drm/tests: cmdline: Fix drm_display_mode memory leak Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 027/449] drm/tests: probe-helper: " Greg Kroah-Hartman
` (429 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philipp Stanner, Thomas Zimmermann,
Maxime Ripard, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxime Ripard <mripard@kernel.org>
[ Upstream commit d34146340f95cd9bf06d4ce71cca72127dc0b7cd ]
drm_analog_tv_mode() and its variants return a drm_display_mode that
needs to be destroyed later one. The drm_modes_analog_tv tests never
do however, which leads to a memory leak.
Let's make sure it's freed.
Reported-by: Philipp Stanner <phasta@mailbox.org>
Closes: https://lore.kernel.org/dri-devel/a7655158a6367ac46194d57f4b7433ef0772a73e.camel@mailbox.org/
Fixes: 4fcd238560ee ("drm/modes: Add a function to generate analog display modes")
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://lore.kernel.org/r/20250408-drm-kunit-drm-display-mode-memleak-v1-5-996305a2e75a@kernel.org
Signed-off-by: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/tests/drm_modes_test.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/drivers/gpu/drm/tests/drm_modes_test.c b/drivers/gpu/drm/tests/drm_modes_test.c
index 6ed51f99e133c..7ba646d87856f 100644
--- a/drivers/gpu/drm/tests/drm_modes_test.c
+++ b/drivers/gpu/drm/tests/drm_modes_test.c
@@ -40,6 +40,7 @@ static void drm_test_modes_analog_tv_ntsc_480i(struct kunit *test)
{
struct drm_test_modes_priv *priv = test->priv;
struct drm_display_mode *mode;
+ int ret;
mode = drm_analog_tv_mode(priv->drm,
DRM_MODE_TV_MODE_NTSC,
@@ -47,6 +48,9 @@ static void drm_test_modes_analog_tv_ntsc_480i(struct kunit *test)
true);
KUNIT_ASSERT_NOT_NULL(test, mode);
+ ret = drm_kunit_add_mode_destroy_action(test, mode);
+ KUNIT_ASSERT_EQ(test, ret, 0);
+
KUNIT_EXPECT_EQ(test, drm_mode_vrefresh(mode), 60);
KUNIT_EXPECT_EQ(test, mode->hdisplay, 720);
@@ -70,6 +74,7 @@ static void drm_test_modes_analog_tv_ntsc_480i_inlined(struct kunit *test)
{
struct drm_test_modes_priv *priv = test->priv;
struct drm_display_mode *expected, *mode;
+ int ret;
expected = drm_analog_tv_mode(priv->drm,
DRM_MODE_TV_MODE_NTSC,
@@ -77,9 +82,15 @@ static void drm_test_modes_analog_tv_ntsc_480i_inlined(struct kunit *test)
true);
KUNIT_ASSERT_NOT_NULL(test, expected);
+ ret = drm_kunit_add_mode_destroy_action(test, expected);
+ KUNIT_ASSERT_EQ(test, ret, 0);
+
mode = drm_mode_analog_ntsc_480i(priv->drm);
KUNIT_ASSERT_NOT_NULL(test, mode);
+ ret = drm_kunit_add_mode_destroy_action(test, mode);
+ KUNIT_ASSERT_EQ(test, ret, 0);
+
KUNIT_EXPECT_TRUE(test, drm_mode_equal(expected, mode));
}
@@ -87,6 +98,7 @@ static void drm_test_modes_analog_tv_pal_576i(struct kunit *test)
{
struct drm_test_modes_priv *priv = test->priv;
struct drm_display_mode *mode;
+ int ret;
mode = drm_analog_tv_mode(priv->drm,
DRM_MODE_TV_MODE_PAL,
@@ -94,6 +106,9 @@ static void drm_test_modes_analog_tv_pal_576i(struct kunit *test)
true);
KUNIT_ASSERT_NOT_NULL(test, mode);
+ ret = drm_kunit_add_mode_destroy_action(test, mode);
+ KUNIT_ASSERT_EQ(test, ret, 0);
+
KUNIT_EXPECT_EQ(test, drm_mode_vrefresh(mode), 50);
KUNIT_EXPECT_EQ(test, mode->hdisplay, 720);
@@ -117,6 +132,7 @@ static void drm_test_modes_analog_tv_pal_576i_inlined(struct kunit *test)
{
struct drm_test_modes_priv *priv = test->priv;
struct drm_display_mode *expected, *mode;
+ int ret;
expected = drm_analog_tv_mode(priv->drm,
DRM_MODE_TV_MODE_PAL,
@@ -124,9 +140,15 @@ static void drm_test_modes_analog_tv_pal_576i_inlined(struct kunit *test)
true);
KUNIT_ASSERT_NOT_NULL(test, expected);
+ ret = drm_kunit_add_mode_destroy_action(test, expected);
+ KUNIT_ASSERT_EQ(test, ret, 0);
+
mode = drm_mode_analog_pal_576i(priv->drm);
KUNIT_ASSERT_NOT_NULL(test, mode);
+ ret = drm_kunit_add_mode_destroy_action(test, mode);
+ KUNIT_ASSERT_EQ(test, ret, 0);
+
KUNIT_EXPECT_TRUE(test, drm_mode_equal(expected, mode));
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 027/449] drm/tests: probe-helper: Fix drm_display_mode memory leak
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 026/449] drm/tests: modes: " Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 028/449] net: libwx: handle page_pool_dev_alloc_pages error Greg Kroah-Hartman
` (428 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philipp Stanner, Thomas Zimmermann,
Maxime Ripard, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxime Ripard <mripard@kernel.org>
[ Upstream commit 8b6f2e28431b2f9f84073bff50353aeaf25559d0 ]
drm_analog_tv_mode() and its variants return a drm_display_mode that
needs to be destroyed later one. The
drm_test_connector_helper_tv_get_modes_check() test never does however,
which leads to a memory leak.
Let's make sure it's freed.
Reported-by: Philipp Stanner <phasta@mailbox.org>
Closes: https://lore.kernel.org/dri-devel/a7655158a6367ac46194d57f4b7433ef0772a73e.camel@mailbox.org/
Fixes: 1e4a91db109f ("drm/probe-helper: Provide a TV get_modes helper")
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://lore.kernel.org/r/20250408-drm-kunit-drm-display-mode-memleak-v1-7-996305a2e75a@kernel.org
Signed-off-by: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/tests/drm_probe_helper_test.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/tests/drm_probe_helper_test.c b/drivers/gpu/drm/tests/drm_probe_helper_test.c
index bc09ff38aca18..db0e4f5df275e 100644
--- a/drivers/gpu/drm/tests/drm_probe_helper_test.c
+++ b/drivers/gpu/drm/tests/drm_probe_helper_test.c
@@ -98,7 +98,7 @@ drm_test_connector_helper_tv_get_modes_check(struct kunit *test)
struct drm_connector *connector = &priv->connector;
struct drm_cmdline_mode *cmdline = &connector->cmdline_mode;
struct drm_display_mode *mode;
- const struct drm_display_mode *expected;
+ struct drm_display_mode *expected;
size_t len;
int ret;
@@ -134,6 +134,9 @@ drm_test_connector_helper_tv_get_modes_check(struct kunit *test)
KUNIT_EXPECT_TRUE(test, drm_mode_equal(mode, expected));
KUNIT_EXPECT_TRUE(test, mode->type & DRM_MODE_TYPE_PREFERRED);
+
+ ret = drm_kunit_add_mode_destroy_action(test, expected);
+ KUNIT_ASSERT_EQ(test, ret, 0);
}
if (params->num_expected_modes >= 2) {
@@ -145,6 +148,9 @@ drm_test_connector_helper_tv_get_modes_check(struct kunit *test)
KUNIT_EXPECT_TRUE(test, drm_mode_equal(mode, expected));
KUNIT_EXPECT_FALSE(test, mode->type & DRM_MODE_TYPE_PREFERRED);
+
+ ret = drm_kunit_add_mode_destroy_action(test, expected);
+ KUNIT_ASSERT_EQ(test, ret, 0);
}
mutex_unlock(&priv->drm->mode_config.mutex);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 028/449] net: libwx: handle page_pool_dev_alloc_pages error
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 027/449] drm/tests: probe-helper: " Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 029/449] cifs: Fix support for WSL-style symlinks Greg Kroah-Hartman
` (427 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chenyuan Yang, Joe Damato,
Jakub Kicinski, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenyuan Yang <chenyuan0y@gmail.com>
[ Upstream commit 7f1ff1b38a7c8b872382b796023419d87d78c47e ]
page_pool_dev_alloc_pages could return NULL. There was a WARN_ON(!page)
but it would still proceed to use the NULL pointer and then crash.
This is similar to commit 001ba0902046
("net: fec: handle page_pool_dev_alloc_pages error").
This is found by our static analysis tool KNighter.
Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
Fixes: 3c47e8ae113a ("net: libwx: Support to receive packets in NAPI")
Reviewed-by: Joe Damato <jdamato@fastly.com>
Link: https://patch.msgid.link/20250407184952.2111299-1-chenyuan0y@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/wangxun/libwx/wx_lib.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/wangxun/libwx/wx_lib.c b/drivers/net/ethernet/wangxun/libwx/wx_lib.c
index 497abf2723a5e..43b89509d0fe5 100644
--- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c
+++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c
@@ -309,7 +309,8 @@ static bool wx_alloc_mapped_page(struct wx_ring *rx_ring,
return true;
page = page_pool_dev_alloc_pages(rx_ring->page_pool);
- WARN_ON(!page);
+ if (unlikely(!page))
+ return false;
dma = page_pool_get_dma_addr(page);
bi->page_dma = dma;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 029/449] cifs: Fix support for WSL-style symlinks
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 028/449] net: libwx: handle page_pool_dev_alloc_pages error Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 030/449] ata: sata_sx4: Add error handling in pdc20621_i2c_read() Greg Kroah-Hartman
` (426 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pali Rohár, Steve French,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pali Rohár <pali@kernel.org>
[ Upstream commit c7efac7f1c71470ecd9b1a9a49b1b8164583c7dc ]
MS-FSCC in section 2.1.2.7 LX SYMLINK REPARSE_DATA_BUFFER now contains
documentation about WSL symlink reparse point buffers.
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/68337353-9153-4ee1-ac6b-419839c3b7ad
Fix the struct reparse_wsl_symlink_data_buffer to reflect buffer fields
according to the MS-FSCC documentation.
Fix the Linux SMB client to correctly fill the WSL symlink reparse point
buffer when creaing new WSL-style symlink. There was a mistake during
filling the data part of the reparse point buffer. It should starts with
bytes "\x02\x00\x00\x00" (which represents version 2) but this constant was
written as number 0x02000000 encoded in little endian, which resulted bytes
"\x00\x00\x00\x02". This change is fixing this mistake.
Fixes: 4e2043be5c14 ("cifs: Add support for creating WSL-style symlinks")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/reparse.c | 25 ++++++++++++++++---------
fs/smb/common/smb2pdu.h | 6 +++---
2 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c
index 2b9e9885dc425..7a01f5def58fb 100644
--- a/fs/smb/client/reparse.c
+++ b/fs/smb/client/reparse.c
@@ -542,12 +542,12 @@ static int wsl_set_reparse_buf(struct reparse_data_buffer **buf,
kfree(symname_utf16);
return -ENOMEM;
}
- /* Flag 0x02000000 is unknown, but all wsl symlinks have this value */
- symlink_buf->Flags = cpu_to_le32(0x02000000);
- /* PathBuffer is in UTF-8 but without trailing null-term byte */
+ /* Version field must be set to 2 (MS-FSCC 2.1.2.7) */
+ symlink_buf->Version = cpu_to_le32(2);
+ /* Target for Version 2 is in UTF-8 but without trailing null-term byte */
symname_utf8_len = utf16s_to_utf8s((wchar_t *)symname_utf16, symname_utf16_len/2,
UTF16_LITTLE_ENDIAN,
- symlink_buf->PathBuffer,
+ symlink_buf->Target,
symname_utf8_maxlen);
*buf = (struct reparse_data_buffer *)symlink_buf;
buf_len = sizeof(struct reparse_wsl_symlink_data_buffer) + symname_utf8_len;
@@ -1016,29 +1016,36 @@ static int parse_reparse_wsl_symlink(struct reparse_wsl_symlink_data_buffer *buf
struct cifs_open_info_data *data)
{
int len = le16_to_cpu(buf->ReparseDataLength);
+ int data_offset = offsetof(typeof(*buf), Target) - offsetof(typeof(*buf), Version);
int symname_utf8_len;
__le16 *symname_utf16;
int symname_utf16_len;
- if (len <= sizeof(buf->Flags)) {
+ if (len <= data_offset) {
cifs_dbg(VFS, "srv returned malformed wsl symlink buffer\n");
return -EIO;
}
- /* PathBuffer is in UTF-8 but without trailing null-term byte */
- symname_utf8_len = len - sizeof(buf->Flags);
+ /* MS-FSCC 2.1.2.7 defines layout of the Target field only for Version 2. */
+ if (le32_to_cpu(buf->Version) != 2) {
+ cifs_dbg(VFS, "srv returned unsupported wsl symlink version %u\n", le32_to_cpu(buf->Version));
+ return -EIO;
+ }
+
+ /* Target for Version 2 is in UTF-8 but without trailing null-term byte */
+ symname_utf8_len = len - data_offset;
/*
* Check that buffer does not contain null byte
* because Linux cannot process symlink with null byte.
*/
- if (strnlen(buf->PathBuffer, symname_utf8_len) != symname_utf8_len) {
+ if (strnlen(buf->Target, symname_utf8_len) != symname_utf8_len) {
cifs_dbg(VFS, "srv returned null byte in wsl symlink target location\n");
return -EIO;
}
symname_utf16 = kzalloc(symname_utf8_len * 2, GFP_KERNEL);
if (!symname_utf16)
return -ENOMEM;
- symname_utf16_len = utf8s_to_utf16s(buf->PathBuffer, symname_utf8_len,
+ symname_utf16_len = utf8s_to_utf16s(buf->Target, symname_utf8_len,
UTF16_LITTLE_ENDIAN,
(wchar_t *) symname_utf16, symname_utf8_len * 2);
if (symname_utf16_len < 0) {
diff --git a/fs/smb/common/smb2pdu.h b/fs/smb/common/smb2pdu.h
index c7a0efda44036..12f0013334057 100644
--- a/fs/smb/common/smb2pdu.h
+++ b/fs/smb/common/smb2pdu.h
@@ -1564,13 +1564,13 @@ struct reparse_nfs_data_buffer {
__u8 DataBuffer[];
} __packed;
-/* For IO_REPARSE_TAG_LX_SYMLINK */
+/* For IO_REPARSE_TAG_LX_SYMLINK - see MS-FSCC 2.1.2.7 */
struct reparse_wsl_symlink_data_buffer {
__le32 ReparseTag;
__le16 ReparseDataLength;
__u16 Reserved;
- __le32 Flags;
- __u8 PathBuffer[]; /* Variable Length UTF-8 string without nul-term */
+ __le32 Version; /* Always 2 */
+ __u8 Target[]; /* Variable Length UTF-8 string without nul-term */
} __packed;
struct validate_negotiate_info_req {
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 030/449] ata: sata_sx4: Add error handling in pdc20621_i2c_read()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 029/449] cifs: Fix support for WSL-style symlinks Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 031/449] drm/i915/huc: Fix fence not released on early probe errors Greg Kroah-Hartman
` (425 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wentao Liang, Niklas Cassel,
Damien Le Moal, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
[ Upstream commit 8d46a27085039158eb5e253ab8a35a0e33b5e864 ]
The function pdc20621_prog_dimm0() calls the function pdc20621_i2c_read()
but does not handle the error if the read fails. This could lead to
process with invalid data. A proper implementation can be found in
/source/drivers/ata/sata_sx4.c, pdc20621_prog_dimm_global(). As mentioned
in its commit: bb44e154e25125bef31fa956785e90fccd24610b, the variable spd0
might be used uninitialized when pdc20621_i2c_read() fails.
Add error handling to pdc20621_i2c_read(). If a read operation fails,
an error message is logged via dev_err(), and return a negative error
code.
Add error handling to pdc20621_prog_dimm0() in pdc20621_dimm_init(), and
return a negative error code if pdc20621_prog_dimm0() fails.
Fixes: 4447d3515616 ("libata: convert the remaining SATA drivers to new init model")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/sata_sx4.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/drivers/ata/sata_sx4.c b/drivers/ata/sata_sx4.c
index a482741eb181f..c3042eca6332d 100644
--- a/drivers/ata/sata_sx4.c
+++ b/drivers/ata/sata_sx4.c
@@ -1117,9 +1117,14 @@ static int pdc20621_prog_dimm0(struct ata_host *host)
mmio += PDC_CHIP0_OFS;
for (i = 0; i < ARRAY_SIZE(pdc_i2c_read_data); i++)
- pdc20621_i2c_read(host, PDC_DIMM0_SPD_DEV_ADDRESS,
- pdc_i2c_read_data[i].reg,
- &spd0[pdc_i2c_read_data[i].ofs]);
+ if (!pdc20621_i2c_read(host, PDC_DIMM0_SPD_DEV_ADDRESS,
+ pdc_i2c_read_data[i].reg,
+ &spd0[pdc_i2c_read_data[i].ofs])) {
+ dev_err(host->dev,
+ "Failed in i2c read at index %d: device=%#x, reg=%#x\n",
+ i, PDC_DIMM0_SPD_DEV_ADDRESS, pdc_i2c_read_data[i].reg);
+ return -EIO;
+ }
data |= (spd0[4] - 8) | ((spd0[21] != 0) << 3) | ((spd0[3]-11) << 4);
data |= ((spd0[17] / 4) << 6) | ((spd0[5] / 2) << 7) |
@@ -1284,6 +1289,8 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host)
/* Programming DIMM0 Module Control Register (index_CID0:80h) */
size = pdc20621_prog_dimm0(host);
+ if (size < 0)
+ return size;
dev_dbg(host->dev, "Local DIMM Size = %dMB\n", size);
/* Programming DIMM Module Global Control Register (index_CID0:88h) */
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 031/449] drm/i915/huc: Fix fence not released on early probe errors
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 030/449] ata: sata_sx4: Add error handling in pdc20621_i2c_read() Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 032/449] s390/cpumf: Fix double free on error in cpumf_pmu_event_init() Greg Kroah-Hartman
` (424 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniele Ceraolo Spurio, Alan Previn,
Janusz Krzysztofik, Krzysztof Karas, Jani Nikula, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
[ Upstream commit e3ea2eae70692a455e256787e4f54153fb739b90 ]
HuC delayed loading fence, introduced with commit 27536e03271da
("drm/i915/huc: track delayed HuC load with a fence"), is registered with
object tracker early on driver probe but unregistered only from driver
remove, which is not called on early probe errors. Since its memory is
allocated under devres, then released anyway, it may happen to be
allocated again to the fence and reused on future driver probes, resulting
in kernel warnings that taint the kernel:
<4> [309.731371] ------------[ cut here ]------------
<3> [309.731373] ODEBUG: init destroyed (active state 0) object: ffff88813d7dd2e0 object type: i915_sw_fence hint: sw_fence_dummy_notify+0x0/0x20 [i915]
<4> [309.731575] WARNING: CPU: 2 PID: 3161 at lib/debugobjects.c:612 debug_print_object+0x93/0xf0
...
<4> [309.731693] CPU: 2 UID: 0 PID: 3161 Comm: i915_module_loa Tainted: G U 6.14.0-CI_DRM_16362-gf0fd77956987+ #1
...
<4> [309.731700] RIP: 0010:debug_print_object+0x93/0xf0
...
<4> [309.731728] Call Trace:
<4> [309.731730] <TASK>
...
<4> [309.731949] __debug_object_init+0x17b/0x1c0
<4> [309.731957] debug_object_init+0x34/0x50
<4> [309.732126] __i915_sw_fence_init+0x34/0x60 [i915]
<4> [309.732256] intel_huc_init_early+0x4b/0x1d0 [i915]
<4> [309.732468] intel_uc_init_early+0x61/0x680 [i915]
<4> [309.732667] intel_gt_common_init_early+0x105/0x130 [i915]
<4> [309.732804] intel_root_gt_init_early+0x63/0x80 [i915]
<4> [309.732938] i915_driver_probe+0x1fa/0xeb0 [i915]
<4> [309.733075] i915_pci_probe+0xe6/0x220 [i915]
<4> [309.733198] local_pci_probe+0x44/0xb0
<4> [309.733203] pci_device_probe+0xf4/0x270
<4> [309.733209] really_probe+0xee/0x3c0
<4> [309.733215] __driver_probe_device+0x8c/0x180
<4> [309.733219] driver_probe_device+0x24/0xd0
<4> [309.733223] __driver_attach+0x10f/0x220
<4> [309.733230] bus_for_each_dev+0x7d/0xe0
<4> [309.733236] driver_attach+0x1e/0x30
<4> [309.733239] bus_add_driver+0x151/0x290
<4> [309.733244] driver_register+0x5e/0x130
<4> [309.733247] __pci_register_driver+0x7d/0x90
<4> [309.733251] i915_pci_register_driver+0x23/0x30 [i915]
<4> [309.733413] i915_init+0x34/0x120 [i915]
<4> [309.733655] do_one_initcall+0x62/0x3f0
<4> [309.733667] do_init_module+0x97/0x2a0
<4> [309.733671] load_module+0x25ff/0x2890
<4> [309.733688] init_module_from_file+0x97/0xe0
<4> [309.733701] idempotent_init_module+0x118/0x330
<4> [309.733711] __x64_sys_finit_module+0x77/0x100
<4> [309.733715] x64_sys_call+0x1f37/0x2650
<4> [309.733719] do_syscall_64+0x91/0x180
<4> [309.733763] entry_SYSCALL_64_after_hwframe+0x76/0x7e
<4> [309.733792] </TASK>
...
<4> [309.733806] ---[ end trace 0000000000000000 ]---
That scenario is most easily reproducible with
igt@i915_module_load@reload-with-fault-injection.
Fix the issue by moving the cleanup step to driver release path.
Fixes: 27536e03271da ("drm/i915/huc: track delayed HuC load with a fence")
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13592
Cc: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
Cc: Alan Previn <alan.previn.teres.alexis@intel.com>
Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
Reviewed-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
Reviewed-by: Krzysztof Karas <krzysztof.karas@intel.com>
Signed-off-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
Link: https://lore.kernel.org/r/20250402172057.209924-2-janusz.krzysztofik@linux.intel.com
(cherry picked from commit 795dbde92fe5c6996a02a5b579481de73035e7bf)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/gt/uc/intel_huc.c | 11 +++++------
drivers/gpu/drm/i915/gt/uc/intel_huc.h | 1 +
drivers/gpu/drm/i915/gt/uc/intel_uc.c | 1 +
3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/i915/gt/uc/intel_huc.c b/drivers/gpu/drm/i915/gt/uc/intel_huc.c
index b3cbf85c00cbd..eb59c1f2dccdc 100644
--- a/drivers/gpu/drm/i915/gt/uc/intel_huc.c
+++ b/drivers/gpu/drm/i915/gt/uc/intel_huc.c
@@ -317,6 +317,11 @@ void intel_huc_init_early(struct intel_huc *huc)
}
}
+void intel_huc_fini_late(struct intel_huc *huc)
+{
+ delayed_huc_load_fini(huc);
+}
+
#define HUC_LOAD_MODE_STRING(x) (x ? "GSC" : "legacy")
static int check_huc_loading_mode(struct intel_huc *huc)
{
@@ -414,12 +419,6 @@ int intel_huc_init(struct intel_huc *huc)
void intel_huc_fini(struct intel_huc *huc)
{
- /*
- * the fence is initialized in init_early, so we need to clean it up
- * even if HuC loading is off.
- */
- delayed_huc_load_fini(huc);
-
if (huc->heci_pkt)
i915_vma_unpin_and_release(&huc->heci_pkt, 0);
diff --git a/drivers/gpu/drm/i915/gt/uc/intel_huc.h b/drivers/gpu/drm/i915/gt/uc/intel_huc.h
index d5e441b9e08d6..921ad4b1687f0 100644
--- a/drivers/gpu/drm/i915/gt/uc/intel_huc.h
+++ b/drivers/gpu/drm/i915/gt/uc/intel_huc.h
@@ -55,6 +55,7 @@ struct intel_huc {
int intel_huc_sanitize(struct intel_huc *huc);
void intel_huc_init_early(struct intel_huc *huc);
+void intel_huc_fini_late(struct intel_huc *huc);
int intel_huc_init(struct intel_huc *huc);
void intel_huc_fini(struct intel_huc *huc);
int intel_huc_auth(struct intel_huc *huc, enum intel_huc_authentication_type type);
diff --git a/drivers/gpu/drm/i915/gt/uc/intel_uc.c b/drivers/gpu/drm/i915/gt/uc/intel_uc.c
index 5b8080ec5315b..4f751ce74214d 100644
--- a/drivers/gpu/drm/i915/gt/uc/intel_uc.c
+++ b/drivers/gpu/drm/i915/gt/uc/intel_uc.c
@@ -136,6 +136,7 @@ void intel_uc_init_late(struct intel_uc *uc)
void intel_uc_driver_late_release(struct intel_uc *uc)
{
+ intel_huc_fini_late(&uc->huc);
}
/**
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 032/449] s390/cpumf: Fix double free on error in cpumf_pmu_event_init()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 031/449] drm/i915/huc: Fix fence not released on early probe errors Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 033/449] nvmet-fcloop: swap list_add_tail arguments Greg Kroah-Hartman
` (423 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Richter, Sumanth Korikkar,
Heiko Carstens, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Richter <tmricht@linux.ibm.com>
[ Upstream commit aa1ac98268cd1f380c713f07e39b1fa1d5c7650c ]
In PMU event initialization functions
- cpumsf_pmu_event_init()
- cpumf_pmu_event_init()
- cfdiag_event_init()
the partially created event had to be removed when an error was detected.
The event::event_init() member function had to release all resources
it allocated in case of error. event::destroy() had to be called
on freeing an event after it was successfully created and
event::event_init() returned success.
With
commit c70ca298036c ("perf/core: Simplify the perf_event_alloc() error path")
this is not necessary anymore. The performance subsystem common
code now always calls event::destroy() to clean up the allocated
resources created during event initialization.
Remove the event::destroy() invocation in PMU event initialization
or that function is called twice for each event that runs into an
error condition in event creation.
This is the kernel log entry which shows up without the fix:
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 43388 at lib/refcount.c:87 refcount_dec_not_one+0x74/0x90
CPU: 0 UID: 0 PID: 43388 Comm: perf Not tainted 6.15.0-20250407.rc1.git0.300.fc41.s390x+git #1 NONE
Hardware name: IBM 3931 A01 704 (LPAR)
Krnl PSW : 0704c00180000000 00000209cb2c1b88 (refcount_dec_not_one+0x78/0x90)
R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3
Krnl GPRS: 0000020900000027 0000020900000023 0000000000000026 0000018900000000
00000004a2200a00 0000000000000000 0000000000000057 ffffffffffffffea
00000002b386c600 00000002b3f5b3e0 00000209cc51f140 00000209cc7fc550
0000000001449d38 ffffffffffffffff 00000209cb2c1b84 00000189d67dfb80
Krnl Code: 00000209cb2c1b78: c02000506727 larl %r2,00000209cbcce9c6
00000209cb2c1b7e: c0e5ffbd4431 brasl %r14,00000209caa6a3e0
#00000209cb2c1b84: af000000 mc 0,0
>00000209cb2c1b88: a7480001 lhi %r4,1
00000209cb2c1b8c: ebeff0a00004 lmg %r14,%r15,160(%r15)
00000209cb2c1b92: ec243fbf0055 risbg %r2,%r4,63,191,0
00000209cb2c1b98: 07fe bcr 15,%r14
00000209cb2c1b9a: 47000700 bc 0,1792
Call Trace:
[<00000209cb2c1b88>] refcount_dec_not_one+0x78/0x90
[<00000209cb2c1dc4>] refcount_dec_and_mutex_lock+0x24/0x90
[<00000209caa3c29e>] hw_perf_event_destroy+0x2e/0x80
[<00000209cacaf8b4>] __free_event+0x74/0x270
[<00000209cacb47c4>] perf_event_alloc.part.0+0x4a4/0x730
[<00000209cacbf3e8>] __do_sys_perf_event_open+0x248/0xc20
[<00000209cacc14a4>] __s390x_sys_perf_event_open+0x44/0x50
[<00000209cb8114de>] __do_syscall+0x12e/0x260
[<00000209cb81ce34>] system_call+0x74/0x98
Last Breaking-Event-Address:
[<00000209caa6a4d2>] __warn_printk+0xf2/0x100
---[ end trace 0000000000000000 ]---
Fixes: c70ca298036c ("perf/core: Simplify the perf_event_alloc() error path")
Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
Reviewed-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/kernel/perf_cpum_cf.c | 9 +--------
arch/s390/kernel/perf_cpum_sf.c | 3 ---
2 files changed, 1 insertion(+), 11 deletions(-)
diff --git a/arch/s390/kernel/perf_cpum_cf.c b/arch/s390/kernel/perf_cpum_cf.c
index 33205dd410e47..60a60185b1d4d 100644
--- a/arch/s390/kernel/perf_cpum_cf.c
+++ b/arch/s390/kernel/perf_cpum_cf.c
@@ -858,18 +858,13 @@ static int cpumf_pmu_event_type(struct perf_event *event)
static int cpumf_pmu_event_init(struct perf_event *event)
{
unsigned int type = event->attr.type;
- int err;
+ int err = -ENOENT;
if (type == PERF_TYPE_HARDWARE || type == PERF_TYPE_RAW)
err = __hw_perf_event_init(event, type);
else if (event->pmu->type == type)
/* Registered as unknown PMU */
err = __hw_perf_event_init(event, cpumf_pmu_event_type(event));
- else
- return -ENOENT;
-
- if (unlikely(err) && event->destroy)
- event->destroy(event);
return err;
}
@@ -1819,8 +1814,6 @@ static int cfdiag_event_init(struct perf_event *event)
event->destroy = hw_perf_event_destroy;
err = cfdiag_event_init2(event);
- if (unlikely(err))
- event->destroy(event);
out:
return err;
}
diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
index 5f60248cb4687..ad22799d8a7d9 100644
--- a/arch/s390/kernel/perf_cpum_sf.c
+++ b/arch/s390/kernel/perf_cpum_sf.c
@@ -885,9 +885,6 @@ static int cpumsf_pmu_event_init(struct perf_event *event)
event->attr.exclude_idle = 0;
err = __hw_perf_event_init(event);
- if (unlikely(err))
- if (event->destroy)
- event->destroy(event);
return err;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 033/449] nvmet-fcloop: swap list_add_tail arguments
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 032/449] s390/cpumf: Fix double free on error in cpumf_pmu_event_init() Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 034/449] net_sched: sch_sfq: use a temporary work area for validating configuration Greg Kroah-Hartman
` (422 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Wagner, Hannes Reinecke,
Christoph Hellwig, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Wagner <wagi@kernel.org>
[ Upstream commit 2b5f0c5bc819af2b0759a8fcddc1b39102735c0f ]
The newly element to be added to the list is the first argument of
list_add_tail. This fix is missing dcfad4ab4d67 ("nvmet-fcloop: swap
the list_add_tail arguments").
Fixes: 437c0b824dbd ("nvme-fcloop: add target to host LS request support")
Signed-off-by: Daniel Wagner <wagi@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/target/fcloop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/nvme/target/fcloop.c b/drivers/nvme/target/fcloop.c
index e1abb27927ff7..da195d61a9664 100644
--- a/drivers/nvme/target/fcloop.c
+++ b/drivers/nvme/target/fcloop.c
@@ -478,7 +478,7 @@ fcloop_t2h_xmt_ls_rsp(struct nvme_fc_local_port *localport,
if (targetport) {
tport = targetport->private;
spin_lock(&tport->lock);
- list_add_tail(&tport->ls_list, &tls_req->ls_list);
+ list_add_tail(&tls_req->ls_list, &tport->ls_list);
spin_unlock(&tport->lock);
queue_work(nvmet_wq, &tport->ls_work);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 034/449] net_sched: sch_sfq: use a temporary work area for validating configuration
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 033/449] nvmet-fcloop: swap list_add_tail arguments Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 035/449] net_sched: sch_sfq: move the limit validation Greg Kroah-Hartman
` (421 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Octavian Purdila, Cong Wang,
David S. Miller, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Octavian Purdila <tavip@google.com>
[ Upstream commit 8c0cea59d40cf6dd13c2950437631dd614fbade6 ]
Many configuration parameters have influence on others (e.g. divisor
-> flows -> limit, depth -> limit) and so it is difficult to correctly
do all of the validation before applying the configuration. And if a
validation error is detected late it is difficult to roll back a
partially applied configuration.
To avoid these issues use a temporary work area to update and validate
the configuration and only then apply the configuration to the
internal state.
Signed-off-by: Octavian Purdila <tavip@google.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: b3bf8f63e617 ("net_sched: sch_sfq: move the limit validation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_sfq.c | 56 +++++++++++++++++++++++++++++++++++----------
1 file changed, 44 insertions(+), 12 deletions(-)
diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c
index 65d5b59da5830..7714ae94e0521 100644
--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -631,6 +631,15 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt,
struct red_parms *p = NULL;
struct sk_buff *to_free = NULL;
struct sk_buff *tail = NULL;
+ unsigned int maxflows;
+ unsigned int quantum;
+ unsigned int divisor;
+ int perturb_period;
+ u8 headdrop;
+ u8 maxdepth;
+ int limit;
+ u8 flags;
+
if (opt->nla_len < nla_attr_size(sizeof(*ctl)))
return -EINVAL;
@@ -656,36 +665,59 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt,
NL_SET_ERR_MSG_MOD(extack, "invalid limit");
return -EINVAL;
}
+
sch_tree_lock(sch);
+
+ limit = q->limit;
+ divisor = q->divisor;
+ headdrop = q->headdrop;
+ maxdepth = q->maxdepth;
+ maxflows = q->maxflows;
+ perturb_period = q->perturb_period;
+ quantum = q->quantum;
+ flags = q->flags;
+
+ /* update and validate configuration */
if (ctl->quantum)
- q->quantum = ctl->quantum;
- WRITE_ONCE(q->perturb_period, ctl->perturb_period * HZ);
+ quantum = ctl->quantum;
+ perturb_period = ctl->perturb_period * HZ;
if (ctl->flows)
- q->maxflows = min_t(u32, ctl->flows, SFQ_MAX_FLOWS);
+ maxflows = min_t(u32, ctl->flows, SFQ_MAX_FLOWS);
if (ctl->divisor) {
- q->divisor = ctl->divisor;
- q->maxflows = min_t(u32, q->maxflows, q->divisor);
+ divisor = ctl->divisor;
+ maxflows = min_t(u32, maxflows, divisor);
}
if (ctl_v1) {
if (ctl_v1->depth)
- q->maxdepth = min_t(u32, ctl_v1->depth, SFQ_MAX_DEPTH);
+ maxdepth = min_t(u32, ctl_v1->depth, SFQ_MAX_DEPTH);
if (p) {
- swap(q->red_parms, p);
- red_set_parms(q->red_parms,
+ red_set_parms(p,
ctl_v1->qth_min, ctl_v1->qth_max,
ctl_v1->Wlog,
ctl_v1->Plog, ctl_v1->Scell_log,
NULL,
ctl_v1->max_P);
}
- q->flags = ctl_v1->flags;
- q->headdrop = ctl_v1->headdrop;
+ flags = ctl_v1->flags;
+ headdrop = ctl_v1->headdrop;
}
if (ctl->limit) {
- q->limit = min_t(u32, ctl->limit, q->maxdepth * q->maxflows);
- q->maxflows = min_t(u32, q->maxflows, q->limit);
+ limit = min_t(u32, ctl->limit, maxdepth * maxflows);
+ maxflows = min_t(u32, maxflows, limit);
}
+ /* commit configuration */
+ q->limit = limit;
+ q->divisor = divisor;
+ q->headdrop = headdrop;
+ q->maxdepth = maxdepth;
+ q->maxflows = maxflows;
+ WRITE_ONCE(q->perturb_period, perturb_period);
+ q->quantum = quantum;
+ q->flags = flags;
+ if (p)
+ swap(q->red_parms, p);
+
qlen = sch->q.qlen;
while (sch->q.qlen > q->limit) {
dropped += sfq_drop(sch, &to_free);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 035/449] net_sched: sch_sfq: move the limit validation
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 034/449] net_sched: sch_sfq: use a temporary work area for validating configuration Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 036/449] x86/cpu: Avoid running off the end of an AMD erratum table Greg Kroah-Hartman
` (420 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Octavian Purdila, Cong Wang,
David S. Miller, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Octavian Purdila <tavip@google.com>
[ Upstream commit b3bf8f63e6179076b57c9de660c9f80b5abefe70 ]
It is not sufficient to directly validate the limit on the data that
the user passes as it can be updated based on how the other parameters
are changed.
Move the check at the end of the configuration update process to also
catch scenarios where the limit is indirectly updated, for example
with the following configurations:
tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1
tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1
This fixes the following syzkaller reported crash:
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6
index 65535 is out of range for type 'struct sfq_head[128]'
CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429
sfq_link net/sched/sch_sfq.c:203 [inline]
sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231
sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493
sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518
qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339
qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311
netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]
dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375
Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: 10685681bafc ("net_sched: sch_sfq: don't allow 1 packet limit")
Signed-off-by: Octavian Purdila <tavip@google.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_sfq.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c
index 7714ae94e0521..58b42dcf8f201 100644
--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -661,10 +661,6 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt,
if (!p)
return -ENOMEM;
}
- if (ctl->limit == 1) {
- NL_SET_ERR_MSG_MOD(extack, "invalid limit");
- return -EINVAL;
- }
sch_tree_lock(sch);
@@ -705,6 +701,12 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt,
limit = min_t(u32, ctl->limit, maxdepth * maxflows);
maxflows = min_t(u32, maxflows, limit);
}
+ if (limit == 1) {
+ sch_tree_unlock(sch);
+ kfree(p);
+ NL_SET_ERR_MSG_MOD(extack, "invalid limit");
+ return -EINVAL;
+ }
/* commit configuration */
q->limit = limit;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 036/449] x86/cpu: Avoid running off the end of an AMD erratum table
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 035/449] net_sched: sch_sfq: move the limit validation Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 037/449] smb: client: fix UAF in decryption with multichannel Greg Kroah-Hartman
` (419 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiri Slaby, Dave Hansen, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Hansen <dave.hansen@linux.intel.com>
[ Upstream commit f0df00ebc57f803603f2a2e0df197e51f06fbe90 ]
The NULL array terminator at the end of erratum_1386_microcode was
removed during the switch from x86_cpu_desc to x86_cpu_id. This
causes readers to run off the end of the array.
Replace the NULL.
Fixes: f3f325152673 ("x86/cpu: Move AMD erratum 1386 table over to 'x86_cpu_id'")
Reported-by: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/cpu/amd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index 54194f5995de3..ce71f49654ee3 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -803,6 +803,7 @@ static void init_amd_bd(struct cpuinfo_x86 *c)
static const struct x86_cpu_id erratum_1386_microcode[] = {
X86_MATCH_VFM_STEPS(VFM_MAKE(X86_VENDOR_AMD, 0x17, 0x01), 0x2, 0x2, 0x0800126e),
X86_MATCH_VFM_STEPS(VFM_MAKE(X86_VENDOR_AMD, 0x17, 0x31), 0x0, 0x0, 0x08301052),
+ {}
};
static void fix_erratum_1386(struct cpuinfo_x86 *c)
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 037/449] smb: client: fix UAF in decryption with multichannel
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 036/449] x86/cpu: Avoid running off the end of an AMD erratum table Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 038/449] net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend() Greg Kroah-Hartman
` (418 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Steve French,
Paulo Alcantara (Red Hat), Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.com>
[ Upstream commit 9502dd5c7029902f4a425bf959917a5a9e7c0e50 ]
After commit f7025d861694 ("smb: client: allocate crypto only for
primary server") and commit b0abcd65ec54 ("smb: client: fix UAF in
async decryption"), the channels started reusing AEAD TFM from primary
channel to perform synchronous decryption, but that can't done as
there could be multiple cifsd threads (one per channel) simultaneously
accessing it to perform decryption.
This fixes the following KASAN splat when running fstest generic/249
with 'vers=3.1.1,multichannel,max_channels=4,seal' against Windows
Server 2022:
BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xba/0x110
Read of size 8 at addr ffff8881046c18a0 by task cifsd/986
CPU: 3 UID: 0 PID: 986 Comm: cifsd Not tainted 6.15.0-rc1 #1
PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41
04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x80
print_report+0x156/0x528
? gf128mul_4k_lle+0xba/0x110
? __virt_addr_valid+0x145/0x300
? __phys_addr+0x46/0x90
? gf128mul_4k_lle+0xba/0x110
kasan_report+0xdf/0x1a0
? gf128mul_4k_lle+0xba/0x110
gf128mul_4k_lle+0xba/0x110
ghash_update+0x189/0x210
shash_ahash_update+0x295/0x370
? __pfx_shash_ahash_update+0x10/0x10
? __pfx_shash_ahash_update+0x10/0x10
? __pfx_extract_iter_to_sg+0x10/0x10
? ___kmalloc_large_node+0x10e/0x180
? __asan_memset+0x23/0x50
crypto_ahash_update+0x3c/0xc0
gcm_hash_assoc_remain_continue+0x93/0xc0
crypt_message+0xe09/0xec0 [cifs]
? __pfx_crypt_message+0x10/0x10 [cifs]
? _raw_spin_unlock+0x23/0x40
? __pfx_cifs_readv_from_socket+0x10/0x10 [cifs]
decrypt_raw_data+0x229/0x380 [cifs]
? __pfx_decrypt_raw_data+0x10/0x10 [cifs]
? __pfx_cifs_read_iter_from_socket+0x10/0x10 [cifs]
smb3_receive_transform+0x837/0xc80 [cifs]
? __pfx_smb3_receive_transform+0x10/0x10 [cifs]
? __pfx___might_resched+0x10/0x10
? __pfx_smb3_is_transform_hdr+0x10/0x10 [cifs]
cifs_demultiplex_thread+0x692/0x1570 [cifs]
? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
? rcu_is_watching+0x20/0x50
? rcu_lockdep_current_cpu_online+0x62/0xb0
? find_held_lock+0x32/0x90
? kvm_sched_clock_read+0x11/0x20
? local_clock_noinstr+0xd/0xd0
? trace_irq_enable.constprop.0+0xa8/0xe0
? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
kthread+0x1fe/0x380
? kthread+0x10f/0x380
? __pfx_kthread+0x10/0x10
? local_clock_noinstr+0xd/0xd0
? ret_from_fork+0x1b/0x60
? local_clock+0x15/0x30
? lock_release+0x29b/0x390
? rcu_is_watching+0x20/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork+0x31/0x60
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Tested-by: David Howells <dhowells@redhat.com>
Reported-by: Steve French <stfrench@microsoft.com>
Closes: https://lore.kernel.org/r/CAH2r5mu6Yc0-RJXM3kFyBYUB09XmXBrNodOiCVR4EDrmxq5Szg@mail.gmail.com
Fixes: f7025d861694 ("smb: client: allocate crypto only for primary server")
Fixes: b0abcd65ec54 ("smb: client: fix UAF in async decryption")
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/cifsencrypt.c | 16 +++++-----------
fs/smb/client/smb2ops.c | 6 +++---
fs/smb/client/smb2pdu.c | 11 ++---------
3 files changed, 10 insertions(+), 23 deletions(-)
diff --git a/fs/smb/client/cifsencrypt.c b/fs/smb/client/cifsencrypt.c
index e69968e88fe72..35892df7335c7 100644
--- a/fs/smb/client/cifsencrypt.c
+++ b/fs/smb/client/cifsencrypt.c
@@ -704,18 +704,12 @@ cifs_crypto_secmech_release(struct TCP_Server_Info *server)
cifs_free_hash(&server->secmech.md5);
cifs_free_hash(&server->secmech.sha512);
- if (!SERVER_IS_CHAN(server)) {
- if (server->secmech.enc) {
- crypto_free_aead(server->secmech.enc);
- server->secmech.enc = NULL;
- }
-
- if (server->secmech.dec) {
- crypto_free_aead(server->secmech.dec);
- server->secmech.dec = NULL;
- }
- } else {
+ if (server->secmech.enc) {
+ crypto_free_aead(server->secmech.enc);
server->secmech.enc = NULL;
+ }
+ if (server->secmech.dec) {
+ crypto_free_aead(server->secmech.dec);
server->secmech.dec = NULL;
}
}
diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
index 4dd11eafb69d9..7aeac8dd9a1d1 100644
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -4549,9 +4549,9 @@ decrypt_raw_data(struct TCP_Server_Info *server, char *buf,
return rc;
}
} else {
- if (unlikely(!server->secmech.dec))
- return -EIO;
-
+ rc = smb3_crypto_aead_allocate(server);
+ if (unlikely(rc))
+ return rc;
tfm = server->secmech.dec;
}
diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
index f9c521b3c65ee..163b8fea47e8a 100644
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -1251,15 +1251,8 @@ SMB2_negotiate(const unsigned int xid,
cifs_server_dbg(VFS, "Missing expected negotiate contexts\n");
}
- if (server->cipher_type && !rc) {
- if (!SERVER_IS_CHAN(server)) {
- rc = smb3_crypto_aead_allocate(server);
- } else {
- /* For channels, just reuse the primary server crypto secmech. */
- server->secmech.enc = server->primary_server->secmech.enc;
- server->secmech.dec = server->primary_server->secmech.dec;
- }
- }
+ if (server->cipher_type && !rc)
+ rc = smb3_crypto_aead_allocate(server);
neg_exit:
free_rsp_buf(resp_buftype, rsp);
return rc;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 038/449] net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 037/449] smb: client: fix UAF in decryption with multichannel Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 039/449] net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY Greg Kroah-Hartman
` (417 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean,
Russell King (Oracle), Jakub Kicinski, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit f40a673d6b4a128fe95dd9b8c3ed02da50a6a862 ]
In an upcoming change, mdio_bus_phy_may_suspend() will need to
distinguish a phylib-based PHY client from a phylink PHY client.
For that, it will need to compare the phydev->phy_link_change() function
pointer with the eponymous phy_link_change() provided by phylib.
To avoid forward function declarations, the default PHY link state
change method should be moved upwards. There is no functional change
associated with this patch, it is only to reduce the noise from a real
bug fix.
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Link: https://patch.msgid.link/20250407093900.2155112-1-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: fc75ea20ffb4 ("net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/phy_device.c | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
index 46713d27412b7..27d61d95933fa 100644
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -240,6 +240,19 @@ static bool phy_drv_wol_enabled(struct phy_device *phydev)
return wol.wolopts != 0;
}
+static void phy_link_change(struct phy_device *phydev, bool up)
+{
+ struct net_device *netdev = phydev->attached_dev;
+
+ if (up)
+ netif_carrier_on(netdev);
+ else
+ netif_carrier_off(netdev);
+ phydev->adjust_link(netdev);
+ if (phydev->mii_ts && phydev->mii_ts->link_state)
+ phydev->mii_ts->link_state(phydev->mii_ts, phydev);
+}
+
static bool mdio_bus_phy_may_suspend(struct phy_device *phydev)
{
struct device_driver *drv = phydev->mdio.dev.driver;
@@ -1052,19 +1065,6 @@ struct phy_device *phy_find_first(struct mii_bus *bus)
}
EXPORT_SYMBOL(phy_find_first);
-static void phy_link_change(struct phy_device *phydev, bool up)
-{
- struct net_device *netdev = phydev->attached_dev;
-
- if (up)
- netif_carrier_on(netdev);
- else
- netif_carrier_off(netdev);
- phydev->adjust_link(netdev);
- if (phydev->mii_ts && phydev->mii_ts->link_state)
- phydev->mii_ts->link_state(phydev->mii_ts, phydev);
-}
-
/**
* phy_prepare_link - prepares the PHY layer to monitor link status
* @phydev: target phy_device struct
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 039/449] net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 038/449] net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend() Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 040/449] ipv6: Align behavior across nexthops during path selection Greg Kroah-Hartman
` (416 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wei Fang, Vladimir Oltean,
Jakub Kicinski, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit fc75ea20ffb452652f0d4033f38fe88d7cfdae35 ]
DSA has 2 kinds of drivers:
1. Those who call dsa_switch_suspend() and dsa_switch_resume() from
their device PM ops: qca8k-8xxx, bcm_sf2, microchip ksz
2. Those who don't: all others. The above methods should be optional.
For type 1, dsa_switch_suspend() calls dsa_user_suspend() -> phylink_stop(),
and dsa_switch_resume() calls dsa_user_resume() -> phylink_start().
These seem good candidates for setting mac_managed_pm = true because
that is essentially its definition [1], but that does not seem to be the
biggest problem for now, and is not what this change focuses on.
Talking strictly about the 2nd category of DSA drivers here (which
do not have MAC managed PM, meaning that for their attached PHYs,
mdio_bus_phy_suspend() and mdio_bus_phy_resume() should run in full),
I have noticed that the following warning from mdio_bus_phy_resume() is
triggered:
WARN_ON(phydev->state != PHY_HALTED && phydev->state != PHY_READY &&
phydev->state != PHY_UP);
because the PHY state machine is running.
It's running as a result of a previous dsa_user_open() -> ... ->
phylink_start() -> phy_start() having been initiated by the user.
The previous mdio_bus_phy_suspend() was supposed to have called
phy_stop_machine(), but it didn't. So this is why the PHY is in state
PHY_NOLINK by the time mdio_bus_phy_resume() runs.
mdio_bus_phy_suspend() did not call phy_stop_machine() because for
phylink, the phydev->adjust_link function pointer is NULL. This seems a
technicality introduced by commit fddd91016d16 ("phylib: fix PAL state
machine restart on resume"). That commit was written before phylink
existed, and was intended to avoid crashing with consumer drivers which
don't use the PHY state machine - phylink always does, when using a PHY.
But phylink itself has historically not been developed with
suspend/resume in mind, and apparently not tested too much in that
scenario, allowing this bug to exist unnoticed for so long. Plus, prior
to the WARN_ON(), it would have likely been invisible.
This issue is not in fact restricted to type 2 DSA drivers (according to
the above ad-hoc classification), but can be extrapolated to any MAC
driver with phylink and MDIO-bus-managed PHY PM ops. DSA is just where
the issue was reported. Assuming mac_managed_pm is set correctly, a
quick search indicates the following other drivers might be affected:
$ grep -Zlr PHYLINK_NETDEV drivers/ | xargs -0 grep -L mac_managed_pm
drivers/net/ethernet/atheros/ag71xx.c
drivers/net/ethernet/microchip/sparx5/sparx5_main.c
drivers/net/ethernet/microchip/lan966x/lan966x_main.c
drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c
drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c
drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
drivers/net/ethernet/freescale/ucc_geth.c
drivers/net/ethernet/freescale/enetc/enetc_pf_common.c
drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
drivers/net/ethernet/marvell/mvneta.c
drivers/net/ethernet/marvell/prestera/prestera_main.c
drivers/net/ethernet/mediatek/mtk_eth_soc.c
drivers/net/ethernet/altera/altera_tse_main.c
drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c
drivers/net/ethernet/meta/fbnic/fbnic_phylink.c
drivers/net/ethernet/tehuti/tn40_phy.c
drivers/net/ethernet/mscc/ocelot_net.c
Make the existing conditions dependent on the PHY device having a
phydev->phy_link_change() implementation equal to the default
phy_link_change() provided by phylib. Otherwise, we implicitly know that
the phydev has the phylink-provided phylink_phy_change() callback, and
when phylink is used, the PHY state machine always needs to be stopped/
started on the suspend/resume path. The code is structured as such that
if phydev->phy_link_change() is absent, it is a matter of time until the
kernel will crash - no need to further complicate the test.
Thus, for the situation where the PM is not managed by the MAC, we will
make the MDIO bus PM ops treat identically the phylink-controlled PHYs
with the phylib-controlled PHYs where an adjust_link() callback is
supplied. In both cases, the MDIO bus PM ops should stop and restart the
PHY state machine.
[1] https://lore.kernel.org/netdev/Z-1tiW9zjcoFkhwc@shell.armlinux.org.uk/
Fixes: 744d23c71af3 ("net: phy: Warn about incorrect mdio_bus_phy_resume() state")
Reported-by: Wei Fang <wei.fang@nxp.com>
Tested-by: Wei Fang <wei.fang@nxp.com>
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/20250407094042.2155633-1-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/phy_device.c | 31 +++++++++++++++++++++++++++++--
1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
index 27d61d95933fa..92161af788afd 100644
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -253,6 +253,33 @@ static void phy_link_change(struct phy_device *phydev, bool up)
phydev->mii_ts->link_state(phydev->mii_ts, phydev);
}
+/**
+ * phy_uses_state_machine - test whether consumer driver uses PAL state machine
+ * @phydev: the target PHY device structure
+ *
+ * Ultimately, this aims to indirectly determine whether the PHY is attached
+ * to a consumer which uses the state machine by calling phy_start() and
+ * phy_stop().
+ *
+ * When the PHY driver consumer uses phylib, it must have previously called
+ * phy_connect_direct() or one of its derivatives, so that phy_prepare_link()
+ * has set up a hook for monitoring state changes.
+ *
+ * When the PHY driver is used by the MAC driver consumer through phylink (the
+ * only other provider of a phy_link_change() method), using the PHY state
+ * machine is not optional.
+ *
+ * Return: true if consumer calls phy_start() and phy_stop(), false otherwise.
+ */
+static bool phy_uses_state_machine(struct phy_device *phydev)
+{
+ if (phydev->phy_link_change == phy_link_change)
+ return phydev->attached_dev && phydev->adjust_link;
+
+ /* phydev->phy_link_change is implicitly phylink_phy_change() */
+ return true;
+}
+
static bool mdio_bus_phy_may_suspend(struct phy_device *phydev)
{
struct device_driver *drv = phydev->mdio.dev.driver;
@@ -319,7 +346,7 @@ static __maybe_unused int mdio_bus_phy_suspend(struct device *dev)
* may call phy routines that try to grab the same lock, and that may
* lead to a deadlock.
*/
- if (phydev->attached_dev && phydev->adjust_link)
+ if (phy_uses_state_machine(phydev))
phy_stop_machine(phydev);
if (!mdio_bus_phy_may_suspend(phydev))
@@ -373,7 +400,7 @@ static __maybe_unused int mdio_bus_phy_resume(struct device *dev)
}
}
- if (phydev->attached_dev && phydev->adjust_link)
+ if (phy_uses_state_machine(phydev))
phy_start_machine(phydev);
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 040/449] ipv6: Align behavior across nexthops during path selection
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 039/449] net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 041/449] net: ppp: Add bound checking for skb data on ppp_sync_txmung Greg Kroah-Hartman
` (415 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Willem de Bruijn, Ido Schimmel,
Willem de Bruijn, David Ahern, Jakub Kicinski, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit 6933cd4714861eea6848f18396a119d741f25fc3 ]
A nexthop is only chosen when the calculated multipath hash falls in the
nexthop's hash region (i.e., the hash is smaller than the nexthop's hash
threshold) and when the nexthop is assigned a non-negative score by
rt6_score_route().
Commit 4d0ab3a6885e ("ipv6: Start path selection from the first
nexthop") introduced an unintentional difference between the first
nexthop and the rest when the score is negative.
When the first nexthop matches, but has a negative score, the code will
currently evaluate subsequent nexthops until one is found with a
non-negative score. On the other hand, when a different nexthop matches,
but has a negative score, the code will fallback to the nexthop with
which the selection started ('match').
Align the behavior across all nexthops and fallback to 'match' when the
first nexthop matches, but has a negative score.
Fixes: 3d709f69a3e7 ("ipv6: Use hash-threshold instead of modulo-N")
Fixes: 4d0ab3a6885e ("ipv6: Start path selection from the first nexthop")
Reported-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Closes: https://lore.kernel.org/netdev/67efef607bc41_1ddca82948c@willemb.c.googlers.com.notmuch/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20250408084316.243559-1-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/route.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 169a7b9bc40ea..08cee62e789e1 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -470,10 +470,10 @@ void fib6_select_path(const struct net *net, struct fib6_result *res,
goto out;
hash = fl6->mp_hash;
- if (hash <= atomic_read(&first->fib6_nh->fib_nh_upper_bound) &&
- rt6_score_route(first->fib6_nh, first->fib6_flags, oif,
- strict) >= 0) {
- match = first;
+ if (hash <= atomic_read(&first->fib6_nh->fib_nh_upper_bound)) {
+ if (rt6_score_route(first->fib6_nh, first->fib6_flags, oif,
+ strict) >= 0)
+ match = first;
goto out;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 041/449] net: ppp: Add bound checking for skb data on ppp_sync_txmung
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 040/449] ipv6: Align behavior across nexthops during path selection Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 042/449] nft_set_pipapo: fix incorrect avx2 match of 5th field octet Greg Kroah-Hartman
` (414 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+29fc8991b0ecb186cf40,
Arnaud Lecomte, Paolo Abeni, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaud Lecomte <contact@arnaud-lcm.com>
[ Upstream commit aabc6596ffb377c4c9c8f335124b92ea282c9821 ]
Ensure we have enough data in linear buffer from skb before accessing
initial bytes. This prevents potential out-of-bounds accesses
when processing short packets.
When ppp_sync_txmung receives an incoming package with an empty
payload:
(remote) gef➤ p *(struct pppoe_hdr *) (skb->head + skb->network_header)
$18 = {
type = 0x1,
ver = 0x1,
code = 0x0,
sid = 0x2,
length = 0x0,
tag = 0xffff8880371cdb96
}
from the skb struct (trimmed)
tail = 0x16,
end = 0x140,
head = 0xffff88803346f400 "4",
data = 0xffff88803346f416 ":\377",
truesize = 0x380,
len = 0x0,
data_len = 0x0,
mac_len = 0xe,
hdr_len = 0x0,
it is not safe to access data[2].
Reported-by: syzbot+29fc8991b0ecb186cf40@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=29fc8991b0ecb186cf40
Tested-by: syzbot+29fc8991b0ecb186cf40@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
Link: https://patch.msgid.link/20250408-bound-checking-ppp_txmung-v2-1-94bb6e1b92d0@arnaud-lcm.com
[pabeni@redhat.com: fixed subj typo]
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ppp/ppp_synctty.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c
index 644e99fc3623f..9c4932198931f 100644
--- a/drivers/net/ppp/ppp_synctty.c
+++ b/drivers/net/ppp/ppp_synctty.c
@@ -506,6 +506,11 @@ ppp_sync_txmunge(struct syncppp *ap, struct sk_buff *skb)
unsigned char *data;
int islcp;
+ /* Ensure we can safely access protocol field and LCP code */
+ if (!pskb_may_pull(skb, 3)) {
+ kfree_skb(skb);
+ return NULL;
+ }
data = skb->data;
proto = get_unaligned_be16(data);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 042/449] nft_set_pipapo: fix incorrect avx2 match of 5th field octet
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 041/449] net: ppp: Add bound checking for skb data on ppp_sync_txmung Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 043/449] ethtool: cmis_cdb: Fix incorrect read / write length extension Greg Kroah-Hartman
` (413 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, sontu mazumdar, Stefano Brivio,
Florian Westphal, Pablo Neira Ayuso, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit e042ed950d4e176379ba4c0722146cd96fb38aa2 ]
Given a set element like:
icmpv6 . dead:beef:00ff::1
The value of 'ff' is irrelevant, any address will be matched
as long as the other octets are the same.
This is because of too-early register clobbering:
ymm7 is reloaded with new packet data (pkt[9]) but it still holds data
of an earlier load that wasn't processed yet.
The existing tests in nft_concat_range.sh selftests do exercise this code
path, but do not trigger incorrect matching due to the network prefix
limitation.
Fixes: 7400b063969b ("nft_set_pipapo: Introduce AVX2-based lookup implementation")
Reported-by: sontu mazumdar <sontu21@gmail.com>
Closes: https://lore.kernel.org/netfilter/CANgxkqwnMH7fXra+VUfODT-8+qFLgskq3set1cAzqqJaV4iEZg@mail.gmail.com/T/#t
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_set_pipapo_avx2.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
index b8d3c3213efee..c15db28c5ebc4 100644
--- a/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -994,8 +994,9 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill,
NFT_PIPAPO_AVX2_BUCKET_LOAD8(5, lt, 8, pkt[8], bsize);
NFT_PIPAPO_AVX2_AND(6, 2, 3);
+ NFT_PIPAPO_AVX2_AND(3, 4, 7);
NFT_PIPAPO_AVX2_BUCKET_LOAD8(7, lt, 9, pkt[9], bsize);
- NFT_PIPAPO_AVX2_AND(0, 4, 5);
+ NFT_PIPAPO_AVX2_AND(0, 3, 5);
NFT_PIPAPO_AVX2_BUCKET_LOAD8(1, lt, 10, pkt[10], bsize);
NFT_PIPAPO_AVX2_AND(2, 6, 7);
NFT_PIPAPO_AVX2_BUCKET_LOAD8(3, lt, 11, pkt[11], bsize);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 043/449] ethtool: cmis_cdb: Fix incorrect read / write length extension
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 042/449] nft_set_pipapo: fix incorrect avx2 match of 5th field octet Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 044/449] iommu/exynos: Fix suspend/resume with IDENTITY domain Greg Kroah-Hartman
` (412 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damodharam Ammepalli, Ido Schimmel,
Petr Machata, Paolo Abeni, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit eaa517b77e63442260640d875f824d1111ca6569 ]
The 'read_write_len_ext' field in 'struct ethtool_cmis_cdb_cmd_args'
stores the maximum number of bytes that can be read from or written to
the Local Payload (LPL) page in a single multi-byte access.
Cited commit started overwriting this field with the maximum number of
bytes that can be read from or written to the Extended Payload (LPL)
pages in a single multi-byte access. Transceiver modules that support
auto paging can advertise a number larger than 255 which is problematic
as 'read_write_len_ext' is a 'u8', resulting in the number getting
truncated and firmware flashing failing [1].
Fix by ignoring the maximum EPL access size as the kernel does not
currently support auto paging (even if the transceiver module does) and
will not try to read / write more than 128 bytes at once.
[1]
Transceiver module firmware flashing started for device enp177s0np0
Transceiver module firmware flashing in progress for device enp177s0np0
Progress: 0%
Transceiver module firmware flashing encountered an error for device enp177s0np0
Status message: Write FW block EPL command failed, LPL length is longer
than CDB read write length extension allows.
Fixes: 9a3b0d078bd8 ("net: ethtool: Add support for writing firmware blocks using EPL payload")
Reported-by: Damodharam Ammepalli <damodharam.ammepalli@broadcom.com>
Closes: https://lore.kernel.org/netdev/20250402183123.321036-3-michael.chan@broadcom.com/
Tested-by: Damodharam Ammepalli <damodharam.ammepalli@broadcom.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Damodharam Ammepalli <damodharam.ammepalli@broadcom.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Link: https://patch.msgid.link/20250409112440.365672-1-idosch@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ethtool/cmis.h | 1 -
net/ethtool/cmis_cdb.c | 18 +++---------------
2 files changed, 3 insertions(+), 16 deletions(-)
diff --git a/net/ethtool/cmis.h b/net/ethtool/cmis.h
index 1e790413db0e8..4a9a946cabf05 100644
--- a/net/ethtool/cmis.h
+++ b/net/ethtool/cmis.h
@@ -101,7 +101,6 @@ struct ethtool_cmis_cdb_rpl {
};
u32 ethtool_cmis_get_max_lpl_size(u8 num_of_byte_octs);
-u32 ethtool_cmis_get_max_epl_size(u8 num_of_byte_octs);
void ethtool_cmis_cdb_compose_args(struct ethtool_cmis_cdb_cmd_args *args,
enum ethtool_cmis_cdb_cmd_id cmd, u8 *lpl,
diff --git a/net/ethtool/cmis_cdb.c b/net/ethtool/cmis_cdb.c
index d159dc121bde5..0e2691ccb0df3 100644
--- a/net/ethtool/cmis_cdb.c
+++ b/net/ethtool/cmis_cdb.c
@@ -16,15 +16,6 @@ u32 ethtool_cmis_get_max_lpl_size(u8 num_of_byte_octs)
return 8 * (1 + min_t(u8, num_of_byte_octs, 15));
}
-/* For accessing the EPL field on page 9Fh, the allowable length extension is
- * min(i, 255) byte octets where i specifies the allowable additional number of
- * byte octets in a READ or a WRITE.
- */
-u32 ethtool_cmis_get_max_epl_size(u8 num_of_byte_octs)
-{
- return 8 * (1 + min_t(u8, num_of_byte_octs, 255));
-}
-
void ethtool_cmis_cdb_compose_args(struct ethtool_cmis_cdb_cmd_args *args,
enum ethtool_cmis_cdb_cmd_id cmd, u8 *lpl,
u8 lpl_len, u8 *epl, u16 epl_len,
@@ -33,19 +24,16 @@ void ethtool_cmis_cdb_compose_args(struct ethtool_cmis_cdb_cmd_args *args,
{
args->req.id = cpu_to_be16(cmd);
args->req.lpl_len = lpl_len;
- if (lpl) {
+ if (lpl)
memcpy(args->req.payload, lpl, args->req.lpl_len);
- args->read_write_len_ext =
- ethtool_cmis_get_max_lpl_size(read_write_len_ext);
- }
if (epl) {
args->req.epl_len = cpu_to_be16(epl_len);
args->req.epl = epl;
- args->read_write_len_ext =
- ethtool_cmis_get_max_epl_size(read_write_len_ext);
}
args->max_duration = max_duration;
+ args->read_write_len_ext =
+ ethtool_cmis_get_max_lpl_size(read_write_len_ext);
args->msleep_pre_rpl = msleep_pre_rpl;
args->rpl_exp_len = rpl_exp_len;
args->flags = flags;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 044/449] iommu/exynos: Fix suspend/resume with IDENTITY domain
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 043/449] ethtool: cmis_cdb: Fix incorrect read / write length extension Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 045/449] iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group Greg Kroah-Hartman
` (411 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Szyprowski, Joerg Roedel,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Szyprowski <m.szyprowski@samsung.com>
[ Upstream commit 99deffc409b69000ac4877486e69ec6516becd53 ]
Commit bcb81ac6ae3c ("iommu: Get DT/ACPI parsing into the proper probe
path") changed the sequence of probing the SYSMMU controller devices and
calls to arm_iommu_attach_device(), what results in resuming SYSMMU
controller earlier, when it is still set to IDENTITY mapping. Such change
revealed the bug in IDENTITY handling in the exynos-iommu driver. When
SYSMMU controller is set to IDENTITY mapping, data->domain is NULL, so
adjust checks in suspend & resume callbacks to handle this case
correctly.
Fixes: b3d14960e629 ("iommu/exynos: Implement an IDENTITY domain")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://lore.kernel.org/r/20250401202731.2810474-1-m.szyprowski@samsung.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/exynos-iommu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/iommu/exynos-iommu.c b/drivers/iommu/exynos-iommu.c
index 69e23e017d9e5..317266aca6e28 100644
--- a/drivers/iommu/exynos-iommu.c
+++ b/drivers/iommu/exynos-iommu.c
@@ -832,7 +832,7 @@ static int __maybe_unused exynos_sysmmu_suspend(struct device *dev)
struct exynos_iommu_owner *owner = dev_iommu_priv_get(master);
mutex_lock(&owner->rpm_lock);
- if (&data->domain->domain != &exynos_identity_domain) {
+ if (data->domain) {
dev_dbg(data->sysmmu, "saving state\n");
__sysmmu_disable(data);
}
@@ -850,7 +850,7 @@ static int __maybe_unused exynos_sysmmu_resume(struct device *dev)
struct exynos_iommu_owner *owner = dev_iommu_priv_get(master);
mutex_lock(&owner->rpm_lock);
- if (&data->domain->domain != &exynos_identity_domain) {
+ if (data->domain) {
dev_dbg(data->sysmmu, "restoring state\n");
__sysmmu_enable(data);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 045/449] iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 044/449] iommu/exynos: Fix suspend/resume with IDENTITY domain Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 046/449] net: libwx: Fix the wrong Rx descriptor field Greg Kroah-Hartman
` (410 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yong Wu, AngeloGioacchino Del Regno,
Louis-Alexis Eyraud, Joerg Roedel, Sasha Levin, Chen-Yu Tsai
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Louis-Alexis Eyraud <louisalexis.eyraud@collabora.com>
[ Upstream commit 38e8844005e6068f336a3ad45451a562a0040ca1 ]
Currently, mtk_iommu calls during probe iommu_device_register before
the hw_list from driver data is initialized. Since iommu probing issue
fix, it leads to NULL pointer dereference in mtk_iommu_device_group when
hw_list is accessed with list_first_entry (not null safe).
So, change the call order to ensure iommu_device_register is called
after the driver data are initialized.
Fixes: 9e3a2a643653 ("iommu/mediatek: Adapt sharing and non-sharing pgtable case")
Fixes: bcb81ac6ae3c ("iommu: Get DT/ACPI parsing into the proper probe path")
Reviewed-by: Yong Wu <yong.wu@mediatek.com>
Tested-by: Chen-Yu Tsai <wenst@chromium.org> # MT8183 Juniper, MT8186 Tentacruel
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Tested-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Louis-Alexis Eyraud <louisalexis.eyraud@collabora.com>
Link: https://lore.kernel.org/r/20250403-fix-mtk-iommu-error-v2-1-fe8b18f8b0a8@collabora.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/mtk_iommu.c | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c
index 034b0e670384a..df98d0c65f546 100644
--- a/drivers/iommu/mtk_iommu.c
+++ b/drivers/iommu/mtk_iommu.c
@@ -1372,15 +1372,6 @@ static int mtk_iommu_probe(struct platform_device *pdev)
platform_set_drvdata(pdev, data);
mutex_init(&data->mutex);
- ret = iommu_device_sysfs_add(&data->iommu, dev, NULL,
- "mtk-iommu.%pa", &ioaddr);
- if (ret)
- goto out_link_remove;
-
- ret = iommu_device_register(&data->iommu, &mtk_iommu_ops, dev);
- if (ret)
- goto out_sysfs_remove;
-
if (MTK_IOMMU_HAS_FLAG(data->plat_data, SHARE_PGTABLE)) {
list_add_tail(&data->list, data->plat_data->hw_list);
data->hw_list = data->plat_data->hw_list;
@@ -1390,19 +1381,28 @@ static int mtk_iommu_probe(struct platform_device *pdev)
data->hw_list = &data->hw_list_head;
}
+ ret = iommu_device_sysfs_add(&data->iommu, dev, NULL,
+ "mtk-iommu.%pa", &ioaddr);
+ if (ret)
+ goto out_list_del;
+
+ ret = iommu_device_register(&data->iommu, &mtk_iommu_ops, dev);
+ if (ret)
+ goto out_sysfs_remove;
+
if (MTK_IOMMU_IS_TYPE(data->plat_data, MTK_IOMMU_TYPE_MM)) {
ret = component_master_add_with_match(dev, &mtk_iommu_com_ops, match);
if (ret)
- goto out_list_del;
+ goto out_device_unregister;
}
return ret;
-out_list_del:
- list_del(&data->list);
+out_device_unregister:
iommu_device_unregister(&data->iommu);
out_sysfs_remove:
iommu_device_sysfs_remove(&data->iommu);
-out_link_remove:
+out_list_del:
+ list_del(&data->list);
if (MTK_IOMMU_IS_TYPE(data->plat_data, MTK_IOMMU_TYPE_MM))
device_link_remove(data->smicomm_dev, dev);
out_runtime_disable:
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 046/449] net: libwx: Fix the wrong Rx descriptor field
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 045/449] iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 047/449] perf/core: Simplify the perf_event_alloc() error path Greg Kroah-Hartman
` (409 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiawen Wu, Michal Kubiak,
Paolo Abeni, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiawen Wu <jiawenwu@trustnetic.com>
[ Upstream commit 13e7d7240a43d8ea528c12ae5a912be1ff7fa29b ]
WX_RXD_IPV6EX was incorrectly defined in Rx ring descriptor. In fact, this
field stores the 802.1ad ID from which the packet was received. The wrong
definition caused the statistics rx_csum_offload_errors to fail to grow
when receiving the 802.1ad packet with incorrect checksum.
Fixes: ef4f3c19f912 ("net: wangxun: libwx add rx offload functions")
Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
Link: https://patch.msgid.link/20250407103322.273241-1-jiawenwu@trustnetic.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/wangxun/libwx/wx_lib.c | 3 ++-
drivers/net/ethernet/wangxun/libwx/wx_type.h | 3 +--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/wangxun/libwx/wx_lib.c b/drivers/net/ethernet/wangxun/libwx/wx_lib.c
index 43b89509d0fe5..5b113fd71fe2e 100644
--- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c
+++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c
@@ -546,7 +546,8 @@ static void wx_rx_checksum(struct wx_ring *ring,
return;
/* Hardware can't guarantee csum if IPv6 Dest Header found */
- if (dptype.prot != WX_DEC_PTYPE_PROT_SCTP && WX_RXD_IPV6EX(rx_desc))
+ if (dptype.prot != WX_DEC_PTYPE_PROT_SCTP &&
+ wx_test_staterr(rx_desc, WX_RXD_STAT_IPV6EX))
return;
/* if L4 checksum error */
diff --git a/drivers/net/ethernet/wangxun/libwx/wx_type.h b/drivers/net/ethernet/wangxun/libwx/wx_type.h
index b54bffda027b4..1d9ed1cffd67c 100644
--- a/drivers/net/ethernet/wangxun/libwx/wx_type.h
+++ b/drivers/net/ethernet/wangxun/libwx/wx_type.h
@@ -460,6 +460,7 @@ enum WX_MSCA_CMD_value {
#define WX_RXD_STAT_L4CS BIT(7) /* L4 xsum calculated */
#define WX_RXD_STAT_IPCS BIT(8) /* IP xsum calculated */
#define WX_RXD_STAT_OUTERIPCS BIT(10) /* Cloud IP xsum calculated*/
+#define WX_RXD_STAT_IPV6EX BIT(12) /* IPv6 Dest Header */
#define WX_RXD_ERR_OUTERIPER BIT(26) /* CRC IP Header error */
#define WX_RXD_ERR_RXE BIT(29) /* Any MAC Error */
@@ -535,8 +536,6 @@ enum wx_l2_ptypes {
#define WX_RXD_PKTTYPE(_rxd) \
((le32_to_cpu((_rxd)->wb.lower.lo_dword.data) >> 9) & 0xFF)
-#define WX_RXD_IPV6EX(_rxd) \
- ((le32_to_cpu((_rxd)->wb.lower.lo_dword.data) >> 6) & 0x1)
/*********************** Transmit Descriptor Config Masks ****************/
#define WX_TXD_STAT_DD BIT(0) /* Descriptor Done */
#define WX_TXD_DTYP_DATA 0 /* Adv Data Descriptor */
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 047/449] perf/core: Simplify the perf_event_alloc() error path
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 046/449] net: libwx: Fix the wrong Rx descriptor field Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 048/449] perf: Fix hang while freeing sigtrap event Greg Kroah-Hartman
` (408 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Zijlstra (Intel), Ingo Molnar,
Ravi Bangoria, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit c70ca298036c58a88686ff388d3d367e9d21acf0 ]
The error cleanup sequence in perf_event_alloc() is a subset of the
existing _free_event() function (it must of course be).
Split this out into __free_event() and simplify the error path.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Reviewed-by: Ravi Bangoria <ravi.bangoria@amd.com>
Link: https://lore.kernel.org/r/20241104135517.967889521@infradead.org
Stable-dep-of: 56799bc03565 ("perf: Fix hang while freeing sigtrap event")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/perf_event.h | 16 +++--
kernel/events/core.c | 138 ++++++++++++++++++-------------------
2 files changed, 78 insertions(+), 76 deletions(-)
diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
index bcb764c3a8034..677f80249458e 100644
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -673,13 +673,15 @@ struct swevent_hlist {
struct rcu_head rcu_head;
};
-#define PERF_ATTACH_CONTEXT 0x01
-#define PERF_ATTACH_GROUP 0x02
-#define PERF_ATTACH_TASK 0x04
-#define PERF_ATTACH_TASK_DATA 0x08
-#define PERF_ATTACH_ITRACE 0x10
-#define PERF_ATTACH_SCHED_CB 0x20
-#define PERF_ATTACH_CHILD 0x40
+#define PERF_ATTACH_CONTEXT 0x0001
+#define PERF_ATTACH_GROUP 0x0002
+#define PERF_ATTACH_TASK 0x0004
+#define PERF_ATTACH_TASK_DATA 0x0008
+#define PERF_ATTACH_ITRACE 0x0010
+#define PERF_ATTACH_SCHED_CB 0x0020
+#define PERF_ATTACH_CHILD 0x0040
+#define PERF_ATTACH_EXCLUSIVE 0x0080
+#define PERF_ATTACH_CALLCHAIN 0x0100
struct bpf_prog;
struct perf_cgroup;
diff --git a/kernel/events/core.c b/kernel/events/core.c
index f6cf17929bb98..3a69e816d6f12 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -5253,6 +5253,8 @@ static int exclusive_event_init(struct perf_event *event)
return -EBUSY;
}
+ event->attach_state |= PERF_ATTACH_EXCLUSIVE;
+
return 0;
}
@@ -5260,14 +5262,13 @@ static void exclusive_event_destroy(struct perf_event *event)
{
struct pmu *pmu = event->pmu;
- if (!is_exclusive_pmu(pmu))
- return;
-
/* see comment in exclusive_event_init() */
if (event->attach_state & PERF_ATTACH_TASK)
atomic_dec(&pmu->exclusive_cnt);
else
atomic_inc(&pmu->exclusive_cnt);
+
+ event->attach_state &= ~PERF_ATTACH_EXCLUSIVE;
}
static bool exclusive_event_match(struct perf_event *e1, struct perf_event *e2)
@@ -5326,40 +5327,20 @@ static void perf_pending_task_sync(struct perf_event *event)
rcuwait_wait_event(&event->pending_work_wait, !event->pending_work, TASK_UNINTERRUPTIBLE);
}
-static void _free_event(struct perf_event *event)
+/* vs perf_event_alloc() error */
+static void __free_event(struct perf_event *event)
{
- irq_work_sync(&event->pending_irq);
- irq_work_sync(&event->pending_disable_irq);
- perf_pending_task_sync(event);
+ if (event->attach_state & PERF_ATTACH_CALLCHAIN)
+ put_callchain_buffers();
- unaccount_event(event);
+ kfree(event->addr_filter_ranges);
- security_perf_event_free(event);
-
- if (event->rb) {
- /*
- * Can happen when we close an event with re-directed output.
- *
- * Since we have a 0 refcount, perf_mmap_close() will skip
- * over us; possibly making our ring_buffer_put() the last.
- */
- mutex_lock(&event->mmap_mutex);
- ring_buffer_attach(event, NULL);
- mutex_unlock(&event->mmap_mutex);
- }
+ if (event->attach_state & PERF_ATTACH_EXCLUSIVE)
+ exclusive_event_destroy(event);
if (is_cgroup_event(event))
perf_detach_cgroup(event);
- if (!event->parent) {
- if (event->attr.sample_type & PERF_SAMPLE_CALLCHAIN)
- put_callchain_buffers();
- }
-
- perf_event_free_bpf_prog(event);
- perf_addr_filters_splice(event, NULL);
- kfree(event->addr_filter_ranges);
-
if (event->destroy)
event->destroy(event);
@@ -5370,22 +5351,58 @@ static void _free_event(struct perf_event *event)
if (event->hw.target)
put_task_struct(event->hw.target);
- if (event->pmu_ctx)
+ if (event->pmu_ctx) {
+ /*
+ * put_pmu_ctx() needs an event->ctx reference, because of
+ * epc->ctx.
+ */
+ WARN_ON_ONCE(!event->ctx);
+ WARN_ON_ONCE(event->pmu_ctx->ctx != event->ctx);
put_pmu_ctx(event->pmu_ctx);
+ }
/*
- * perf_event_free_task() relies on put_ctx() being 'last', in particular
- * all task references must be cleaned up.
+ * perf_event_free_task() relies on put_ctx() being 'last', in
+ * particular all task references must be cleaned up.
*/
if (event->ctx)
put_ctx(event->ctx);
- exclusive_event_destroy(event);
- module_put(event->pmu->module);
+ if (event->pmu)
+ module_put(event->pmu->module);
call_rcu(&event->rcu_head, free_event_rcu);
}
+/* vs perf_event_alloc() success */
+static void _free_event(struct perf_event *event)
+{
+ irq_work_sync(&event->pending_irq);
+ irq_work_sync(&event->pending_disable_irq);
+ perf_pending_task_sync(event);
+
+ unaccount_event(event);
+
+ security_perf_event_free(event);
+
+ if (event->rb) {
+ /*
+ * Can happen when we close an event with re-directed output.
+ *
+ * Since we have a 0 refcount, perf_mmap_close() will skip
+ * over us; possibly making our ring_buffer_put() the last.
+ */
+ mutex_lock(&event->mmap_mutex);
+ ring_buffer_attach(event, NULL);
+ mutex_unlock(&event->mmap_mutex);
+ }
+
+ perf_event_free_bpf_prog(event);
+ perf_addr_filters_splice(event, NULL);
+
+ __free_event(event);
+}
+
/*
* Used to free events which have a known refcount of 1, such as in error paths
* where the event isn't exposed yet and inherited events.
@@ -12056,8 +12073,10 @@ static int perf_try_init_event(struct pmu *pmu, struct perf_event *event)
event->destroy(event);
}
- if (ret)
+ if (ret) {
+ event->pmu = NULL;
module_put(pmu->module);
+ }
return ret;
}
@@ -12385,7 +12404,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
* See perf_output_read().
*/
if (has_inherit_and_sample_read(attr) && !(attr->sample_type & PERF_SAMPLE_TID))
- goto err_ns;
+ goto err;
if (!has_branch_stack(event))
event->attr.branch_sample_type = 0;
@@ -12393,7 +12412,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
pmu = perf_init_event(event);
if (IS_ERR(pmu)) {
err = PTR_ERR(pmu);
- goto err_ns;
+ goto err;
}
/*
@@ -12403,25 +12422,25 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
*/
if (pmu->task_ctx_nr == perf_invalid_context && (task || cgroup_fd != -1)) {
err = -EINVAL;
- goto err_pmu;
+ goto err;
}
if (event->attr.aux_output &&
(!(pmu->capabilities & PERF_PMU_CAP_AUX_OUTPUT) ||
event->attr.aux_pause || event->attr.aux_resume)) {
err = -EOPNOTSUPP;
- goto err_pmu;
+ goto err;
}
if (event->attr.aux_pause && event->attr.aux_resume) {
err = -EINVAL;
- goto err_pmu;
+ goto err;
}
if (event->attr.aux_start_paused) {
if (!(pmu->capabilities & PERF_PMU_CAP_AUX_PAUSE)) {
err = -EOPNOTSUPP;
- goto err_pmu;
+ goto err;
}
event->hw.aux_paused = 1;
}
@@ -12429,12 +12448,12 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
if (cgroup_fd != -1) {
err = perf_cgroup_connect(cgroup_fd, event, attr, group_leader);
if (err)
- goto err_pmu;
+ goto err;
}
err = exclusive_event_init(event);
if (err)
- goto err_pmu;
+ goto err;
if (has_addr_filter(event)) {
event->addr_filter_ranges = kcalloc(pmu->nr_addr_filters,
@@ -12442,7 +12461,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
GFP_KERNEL);
if (!event->addr_filter_ranges) {
err = -ENOMEM;
- goto err_per_task;
+ goto err;
}
/*
@@ -12467,41 +12486,22 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
if (event->attr.sample_type & PERF_SAMPLE_CALLCHAIN) {
err = get_callchain_buffers(attr->sample_max_stack);
if (err)
- goto err_addr_filters;
+ goto err;
+ event->attach_state |= PERF_ATTACH_CALLCHAIN;
}
}
err = security_perf_event_alloc(event);
if (err)
- goto err_callchain_buffer;
+ goto err;
/* symmetric to unaccount_event() in _free_event() */
account_event(event);
return event;
-err_callchain_buffer:
- if (!event->parent) {
- if (event->attr.sample_type & PERF_SAMPLE_CALLCHAIN)
- put_callchain_buffers();
- }
-err_addr_filters:
- kfree(event->addr_filter_ranges);
-
-err_per_task:
- exclusive_event_destroy(event);
-
-err_pmu:
- if (is_cgroup_event(event))
- perf_detach_cgroup(event);
- if (event->destroy)
- event->destroy(event);
- module_put(pmu->module);
-err_ns:
- if (event->hw.target)
- put_task_struct(event->hw.target);
- call_rcu(&event->rcu_head, free_event_rcu);
-
+err:
+ __free_event(event);
return ERR_PTR(err);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 048/449] perf: Fix hang while freeing sigtrap event
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 047/449] perf/core: Simplify the perf_event_alloc() error path Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 049/449] fs: consistently deref the files table with rcu_dereference_raw() Greg Kroah-Hartman
` (407 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yi Lai, syzbot+3c4321e10eea460eb606,
Frederic Weisbecker, Peter Zijlstra (Intel), Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frederic Weisbecker <frederic@kernel.org>
[ Upstream commit 56799bc035658738f362acec3e7647bb84e68933 ]
Perf can hang while freeing a sigtrap event if a related deferred
signal hadn't managed to be sent before the file got closed:
perf_event_overflow()
task_work_add(perf_pending_task)
fput()
task_work_add(____fput())
task_work_run()
____fput()
perf_release()
perf_event_release_kernel()
_free_event()
perf_pending_task_sync()
task_work_cancel() -> FAILED
rcuwait_wait_event()
Once task_work_run() is running, the list of pending callbacks is
removed from the task_struct and from this point on task_work_cancel()
can't remove any pending and not yet started work items, hence the
task_work_cancel() failure and the hang on rcuwait_wait_event().
Task work could be changed to remove one work at a time, so a work
running on the current task can always cancel a pending one, however
the wait / wake design is still subject to inverted dependencies when
remote targets are involved, as pictured by Oleg:
T1 T2
fd = perf_event_open(pid => T2->pid); fd = perf_event_open(pid => T1->pid);
close(fd) close(fd)
<IRQ> <IRQ>
perf_event_overflow() perf_event_overflow()
task_work_add(perf_pending_task) task_work_add(perf_pending_task)
</IRQ> </IRQ>
fput() fput()
task_work_add(____fput()) task_work_add(____fput())
task_work_run() task_work_run()
____fput() ____fput()
perf_release() perf_release()
perf_event_release_kernel() perf_event_release_kernel()
_free_event() _free_event()
perf_pending_task_sync() perf_pending_task_sync()
rcuwait_wait_event() rcuwait_wait_event()
Therefore the only option left is to acquire the event reference count
upon queueing the perf task work and release it from the task work, just
like it was done before 3a5465418f5f ("perf: Fix event leak upon exec and file release")
but without the leaks it fixed.
Some adjustments are necessary to make it work:
* A child event might dereference its parent upon freeing. Care must be
taken to release the parent last.
* Some places assuming the event doesn't have any reference held and
therefore can be freed right away must instead put the reference and
let the reference counting to its job.
Reported-by: "Yi Lai" <yi1.lai@linux.intel.com>
Closes: https://lore.kernel.org/all/Zx9Losv4YcJowaP%2F@ly-workstation/
Reported-by: syzbot+3c4321e10eea460eb606@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/673adf75.050a0220.87769.0024.GAE@google.com/
Fixes: 3a5465418f5f ("perf: Fix event leak upon exec and file release")
Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20250304135446.18905-1-frederic@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/perf_event.h | 1 -
kernel/events/core.c | 64 +++++++++++---------------------------
2 files changed, 18 insertions(+), 47 deletions(-)
diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
index 677f80249458e..93ea9c6672f0e 100644
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -833,7 +833,6 @@ struct perf_event {
struct irq_work pending_disable_irq;
struct callback_head pending_task;
unsigned int pending_work;
- struct rcuwait pending_work_wait;
atomic_t event_limit;
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 3a69e816d6f12..ee6b7281a1994 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -5303,30 +5303,6 @@ static bool exclusive_event_installable(struct perf_event *event,
static void perf_addr_filters_splice(struct perf_event *event,
struct list_head *head);
-static void perf_pending_task_sync(struct perf_event *event)
-{
- struct callback_head *head = &event->pending_task;
-
- if (!event->pending_work)
- return;
- /*
- * If the task is queued to the current task's queue, we
- * obviously can't wait for it to complete. Simply cancel it.
- */
- if (task_work_cancel(current, head)) {
- event->pending_work = 0;
- local_dec(&event->ctx->nr_no_switch_fast);
- return;
- }
-
- /*
- * All accesses related to the event are within the same RCU section in
- * perf_pending_task(). The RCU grace period before the event is freed
- * will make sure all those accesses are complete by then.
- */
- rcuwait_wait_event(&event->pending_work_wait, !event->pending_work, TASK_UNINTERRUPTIBLE);
-}
-
/* vs perf_event_alloc() error */
static void __free_event(struct perf_event *event)
{
@@ -5379,7 +5355,6 @@ static void _free_event(struct perf_event *event)
{
irq_work_sync(&event->pending_irq);
irq_work_sync(&event->pending_disable_irq);
- perf_pending_task_sync(event);
unaccount_event(event);
@@ -5472,10 +5447,17 @@ static void perf_remove_from_owner(struct perf_event *event)
static void put_event(struct perf_event *event)
{
+ struct perf_event *parent;
+
if (!atomic_long_dec_and_test(&event->refcount))
return;
+ parent = event->parent;
_free_event(event);
+
+ /* Matches the refcount bump in inherit_event() */
+ if (parent)
+ put_event(parent);
}
/*
@@ -5559,11 +5541,6 @@ int perf_event_release_kernel(struct perf_event *event)
if (tmp == child) {
perf_remove_from_context(child, DETACH_GROUP);
list_move(&child->child_list, &free_list);
- /*
- * This matches the refcount bump in inherit_event();
- * this can't be the last reference.
- */
- put_event(event);
} else {
var = &ctx->refcount;
}
@@ -5589,7 +5566,8 @@ int perf_event_release_kernel(struct perf_event *event)
void *var = &child->ctx->refcount;
list_del(&child->child_list);
- free_event(child);
+ /* Last reference unless ->pending_task work is pending */
+ put_event(child);
/*
* Wake any perf_event_free_task() waiting for this event to be
@@ -5600,7 +5578,11 @@ int perf_event_release_kernel(struct perf_event *event)
}
no_ctx:
- put_event(event); /* Must be the 'last' reference */
+ /*
+ * Last reference unless ->pending_task work is pending on this event
+ * or any of its children.
+ */
+ put_event(event);
return 0;
}
EXPORT_SYMBOL_GPL(perf_event_release_kernel);
@@ -7014,12 +6996,6 @@ static void perf_pending_task(struct callback_head *head)
struct perf_event *event = container_of(head, struct perf_event, pending_task);
int rctx;
- /*
- * All accesses to the event must belong to the same implicit RCU read-side
- * critical section as the ->pending_work reset. See comment in
- * perf_pending_task_sync().
- */
- rcu_read_lock();
/*
* If we 'fail' here, that's OK, it means recursion is already disabled
* and we won't recurse 'further'.
@@ -7030,9 +7006,8 @@ static void perf_pending_task(struct callback_head *head)
event->pending_work = 0;
perf_sigtrap(event);
local_dec(&event->ctx->nr_no_switch_fast);
- rcuwait_wake_up(&event->pending_work_wait);
}
- rcu_read_unlock();
+ put_event(event);
if (rctx >= 0)
perf_swevent_put_recursion_context(rctx);
@@ -9978,6 +9953,7 @@ static int __perf_event_overflow(struct perf_event *event,
!task_work_add(current, &event->pending_task, notify_mode)) {
event->pending_work = pending_id;
local_inc(&event->ctx->nr_no_switch_fast);
+ WARN_ON_ONCE(!atomic_long_inc_not_zero(&event->refcount));
event->pending_addr = 0;
if (valid_sample && (data->sample_flags & PERF_SAMPLE_ADDR))
@@ -12325,7 +12301,6 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
init_irq_work(&event->pending_irq, perf_pending_irq);
event->pending_disable_irq = IRQ_WORK_INIT_HARD(perf_pending_disable);
init_task_work(&event->pending_task, perf_pending_task);
- rcuwait_init(&event->pending_work_wait);
mutex_init(&event->mmap_mutex);
raw_spin_lock_init(&event->addr_filters.lock);
@@ -13466,8 +13441,7 @@ perf_event_exit_event(struct perf_event *event, struct perf_event_context *ctx)
* Kick perf_poll() for is_event_hup();
*/
perf_event_wakeup(parent_event);
- free_event(event);
- put_event(parent_event);
+ put_event(event);
return;
}
@@ -13585,13 +13559,11 @@ static void perf_free_event(struct perf_event *event,
list_del_init(&event->child_list);
mutex_unlock(&parent->child_mutex);
- put_event(parent);
-
raw_spin_lock_irq(&ctx->lock);
perf_group_detach(event);
list_del_event(event, ctx);
raw_spin_unlock_irq(&ctx->lock);
- free_event(event);
+ put_event(event);
}
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 049/449] fs: consistently deref the files table with rcu_dereference_raw()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 048/449] perf: Fix hang while freeing sigtrap event Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 050/449] umount: Allow superblock owners to force umount Greg Kroah-Hartman
` (406 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mateusz Guzik, Christian Brauner,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mateusz Guzik <mjguzik@gmail.com>
[ Upstream commit f381640e1bd4f2de7ccafbfe8703d33c3718aad9 ]
... except when the table is known to be only used by one thread.
A file pointer can get installed at any moment despite the ->file_lock
being held since the following:
8a81252b774b53e6 ("fs/file.c: don't acquire files->file_lock in fd_install()")
Accesses subject to such a race can in principle suffer load tearing.
While here redo the comment in dup_fd -- it only covered a race against
files showing up, still assuming fd_install() takes the lock.
Signed-off-by: Mateusz Guzik <mjguzik@gmail.com>
Link: https://lore.kernel.org/r/20250313135725.1320914-1-mjguzik@gmail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/file.c | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/fs/file.c b/fs/file.c
index d868cdb95d1e7..1ba03662ae66f 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -418,17 +418,25 @@ struct files_struct *dup_fd(struct files_struct *oldf, struct fd_range *punch_ho
old_fds = old_fdt->fd;
new_fds = new_fdt->fd;
+ /*
+ * We may be racing against fd allocation from other threads using this
+ * files_struct, despite holding ->file_lock.
+ *
+ * alloc_fd() might have already claimed a slot, while fd_install()
+ * did not populate it yet. Note the latter operates locklessly, so
+ * the file can show up as we are walking the array below.
+ *
+ * At the same time we know no files will disappear as all other
+ * operations take the lock.
+ *
+ * Instead of trying to placate userspace racing with itself, we
+ * ref the file if we see it and mark the fd slot as unused otherwise.
+ */
for (i = open_files; i != 0; i--) {
- struct file *f = *old_fds++;
+ struct file *f = rcu_dereference_raw(*old_fds++);
if (f) {
get_file(f);
} else {
- /*
- * The fd may be claimed in the fd bitmap but not yet
- * instantiated in the files array if a sibling thread
- * is partway through open(). So make sure that this
- * fd is available to the new process.
- */
__clear_open_fd(open_files - i, new_fdt);
}
rcu_assign_pointer(*new_fds++, f);
@@ -679,7 +687,7 @@ struct file *file_close_fd_locked(struct files_struct *files, unsigned fd)
return NULL;
fd = array_index_nospec(fd, fdt->max_fds);
- file = fdt->fd[fd];
+ file = rcu_dereference_raw(fdt->fd[fd]);
if (file) {
rcu_assign_pointer(fdt->fd[fd], NULL);
__put_unused_fd(files, fd);
@@ -1237,7 +1245,7 @@ __releases(&files->file_lock)
*/
fdt = files_fdtable(files);
fd = array_index_nospec(fd, fdt->max_fds);
- tofree = fdt->fd[fd];
+ tofree = rcu_dereference_raw(fdt->fd[fd]);
if (!tofree && fd_is_open(fd, fdt))
goto Ebusy;
get_file(file);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 050/449] umount: Allow superblock owners to force umount
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 049/449] fs: consistently deref the files table with rcu_dereference_raw() Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 051/449] srcu: Force synchronization for srcu_get_delay() Greg Kroah-Hartman
` (405 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Eric W. Biederman,
Christian Brauner, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit e1ff7aa34dec7e650159fd7ca8ec6af7cc428d9f ]
Loosen the permission check on forced umount to allow users holding
CAP_SYS_ADMIN privileges in namespaces that are privileged with respect
to the userns that originally mounted the filesystem.
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Link: https://lore.kernel.org/r/12f212d4ef983714d065a6bb372fbb378753bf4c.1742315194.git.trond.myklebust@hammerspace.com
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/namespace.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index 8f1000f9f3df1..d401486fe95d1 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2026,6 +2026,7 @@ static void warn_mandlock(void)
static int can_umount(const struct path *path, int flags)
{
struct mount *mnt = real_mount(path->mnt);
+ struct super_block *sb = path->dentry->d_sb;
if (!may_mount())
return -EPERM;
@@ -2035,7 +2036,7 @@ static int can_umount(const struct path *path, int flags)
return -EINVAL;
if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */
return -EINVAL;
- if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))
+ if (flags & MNT_FORCE && !ns_capable(sb->s_user_ns, CAP_SYS_ADMIN))
return -EPERM;
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 051/449] srcu: Force synchronization for srcu_get_delay()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 050/449] umount: Allow superblock owners to force umount Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 052/449] pm: cpupower: bench: Prevent NULL dereference on malloc failure Greg Kroah-Hartman
` (404 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+16a19b06125a2963eaee,
Paul E. McKenney, Alexei Starovoitov, Andrii Nakryiko,
Peter Zijlstra, Kent Overstreet, bpf, Boqun Feng, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul E. McKenney <paulmck@kernel.org>
[ Upstream commit d31e31365b5b6c0cdfc74d71be87234ced564395 ]
Currently, srcu_get_delay() can be called concurrently, for example,
by a CPU that is the first to request a new grace period and the CPU
processing the current grace period. Although concurrent access is
harmless, it unnecessarily expands the state space. Additionally,
all calls to srcu_get_delay() are from slow paths.
This commit therefore protects all calls to srcu_get_delay() with
ssp->srcu_sup->lock, which is already held on the invocation from the
srcu_funnel_gp_start() function. While in the area, this commit also
adds a lockdep_assert_held() to srcu_get_delay() itself.
Reported-by: syzbot+16a19b06125a2963eaee@syzkaller.appspotmail.com
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Andrii Nakryiko <andrii@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Kent Overstreet <kent.overstreet@linux.dev>
Cc: <bpf@vger.kernel.org>
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/rcu/srcutree.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/kernel/rcu/srcutree.c b/kernel/rcu/srcutree.c
index b83c74c4dcc0d..2d8f3329023c5 100644
--- a/kernel/rcu/srcutree.c
+++ b/kernel/rcu/srcutree.c
@@ -647,6 +647,7 @@ static unsigned long srcu_get_delay(struct srcu_struct *ssp)
unsigned long jbase = SRCU_INTERVAL;
struct srcu_usage *sup = ssp->srcu_sup;
+ lockdep_assert_held(&ACCESS_PRIVATE(ssp->srcu_sup, lock));
if (srcu_gp_is_expedited(ssp))
jbase = 0;
if (rcu_seq_state(READ_ONCE(sup->srcu_gp_seq))) {
@@ -674,9 +675,13 @@ static unsigned long srcu_get_delay(struct srcu_struct *ssp)
void cleanup_srcu_struct(struct srcu_struct *ssp)
{
int cpu;
+ unsigned long delay;
struct srcu_usage *sup = ssp->srcu_sup;
- if (WARN_ON(!srcu_get_delay(ssp)))
+ spin_lock_irq_rcu_node(ssp->srcu_sup);
+ delay = srcu_get_delay(ssp);
+ spin_unlock_irq_rcu_node(ssp->srcu_sup);
+ if (WARN_ON(!delay))
return; /* Just leak it! */
if (WARN_ON(srcu_readers_active(ssp)))
return; /* Just leak it! */
@@ -1102,7 +1107,9 @@ static bool try_check_zero(struct srcu_struct *ssp, int idx, int trycount)
{
unsigned long curdelay;
+ spin_lock_irq_rcu_node(ssp->srcu_sup);
curdelay = !srcu_get_delay(ssp);
+ spin_unlock_irq_rcu_node(ssp->srcu_sup);
for (;;) {
if (srcu_readers_active_idx_check(ssp, idx))
@@ -1849,7 +1856,9 @@ static void process_srcu(struct work_struct *work)
ssp = sup->srcu_ssp;
srcu_advance_state(ssp);
+ spin_lock_irq_rcu_node(ssp->srcu_sup);
curdelay = srcu_get_delay(ssp);
+ spin_unlock_irq_rcu_node(ssp->srcu_sup);
if (curdelay) {
WRITE_ONCE(sup->reschedule_count, 0);
} else {
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 052/449] pm: cpupower: bench: Prevent NULL dereference on malloc failure
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 051/449] srcu: Force synchronization for srcu_get_delay() Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 053/449] irqchip/gic-v3: Add Rockchip 3568002 erratum workaround Greg Kroah-Hartman
` (403 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhongqiu Han, Shuah Khan,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhongqiu Han <quic_zhonhan@quicinc.com>
[ Upstream commit 208baa3ec9043a664d9acfb8174b332e6b17fb69 ]
If malloc returns NULL due to low memory, 'config' pointer can be NULL.
Add a check to prevent NULL dereference.
Link: https://lore.kernel.org/r/20250219122715.3892223-1-quic_zhonhan@quicinc.com
Signed-off-by: Zhongqiu Han <quic_zhonhan@quicinc.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/power/cpupower/bench/parse.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tools/power/cpupower/bench/parse.c b/tools/power/cpupower/bench/parse.c
index 080678d9d74e2..bd67c758b33ac 100644
--- a/tools/power/cpupower/bench/parse.c
+++ b/tools/power/cpupower/bench/parse.c
@@ -121,6 +121,10 @@ FILE *prepare_output(const char *dirname)
struct config *prepare_default_config()
{
struct config *config = malloc(sizeof(struct config));
+ if (!config) {
+ perror("malloc");
+ return NULL;
+ }
dprintf("loading defaults\n");
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 053/449] irqchip/gic-v3: Add Rockchip 3568002 erratum workaround
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 052/449] pm: cpupower: bench: Prevent NULL dereference on malloc failure Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 054/449] x86/mm: Clear _PAGE_DIRTY for kernel mappings when we clear _PAGE_RW Greg Kroah-Hartman
` (402 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Osipenko, Thomas Gleixner,
Marc Zyngier, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Osipenko <dmitry.osipenko@collabora.com>
[ Upstream commit 2d81e1bb625238d40a686ed909ff3e1abab7556a ]
Rockchip RK3566/RK3568 GIC600 integration has DDR addressing
limited to the first 32bit of physical address space. Rockchip
assigned Erratum ID #3568002 for this issue. Add driver quirk for
this Rockchip GIC Erratum.
Note, that the 0x0201743b GIC600 ID is not Rockchip-specific and is
common for many ARM GICv3 implementations. Hence, there is an extra
of_machine_is_compatible() check.
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/all/20250216221634.364158-2-dmitry.osipenko@collabora.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/arch/arm64/silicon-errata.rst | 2 ++
arch/arm64/Kconfig | 9 ++++++++
drivers/irqchip/irq-gic-v3-its.c | 23 ++++++++++++++++++++-
3 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/Documentation/arch/arm64/silicon-errata.rst b/Documentation/arch/arm64/silicon-errata.rst
index f074f6219f5c3..f968c13b46a78 100644
--- a/Documentation/arch/arm64/silicon-errata.rst
+++ b/Documentation/arch/arm64/silicon-errata.rst
@@ -284,6 +284,8 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| Rockchip | RK3588 | #3588001 | ROCKCHIP_ERRATUM_3588001 |
+----------------+-----------------+-----------------+-----------------------------+
+| Rockchip | RK3568 | #3568002 | ROCKCHIP_ERRATUM_3568002 |
++----------------+-----------------+-----------------+-----------------------------+
+----------------+-----------------+-----------------+-----------------------------+
| Fujitsu | A64FX | E#010001 | FUJITSU_ERRATUM_010001 |
+----------------+-----------------+-----------------+-----------------------------+
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 940343beb3d4c..3e7483ad5276c 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1302,6 +1302,15 @@ config NVIDIA_CARMEL_CNP_ERRATUM
If unsure, say Y.
+config ROCKCHIP_ERRATUM_3568002
+ bool "Rockchip 3568002: GIC600 can not access physical addresses higher than 4GB"
+ default y
+ help
+ The Rockchip RK3566 and RK3568 GIC600 SoC integrations have AXI
+ addressing limited to the first 32bit of physical address space.
+
+ If unsure, say Y.
+
config ROCKCHIP_ERRATUM_3588001
bool "Rockchip 3588001: GIC600 can not support shareability attributes"
default y
diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
index 8c3ec5734f1ef..f30ed281882ff 100644
--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -205,13 +205,15 @@ static DEFINE_IDA(its_vpeid_ida);
#define gic_data_rdist_rd_base() (gic_data_rdist()->rd_base)
#define gic_data_rdist_vlpi_base() (gic_data_rdist_rd_base() + SZ_128K)
+static gfp_t gfp_flags_quirk;
+
static struct page *its_alloc_pages_node(int node, gfp_t gfp,
unsigned int order)
{
struct page *page;
int ret = 0;
- page = alloc_pages_node(node, gfp, order);
+ page = alloc_pages_node(node, gfp | gfp_flags_quirk, order);
if (!page)
return NULL;
@@ -4887,6 +4889,17 @@ static bool __maybe_unused its_enable_quirk_hip09_162100801(void *data)
return true;
}
+static bool __maybe_unused its_enable_rk3568002(void *data)
+{
+ if (!of_machine_is_compatible("rockchip,rk3566") &&
+ !of_machine_is_compatible("rockchip,rk3568"))
+ return false;
+
+ gfp_flags_quirk |= GFP_DMA32;
+
+ return true;
+}
+
static const struct gic_quirk its_quirks[] = {
#ifdef CONFIG_CAVIUM_ERRATUM_22375
{
@@ -4954,6 +4967,14 @@ static const struct gic_quirk its_quirks[] = {
.property = "dma-noncoherent",
.init = its_set_non_coherent,
},
+#ifdef CONFIG_ROCKCHIP_ERRATUM_3568002
+ {
+ .desc = "ITS: Rockchip erratum RK3568002",
+ .iidr = 0x0201743b,
+ .mask = 0xffffffff,
+ .init = its_enable_rk3568002,
+ },
+#endif
{
}
};
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 054/449] x86/mm: Clear _PAGE_DIRTY for kernel mappings when we clear _PAGE_RW
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 053/449] irqchip/gic-v3: Add Rockchip 3568002 erratum workaround Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 055/449] x86/percpu: Disable named address spaces for UBSAN_BOOL with KASAN for GCC < 14.2 Greg Kroah-Hartman
` (401 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot,
Matthew Wilcox (Oracle), Ingo Molnar, Linus Torvalds, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
[ Upstream commit c1fcf41cf37f7a3fd3bbf6f0c04aba3ea4258888 ]
The bit pattern of _PAGE_DIRTY set and _PAGE_RW clear is used to mark
shadow stacks. This is currently checked for in mk_pte() but not
pfn_pte(). If we add the check to pfn_pte(), it catches vfree()
calling set_direct_map_invalid_noflush() which calls
__change_page_attr() which loads the old protection bits from the
PTE, clears the specified bits and uses pfn_pte() to construct the
new PTE.
We should, therefore, for kernel mappings, clear the _PAGE_DIRTY bit
consistently whenever we clear _PAGE_RW. I opted to do it in the
callers in case we want to use __change_page_attr() to create shadow
stacks inside the kernel at some point in the future. Arguably, we
might also want to clear _PAGE_ACCESSED here.
Note that the 3 functions involved:
__set_pages_np()
kernel_map_pages_in_pgd()
kernel_unmap_pages_in_pgd()
Only ever manipulate non-swappable kernel mappings, so maintaining
the DIRTY:1|RW:0 special pattern for shadow stacks and DIRTY:0
pattern for non-shadow-stack entries can be maintained consistently
and doesn't result in the unintended clearing of a live dirty bit
that could corrupt (destroy) dirty bit information for user mappings.
Reported-by: kernel test robot <oliver.sang@intel.com>
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/r/174051422675.10177.13226545170101706336.tip-bot2@tip-bot2
Closes: https://lore.kernel.org/oe-lkp/202502241646.719f4651-lkp@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/mm/pat/set_memory.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c
index ef4514d64c052..b491d8190a6c5 100644
--- a/arch/x86/mm/pat/set_memory.c
+++ b/arch/x86/mm/pat/set_memory.c
@@ -2420,7 +2420,7 @@ static int __set_pages_np(struct page *page, int numpages)
.pgd = NULL,
.numpages = numpages,
.mask_set = __pgprot(0),
- .mask_clr = __pgprot(_PAGE_PRESENT | _PAGE_RW),
+ .mask_clr = __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY),
.flags = CPA_NO_CHECK_ALIAS };
/*
@@ -2507,7 +2507,7 @@ int __init kernel_map_pages_in_pgd(pgd_t *pgd, u64 pfn, unsigned long address,
.pgd = pgd,
.numpages = numpages,
.mask_set = __pgprot(0),
- .mask_clr = __pgprot(~page_flags & (_PAGE_NX|_PAGE_RW)),
+ .mask_clr = __pgprot(~page_flags & (_PAGE_NX|_PAGE_RW|_PAGE_DIRTY)),
.flags = CPA_NO_CHECK_ALIAS,
};
@@ -2550,7 +2550,7 @@ int __init kernel_unmap_pages_in_pgd(pgd_t *pgd, unsigned long address,
.pgd = pgd,
.numpages = numpages,
.mask_set = __pgprot(0),
- .mask_clr = __pgprot(_PAGE_PRESENT | _PAGE_RW),
+ .mask_clr = __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY),
.flags = CPA_NO_CHECK_ALIAS,
};
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 055/449] x86/percpu: Disable named address spaces for UBSAN_BOOL with KASAN for GCC < 14.2
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 054/449] x86/mm: Clear _PAGE_DIRTY for kernel mappings when we clear _PAGE_RW Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 056/449] x86/ia32: Leave NULL selector values 0~3 unchanged Greg Kroah-Hartman
` (400 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matt Fleming, Uros Bizjak,
Ingo Molnar, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uros Bizjak <ubizjak@gmail.com>
[ Upstream commit b6762467a09ba8838c499e4f36561e82fc608ed1 ]
GCC < 14.2 does not correctly propagate address space qualifiers
with -fsanitize=bool,enum. Together with address sanitizer then
causes that load to be sanitized.
Disable named address spaces for GCC < 14.2 when both, UBSAN_BOOL
and KASAN are enabled.
Reported-by: Matt Fleming <matt@readmodwrite.com>
Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://lore.kernel.org/r/20250227140715.2276353-1-ubizjak@gmail.com
Closes: https://lore.kernel.org/lkml/20241213190119.3449103-1-matt@readmodwrite.com/
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/Kconfig | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index aaec6ebd6c4e0..aeb95b6e55369 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2452,18 +2452,20 @@ config CC_HAS_NAMED_AS
def_bool $(success,echo 'int __seg_fs fs; int __seg_gs gs;' | $(CC) -x c - -S -o /dev/null)
depends on CC_IS_GCC
+#
+# -fsanitize=kernel-address (KASAN) and -fsanitize=thread (KCSAN)
+# are incompatible with named address spaces with GCC < 13.3
+# (see GCC PR sanitizer/111736 and also PR sanitizer/115172).
+#
+
config CC_HAS_NAMED_AS_FIXED_SANITIZERS
- def_bool CC_IS_GCC && GCC_VERSION >= 130300
+ def_bool y
+ depends on !(KASAN || KCSAN) || GCC_VERSION >= 130300
+ depends on !(UBSAN_BOOL && KASAN) || GCC_VERSION >= 140200
config USE_X86_SEG_SUPPORT
- def_bool y
- depends on CC_HAS_NAMED_AS
- #
- # -fsanitize=kernel-address (KASAN) and -fsanitize=thread
- # (KCSAN) are incompatible with named address spaces with
- # GCC < 13.3 - see GCC PR sanitizer/111736.
- #
- depends on !(KASAN || KCSAN) || CC_HAS_NAMED_AS_FIXED_SANITIZERS
+ def_bool CC_HAS_NAMED_AS
+ depends on CC_HAS_NAMED_AS_FIXED_SANITIZERS
config CC_HAS_SLS
def_bool $(cc-option,-mharden-sls=all)
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 056/449] x86/ia32: Leave NULL selector values 0~3 unchanged
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 055/449] x86/percpu: Disable named address spaces for UBSAN_BOOL with KASAN for GCC < 14.2 Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 057/449] x86/cpu: Dont clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine Greg Kroah-Hartman
` (399 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xin Li (Intel), Ingo Molnar,
Andrew Cooper, Linus Torvalds, Andy Lutomirski, Brian Gerst,
Peter Zijlstra, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Li (Intel) <xin@zytor.com>
[ Upstream commit ad546940b5991d3e141238cd80a6d1894b767184 ]
The first GDT descriptor is reserved as 'NULL descriptor'. As bits 0
and 1 of a segment selector, i.e., the RPL bits, are NOT used to index
GDT, selector values 0~3 all point to the NULL descriptor, thus values
0, 1, 2 and 3 are all valid NULL selector values.
When a NULL selector value is to be loaded into a segment register,
reload_segments() sets its RPL bits. Later IRET zeros ES, FS, GS, and
DS segment registers if any of them is found to have any nonzero NULL
selector value. The two operations offset each other to actually effect
a nop.
Besides, zeroing of RPL in NULL selector values is an information leak
in pre-FRED systems as userspace can spot any interrupt/exception by
loading a nonzero NULL selector, and waiting for it to become zero.
But there is nothing software can do to prevent it before FRED.
ERETU, the only legit instruction to return to userspace from kernel
under FRED, by design does NOT zero any segment register to avoid this
problem behavior.
As such, leave NULL selector values 0~3 unchanged and close the leak.
Do the same on 32-bit kernel as well.
Signed-off-by: Xin Li (Intel) <xin@zytor.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lore.kernel.org/r/20241126184529.1607334-1-xin@zytor.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/signal_32.c | 62 +++++++++++++++++++++++++------------
1 file changed, 43 insertions(+), 19 deletions(-)
diff --git a/arch/x86/kernel/signal_32.c b/arch/x86/kernel/signal_32.c
index ef654530bf5a9..98123ff10506c 100644
--- a/arch/x86/kernel/signal_32.c
+++ b/arch/x86/kernel/signal_32.c
@@ -33,25 +33,55 @@
#include <asm/smap.h>
#include <asm/gsseg.h>
+/*
+ * The first GDT descriptor is reserved as 'NULL descriptor'. As bits 0
+ * and 1 of a segment selector, i.e., the RPL bits, are NOT used to index
+ * GDT, selector values 0~3 all point to the NULL descriptor, thus values
+ * 0, 1, 2 and 3 are all valid NULL selector values.
+ *
+ * However IRET zeros ES, FS, GS, and DS segment registers if any of them
+ * is found to have any nonzero NULL selector value, which can be used by
+ * userspace in pre-FRED systems to spot any interrupt/exception by loading
+ * a nonzero NULL selector and waiting for it to become zero. Before FRED
+ * there was nothing software could do to prevent such an information leak.
+ *
+ * ERETU, the only legit instruction to return to userspace from kernel
+ * under FRED, by design does NOT zero any segment register to avoid this
+ * problem behavior.
+ *
+ * As such, leave NULL selector values 0~3 unchanged.
+ */
+static inline u16 fixup_rpl(u16 sel)
+{
+ return sel <= 3 ? sel : sel | 3;
+}
+
#ifdef CONFIG_IA32_EMULATION
#include <asm/unistd_32_ia32.h>
static inline void reload_segments(struct sigcontext_32 *sc)
{
- unsigned int cur;
+ u16 cur;
+ /*
+ * Reload fs and gs if they have changed in the signal
+ * handler. This does not handle long fs/gs base changes in
+ * the handler, but does not clobber them at least in the
+ * normal case.
+ */
savesegment(gs, cur);
- if ((sc->gs | 0x03) != cur)
- load_gs_index(sc->gs | 0x03);
+ if (fixup_rpl(sc->gs) != cur)
+ load_gs_index(fixup_rpl(sc->gs));
savesegment(fs, cur);
- if ((sc->fs | 0x03) != cur)
- loadsegment(fs, sc->fs | 0x03);
+ if (fixup_rpl(sc->fs) != cur)
+ loadsegment(fs, fixup_rpl(sc->fs));
+
savesegment(ds, cur);
- if ((sc->ds | 0x03) != cur)
- loadsegment(ds, sc->ds | 0x03);
+ if (fixup_rpl(sc->ds) != cur)
+ loadsegment(ds, fixup_rpl(sc->ds));
savesegment(es, cur);
- if ((sc->es | 0x03) != cur)
- loadsegment(es, sc->es | 0x03);
+ if (fixup_rpl(sc->es) != cur)
+ loadsegment(es, fixup_rpl(sc->es));
}
#define sigset32_t compat_sigset_t
@@ -105,18 +135,12 @@ static bool ia32_restore_sigcontext(struct pt_regs *regs,
regs->orig_ax = -1;
#ifdef CONFIG_IA32_EMULATION
- /*
- * Reload fs and gs if they have changed in the signal
- * handler. This does not handle long fs/gs base changes in
- * the handler, but does not clobber them at least in the
- * normal case.
- */
reload_segments(&sc);
#else
- loadsegment(gs, sc.gs);
- regs->fs = sc.fs;
- regs->es = sc.es;
- regs->ds = sc.ds;
+ loadsegment(gs, fixup_rpl(sc.gs));
+ regs->fs = fixup_rpl(sc.fs);
+ regs->es = fixup_rpl(sc.es);
+ regs->ds = fixup_rpl(sc.ds);
#endif
return fpu__restore_sig(compat_ptr(sc.fpstate), 1);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 057/449] x86/cpu: Dont clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 056/449] x86/ia32: Leave NULL selector values 0~3 unchanged Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 058/449] perf: arm_pmu: Dont disable counter in armpmu_add() Greg Kroah-Hartman
` (398 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Max Grobecker, Ingo Molnar,
linux-kernel, Borislav Petkov, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Grobecker <max@grobecker.info>
[ Upstream commit a4248ee16f411ac1ea7dfab228a6659b111e3d65 ]
When running in a virtual machine, we might see the original hardware CPU
vendor string (i.e. "AuthenticAMD"), but a model and family ID set by the
hypervisor. In case we run on AMD hardware and the hypervisor sets a model
ID < 0x14, the LAHF cpu feature is eliminated from the the list of CPU
capabilities present to circumvent a bug with some BIOSes in conjunction with
AMD K8 processors.
Parsing the flags list from /proc/cpuinfo seems to be happening mostly in
bash scripts and prebuilt Docker containers, as it does not need to have
additionals tools present – even though more reliable ways like using "kcpuid",
which calls the CPUID instruction instead of parsing a list, should be preferred.
Scripts, that use /proc/cpuinfo to determine if the current CPU is
"compliant" with defined microarchitecture levels like x86-64-v2 will falsely
claim the CPU is incapable of modern CPU instructions when "lahf_lm" is missing
in that flags list.
This can prevent some docker containers from starting or build scripts to create
unoptimized binaries.
Admittably, this is more a small inconvenience than a severe bug in the kernel
and the shoddy scripts that rely on parsing /proc/cpuinfo
should be fixed instead.
This patch adds an additional check to see if we're running inside a
virtual machine (X86_FEATURE_HYPERVISOR is present), which, to my
understanding, can't be present on a real K8 processor as it was introduced
only with the later/other Athlon64 models.
Example output with the "lahf_lm" flag missing in the flags list
(should be shown between "hypervisor" and "abm"):
$ cat /proc/cpuinfo
processor : 0
vendor_id : AuthenticAMD
cpu family : 15
model : 6
model name : Common KVM processor
stepping : 1
microcode : 0x1000065
cpu MHz : 2599.998
cache size : 512 KB
physical id : 0
siblings : 1
core id : 0
cpu cores : 1
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca
cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx rdtscp
lm rep_good nopl cpuid extd_apicid tsc_known_freq pni
pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt
tsc_deadline_timer aes xsave avx f16c hypervisor abm
3dnowprefetch vmmcall bmi1 avx2 bmi2 xsaveopt
... while kcpuid shows the feature to be present in the CPU:
# kcpuid -d | grep lahf
lahf_lm - LAHF/SAHF available in 64-bit mode
[ mingo: Updated the comment a bit, incorporated Boris's review feedback. ]
Signed-off-by: Max Grobecker <max@grobecker.info>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: linux-kernel@vger.kernel.org
Cc: Borislav Petkov <bp@alien8.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/cpu/amd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index ce71f49654ee3..4c9b20d028eb4 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -632,7 +632,7 @@ static void init_amd_k8(struct cpuinfo_x86 *c)
* (model = 0x14) and later actually support it.
* (AMD Erratum #110, docId: 25759).
*/
- if (c->x86_model < 0x14 && cpu_has(c, X86_FEATURE_LAHF_LM)) {
+ if (c->x86_model < 0x14 && cpu_has(c, X86_FEATURE_LAHF_LM) && !cpu_has(c, X86_FEATURE_HYPERVISOR)) {
clear_cpu_cap(c, X86_FEATURE_LAHF_LM);
if (!rdmsrl_amd_safe(0xc001100d, &value)) {
value &= ~BIT_64(32);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 058/449] perf: arm_pmu: Dont disable counter in armpmu_add()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 057/449] x86/cpu: Dont clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 059/449] perf/dwc_pcie: fix some unreleased resources Greg Kroah-Hartman
` (397 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Rob Herring (Arm),
Anshuman Khandual, James Clark, Will Deacon, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit dcca27bc1eccb9abc2552aab950b18a9742fb8e7 ]
Currently armpmu_add() tries to handle a newly-allocated counter having
a stale associated event, but this should not be possible, and if this
were to happen the current mitigation is insufficient and potentially
expensive. It would be better to warn if we encounter the impossible
case.
Calls to pmu::add() and pmu::del() are serialized by the core perf code,
and armpmu_del() clears the relevant slot in pmu_hw_events::events[]
before clearing the bit in pmu_hw_events::used_mask such that the
counter can be reallocated. Thus when armpmu_add() allocates a counter
index from pmu_hw_events::used_mask, it should not be possible to observe
a stale even in pmu_hw_events::events[] unless either
pmu_hw_events::used_mask or pmu_hw_events::events[] have been corrupted.
If this were to happen, we'd end up with two events with the same
event->hw.idx, which would clash with each other during reprogramming,
deletion, etc, and produce bogus results. Add a WARN_ON_ONCE() for this
case so that we can detect if this ever occurs in practice.
That possiblity aside, there's no need to call arm_pmu::disable(event)
for the new event. The PMU reset code initialises the counter in a
disabled state, and armpmu_del() will disable the counter before it can
be reused. Remove the redundant disable.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Tested-by: James Clark <james.clark@linaro.org>
Link: https://lore.kernel.org/r/20250218-arm-brbe-v19-v20-2-4e9922fc2e8e@kernel.org
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/perf/arm_pmu.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/drivers/perf/arm_pmu.c b/drivers/perf/arm_pmu.c
index 398cce3d76fc4..2f33e69a8caf2 100644
--- a/drivers/perf/arm_pmu.c
+++ b/drivers/perf/arm_pmu.c
@@ -342,12 +342,10 @@ armpmu_add(struct perf_event *event, int flags)
if (idx < 0)
return idx;
- /*
- * If there is an event in the counter we are going to use then make
- * sure it is disabled.
- */
+ /* The newly-allocated counter should be empty */
+ WARN_ON_ONCE(hw_events->events[idx]);
+
event->hw.idx = idx;
- armpmu->disable(event);
hw_events->events[idx] = event;
hwc->state = PERF_HES_STOPPED | PERF_HES_UPTODATE;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 059/449] perf/dwc_pcie: fix some unreleased resources
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 058/449] perf: arm_pmu: Dont disable counter in armpmu_add() Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 060/449] perf/dwc_pcie: fix duplicate pci_dev devices Greg Kroah-Hartman
` (396 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yunhui Cui, Shuai Xue, Will Deacon,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yunhui Cui <cuiyunhui@bytedance.com>
[ Upstream commit 6eb1e8ef586ac4a3dcdc20248f9cb45e4ceb141f ]
Release leaked resources, such as plat_dev and dev_info.
Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
Reviewed-by: Shuai Xue <xueshuai@linux.alibaba.com>
Link: https://lore.kernel.org/r/20250220121716.50324-2-cuiyunhui@bytedance.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/perf/dwc_pcie_pmu.c | 33 ++++++++++++++++++++++-----------
1 file changed, 22 insertions(+), 11 deletions(-)
diff --git a/drivers/perf/dwc_pcie_pmu.c b/drivers/perf/dwc_pcie_pmu.c
index cccecae9823f6..19fa2ba8dd670 100644
--- a/drivers/perf/dwc_pcie_pmu.c
+++ b/drivers/perf/dwc_pcie_pmu.c
@@ -572,8 +572,10 @@ static int dwc_pcie_register_dev(struct pci_dev *pdev)
return PTR_ERR(plat_dev);
dev_info = kzalloc(sizeof(*dev_info), GFP_KERNEL);
- if (!dev_info)
+ if (!dev_info) {
+ platform_device_unregister(plat_dev);
return -ENOMEM;
+ }
/* Cache platform device to handle pci device hotplug */
dev_info->plat_dev = plat_dev;
@@ -730,6 +732,15 @@ static struct platform_driver dwc_pcie_pmu_driver = {
.driver = {.name = "dwc_pcie_pmu",},
};
+static void dwc_pcie_cleanup_devices(void)
+{
+ struct dwc_pcie_dev_info *dev_info, *tmp;
+
+ list_for_each_entry_safe(dev_info, tmp, &dwc_pcie_dev_info_head, dev_node) {
+ dwc_pcie_unregister_dev(dev_info);
+ }
+}
+
static int __init dwc_pcie_pmu_init(void)
{
struct pci_dev *pdev = NULL;
@@ -742,7 +753,7 @@ static int __init dwc_pcie_pmu_init(void)
ret = dwc_pcie_register_dev(pdev);
if (ret) {
pci_dev_put(pdev);
- return ret;
+ goto err_cleanup;
}
}
@@ -751,35 +762,35 @@ static int __init dwc_pcie_pmu_init(void)
dwc_pcie_pmu_online_cpu,
dwc_pcie_pmu_offline_cpu);
if (ret < 0)
- return ret;
+ goto err_cleanup;
dwc_pcie_pmu_hp_state = ret;
ret = platform_driver_register(&dwc_pcie_pmu_driver);
if (ret)
- goto platform_driver_register_err;
+ goto err_remove_cpuhp;
ret = bus_register_notifier(&pci_bus_type, &dwc_pcie_pmu_nb);
if (ret)
- goto platform_driver_register_err;
+ goto err_unregister_driver;
notify = true;
return 0;
-platform_driver_register_err:
+err_unregister_driver:
+ platform_driver_unregister(&dwc_pcie_pmu_driver);
+err_remove_cpuhp:
cpuhp_remove_multi_state(dwc_pcie_pmu_hp_state);
-
+err_cleanup:
+ dwc_pcie_cleanup_devices();
return ret;
}
static void __exit dwc_pcie_pmu_exit(void)
{
- struct dwc_pcie_dev_info *dev_info, *tmp;
-
if (notify)
bus_unregister_notifier(&pci_bus_type, &dwc_pcie_pmu_nb);
- list_for_each_entry_safe(dev_info, tmp, &dwc_pcie_dev_info_head, dev_node)
- dwc_pcie_unregister_dev(dev_info);
+ dwc_pcie_cleanup_devices();
platform_driver_unregister(&dwc_pcie_pmu_driver);
cpuhp_remove_multi_state(dwc_pcie_pmu_hp_state);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 060/449] perf/dwc_pcie: fix duplicate pci_dev devices
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 059/449] perf/dwc_pcie: fix some unreleased resources Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 061/449] PM: hibernate: Avoid deadlock in hibernate_compressor_param_set() Greg Kroah-Hartman
` (395 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yunhui Cui, Shuai Xue, Will Deacon,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yunhui Cui <cuiyunhui@bytedance.com>
[ Upstream commit 7f35b429802a8065aa61e2a3f567089649f4d98e ]
During platform_device_register, wrongly using struct device
pci_dev as platform_data caused a kmemdup copy of pci_dev. Worse
still, accessing the duplicated device leads to list corruption as its
mutex content (e.g., list, magic) remains the same as the original.
Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
Reviewed-by: Shuai Xue <xueshuai@linux.alibaba.com>
Link: https://lore.kernel.org/r/20250220121716.50324-3-cuiyunhui@bytedance.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/perf/dwc_pcie_pmu.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/drivers/perf/dwc_pcie_pmu.c b/drivers/perf/dwc_pcie_pmu.c
index 19fa2ba8dd670..f851e070760c5 100644
--- a/drivers/perf/dwc_pcie_pmu.c
+++ b/drivers/perf/dwc_pcie_pmu.c
@@ -565,9 +565,7 @@ static int dwc_pcie_register_dev(struct pci_dev *pdev)
u32 sbdf;
sbdf = (pci_domain_nr(pdev->bus) << 16) | PCI_DEVID(pdev->bus->number, pdev->devfn);
- plat_dev = platform_device_register_data(NULL, "dwc_pcie_pmu", sbdf,
- pdev, sizeof(*pdev));
-
+ plat_dev = platform_device_register_simple("dwc_pcie_pmu", sbdf, NULL, 0);
if (IS_ERR(plat_dev))
return PTR_ERR(plat_dev);
@@ -616,18 +614,26 @@ static struct notifier_block dwc_pcie_pmu_nb = {
static int dwc_pcie_pmu_probe(struct platform_device *plat_dev)
{
- struct pci_dev *pdev = plat_dev->dev.platform_data;
+ struct pci_dev *pdev;
struct dwc_pcie_pmu *pcie_pmu;
char *name;
u32 sbdf;
u16 vsec;
int ret;
+ sbdf = plat_dev->id;
+ pdev = pci_get_domain_bus_and_slot(sbdf >> 16, PCI_BUS_NUM(sbdf & 0xffff),
+ sbdf & 0xff);
+ if (!pdev) {
+ pr_err("No pdev found for the sbdf 0x%x\n", sbdf);
+ return -ENODEV;
+ }
+
vsec = dwc_pcie_des_cap(pdev);
if (!vsec)
return -ENODEV;
- sbdf = plat_dev->id;
+ pci_dev_put(pdev);
name = devm_kasprintf(&plat_dev->dev, GFP_KERNEL, "dwc_rootport_%x", sbdf);
if (!name)
return -ENOMEM;
@@ -642,7 +648,7 @@ static int dwc_pcie_pmu_probe(struct platform_device *plat_dev)
pcie_pmu->on_cpu = -1;
pcie_pmu->pmu = (struct pmu){
.name = name,
- .parent = &pdev->dev,
+ .parent = &plat_dev->dev,
.module = THIS_MODULE,
.attr_groups = dwc_pcie_attr_groups,
.capabilities = PERF_PMU_CAP_NO_EXCLUDE,
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 061/449] PM: hibernate: Avoid deadlock in hibernate_compressor_param_set()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 060/449] perf/dwc_pcie: fix duplicate pci_dev devices Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 062/449] Flush console log from kernel_power_off() Greg Kroah-Hartman
` (394 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+ace60642828c074eb913,
Lizhi Xu, Rafael J. Wysocki, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lizhi Xu <lizhi.xu@windriver.com>
[ Upstream commit 52323ed1444ea5c2a5f1754ea0a2d9c8c216ccdf ]
syzbot reported a deadlock in lock_system_sleep() (see below).
The write operation to "/sys/module/hibernate/parameters/compressor"
conflicts with the registration of ieee80211 device, resulting in a deadlock
when attempting to acquire system_transition_mutex under param_lock.
To avoid this deadlock, change hibernate_compressor_param_set() to use
mutex_trylock() for attempting to acquire system_transition_mutex and
return -EBUSY when it fails.
Task flags need not be saved or adjusted before calling
mutex_trylock(&system_transition_mutex) because the caller is not going
to end up waiting for this mutex and if it runs concurrently with system
suspend in progress, it will be frozen properly when it returns to user
space.
syzbot report:
syz-executor895/5833 is trying to acquire lock:
ffffffff8e0828c8 (system_transition_mutex){+.+.}-{4:4}, at: lock_system_sleep+0x87/0xa0 kernel/power/main.c:56
but task is already holding lock:
ffffffff8e07dc68 (param_lock){+.+.}-{4:4}, at: kernel_param_lock kernel/params.c:607 [inline]
ffffffff8e07dc68 (param_lock){+.+.}-{4:4}, at: param_attr_store+0xe6/0x300 kernel/params.c:586
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (param_lock){+.+.}-{4:4}:
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x19b/0xb10 kernel/locking/mutex.c:730
ieee80211_rate_control_ops_get net/mac80211/rate.c:220 [inline]
rate_control_alloc net/mac80211/rate.c:266 [inline]
ieee80211_init_rate_ctrl_alg+0x18d/0x6b0 net/mac80211/rate.c:1015
ieee80211_register_hw+0x20cd/0x4060 net/mac80211/main.c:1531
mac80211_hwsim_new_radio+0x304e/0x54e0 drivers/net/wireless/virtual/mac80211_hwsim.c:5558
init_mac80211_hwsim+0x432/0x8c0 drivers/net/wireless/virtual/mac80211_hwsim.c:6910
do_one_initcall+0x128/0x700 init/main.c:1257
do_initcall_level init/main.c:1319 [inline]
do_initcalls init/main.c:1335 [inline]
do_basic_setup init/main.c:1354 [inline]
kernel_init_freeable+0x5c7/0x900 init/main.c:1568
kernel_init+0x1c/0x2b0 init/main.c:1457
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
-> #2 (rtnl_mutex){+.+.}-{4:4}:
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x19b/0xb10 kernel/locking/mutex.c:730
wg_pm_notification drivers/net/wireguard/device.c:80 [inline]
wg_pm_notification+0x49/0x180 drivers/net/wireguard/device.c:64
notifier_call_chain+0xb7/0x410 kernel/notifier.c:85
notifier_call_chain_robust kernel/notifier.c:120 [inline]
blocking_notifier_call_chain_robust kernel/notifier.c:345 [inline]
blocking_notifier_call_chain_robust+0xc9/0x170 kernel/notifier.c:333
pm_notifier_call_chain_robust+0x27/0x60 kernel/power/main.c:102
snapshot_open+0x189/0x2b0 kernel/power/user.c:77
misc_open+0x35a/0x420 drivers/char/misc.c:179
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x735/0x1c40 fs/open.c:956
vfs_open+0x82/0x3f0 fs/open.c:1086
do_open fs/namei.c:3830 [inline]
path_openat+0x1e88/0x2d80 fs/namei.c:3989
do_filp_open+0x20c/0x470 fs/namei.c:4016
do_sys_openat2+0x17a/0x1e0 fs/open.c:1428
do_sys_open fs/open.c:1443 [inline]
__do_sys_openat fs/open.c:1459 [inline]
__se_sys_openat fs/open.c:1454 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1454
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #1 ((pm_chain_head).rwsem){++++}-{4:4}:
down_read+0x9a/0x330 kernel/locking/rwsem.c:1524
blocking_notifier_call_chain_robust kernel/notifier.c:344 [inline]
blocking_notifier_call_chain_robust+0xa9/0x170 kernel/notifier.c:333
pm_notifier_call_chain_robust+0x27/0x60 kernel/power/main.c:102
snapshot_open+0x189/0x2b0 kernel/power/user.c:77
misc_open+0x35a/0x420 drivers/char/misc.c:179
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x735/0x1c40 fs/open.c:956
vfs_open+0x82/0x3f0 fs/open.c:1086
do_open fs/namei.c:3830 [inline]
path_openat+0x1e88/0x2d80 fs/namei.c:3989
do_filp_open+0x20c/0x470 fs/namei.c:4016
do_sys_openat2+0x17a/0x1e0 fs/open.c:1428
do_sys_open fs/open.c:1443 [inline]
__do_sys_openat fs/open.c:1459 [inline]
__se_sys_openat fs/open.c:1454 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1454
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (system_transition_mutex){+.+.}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3163 [inline]
check_prevs_add kernel/locking/lockdep.c:3282 [inline]
validate_chain kernel/locking/lockdep.c:3906 [inline]
__lock_acquire+0x249e/0x3c40 kernel/locking/lockdep.c:5228
lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5851
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0x19b/0xb10 kernel/locking/mutex.c:730
lock_system_sleep+0x87/0xa0 kernel/power/main.c:56
hibernate_compressor_param_set+0x1c/0x210 kernel/power/hibernate.c:1452
param_attr_store+0x18f/0x300 kernel/params.c:588
module_attr_store+0x55/0x80 kernel/params.c:924
sysfs_kf_write+0x117/0x170 fs/sysfs/file.c:139
kernfs_fop_write_iter+0x33d/0x500 fs/kernfs/file.c:334
new_sync_write fs/read_write.c:586 [inline]
vfs_write+0x5ae/0x1150 fs/read_write.c:679
ksys_write+0x12b/0x250 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Chain exists of:
system_transition_mutex --> rtnl_mutex --> param_lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(param_lock);
lock(rtnl_mutex);
lock(param_lock);
lock(system_transition_mutex);
*** DEADLOCK ***
Reported-by: syzbot+ace60642828c074eb913@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ace60642828c074eb913
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
Link: https://patch.msgid.link/20250224013139.3994500-1-lizhi.xu@windriver.com
[ rjw: New subject matching the code changes, changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/power/hibernate.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index 10a01af63a807..b129ed1d25a8a 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -1446,10 +1446,10 @@ static const char * const comp_alg_enabled[] = {
static int hibernate_compressor_param_set(const char *compressor,
const struct kernel_param *kp)
{
- unsigned int sleep_flags;
int index, ret;
- sleep_flags = lock_system_sleep();
+ if (!mutex_trylock(&system_transition_mutex))
+ return -EBUSY;
index = sysfs_match_string(comp_alg_enabled, compressor);
if (index >= 0) {
@@ -1461,7 +1461,7 @@ static int hibernate_compressor_param_set(const char *compressor,
ret = index;
}
- unlock_system_sleep(sleep_flags);
+ mutex_unlock(&system_transition_mutex);
if (ret)
pr_debug("Cannot set specified compressor %s\n",
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 062/449] Flush console log from kernel_power_off()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 061/449] PM: hibernate: Avoid deadlock in hibernate_compressor_param_set() Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 063/449] cpufreq/amd-pstate: Invalidate cppc_req_cached during suspend Greg Kroah-Hartman
` (393 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul E. McKenney, John Ogness,
Petr Mladek, Steven Rostedt, Sergey Senozhatsky, Boqun Feng,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul E. McKenney <paulmck@kernel.org>
[ Upstream commit 6ea9a1781c70a8be1fcdc49134fc1bf4baba8bca ]
Kernels built with CONFIG_PREEMPT_RT=y can lose significant console output
and shutdown time, which hides shutdown-time RCU issues from rcutorture.
Therefore, make pr_flush() public and invoke it after then last print
in kernel_power_off().
[ paulmck: Apply John Ogness feedback. ]
[ paulmck: Appy Sebastian Andrzej Siewior feedback. ]
[ paulmck: Apply kernel test robot feedback. ]
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Reviewed-by: John Ogness <john.ogness@linutronix.de>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Link: https://lore.kernel.org/r/5f743488-dc2a-4f19-bdda-cf50b9314832@paulmck-laptop
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/printk.h | 6 ++++++
kernel/printk/printk.c | 4 +---
kernel/reboot.c | 1 +
3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/include/linux/printk.h b/include/linux/printk.h
index 4217a9f412b26..5b462029d03c1 100644
--- a/include/linux/printk.h
+++ b/include/linux/printk.h
@@ -207,6 +207,7 @@ void printk_legacy_allow_panic_sync(void);
extern bool nbcon_device_try_acquire(struct console *con);
extern void nbcon_device_release(struct console *con);
void nbcon_atomic_flush_unsafe(void);
+bool pr_flush(int timeout_ms, bool reset_on_progress);
#else
static inline __printf(1, 0)
int vprintk(const char *s, va_list args)
@@ -315,6 +316,11 @@ static inline void nbcon_atomic_flush_unsafe(void)
{
}
+static inline bool pr_flush(int timeout_ms, bool reset_on_progress)
+{
+ return true;
+}
+
#endif
bool this_cpu_in_panic(void);
diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
index 07668433644b8..057db78876cd9 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -2461,7 +2461,6 @@ asmlinkage __visible int _printk(const char *fmt, ...)
}
EXPORT_SYMBOL(_printk);
-static bool pr_flush(int timeout_ms, bool reset_on_progress);
static bool __pr_flush(struct console *con, int timeout_ms, bool reset_on_progress);
#else /* CONFIG_PRINTK */
@@ -2474,7 +2473,6 @@ static bool __pr_flush(struct console *con, int timeout_ms, bool reset_on_progre
static u64 syslog_seq;
-static bool pr_flush(int timeout_ms, bool reset_on_progress) { return true; }
static bool __pr_flush(struct console *con, int timeout_ms, bool reset_on_progress) { return true; }
#endif /* CONFIG_PRINTK */
@@ -4466,7 +4464,7 @@ static bool __pr_flush(struct console *con, int timeout_ms, bool reset_on_progre
* Context: Process context. May sleep while acquiring console lock.
* Return: true if all usable printers are caught up.
*/
-static bool pr_flush(int timeout_ms, bool reset_on_progress)
+bool pr_flush(int timeout_ms, bool reset_on_progress)
{
return __pr_flush(NULL, timeout_ms, reset_on_progress);
}
diff --git a/kernel/reboot.c b/kernel/reboot.c
index f348f1ba9e226..9461b6b0baa3a 100644
--- a/kernel/reboot.c
+++ b/kernel/reboot.c
@@ -704,6 +704,7 @@ void kernel_power_off(void)
migrate_to_reboot_cpu();
syscore_shutdown();
pr_emerg("Power down\n");
+ pr_flush(1000, true);
kmsg_dump(KMSG_DUMP_SHUTDOWN);
machine_power_off();
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 063/449] cpufreq/amd-pstate: Invalidate cppc_req_cached during suspend
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 062/449] Flush console log from kernel_power_off() Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 064/449] arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD Greg Kroah-Hartman
` (392 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gautham R. Shenoy, Dhananjay Ugwekar,
Miroslav Pavleski, Mario Limonciello, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit b7a41156588ad03757bf0a2f0e05d6cbcebeaa9e ]
During resume it's possible the firmware didn't restore the CPPC request
MSR but the kernel thinks the values line up. This leads to incorrect
performance after resume from suspend.
To fix the issue invalidate the cached value at suspend. During resume use
the saved values programmed as cached limits.
Reviewed-by: Gautham R. Shenoy <gautham.shenoy@amd.com>
Reviewed-by: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
Reported-by: Miroslav Pavleski <miroslav@pavleski.net>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217931
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/amd-pstate.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/cpufreq/amd-pstate.c b/drivers/cpufreq/amd-pstate.c
index bd63837eabb4e..1b26845703f68 100644
--- a/drivers/cpufreq/amd-pstate.c
+++ b/drivers/cpufreq/amd-pstate.c
@@ -1619,7 +1619,7 @@ static int amd_pstate_epp_reenable(struct cpufreq_policy *policy)
max_perf, policy->boost_enabled);
}
- return amd_pstate_update_perf(cpudata, 0, 0, max_perf, cpudata->epp_cached, false);
+ return amd_pstate_epp_update_limit(policy);
}
static int amd_pstate_epp_cpu_online(struct cpufreq_policy *policy)
@@ -1668,6 +1668,9 @@ static int amd_pstate_epp_suspend(struct cpufreq_policy *policy)
if (cppc_state != AMD_PSTATE_ACTIVE)
return 0;
+ /* invalidate to ensure it's rewritten during resume */
+ cpudata->cppc_req_cached = 0;
+
/* set this flag to avoid setting core offline*/
cpudata->suspended = true;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 064/449] arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 063/449] cpufreq/amd-pstate: Invalidate cppc_req_cached during suspend Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 065/449] xen/mcelog: Add __nonstring annotations for unterminated strings Greg Kroah-Hartman
` (391 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Douglas Anderson,
Trilok Soni, Catalin Marinas, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
[ Upstream commit 401c3333bb2396aa52e4121887a6f6a6e2f040bc ]
Add a definition for the Qualcomm Kryo 300-series Gold cores.
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Acked-by: Trilok Soni <quic_tsoni@quicinc.com>
Link: https://lore.kernel.org/r/20241219131107.v3.1.I18e0288742871393228249a768e5d56ea65d93dc@changeid
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/cputype.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h
index 6f3f4142e214f..c2da1661a44e6 100644
--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -119,6 +119,7 @@
#define QCOM_CPU_PART_KRYO 0x200
#define QCOM_CPU_PART_KRYO_2XX_GOLD 0x800
#define QCOM_CPU_PART_KRYO_2XX_SILVER 0x801
+#define QCOM_CPU_PART_KRYO_3XX_GOLD 0x802
#define QCOM_CPU_PART_KRYO_3XX_SILVER 0x803
#define QCOM_CPU_PART_KRYO_4XX_GOLD 0x804
#define QCOM_CPU_PART_KRYO_4XX_SILVER 0x805
@@ -196,6 +197,7 @@
#define MIDR_QCOM_KRYO MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO)
#define MIDR_QCOM_KRYO_2XX_GOLD MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_2XX_GOLD)
#define MIDR_QCOM_KRYO_2XX_SILVER MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_2XX_SILVER)
+#define MIDR_QCOM_KRYO_3XX_GOLD MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_3XX_GOLD)
#define MIDR_QCOM_KRYO_3XX_SILVER MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_3XX_SILVER)
#define MIDR_QCOM_KRYO_4XX_GOLD MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_4XX_GOLD)
#define MIDR_QCOM_KRYO_4XX_SILVER MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_4XX_SILVER)
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 065/449] xen/mcelog: Add __nonstring annotations for unterminated strings
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 064/449] arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 066/449] zstd: Increase DYNAMIC_BMI2 GCC version cutoff from 4.8 to 11.0 to work around compiler segfault Greg Kroah-Hartman
` (390 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Juergen Gross, Stefano Stabellini,
Oleksandr Tyshchenko, xen-devel, Kees Cook, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit 1c3dfc7c6b0f551fdca3f7c1f1e4c73be8adb17d ]
When a character array without a terminating NUL character has a static
initializer, GCC 15's -Wunterminated-string-initialization will only
warn if the array lacks the "nonstring" attribute[1]. Mark the arrays
with __nonstring to and correctly identify the char array as "not a C
string" and thereby eliminate the warning.
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117178 [1]
Cc: Juergen Gross <jgross@suse.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>
Cc: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
Cc: xen-devel@lists.xenproject.org
Signed-off-by: Kees Cook <kees@kernel.org>
Acked-by: Juergen Gross <jgross@suse.com>
Message-ID: <20250310222234.work.473-kees@kernel.org>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/xen/interface/xen-mca.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/xen/interface/xen-mca.h b/include/xen/interface/xen-mca.h
index 464aa6b3a5f92..1c9afbe8cc260 100644
--- a/include/xen/interface/xen-mca.h
+++ b/include/xen/interface/xen-mca.h
@@ -372,7 +372,7 @@ struct xen_mce {
#define XEN_MCE_LOG_LEN 32
struct xen_mce_log {
- char signature[12]; /* "MACHINECHECK" */
+ char signature[12] __nonstring; /* "MACHINECHECK" */
unsigned len; /* = XEN_MCE_LOG_LEN */
unsigned next;
unsigned flags;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 066/449] zstd: Increase DYNAMIC_BMI2 GCC version cutoff from 4.8 to 11.0 to work around compiler segfault
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 065/449] xen/mcelog: Add __nonstring annotations for unterminated strings Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 067/449] tracing: Disable branch profiling in noinstr code Greg Kroah-Hartman
` (389 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Kelley, Ingo Molnar,
Linus Torvalds, Sasha Levin, Ard Biesheuvel,
//lore.kernel.org/r/SN6PR02MB415723FBCD79365E8D72CA5FD4D82
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ingo Molnar <mingo@kernel.org>
[ Upstream commit 1400c87e6cac47eb243f260352c854474d9a9073 ]
Due to pending percpu improvements in -next, GCC9 and GCC10 are
crashing during the build with:
lib/zstd/compress/huf_compress.c:1033:1: internal compiler error: Segmentation fault
1033 | {
| ^
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-9/README.Bugs> for instructions.
The DYNAMIC_BMI2 feature is a known-challenging feature of
the ZSTD library, with an existing GCC quirk turning it off
for GCC versions below 4.8.
Increase the DYNAMIC_BMI2 version cutoff to GCC 11.0 - GCC 10.5
is the last version known to crash.
Reported-by: Michael Kelley <mhklinux@outlook.com>
Debugged-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: https://lore.kernel.org/r/SN6PR02MB415723FBCD79365E8D72CA5FD4D82@SN6PR02MB4157.namprd02.prod.outlook.com
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/zstd/common/portability_macros.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/zstd/common/portability_macros.h b/lib/zstd/common/portability_macros.h
index 0e3b2c0a527db..0dde8bf56595e 100644
--- a/lib/zstd/common/portability_macros.h
+++ b/lib/zstd/common/portability_macros.h
@@ -55,7 +55,7 @@
#ifndef DYNAMIC_BMI2
#if ((defined(__clang__) && __has_attribute(__target__)) \
|| (defined(__GNUC__) \
- && (__GNUC__ >= 5 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 8)))) \
+ && (__GNUC__ >= 11))) \
&& (defined(__x86_64__) || defined(_M_X64)) \
&& !defined(__BMI2__)
# define DYNAMIC_BMI2 1
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 067/449] tracing: Disable branch profiling in noinstr code
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 066/449] zstd: Increase DYNAMIC_BMI2 GCC version cutoff from 4.8 to 11.0 to work around compiler segfault Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 068/449] platform/chrome: cros_ec_lpc: Match on Framework ACPI device Greg Kroah-Hartman
` (388 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ingo Molnar, Steven Rostedt,
Josh Poimboeuf, Thomas Gleixner, Linus Torvalds, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Poimboeuf <jpoimboe@kernel.org>
[ Upstream commit 2cbb20b008dba39893f0e296dc8ca312f40a9a0e ]
CONFIG_TRACE_BRANCH_PROFILING inserts a call to ftrace_likely_update()
for each use of likely() or unlikely(). That breaks noinstr rules if
the affected function is annotated as noinstr.
Disable branch profiling for files with noinstr functions. In addition
to some individual files, this also includes the entire arch/x86
subtree, as well as the kernel/entry, drivers/cpuidle, and drivers/idle
directories, all of which are noinstr-heavy.
Due to the nature of how sched binaries are built by combining multiple
.c files into one, branch profiling is disabled more broadly across the
sched code than would otherwise be needed.
This fixes many warnings like the following:
vmlinux.o: warning: objtool: do_syscall_64+0x40: call to ftrace_likely_update() leaves .noinstr.text section
vmlinux.o: warning: objtool: __rdgsbase_inactive+0x33: call to ftrace_likely_update() leaves .noinstr.text section
vmlinux.o: warning: objtool: handle_bug.isra.0+0x198: call to ftrace_likely_update() leaves .noinstr.text section
...
Reported-by: Ingo Molnar <mingo@kernel.org>
Suggested-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/r/fb94fc9303d48a5ed370498f54500cc4c338eb6d.1742586676.git.jpoimboe@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/Kbuild | 4 ++++
arch/x86/coco/sev/core.c | 2 --
arch/x86/kernel/head64.c | 2 --
arch/x86/mm/kasan_init_64.c | 1 -
arch/x86/mm/mem_encrypt_amd.c | 2 --
arch/x86/mm/mem_encrypt_identity.c | 2 --
drivers/acpi/Makefile | 4 ++++
drivers/cpuidle/Makefile | 3 +++
drivers/idle/Makefile | 5 ++++-
kernel/Makefile | 5 +++++
kernel/entry/Makefile | 3 +++
kernel/sched/Makefile | 5 +++++
kernel/time/Makefile | 6 ++++++
lib/Makefile | 5 +++++
14 files changed, 39 insertions(+), 10 deletions(-)
diff --git a/arch/x86/Kbuild b/arch/x86/Kbuild
index cf0ad89f5639d..f7fb3d88c57bd 100644
--- a/arch/x86/Kbuild
+++ b/arch/x86/Kbuild
@@ -1,4 +1,8 @@
# SPDX-License-Identifier: GPL-2.0
+
+# Branch profiling isn't noinstr-safe. Disable it for arch/x86/*
+subdir-ccflags-$(CONFIG_TRACE_BRANCH_PROFILING) += -DDISABLE_BRANCH_PROFILING
+
obj-$(CONFIG_ARCH_HAS_CC_PLATFORM) += coco/
obj-y += entry/
diff --git a/arch/x86/coco/sev/core.c b/arch/x86/coco/sev/core.c
index 96c7bc698e6b6..d14bce0f82cc5 100644
--- a/arch/x86/coco/sev/core.c
+++ b/arch/x86/coco/sev/core.c
@@ -9,8 +9,6 @@
#define pr_fmt(fmt) "SEV: " fmt
-#define DISABLE_BRANCH_PROFILING
-
#include <linux/sched/debug.h> /* For show_regs() */
#include <linux/percpu-defs.h>
#include <linux/cc_platform.h>
diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c
index 22c9ba305ac17..368157a7f6d21 100644
--- a/arch/x86/kernel/head64.c
+++ b/arch/x86/kernel/head64.c
@@ -5,8 +5,6 @@
* Copyright (C) 2000 Andrea Arcangeli <andrea@suse.de> SuSE
*/
-#define DISABLE_BRANCH_PROFILING
-
/* cpu_feature_enabled() cannot be used this early */
#define USE_EARLY_PGTABLE_L5
diff --git a/arch/x86/mm/kasan_init_64.c b/arch/x86/mm/kasan_init_64.c
index 9dddf19a55716..0539efd0d216b 100644
--- a/arch/x86/mm/kasan_init_64.c
+++ b/arch/x86/mm/kasan_init_64.c
@@ -1,5 +1,4 @@
// SPDX-License-Identifier: GPL-2.0
-#define DISABLE_BRANCH_PROFILING
#define pr_fmt(fmt) "kasan: " fmt
/* cpu_feature_enabled() cannot be used this early */
diff --git a/arch/x86/mm/mem_encrypt_amd.c b/arch/x86/mm/mem_encrypt_amd.c
index b56c5c073003d..7490ff6d83b1b 100644
--- a/arch/x86/mm/mem_encrypt_amd.c
+++ b/arch/x86/mm/mem_encrypt_amd.c
@@ -7,8 +7,6 @@
* Author: Tom Lendacky <thomas.lendacky@amd.com>
*/
-#define DISABLE_BRANCH_PROFILING
-
#include <linux/linkage.h>
#include <linux/init.h>
#include <linux/mm.h>
diff --git a/arch/x86/mm/mem_encrypt_identity.c b/arch/x86/mm/mem_encrypt_identity.c
index 9fce5b87b8c50..5eecdd92da105 100644
--- a/arch/x86/mm/mem_encrypt_identity.c
+++ b/arch/x86/mm/mem_encrypt_identity.c
@@ -7,8 +7,6 @@
* Author: Tom Lendacky <thomas.lendacky@amd.com>
*/
-#define DISABLE_BRANCH_PROFILING
-
/*
* Since we're dealing with identity mappings, physical and virtual
* addresses are the same, so override these defines which are ultimately
diff --git a/drivers/acpi/Makefile b/drivers/acpi/Makefile
index 40208a0f5dfb5..797070fc9a3f4 100644
--- a/drivers/acpi/Makefile
+++ b/drivers/acpi/Makefile
@@ -5,6 +5,10 @@
ccflags-$(CONFIG_ACPI_DEBUG) += -DACPI_DEBUG_OUTPUT
+ifdef CONFIG_TRACE_BRANCH_PROFILING
+CFLAGS_processor_idle.o += -DDISABLE_BRANCH_PROFILING
+endif
+
#
# ACPI Boot-Time Table Parsing
#
diff --git a/drivers/cpuidle/Makefile b/drivers/cpuidle/Makefile
index d103342b7cfc2..1de9e92c5b0fc 100644
--- a/drivers/cpuidle/Makefile
+++ b/drivers/cpuidle/Makefile
@@ -3,6 +3,9 @@
# Makefile for cpuidle.
#
+# Branch profiling isn't noinstr-safe
+ccflags-$(CONFIG_TRACE_BRANCH_PROFILING) += -DDISABLE_BRANCH_PROFILING
+
obj-y += cpuidle.o driver.o governor.o sysfs.o governors/
obj-$(CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED) += coupled.o
obj-$(CONFIG_DT_IDLE_STATES) += dt_idle_states.o
diff --git a/drivers/idle/Makefile b/drivers/idle/Makefile
index 0a3c375100797..a34af1ba09bdb 100644
--- a/drivers/idle/Makefile
+++ b/drivers/idle/Makefile
@@ -1,3 +1,6 @@
# SPDX-License-Identifier: GPL-2.0-only
-obj-$(CONFIG_INTEL_IDLE) += intel_idle.o
+# Branch profiling isn't noinstr-safe
+ccflags-$(CONFIG_TRACE_BRANCH_PROFILING) += -DDISABLE_BRANCH_PROFILING
+
+obj-$(CONFIG_INTEL_IDLE) += intel_idle.o
diff --git a/kernel/Makefile b/kernel/Makefile
index 87866b037fbed..434929de17ef2 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -21,6 +21,11 @@ ifdef CONFIG_FUNCTION_TRACER
CFLAGS_REMOVE_irq_work.o = $(CC_FLAGS_FTRACE)
endif
+# Branch profiling isn't noinstr-safe
+ifdef CONFIG_TRACE_BRANCH_PROFILING
+CFLAGS_context_tracking.o += -DDISABLE_BRANCH_PROFILING
+endif
+
# Prevents flicker of uninteresting __do_softirq()/__local_bh_disable_ip()
# in coverage traces.
KCOV_INSTRUMENT_softirq.o := n
diff --git a/kernel/entry/Makefile b/kernel/entry/Makefile
index 095c775e001e2..d4b8bd0af79b0 100644
--- a/kernel/entry/Makefile
+++ b/kernel/entry/Makefile
@@ -6,6 +6,9 @@ KASAN_SANITIZE := n
UBSAN_SANITIZE := n
KCOV_INSTRUMENT := n
+# Branch profiling isn't noinstr-safe
+ccflags-$(CONFIG_TRACE_BRANCH_PROFILING) += -DDISABLE_BRANCH_PROFILING
+
CFLAGS_REMOVE_common.o = -fstack-protector -fstack-protector-strong
CFLAGS_common.o += -fno-stack-protector
diff --git a/kernel/sched/Makefile b/kernel/sched/Makefile
index 976092b7bd452..8ae86371ddcdd 100644
--- a/kernel/sched/Makefile
+++ b/kernel/sched/Makefile
@@ -22,6 +22,11 @@ ifneq ($(CONFIG_SCHED_OMIT_FRAME_POINTER),y)
CFLAGS_core.o := $(PROFILING) -fno-omit-frame-pointer
endif
+# Branch profiling isn't noinstr-safe
+ifdef CONFIG_TRACE_BRANCH_PROFILING
+CFLAGS_build_policy.o += -DDISABLE_BRANCH_PROFILING
+CFLAGS_build_utility.o += -DDISABLE_BRANCH_PROFILING
+endif
#
# Build efficiency:
#
diff --git a/kernel/time/Makefile b/kernel/time/Makefile
index fe0ae82124fe7..e6e9b85d4db5f 100644
--- a/kernel/time/Makefile
+++ b/kernel/time/Makefile
@@ -1,4 +1,10 @@
# SPDX-License-Identifier: GPL-2.0
+
+# Branch profiling isn't noinstr-safe
+ifdef CONFIG_TRACE_BRANCH_PROFILING
+CFLAGS_sched_clock.o += -DDISABLE_BRANCH_PROFILING
+endif
+
obj-y += time.o timer.o hrtimer.o sleep_timeout.o
obj-y += timekeeping.o ntp.o clocksource.o jiffies.o timer_list.o
obj-y += timeconv.o timecounter.o alarmtimer.o
diff --git a/lib/Makefile b/lib/Makefile
index d5cfc7afbbb82..4f3d00a2fd659 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -5,6 +5,11 @@
ccflags-remove-$(CONFIG_FUNCTION_TRACER) += $(CC_FLAGS_FTRACE)
+# Branch profiling isn't noinstr-safe
+ifdef CONFIG_TRACE_BRANCH_PROFILING
+CFLAGS_smp_processor_id.o += -DDISABLE_BRANCH_PROFILING
+endif
+
# These files are disabled because they produce lots of non-interesting and/or
# flaky coverage that is not a function of syscall inputs. For example,
# rbtree can be global and individual rotations don't correlate with inputs.
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 068/449] platform/chrome: cros_ec_lpc: Match on Framework ACPI device
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 067/449] tracing: Disable branch profiling in noinstr code Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 069/449] ASoC: SOF: topology: Use krealloc_array() to replace krealloc() Greg Kroah-Hartman
` (387 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tzung-Bi Shih, linux,
Dustin L. Howett, Daniel Schaefer, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Schaefer <dhs@frame.work>
[ Upstream commit d83c45aeec9b223fe6db4175e9d1c4f5699cc37a ]
Load the cros_ec_lpc driver based on a Framework FRMWC004 ACPI device,
which mirrors GOOG0004, but also applies npcx quirks for Framework
systems.
Matching on ACPI will let us avoid having to change the SMBIOS match
rules again and again.
Cc: Tzung-Bi Shih <tzungbi@kernel.org>
Cc: linux@frame.work
Cc: Dustin L. Howett <dustin@howett.net>
Signed-off-by: Daniel Schaefer <dhs@frame.work>
Link: https://lore.kernel.org/r/20250128181329.8070-1-dhs@frame.work
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/chrome/cros_ec_lpc.c | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/drivers/platform/chrome/cros_ec_lpc.c b/drivers/platform/chrome/cros_ec_lpc.c
index 5a2f1d98b3501..be319949b9415 100644
--- a/drivers/platform/chrome/cros_ec_lpc.c
+++ b/drivers/platform/chrome/cros_ec_lpc.c
@@ -30,6 +30,7 @@
#define DRV_NAME "cros_ec_lpcs"
#define ACPI_DRV_NAME "GOOG0004"
+#define FRMW_ACPI_DRV_NAME "FRMWC004"
/* True if ACPI device is present */
static bool cros_ec_lpc_acpi_device_found;
@@ -514,7 +515,7 @@ static int cros_ec_lpc_probe(struct platform_device *pdev)
acpi_status status;
struct cros_ec_device *ec_dev;
struct cros_ec_lpc *ec_lpc;
- struct lpc_driver_data *driver_data;
+ const struct lpc_driver_data *driver_data;
u8 buf[2] = {};
int irq, ret;
u32 quirks;
@@ -526,6 +527,9 @@ static int cros_ec_lpc_probe(struct platform_device *pdev)
ec_lpc->mmio_memory_base = EC_LPC_ADDR_MEMMAP;
driver_data = platform_get_drvdata(pdev);
+ if (!driver_data)
+ driver_data = acpi_device_get_match_data(dev);
+
if (driver_data) {
quirks = driver_data->quirks;
@@ -696,12 +700,6 @@ static void cros_ec_lpc_remove(struct platform_device *pdev)
cros_ec_unregister(ec_dev);
}
-static const struct acpi_device_id cros_ec_lpc_acpi_device_ids[] = {
- { ACPI_DRV_NAME, 0 },
- { }
-};
-MODULE_DEVICE_TABLE(acpi, cros_ec_lpc_acpi_device_ids);
-
static const struct lpc_driver_data framework_laptop_npcx_lpc_driver_data __initconst = {
.quirks = CROS_EC_LPC_QUIRK_REMAP_MEMORY,
.quirk_mmio_memory_base = 0xE00,
@@ -713,6 +711,13 @@ static const struct lpc_driver_data framework_laptop_mec_lpc_driver_data __initc
.quirk_aml_mutex_name = "ECMT",
};
+static const struct acpi_device_id cros_ec_lpc_acpi_device_ids[] = {
+ { ACPI_DRV_NAME, 0 },
+ { FRMW_ACPI_DRV_NAME, (kernel_ulong_t)&framework_laptop_npcx_lpc_driver_data },
+ { }
+};
+MODULE_DEVICE_TABLE(acpi, cros_ec_lpc_acpi_device_ids);
+
static const struct dmi_system_id cros_ec_lpc_dmi_table[] __initconst = {
{
/*
@@ -866,7 +871,8 @@ static int __init cros_ec_lpc_init(void)
int ret;
const struct dmi_system_id *dmi_match;
- cros_ec_lpc_acpi_device_found = !!cros_ec_lpc_get_device(ACPI_DRV_NAME);
+ cros_ec_lpc_acpi_device_found = !!cros_ec_lpc_get_device(ACPI_DRV_NAME) ||
+ !!cros_ec_lpc_get_device(FRMW_ACPI_DRV_NAME);
dmi_match = dmi_first_match(cros_ec_lpc_dmi_table);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 069/449] ASoC: SOF: topology: Use krealloc_array() to replace krealloc()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 068/449] platform/chrome: cros_ec_lpc: Match on Framework ACPI device Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 070/449] HID: pidff: Convert infinite length from Linux API to PID standard Greg Kroah-Hartman
` (386 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Heng, Mark Brown, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Heng <zhangheng@kylinos.cn>
[ Upstream commit a05143a8f713d9ae6abc41141dac52c66fca8b06 ]
Use krealloc_array() to replace krealloc() with multiplication.
krealloc_array() has multiply overflow check, which will be safer.
Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
Link: https://patch.msgid.link/20250117014343.451503-1-zhangheng@kylinos.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/topology.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
index 688cc7ac17148..dc9cb83240678 100644
--- a/sound/soc/sof/topology.c
+++ b/sound/soc/sof/topology.c
@@ -1273,8 +1273,8 @@ static int sof_widget_parse_tokens(struct snd_soc_component *scomp, struct snd_s
struct snd_sof_tuple *new_tuples;
num_tuples += token_list[object_token_list[i]].count * (num_sets - 1);
- new_tuples = krealloc(swidget->tuples,
- sizeof(*new_tuples) * num_tuples, GFP_KERNEL);
+ new_tuples = krealloc_array(swidget->tuples,
+ num_tuples, sizeof(*new_tuples), GFP_KERNEL);
if (!new_tuples) {
ret = -ENOMEM;
goto err;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 070/449] HID: pidff: Convert infinite length from Linux API to PID standard
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 069/449] ASoC: SOF: topology: Use krealloc_array() to replace krealloc() Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 071/449] HID: pidff: Do not send effect envelope if its empty Greg Kroah-Hartman
` (385 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Makarenko Oleg, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit 37e0591fe44dce39d1ebc7a82d5b6e4dba1582eb ]
Software uses 0 as de-facto infinite lenght on Linux FF apis (SDL),
Linux doesn't actually define anythi as of now, while USB PID defines
NULL (0xffff). Most PID devices do not expect a 0-length effect and
can't interpret it as infinite. This change fixes Force Feedback for
most PID compliant devices.
As most games depend on updating the values of already playing infinite
effects, this is crucial to ensure they will actually work.
Previously, users had to rely on third-party software to do this conversion
and make their PID devices usable.
Co-developed-by: Makarenko Oleg <oleg@makarenk.ooo>
Signed-off-by: Makarenko Oleg <oleg@makarenk.ooo>
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 3b4ee21cd8111..5fe4422bb5bad 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -21,6 +21,7 @@
#include "usbhid.h"
#define PID_EFFECTS_MAX 64
+#define PID_INFINITE 0xffff
/* Report usage table used to put reports into an array */
@@ -301,7 +302,12 @@ static void pidff_set_effect_report(struct pidff_device *pidff,
pidff->block_load[PID_EFFECT_BLOCK_INDEX].value[0];
pidff->set_effect_type->value[0] =
pidff->create_new_effect_type->value[0];
- pidff->set_effect[PID_DURATION].value[0] = effect->replay.length;
+
+ /* Convert infinite length from Linux API (0)
+ to PID standard (NULL) if needed */
+ pidff->set_effect[PID_DURATION].value[0] =
+ effect->replay.length == 0 ? PID_INFINITE : effect->replay.length;
+
pidff->set_effect[PID_TRIGGER_BUTTON].value[0] = effect->trigger.button;
pidff->set_effect[PID_TRIGGER_REPEAT_INT].value[0] =
effect->trigger.interval;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 071/449] HID: pidff: Do not send effect envelope if its empty
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 070/449] HID: pidff: Convert infinite length from Linux API to PID standard Greg Kroah-Hartman
@ 2025-04-17 17:45 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 072/449] HID: pidff: Add MISSING_DELAY quirk and its detection Greg Kroah-Hartman
` (384 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit 8876fc1884f5b39550c8387ff3176396c988541d ]
Envelope struct is always initialized, but the envelope itself is
optional as described in USB PID Device class definition 1.0.
5.1.1.1 Type Specific Block Offsets
...
4) Effects that do not use Condition Blocks use 1 Parameter Block and
an *optional* Envelope Block.
Sending out "empty" envelope breaks force feedback on some devices with
games that use SINE effect + offset to emulate constant force effect, as
well as generally breaking Constant/Periodic effects. One of the affected
brands is Moza Racing.
This change prevents the envelope from being sent if it contains all
0 values while keeping the old behavior of only sending it, if it differs
from the old one.
Changes in v6:
- Simplify the checks to make them clearer
- Fix possible null pointer dereference while calling
pidff_needs_set_envelope
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 42 +++++++++++++++++++---------------
1 file changed, 24 insertions(+), 18 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 5fe4422bb5bad..a01c1b2ab2f4c 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -262,10 +262,22 @@ static void pidff_set_envelope_report(struct pidff_device *pidff,
static int pidff_needs_set_envelope(struct ff_envelope *envelope,
struct ff_envelope *old)
{
- return envelope->attack_level != old->attack_level ||
- envelope->fade_level != old->fade_level ||
+ bool needs_new_envelope;
+ needs_new_envelope = envelope->attack_level != 0 ||
+ envelope->fade_level != 0 ||
+ envelope->attack_length != 0 ||
+ envelope->fade_length != 0;
+
+ if (!needs_new_envelope)
+ return false;
+
+ if (!old)
+ return needs_new_envelope;
+
+ return envelope->attack_level != old->attack_level ||
+ envelope->fade_level != old->fade_level ||
envelope->attack_length != old->attack_length ||
- envelope->fade_length != old->fade_length;
+ envelope->fade_length != old->fade_length;
}
/*
@@ -580,11 +592,9 @@ static int pidff_upload_effect(struct input_dev *dev, struct ff_effect *effect,
pidff_set_effect_report(pidff, effect);
if (!old || pidff_needs_set_constant(effect, old))
pidff_set_constant_force_report(pidff, effect);
- if (!old ||
- pidff_needs_set_envelope(&effect->u.constant.envelope,
- &old->u.constant.envelope))
- pidff_set_envelope_report(pidff,
- &effect->u.constant.envelope);
+ if (pidff_needs_set_envelope(&effect->u.constant.envelope,
+ old ? &old->u.constant.envelope : NULL))
+ pidff_set_envelope_report(pidff, &effect->u.constant.envelope);
break;
case FF_PERIODIC:
@@ -619,11 +629,9 @@ static int pidff_upload_effect(struct input_dev *dev, struct ff_effect *effect,
pidff_set_effect_report(pidff, effect);
if (!old || pidff_needs_set_periodic(effect, old))
pidff_set_periodic_report(pidff, effect);
- if (!old ||
- pidff_needs_set_envelope(&effect->u.periodic.envelope,
- &old->u.periodic.envelope))
- pidff_set_envelope_report(pidff,
- &effect->u.periodic.envelope);
+ if (pidff_needs_set_envelope(&effect->u.periodic.envelope,
+ old ? &old->u.periodic.envelope : NULL))
+ pidff_set_envelope_report(pidff, &effect->u.periodic.envelope);
break;
case FF_RAMP:
@@ -637,11 +645,9 @@ static int pidff_upload_effect(struct input_dev *dev, struct ff_effect *effect,
pidff_set_effect_report(pidff, effect);
if (!old || pidff_needs_set_ramp(effect, old))
pidff_set_ramp_force_report(pidff, effect);
- if (!old ||
- pidff_needs_set_envelope(&effect->u.ramp.envelope,
- &old->u.ramp.envelope))
- pidff_set_envelope_report(pidff,
- &effect->u.ramp.envelope);
+ if (pidff_needs_set_envelope(&effect->u.ramp.envelope,
+ old ? &old->u.ramp.envelope : NULL))
+ pidff_set_envelope_report(pidff, &effect->u.ramp.envelope);
break;
case FF_SPRING:
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 072/449] HID: pidff: Add MISSING_DELAY quirk and its detection
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2025-04-17 17:45 ` [PATCH 6.14 071/449] HID: pidff: Do not send effect envelope if its empty Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 073/449] HID: pidff: Add MISSING_PBO " Greg Kroah-Hartman
` (383 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Makarenko Oleg, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit 2d5c7ce5bf4cc27db41632f357f682d0ee4518e7 ]
A lot of devices do not include this field, and it's seldom used in force
feedback implementations. I tested about three dozen applications and
none of them make use of the delay.
This fixes initialization of a lot of PID wheels like Cammus, VRS, FFBeast
This change has no effect on fully compliant devices
Co-developed-by: Makarenko Oleg <oleg@makarenk.ooo>
Signed-off-by: Makarenko Oleg <oleg@makarenk.ooo>
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 33 ++++++++++++++++++++++++++++-----
include/linux/hid.h | 3 +++
2 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index a01c1b2ab2f4c..929f5967e7cb1 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -185,6 +185,8 @@ struct pidff_device {
int operation_id[sizeof(pidff_effect_operation_status)];
int pid_id[PID_EFFECTS_MAX];
+
+ u32 quirks;
};
/*
@@ -329,7 +331,10 @@ static void pidff_set_effect_report(struct pidff_device *pidff,
pidff->effect_direction->value[0] =
pidff_rescale(effect->direction, 0xffff,
pidff->effect_direction);
- pidff->set_effect[PID_START_DELAY].value[0] = effect->replay.delay;
+
+ /* Omit setting delay field if it's missing */
+ if (!(pidff->quirks & HID_PIDFF_QUIRK_MISSING_DELAY))
+ pidff->set_effect[PID_START_DELAY].value[0] = effect->replay.delay;
hid_hw_request(pidff->hid, pidff->reports[PID_SET_EFFECT],
HID_REQ_SET_REPORT);
@@ -748,7 +753,10 @@ static void pidff_autocenter(struct pidff_device *pidff, u16 magnitude)
pidff->set_effect[PID_TRIGGER_REPEAT_INT].value[0] = 0;
pidff_set(&pidff->set_effect[PID_GAIN], magnitude);
pidff->set_effect[PID_DIRECTION_ENABLE].value[0] = 1;
- pidff->set_effect[PID_START_DELAY].value[0] = 0;
+
+ /* Omit setting delay field if it's missing */
+ if (!(pidff->quirks & HID_PIDFF_QUIRK_MISSING_DELAY))
+ pidff->set_effect[PID_START_DELAY].value[0] = 0;
hid_hw_request(pidff->hid, pidff->reports[PID_SET_EFFECT],
HID_REQ_SET_REPORT);
@@ -771,6 +779,7 @@ static int pidff_find_fields(struct pidff_usage *usage, const u8 *table,
struct hid_report *report, int count, int strict)
{
int i, j, k, found;
+ int return_value = 0;
for (k = 0; k < count; k++) {
found = 0;
@@ -795,12 +804,17 @@ static int pidff_find_fields(struct pidff_usage *usage, const u8 *table,
if (found)
break;
}
- if (!found && strict) {
+ if (!found && table[k] == pidff_set_effect[PID_START_DELAY]) {
+ pr_debug("Delay field not found, but that's OK\n");
+ pr_debug("Setting MISSING_DELAY quirk\n");
+ return_value |= HID_PIDFF_QUIRK_MISSING_DELAY;
+ }
+ else if (!found && strict) {
pr_debug("failed to locate %d\n", k);
return -1;
}
}
- return 0;
+ return return_value;
}
/*
@@ -1075,11 +1089,19 @@ static int pidff_find_effects(struct pidff_device *pidff,
static int pidff_init_fields(struct pidff_device *pidff, struct input_dev *dev)
{
int envelope_ok = 0;
+ int status = 0;
- if (PIDFF_FIND_FIELDS(set_effect, PID_SET_EFFECT, 1)) {
+ /* Save info about the device not having the DELAY ffb field. */
+ status = PIDFF_FIND_FIELDS(set_effect, PID_SET_EFFECT, 1);
+ if (status == -1) {
hid_err(pidff->hid, "unknown set_effect report layout\n");
return -ENODEV;
}
+ pidff->quirks |= status;
+
+ if (status & HID_PIDFF_QUIRK_MISSING_DELAY)
+ hid_dbg(pidff->hid, "Adding MISSING_DELAY quirk\n");
+
PIDFF_FIND_FIELDS(block_load, PID_BLOCK_LOAD, 0);
if (!pidff->block_load[PID_EFFECT_BLOCK_INDEX].value) {
@@ -1323,6 +1345,7 @@ int hid_pidff_init(struct hid_device *hid)
ff->playback = pidff_playback;
hid_info(dev, "Force feedback for USB HID PID devices by Anssi Hannula <anssi.hannula@gmail.com>\n");
+ hid_dbg(dev, "Active quirks mask: 0x%x\n", pidff->quirks);
hid_device_io_stop(hid);
diff --git a/include/linux/hid.h b/include/linux/hid.h
index cdc0dc13c87fe..9c3a728786c3e 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -1228,6 +1228,9 @@ int hid_pidff_init(struct hid_device *hid);
#define hid_pidff_init NULL
#endif
+/* HID PIDFF quirks */
+#define HID_PIDFF_QUIRK_MISSING_DELAY BIT(0)
+
#define dbg_hid(fmt, ...) pr_debug("%s: " fmt, __FILE__, ##__VA_ARGS__)
#define hid_err(hid, fmt, ...) \
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 073/449] HID: pidff: Add MISSING_PBO quirk and its detection
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 072/449] HID: pidff: Add MISSING_DELAY quirk and its detection Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 074/449] HID: pidff: Add PERMISSIVE_CONTROL quirk Greg Kroah-Hartman
` (382 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Makarenko Oleg, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit fc7c154e9bb3c2b98875cfc565406f4787e3b7a4 ]
Some devices with only one axis are missing PARAMETER_BLOCK_OFFSET field
for conditional effects. They can only have one axis, so we're limiting
the max_axis when setting the report for those effects.
Automatic detection ensures compatibility even if such device won't be
explicitly defined in the kernel.
Fixes initialization of VRS DirectForce PRO and possibly other devices.
Changes in v6:
- Fixed NULL pointer dereference. When PBO is missing, make sure not
to set it anyway
Co-developed-by: Makarenko Oleg <oleg@makarenk.ooo>
Signed-off-by: Makarenko Oleg <oleg@makarenk.ooo>
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 47 +++++++++++++++++++++-------------
include/linux/hid.h | 1 +
2 files changed, 30 insertions(+), 18 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 929f5967e7cb1..503b22feacdbb 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -391,13 +391,19 @@ static int pidff_needs_set_periodic(struct ff_effect *effect,
static void pidff_set_condition_report(struct pidff_device *pidff,
struct ff_effect *effect)
{
- int i;
+ int i, max_axis;
+
+ /* Devices missing Parameter Block Offset can only have one axis */
+ max_axis = pidff->quirks & HID_PIDFF_QUIRK_MISSING_PBO ? 1 : 2;
pidff->set_condition[PID_EFFECT_BLOCK_INDEX].value[0] =
pidff->block_load[PID_EFFECT_BLOCK_INDEX].value[0];
- for (i = 0; i < 2; i++) {
- pidff->set_condition[PID_PARAM_BLOCK_OFFSET].value[0] = i;
+ for (i = 0; i < max_axis; i++) {
+ /* Omit Parameter Block Offset if missing */
+ if (!(pidff->quirks & HID_PIDFF_QUIRK_MISSING_PBO))
+ pidff->set_condition[PID_PARAM_BLOCK_OFFSET].value[0] = i;
+
pidff_set_signed(&pidff->set_condition[PID_CP_OFFSET],
effect->u.condition[i].center);
pidff_set_signed(&pidff->set_condition[PID_POS_COEFFICIENT],
@@ -809,6 +815,11 @@ static int pidff_find_fields(struct pidff_usage *usage, const u8 *table,
pr_debug("Setting MISSING_DELAY quirk\n");
return_value |= HID_PIDFF_QUIRK_MISSING_DELAY;
}
+ else if (!found && table[k] == pidff_set_condition[PID_PARAM_BLOCK_OFFSET]) {
+ pr_debug("PBO field not found, but that's OK\n");
+ pr_debug("Setting MISSING_PBO quirk\n");
+ return_value |= HID_PIDFF_QUIRK_MISSING_PBO;
+ }
else if (!found && strict) {
pr_debug("failed to locate %d\n", k);
return -1;
@@ -1088,7 +1099,6 @@ static int pidff_find_effects(struct pidff_device *pidff,
*/
static int pidff_init_fields(struct pidff_device *pidff, struct input_dev *dev)
{
- int envelope_ok = 0;
int status = 0;
/* Save info about the device not having the DELAY ffb field. */
@@ -1119,13 +1129,10 @@ static int pidff_init_fields(struct pidff_device *pidff, struct input_dev *dev)
return -ENODEV;
}
- if (!PIDFF_FIND_FIELDS(set_envelope, PID_SET_ENVELOPE, 1))
- envelope_ok = 1;
-
if (pidff_find_special_fields(pidff) || pidff_find_effects(pidff, dev))
return -ENODEV;
- if (!envelope_ok) {
+ if (PIDFF_FIND_FIELDS(set_envelope, PID_SET_ENVELOPE, 1)) {
if (test_and_clear_bit(FF_CONSTANT, dev->ffbit))
hid_warn(pidff->hid,
"has constant effect but no envelope\n");
@@ -1150,16 +1157,20 @@ static int pidff_init_fields(struct pidff_device *pidff, struct input_dev *dev)
clear_bit(FF_RAMP, dev->ffbit);
}
- if ((test_bit(FF_SPRING, dev->ffbit) ||
- test_bit(FF_DAMPER, dev->ffbit) ||
- test_bit(FF_FRICTION, dev->ffbit) ||
- test_bit(FF_INERTIA, dev->ffbit)) &&
- PIDFF_FIND_FIELDS(set_condition, PID_SET_CONDITION, 1)) {
- hid_warn(pidff->hid, "unknown condition effect layout\n");
- clear_bit(FF_SPRING, dev->ffbit);
- clear_bit(FF_DAMPER, dev->ffbit);
- clear_bit(FF_FRICTION, dev->ffbit);
- clear_bit(FF_INERTIA, dev->ffbit);
+ if (test_bit(FF_SPRING, dev->ffbit) ||
+ test_bit(FF_DAMPER, dev->ffbit) ||
+ test_bit(FF_FRICTION, dev->ffbit) ||
+ test_bit(FF_INERTIA, dev->ffbit)) {
+ status = PIDFF_FIND_FIELDS(set_condition, PID_SET_CONDITION, 1);
+
+ if (status < 0) {
+ hid_warn(pidff->hid, "unknown condition effect layout\n");
+ clear_bit(FF_SPRING, dev->ffbit);
+ clear_bit(FF_DAMPER, dev->ffbit);
+ clear_bit(FF_FRICTION, dev->ffbit);
+ clear_bit(FF_INERTIA, dev->ffbit);
+ }
+ pidff->quirks |= status;
}
if (test_bit(FF_PERIODIC, dev->ffbit) &&
diff --git a/include/linux/hid.h b/include/linux/hid.h
index 9c3a728786c3e..ea7ba8e4bfe49 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -1230,6 +1230,7 @@ int hid_pidff_init(struct hid_device *hid);
/* HID PIDFF quirks */
#define HID_PIDFF_QUIRK_MISSING_DELAY BIT(0)
+#define HID_PIDFF_QUIRK_MISSING_PBO BIT(1)
#define dbg_hid(fmt, ...) pr_debug("%s: " fmt, __FILE__, ##__VA_ARGS__)
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 074/449] HID: pidff: Add PERMISSIVE_CONTROL quirk
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 073/449] HID: pidff: Add MISSING_PBO " Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 075/449] HID: pidff: Add hid_pidff_init_with_quirks and export as GPL symbol Greg Kroah-Hartman
` (381 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Makarenko Oleg, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit a4119108d2530747e61c7cbf52e2affd089cb1f6 ]
With this quirk, a PID device isn't required to have a strict
logical_minimum of 1 for the the PID_DEVICE_CONTROL usage page.
Some devices come with weird values in their device descriptors and
this quirk enables their initialization even if the logical minimum
of the DEVICE_CONTROL page is not 1.
Fixes initialization of VRS Direct Force Pro
Changes in v6:
- Change quirk name to better reflect it's intention
Co-developed-by: Makarenko Oleg <oleg@makarenk.ooo>
Signed-off-by: Makarenko Oleg <oleg@makarenk.ooo>
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 3 ++-
include/linux/hid.h | 5 +++--
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 503b22feacdbb..5a57ba0d7026a 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -969,7 +969,8 @@ static int pidff_find_special_fields(struct pidff_device *pidff)
0x57, 0);
pidff->device_control =
pidff_find_special_field(pidff->reports[PID_DEVICE_CONTROL],
- 0x96, 1);
+ 0x96, !(pidff->quirks & HID_PIDFF_QUIRK_PERMISSIVE_CONTROL));
+
pidff->block_load_status =
pidff_find_special_field(pidff->reports[PID_BLOCK_LOAD],
0x8b, 1);
diff --git a/include/linux/hid.h b/include/linux/hid.h
index ea7ba8e4bfe49..89a4dee377292 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -1229,8 +1229,9 @@ int hid_pidff_init(struct hid_device *hid);
#endif
/* HID PIDFF quirks */
-#define HID_PIDFF_QUIRK_MISSING_DELAY BIT(0)
-#define HID_PIDFF_QUIRK_MISSING_PBO BIT(1)
+#define HID_PIDFF_QUIRK_MISSING_DELAY BIT(0)
+#define HID_PIDFF_QUIRK_MISSING_PBO BIT(1)
+#define HID_PIDFF_QUIRK_PERMISSIVE_CONTROL BIT(2)
#define dbg_hid(fmt, ...) pr_debug("%s: " fmt, __FILE__, ##__VA_ARGS__)
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 075/449] HID: pidff: Add hid_pidff_init_with_quirks and export as GPL symbol
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 074/449] HID: pidff: Add PERMISSIVE_CONTROL quirk Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 076/449] HID: pidff: Add FIX_WHEEL_DIRECTION quirk Greg Kroah-Hartman
` (380 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit 36de0164bbaff1484288e84ac5df5cff00580263 ]
This lays out a way to provide an initial set of quirks to enable before
device initialization takes place. GPL symbol export needed for the
possibility of building HID drivers which use this function as modules.
Adding a wrapper function to ensure compatibility with the old behavior
of hid_pidff_init.
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 15 ++++++++++++++-
include/linux/hid.h | 2 ++
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 5a57ba0d7026a..b8c2ba0a930c2 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -1268,8 +1268,9 @@ static int pidff_check_autocenter(struct pidff_device *pidff,
/*
* Check if the device is PID and initialize it
+ * Set initial quirks
*/
-int hid_pidff_init(struct hid_device *hid)
+int hid_pidff_init_with_quirks(struct hid_device *hid, __u32 initial_quirks)
{
struct pidff_device *pidff;
struct hid_input *hidinput = list_entry(hid->inputs.next,
@@ -1291,6 +1292,7 @@ int hid_pidff_init(struct hid_device *hid)
return -ENOMEM;
pidff->hid = hid;
+ pidff->quirks = initial_quirks;
hid_device_io_start(hid);
@@ -1369,3 +1371,14 @@ int hid_pidff_init(struct hid_device *hid)
kfree(pidff);
return error;
}
+EXPORT_SYMBOL_GPL(hid_pidff_init_with_quirks);
+
+/*
+ * Check if the device is PID and initialize it
+ * Wrapper made to keep the compatibility with old
+ * init function
+ */
+int hid_pidff_init(struct hid_device *hid)
+{
+ return hid_pidff_init_with_quirks(hid, 0);
+}
diff --git a/include/linux/hid.h b/include/linux/hid.h
index 89a4dee377292..31dfe9ed5394b 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -1224,8 +1224,10 @@ void hid_quirks_exit(__u16 bus);
#ifdef CONFIG_HID_PID
int hid_pidff_init(struct hid_device *hid);
+int hid_pidff_init_with_quirks(struct hid_device *hid, __u32 initial_quirks);
#else
#define hid_pidff_init NULL
+#define hid_pidff_init_with_quirks NULL
#endif
/* HID PIDFF quirks */
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 076/449] HID: pidff: Add FIX_WHEEL_DIRECTION quirk
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 075/449] HID: pidff: Add hid_pidff_init_with_quirks and export as GPL symbol Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 077/449] HID: Add hid-universal-pidff driver and supported device ids Greg Kroah-Hartman
` (379 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit 3051bf5ec773b803c474ea556b57d678a8885be3 ]
Most steering wheels simply ignore DIRECTION field, but some try to be
compliant with the PID standard and use it in force calculations. Games
often ignore setting this field properly and/or there can be issues with
dinput8 -> wine -> SDL -> Linux API translation, and this value can be
incorrect. This can lead to partial/complete loss of Force Feedback or
even unexpected force reversal.
Sadly, this quirk can't be detected automatically without sending out
effects that would move an axis.
This fixes FFB on Moza Racing devices and others where effect direction
is not simply ignored.
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 12 +++++++++---
include/linux/hid.h | 1 +
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index b8c2ba0a930c2..a37cf852a2836 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -137,6 +137,9 @@ static const u8 pidff_block_load_status[] = { 0x8c, 0x8d };
#define PID_EFFECT_STOP 1
static const u8 pidff_effect_operation_status[] = { 0x79, 0x7b };
+/* Polar direction 90 degrees (North) */
+#define PIDFF_FIXED_WHEEL_DIRECTION 0x4000
+
struct pidff_usage {
struct hid_field *field;
s32 *value;
@@ -328,9 +331,12 @@ static void pidff_set_effect_report(struct pidff_device *pidff,
pidff->set_effect[PID_GAIN].value[0] =
pidff->set_effect[PID_GAIN].field->logical_maximum;
pidff->set_effect[PID_DIRECTION_ENABLE].value[0] = 1;
- pidff->effect_direction->value[0] =
- pidff_rescale(effect->direction, 0xffff,
- pidff->effect_direction);
+
+ /* Use fixed direction if needed */
+ pidff->effect_direction->value[0] = pidff_rescale(
+ pidff->quirks & HID_PIDFF_QUIRK_FIX_WHEEL_DIRECTION ?
+ PIDFF_FIXED_WHEEL_DIRECTION : effect->direction,
+ 0xffff, pidff->effect_direction);
/* Omit setting delay field if it's missing */
if (!(pidff->quirks & HID_PIDFF_QUIRK_MISSING_DELAY))
diff --git a/include/linux/hid.h b/include/linux/hid.h
index 31dfe9ed5394b..7a55accf689e0 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -1234,6 +1234,7 @@ int hid_pidff_init_with_quirks(struct hid_device *hid, __u32 initial_quirks);
#define HID_PIDFF_QUIRK_MISSING_DELAY BIT(0)
#define HID_PIDFF_QUIRK_MISSING_PBO BIT(1)
#define HID_PIDFF_QUIRK_PERMISSIVE_CONTROL BIT(2)
+#define HID_PIDFF_QUIRK_FIX_WHEEL_DIRECTION BIT(3)
#define dbg_hid(fmt, ...) pr_debug("%s: " fmt, __FILE__, ##__VA_ARGS__)
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 077/449] HID: Add hid-universal-pidff driver and supported device ids
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 076/449] HID: pidff: Add FIX_WHEEL_DIRECTION quirk Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 078/449] HID: pidff: Add PERIODIC_SINE_ONLY quirk Greg Kroah-Hartman
` (378 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Makarenko Oleg, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit f06bf8d94fffbb544b1cb5402c92e0a075f0d420 ]
Extend pidff compatibility, usable button range, manage pidff quirks and
set improved fuzz/flat default for high precision devices. Possibility
of fixing device descriptors in the future if such needs arises.
As many of PID devices are quite similar and not dependent on
custom drivers, this one can handle all of PID devices which
need special care.
Numerous sim racing/sim flight bases report a lot of buttons
in excess of 100. Moza Racing exposes 128 of them and thus
the need to extend the available range.
All the included devices were tested and confirmed working
with the help of the sim racing community.
Changes in v6:
- Support "split" devices with a separate "input device" for buttons
- Fixed comment styling
Co-developed-by: Makarenko Oleg <oleg@makarenk.ooo>
Signed-off-by: Makarenko Oleg <oleg@makarenk.ooo>
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/Kconfig | 14 +++
drivers/hid/Makefile | 1 +
drivers/hid/hid-ids.h | 31 +++++
drivers/hid/hid-universal-pidff.c | 192 ++++++++++++++++++++++++++++++
4 files changed, 238 insertions(+)
create mode 100644 drivers/hid/hid-universal-pidff.c
diff --git a/drivers/hid/Kconfig b/drivers/hid/Kconfig
index dfc245867a46a..4cfea399ebab2 100644
--- a/drivers/hid/Kconfig
+++ b/drivers/hid/Kconfig
@@ -1220,6 +1220,20 @@ config HID_U2FZERO
allow setting the brightness to anything but 1, which will
trigger a single blink and immediately reset back to 0.
+config HID_UNIVERSAL_PIDFF
+ tristate "universal-pidff: extended USB PID driver compatibility and usage"
+ depends on USB_HID
+ depends on HID_PID
+ help
+ Extended PID support for selected devices.
+
+ Contains report fixups, extended usable button range and
+ pidff quirk management to extend compatibility with slightly
+ non-compliant USB PID devices and better fuzz/flat values for
+ high precision direct drive devices.
+
+ Supports Moza Racing, Cammus, VRS, FFBeast and more.
+
config HID_WACOM
tristate "Wacom Intuos/Graphire tablet support (USB)"
depends on USB_HID
diff --git a/drivers/hid/Makefile b/drivers/hid/Makefile
index 0abfe51704a0b..c7ecfbb3e2280 100644
--- a/drivers/hid/Makefile
+++ b/drivers/hid/Makefile
@@ -140,6 +140,7 @@ hid-uclogic-objs := hid-uclogic-core.o \
hid-uclogic-params.o
obj-$(CONFIG_HID_UCLOGIC) += hid-uclogic.o
obj-$(CONFIG_HID_UDRAW_PS3) += hid-udraw-ps3.o
+obj-$(CONFIG_HID_UNIVERSAL_PIDFF) += hid-universal-pidff.o
obj-$(CONFIG_HID_LED) += hid-led.o
obj-$(CONFIG_HID_XIAOMI) += hid-xiaomi.o
obj-$(CONFIG_HID_XINMO) += hid-xinmo.o
diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
index 7e400624908e3..d54b2b302ad7b 100644
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -262,6 +262,10 @@
#define USB_DEVICE_ID_BTC_EMPREX_REMOTE 0x5578
#define USB_DEVICE_ID_BTC_EMPREX_REMOTE_2 0x5577
+#define USB_VENDOR_ID_CAMMUS 0x3416
+#define USB_DEVICE_ID_CAMMUS_C5 0x0301
+#define USB_DEVICE_ID_CAMMUS_C12 0x0302
+
#define USB_VENDOR_ID_CANDO 0x2087
#define USB_DEVICE_ID_CANDO_PIXCIR_MULTI_TOUCH 0x0703
#define USB_DEVICE_ID_CANDO_MULTI_TOUCH 0x0a01
@@ -453,6 +457,11 @@
#define USB_VENDOR_ID_EVISION 0x320f
#define USB_DEVICE_ID_EVISION_ICL01 0x5041
+#define USB_VENDOR_ID_FFBEAST 0x045b
+#define USB_DEVICE_ID_FFBEAST_JOYSTICK 0x58f9
+#define USB_DEVICE_ID_FFBEAST_RUDDER 0x5968
+#define USB_DEVICE_ID_FFBEAST_WHEEL 0x59d7
+
#define USB_VENDOR_ID_FLATFROG 0x25b5
#define USB_DEVICE_ID_MULTITOUCH_3200 0x0002
@@ -817,6 +826,13 @@
#define I2C_DEVICE_ID_LG_8001 0x8001
#define I2C_DEVICE_ID_LG_7010 0x7010
+#define USB_VENDOR_ID_LITE_STAR 0x11ff
+#define USB_DEVICE_ID_PXN_V10 0x3245
+#define USB_DEVICE_ID_PXN_V12 0x1212
+#define USB_DEVICE_ID_PXN_V12_LITE 0x1112
+#define USB_DEVICE_ID_PXN_V12_LITE_2 0x1211
+#define USB_DEVICE_LITE_STAR_GT987_FF 0x2141
+
#define USB_VENDOR_ID_LOGITECH 0x046d
#define USB_DEVICE_ID_LOGITECH_Z_10_SPK 0x0a07
#define USB_DEVICE_ID_LOGITECH_AUDIOHUB 0x0a0e
@@ -964,6 +980,18 @@
#define USB_VENDOR_ID_MONTEREY 0x0566
#define USB_DEVICE_ID_GENIUS_KB29E 0x3004
+#define USB_VENDOR_ID_MOZA 0x346e
+#define USB_DEVICE_ID_MOZA_R3 0x0005
+#define USB_DEVICE_ID_MOZA_R3_2 0x0015
+#define USB_DEVICE_ID_MOZA_R5 0x0004
+#define USB_DEVICE_ID_MOZA_R5_2 0x0014
+#define USB_DEVICE_ID_MOZA_R9 0x0002
+#define USB_DEVICE_ID_MOZA_R9_2 0x0012
+#define USB_DEVICE_ID_MOZA_R12 0x0006
+#define USB_DEVICE_ID_MOZA_R12_2 0x0016
+#define USB_DEVICE_ID_MOZA_R16_R21 0x0000
+#define USB_DEVICE_ID_MOZA_R16_R21_2 0x0010
+
#define USB_VENDOR_ID_MSI 0x1770
#define USB_DEVICE_ID_MSI_GT683R_LED_PANEL 0xff00
@@ -1377,6 +1405,9 @@
#define USB_DEVICE_ID_VELLEMAN_K8061_FIRST 0x8061
#define USB_DEVICE_ID_VELLEMAN_K8061_LAST 0x8068
+#define USB_VENDOR_ID_VRS 0x0483
+#define USB_DEVICE_ID_VRS_DFP 0xa355
+
#define USB_VENDOR_ID_VTL 0x0306
#define USB_DEVICE_ID_VTL_MULTITOUCH_FF3F 0xff3f
diff --git a/drivers/hid/hid-universal-pidff.c b/drivers/hid/hid-universal-pidff.c
new file mode 100644
index 0000000000000..55aad2e4ac1b8
--- /dev/null
+++ b/drivers/hid/hid-universal-pidff.c
@@ -0,0 +1,192 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * HID UNIVERSAL PIDFF
+ * hid-pidff wrapper for PID-enabled devices
+ * Handles device reports, quirks and extends usable button range
+ *
+ * Copyright (c) 2024, 2025 Makarenko Oleg
+ * Copyright (c) 2024, 2025 Tomasz Pakuła
+ */
+
+#include <linux/device.h>
+#include <linux/hid.h>
+#include <linux/module.h>
+#include <linux/input-event-codes.h>
+#include "hid-ids.h"
+
+#define JOY_RANGE (BTN_DEAD - BTN_JOYSTICK + 1)
+
+/*
+ * Map buttons manually to extend the default joystick button limit
+ */
+static int universal_pidff_input_mapping(struct hid_device *hdev,
+ struct hid_input *hi, struct hid_field *field, struct hid_usage *usage,
+ unsigned long **bit, int *max)
+{
+ if ((usage->hid & HID_USAGE_PAGE) != HID_UP_BUTTON)
+ return 0;
+
+ if (field->application != HID_GD_JOYSTICK)
+ return 0;
+
+ int button = ((usage->hid - 1) & HID_USAGE);
+ int code = button + BTN_JOYSTICK;
+
+ /* Detect the end of JOYSTICK buttons range */
+ if (code > BTN_DEAD)
+ code = button + KEY_NEXT_FAVORITE - JOY_RANGE;
+
+ /*
+ * Map overflowing buttons to KEY_RESERVED to not ignore
+ * them and let them still trigger MSC_SCAN
+ */
+ if (code > KEY_MAX)
+ code = KEY_RESERVED;
+
+ hid_map_usage(hi, usage, bit, max, EV_KEY, code);
+ hid_dbg(hdev, "Button %d: usage %d", button, code);
+ return 1;
+}
+
+/*
+ * Check if the device is PID and initialize it
+ * Add quirks after initialisation
+ */
+static int universal_pidff_probe(struct hid_device *hdev,
+ const struct hid_device_id *id)
+{
+ int i, error;
+ error = hid_parse(hdev);
+ if (error) {
+ hid_err(hdev, "HID parse failed\n");
+ goto err;
+ }
+
+ error = hid_hw_start(hdev, HID_CONNECT_DEFAULT & ~HID_CONNECT_FF);
+ if (error) {
+ hid_err(hdev, "HID hw start failed\n");
+ goto err;
+ }
+
+ /* Check if device contains PID usage page */
+ error = 1;
+ for (i = 0; i < hdev->collection_size; i++)
+ if ((hdev->collection[i].usage & HID_USAGE_PAGE) == HID_UP_PID) {
+ error = 0;
+ hid_dbg(hdev, "PID usage page found\n");
+ break;
+ }
+
+ /*
+ * Do not fail as this might be the second "device"
+ * just for additional buttons/axes. Exit cleanly if force
+ * feedback usage page wasn't found (included devices were
+ * tested and confirmed to be USB PID after all).
+ */
+ if (error) {
+ hid_dbg(hdev, "PID usage page not found in the descriptor\n");
+ return 0;
+ }
+
+ /* Check if HID_PID support is enabled */
+ int (*init_function)(struct hid_device *, __u32);
+ init_function = hid_pidff_init_with_quirks;
+
+ if (!init_function) {
+ hid_warn(hdev, "HID_PID support not enabled!\n");
+ return 0;
+ }
+
+ error = init_function(hdev, id->driver_data);
+ if (error) {
+ hid_warn(hdev, "Error initialising force feedback\n");
+ goto err;
+ }
+
+ hid_info(hdev, "Universal pidff driver loaded sucesfully!");
+
+ return 0;
+err:
+ return error;
+}
+
+static int universal_pidff_input_configured(struct hid_device *hdev,
+ struct hid_input *hidinput)
+{
+ int axis;
+ struct input_dev *input = hidinput->input;
+
+ if (!input->absinfo)
+ return 0;
+
+ /* Decrease fuzz and deadzone on available axes */
+ for (axis = ABS_X; axis <= ABS_BRAKE; axis++) {
+ if (!test_bit(axis, input->absbit))
+ continue;
+
+ input_set_abs_params(input, axis,
+ input->absinfo[axis].minimum,
+ input->absinfo[axis].maximum,
+ axis == ABS_X ? 0 : 8, 0);
+ }
+
+ /* Remove fuzz and deadzone from the second joystick axis */
+ if (hdev->vendor == USB_VENDOR_ID_FFBEAST &&
+ hdev->product == USB_DEVICE_ID_FFBEAST_JOYSTICK)
+ input_set_abs_params(input, ABS_Y,
+ input->absinfo[ABS_Y].minimum,
+ input->absinfo[ABS_Y].maximum, 0, 0);
+
+ return 0;
+}
+
+static const struct hid_device_id universal_pidff_devices[] = {
+ { HID_USB_DEVICE(USB_VENDOR_ID_MOZA, USB_DEVICE_ID_MOZA_R3),
+ .driver_data = HID_PIDFF_QUIRK_FIX_WHEEL_DIRECTION },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MOZA, USB_DEVICE_ID_MOZA_R3_2),
+ .driver_data = HID_PIDFF_QUIRK_FIX_WHEEL_DIRECTION },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MOZA, USB_DEVICE_ID_MOZA_R5),
+ .driver_data = HID_PIDFF_QUIRK_FIX_WHEEL_DIRECTION },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MOZA, USB_DEVICE_ID_MOZA_R5_2),
+ .driver_data = HID_PIDFF_QUIRK_FIX_WHEEL_DIRECTION },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MOZA, USB_DEVICE_ID_MOZA_R9),
+ .driver_data = HID_PIDFF_QUIRK_FIX_WHEEL_DIRECTION },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MOZA, USB_DEVICE_ID_MOZA_R9_2),
+ .driver_data = HID_PIDFF_QUIRK_FIX_WHEEL_DIRECTION },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MOZA, USB_DEVICE_ID_MOZA_R12),
+ .driver_data = HID_PIDFF_QUIRK_FIX_WHEEL_DIRECTION },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MOZA, USB_DEVICE_ID_MOZA_R12_2),
+ .driver_data = HID_PIDFF_QUIRK_FIX_WHEEL_DIRECTION },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MOZA, USB_DEVICE_ID_MOZA_R16_R21),
+ .driver_data = HID_PIDFF_QUIRK_FIX_WHEEL_DIRECTION },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MOZA, USB_DEVICE_ID_MOZA_R16_R21_2),
+ .driver_data = HID_PIDFF_QUIRK_FIX_WHEEL_DIRECTION },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CAMMUS, USB_DEVICE_ID_CAMMUS_C5) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CAMMUS, USB_DEVICE_ID_CAMMUS_C12) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_VRS, USB_DEVICE_ID_VRS_DFP),
+ .driver_data = HID_PIDFF_QUIRK_PERMISSIVE_CONTROL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_FFBEAST, USB_DEVICE_ID_FFBEAST_JOYSTICK), },
+ { HID_USB_DEVICE(USB_VENDOR_ID_FFBEAST, USB_DEVICE_ID_FFBEAST_RUDDER), },
+ { HID_USB_DEVICE(USB_VENDOR_ID_FFBEAST, USB_DEVICE_ID_FFBEAST_WHEEL) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LITE_STAR, USB_DEVICE_ID_PXN_V10) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LITE_STAR, USB_DEVICE_ID_PXN_V12) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LITE_STAR, USB_DEVICE_ID_PXN_V12_LITE) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LITE_STAR, USB_DEVICE_ID_PXN_V12_LITE_2) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LITE_STAR, USB_DEVICE_LITE_STAR_GT987_FF) },
+ { }
+};
+MODULE_DEVICE_TABLE(hid, universal_pidff_devices);
+
+static struct hid_driver universal_pidff = {
+ .name = "hid-universal-pidff",
+ .id_table = universal_pidff_devices,
+ .input_mapping = universal_pidff_input_mapping,
+ .probe = universal_pidff_probe,
+ .input_configured = universal_pidff_input_configured
+};
+module_hid_driver(universal_pidff);
+
+MODULE_DESCRIPTION("Universal driver for USB PID Force Feedback devices");
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Makarenko Oleg <oleg@makarenk.ooo>");
+MODULE_AUTHOR("Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>");
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 078/449] HID: pidff: Add PERIODIC_SINE_ONLY quirk
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 077/449] HID: Add hid-universal-pidff driver and supported device ids Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 079/449] HID: pidff: Fix null pointer dereference in pidff_find_fields Greg Kroah-Hartman
` (377 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit abdbf8764f4962af2a910abb3a213ecf304a73d3 ]
Some devices only support SINE periodic effect although they advertise
support for all PERIODIC effect in their HID descriptor. Some just do
nothing when trying to play such an effect (upload goes fine), some express
undefined behavior like turning to one side.
This quirk forces all the periodic effects to be uploaded as SINE. This is
acceptable as all these effects are similar in nature and are mostly used as
rumble. SINE is the most popular with others seldom used (especially SAW_UP
and SAW_DOWN).
Fixes periodic effects for PXN and LITE STAR wheels
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-universal-pidff.c | 15 ++++++++++-----
drivers/hid/usbhid/hid-pidff.c | 3 +++
include/linux/hid.h | 1 +
3 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/drivers/hid/hid-universal-pidff.c b/drivers/hid/hid-universal-pidff.c
index 55aad2e4ac1b8..7ef5ab9146b1c 100644
--- a/drivers/hid/hid-universal-pidff.c
+++ b/drivers/hid/hid-universal-pidff.c
@@ -168,11 +168,16 @@ static const struct hid_device_id universal_pidff_devices[] = {
{ HID_USB_DEVICE(USB_VENDOR_ID_FFBEAST, USB_DEVICE_ID_FFBEAST_JOYSTICK), },
{ HID_USB_DEVICE(USB_VENDOR_ID_FFBEAST, USB_DEVICE_ID_FFBEAST_RUDDER), },
{ HID_USB_DEVICE(USB_VENDOR_ID_FFBEAST, USB_DEVICE_ID_FFBEAST_WHEEL) },
- { HID_USB_DEVICE(USB_VENDOR_ID_LITE_STAR, USB_DEVICE_ID_PXN_V10) },
- { HID_USB_DEVICE(USB_VENDOR_ID_LITE_STAR, USB_DEVICE_ID_PXN_V12) },
- { HID_USB_DEVICE(USB_VENDOR_ID_LITE_STAR, USB_DEVICE_ID_PXN_V12_LITE) },
- { HID_USB_DEVICE(USB_VENDOR_ID_LITE_STAR, USB_DEVICE_ID_PXN_V12_LITE_2) },
- { HID_USB_DEVICE(USB_VENDOR_ID_LITE_STAR, USB_DEVICE_LITE_STAR_GT987_FF) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LITE_STAR, USB_DEVICE_ID_PXN_V10),
+ .driver_data = HID_PIDFF_QUIRK_PERIODIC_SINE_ONLY },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LITE_STAR, USB_DEVICE_ID_PXN_V12),
+ .driver_data = HID_PIDFF_QUIRK_PERIODIC_SINE_ONLY },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LITE_STAR, USB_DEVICE_ID_PXN_V12_LITE),
+ .driver_data = HID_PIDFF_QUIRK_PERIODIC_SINE_ONLY },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LITE_STAR, USB_DEVICE_ID_PXN_V12_LITE_2),
+ .driver_data = HID_PIDFF_QUIRK_PERIODIC_SINE_ONLY },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LITE_STAR, USB_DEVICE_LITE_STAR_GT987_FF),
+ .driver_data = HID_PIDFF_QUIRK_PERIODIC_SINE_ONLY },
{ }
};
MODULE_DEVICE_TABLE(hid, universal_pidff_devices);
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index a37cf852a2836..4c94d8cbac43a 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -637,6 +637,9 @@ static int pidff_upload_effect(struct input_dev *dev, struct ff_effect *effect,
return -EINVAL;
}
+ if (pidff->quirks & HID_PIDFF_QUIRK_PERIODIC_SINE_ONLY)
+ type_id = PID_SINE;
+
error = pidff_request_effect_upload(pidff,
pidff->type_id[type_id]);
if (error)
diff --git a/include/linux/hid.h b/include/linux/hid.h
index 7a55accf689e0..e180679ab284c 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -1235,6 +1235,7 @@ int hid_pidff_init_with_quirks(struct hid_device *hid, __u32 initial_quirks);
#define HID_PIDFF_QUIRK_MISSING_PBO BIT(1)
#define HID_PIDFF_QUIRK_PERMISSIVE_CONTROL BIT(2)
#define HID_PIDFF_QUIRK_FIX_WHEEL_DIRECTION BIT(3)
+#define HID_PIDFF_QUIRK_PERIODIC_SINE_ONLY BIT(4)
#define dbg_hid(fmt, ...) pr_debug("%s: " fmt, __FILE__, ##__VA_ARGS__)
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 079/449] HID: pidff: Fix null pointer dereference in pidff_find_fields
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 078/449] HID: pidff: Add PERIODIC_SINE_ONLY quirk Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 080/449] ASoC: amd: ps: use macro for ACP6.3 pci revision id Greg Kroah-Hartman
` (376 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nolan Nicholson, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <forest10pl@gmail.com>
[ Upstream commit 22a05462c3d0eee15154faf8d13c49e6295270a5 ]
This function triggered a null pointer dereference if used to search for
a report that isn't implemented on the device. This happened both for
optional and required reports alike.
The same logic was applied to pidff_find_special_field and although
pidff_init_fields should return an error earlier if one of the required
reports is missing, future modifications could change this logic and
resurface this possible null pointer dereference again.
LKML bug report:
https://lore.kernel.org/all/CAL-gK7f5=R0nrrQdPtaZZr1fd-cdAMbDMuZ_NLA8vM0SX+nGSw@mail.gmail.com
Reported-by: Nolan Nicholson <nolananicholson@gmail.com>
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 4c94d8cbac43a..25dbed076f530 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -793,6 +793,11 @@ static void pidff_set_autocenter(struct input_dev *dev, u16 magnitude)
static int pidff_find_fields(struct pidff_usage *usage, const u8 *table,
struct hid_report *report, int count, int strict)
{
+ if (!report) {
+ pr_debug("pidff_find_fields, null report\n");
+ return -1;
+ }
+
int i, j, k, found;
int return_value = 0;
@@ -917,6 +922,11 @@ static int pidff_reports_ok(struct pidff_device *pidff)
static struct hid_field *pidff_find_special_field(struct hid_report *report,
int usage, int enforce_min)
{
+ if (!report) {
+ pr_debug("pidff_find_special_field, null report\n");
+ return NULL;
+ }
+
int i;
for (i = 0; i < report->maxfield; i++) {
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 080/449] ASoC: amd: ps: use macro for ACP6.3 pci revision id
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 079/449] HID: pidff: Fix null pointer dereference in pidff_find_fields Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 081/449] ASoC: amd: amd_sdw: Add quirks for Dell SKUs Greg Kroah-Hartman
` (375 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vijendar Mukunda, Mark Brown,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
[ Upstream commit 4b36a47e2d989b98953dbfb1e97da0f0169f5086 ]
Use macro for ACP6.3 PCI revision id instead of hard coded value.
Signed-off-by: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
Link: https://patch.msgid.link/20250207062819.1527184-3-Vijendar.Mukunda@amd.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/ps/acp63.h | 1 +
sound/soc/amd/ps/pci-ps.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/soc/amd/ps/acp63.h b/sound/soc/amd/ps/acp63.h
index e54eabaa4d3e1..28d3959a416b3 100644
--- a/sound/soc/amd/ps/acp63.h
+++ b/sound/soc/amd/ps/acp63.h
@@ -11,6 +11,7 @@
#define ACP_DEVICE_ID 0x15E2
#define ACP63_REG_START 0x1240000
#define ACP63_REG_END 0x125C000
+#define ACP63_PCI_REV 0x63
#define ACP_SOFT_RESET_SOFTRESET_AUDDONE_MASK 0x00010001
#define ACP_PGFSM_CNTL_POWER_ON_MASK 1
diff --git a/sound/soc/amd/ps/pci-ps.c b/sound/soc/amd/ps/pci-ps.c
index 8b556950b855a..6015dd5270731 100644
--- a/sound/soc/amd/ps/pci-ps.c
+++ b/sound/soc/amd/ps/pci-ps.c
@@ -562,7 +562,7 @@ static int snd_acp63_probe(struct pci_dev *pci,
/* Pink Sardine device check */
switch (pci->revision) {
- case 0x63:
+ case ACP63_PCI_REV:
break;
default:
dev_dbg(&pci->dev, "acp63 pci device not found\n");
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 081/449] ASoC: amd: amd_sdw: Add quirks for Dell SKUs
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 080/449] ASoC: amd: ps: use macro for ACP6.3 pci revision id Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 082/449] ALSA: hda: intel: Fix Optimus when GPU has no sound Greg Kroah-Hartman
` (374 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vijendar Mukunda, Mark Brown,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
[ Upstream commit 4bb5b6f13fd83b32c8a93fbd399e7558415d1ce0 ]
This patch adds a quirk to include the codec amplifier function for Dell
SKU's listed in quirk table.
Note: In these SKU's, the RT722 codec amplifier is excluded, and an
external amplifier is used instead.
Signed-off-by: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
Link: https://patch.msgid.link/20250207062819.1527184-26-Vijendar.Mukunda@amd.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/acp/acp-sdw-legacy-mach.c | 34 +++++++++++++++++++++++++
sound/soc/amd/acp/soc_amd_sdw_common.h | 1 +
2 files changed, 35 insertions(+)
diff --git a/sound/soc/amd/acp/acp-sdw-legacy-mach.c b/sound/soc/amd/acp/acp-sdw-legacy-mach.c
index 9280cd30d19cf..a0defa5d15f73 100644
--- a/sound/soc/amd/acp/acp-sdw-legacy-mach.c
+++ b/sound/soc/amd/acp/acp-sdw-legacy-mach.c
@@ -28,6 +28,8 @@ static void log_quirks(struct device *dev)
SOC_JACK_JDSRC(soc_sdw_quirk));
if (soc_sdw_quirk & ASOC_SDW_ACP_DMIC)
dev_dbg(dev, "quirk SOC_SDW_ACP_DMIC enabled\n");
+ if (soc_sdw_quirk & ASOC_SDW_CODEC_SPKR)
+ dev_dbg(dev, "quirk ASOC_SDW_CODEC_SPKR enabled\n");
}
static int soc_sdw_quirk_cb(const struct dmi_system_id *id)
@@ -45,6 +47,38 @@ static const struct dmi_system_id soc_sdw_quirk_table[] = {
},
.driver_data = (void *)RT711_JD2,
},
+ {
+ .callback = soc_sdw_quirk_cb,
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc"),
+ DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "0D80"),
+ },
+ .driver_data = (void *)(ASOC_SDW_CODEC_SPKR),
+ },
+ {
+ .callback = soc_sdw_quirk_cb,
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc"),
+ DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "0D81"),
+ },
+ .driver_data = (void *)(ASOC_SDW_CODEC_SPKR),
+ },
+ {
+ .callback = soc_sdw_quirk_cb,
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc"),
+ DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "0D82"),
+ },
+ .driver_data = (void *)(ASOC_SDW_CODEC_SPKR),
+ },
+ {
+ .callback = soc_sdw_quirk_cb,
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc"),
+ DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "0D83"),
+ },
+ .driver_data = (void *)(ASOC_SDW_CODEC_SPKR),
+ },
{}
};
diff --git a/sound/soc/amd/acp/soc_amd_sdw_common.h b/sound/soc/amd/acp/soc_amd_sdw_common.h
index b7bae107c13e4..ed5aec9c01458 100644
--- a/sound/soc/amd/acp/soc_amd_sdw_common.h
+++ b/sound/soc/amd/acp/soc_amd_sdw_common.h
@@ -22,6 +22,7 @@
#define SOC_JACK_JDSRC(quirk) ((quirk) & GENMASK(3, 0))
#define ASOC_SDW_FOUR_SPK BIT(4)
#define ASOC_SDW_ACP_DMIC BIT(5)
+#define ASOC_SDW_CODEC_SPKR BIT(15)
#define AMD_SDW0 0
#define AMD_SDW1 1
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 082/449] ALSA: hda: intel: Fix Optimus when GPU has no sound
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 081/449] ASoC: amd: amd_sdw: Add quirks for Dell SKUs Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 083/449] ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist Greg Kroah-Hartman
` (373 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxim Mikityanskiy, Takashi Iwai,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxim Mikityanskiy <maxtram95@gmail.com>
[ Upstream commit 2b360ba9a4936486380bc30d1eabceb40a714d98 ]
quirk_nvidia_hda() forcefully enables HDA controller on all NVIDIA GPUs,
because some buggy BIOSes leave it disabled. However, some dual-GPU
laptops do not have a functional HDA controller in DGPU, and BIOS
disables it on purpose. After quirk_nvidia_hda() reenables this dummy
HDA controller, attempting to probe it fails at azx_first_init(), which
is too late to cancel the probe, as it happens in azx_probe_continue().
The sna_hda_intel driver calls azx_free() and stops the chip, however,
it stays probed, and from the runtime PM point of view, the device
remains active (it was set as active by the PCI subsystem on probe). It
prevents vga_switcheroo from turning off the DGPU, because
pci_create_device_link() syncs power management for video and audio
devices.
Affected devices should be added to driver_denylist to prevent them from
probing early. This patch helps identify such devices by printing a
warning, and also forces the device to the suspended state to allow
vga_switcheroo turn off DGPU.
Signed-off-by: Maxim Mikityanskiy <maxtram95@gmail.com>
Link: https://patch.msgid.link/20250208214602.39607-2-maxtram95@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/hda_intel.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
index e67c22c59f02b..b5ca933cd38fd 100644
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -1352,8 +1352,21 @@ static void azx_free(struct azx *chip)
if (use_vga_switcheroo(hda)) {
if (chip->disabled && hda->probe_continued)
snd_hda_unlock_devices(&chip->bus);
- if (hda->vga_switcheroo_registered)
+ if (hda->vga_switcheroo_registered) {
vga_switcheroo_unregister_client(chip->pci);
+
+ /* Some GPUs don't have sound, and azx_first_init fails,
+ * leaving the device probed but non-functional. As long
+ * as it's probed, the PCI subsystem keeps its runtime
+ * PM status as active. Force it to suspended (as we
+ * actually stop the chip) to allow GPU to suspend via
+ * vga_switcheroo, and print a warning.
+ */
+ dev_warn(&pci->dev, "GPU sound probed, but not operational: please add a quirk to driver_denylist\n");
+ pm_runtime_disable(&pci->dev);
+ pm_runtime_set_suspended(&pci->dev);
+ pm_runtime_enable(&pci->dev);
+ }
}
if (bus->chip_init) {
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 083/449] ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 082/449] ALSA: hda: intel: Fix Optimus when GPU has no sound Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 084/449] ASoC: fsl_audmix: register card device depends on dais property Greg Kroah-Hartman
` (372 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxim Mikityanskiy, Takashi Iwai,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxim Mikityanskiy <maxtram95@gmail.com>
[ Upstream commit becc794c5e46f4dfca59f2385f78d83fc9e84700 ]
Lenovo IdeaPad Z570 with NVIDIA GeForce Ge 540M doesn't have sound on
the discrete GPU. The HDA controller in DGPU is disabled by BIOS, but
then reenabled by quirk_nvidia_hda(). The probe fails and ends up with
the "GPU sound probed, but not operational" error.
Add this laptop to DMI-based denylist to prevent probe early. DMI is
used, because the audio device has zero subsystem IDs, and this entry
would be too much, blocking all 540M chips:
PCI_DEVICE_SUB(0x10de, 0x0bea, 0x0000, 0x0000)
Also, this laptop comes in a variety of modifications with different
NVIDIA GPUs, so the DMI check will cover them all.
Signed-off-by: Maxim Mikityanskiy <maxtram95@gmail.com>
Link: https://patch.msgid.link/20250208214602.39607-3-maxtram95@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/hda_intel.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
index b5ca933cd38fd..1ae26bdbe756a 100644
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -37,6 +37,7 @@
#include <linux/completion.h>
#include <linux/acpi.h>
#include <linux/pgtable.h>
+#include <linux/dmi.h>
#ifdef CONFIG_X86
/* for snoop control */
@@ -2074,6 +2075,27 @@ static const struct pci_device_id driver_denylist[] = {
{}
};
+static struct pci_device_id driver_denylist_ideapad_z570[] = {
+ { PCI_DEVICE_SUB(0x10de, 0x0bea, 0x0000, 0x0000) }, /* NVIDIA GF108 HDA */
+ {}
+};
+
+/* DMI-based denylist, to be used when:
+ * - PCI subsystem IDs are zero, impossible to distinguish from valid sound cards.
+ * - Different modifications of the same laptop use different GPU models.
+ */
+static const struct dmi_system_id driver_denylist_dmi[] = {
+ {
+ /* No HDA in NVIDIA DGPU. BIOS disables it, but quirk_nvidia_hda() reenables. */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_VERSION, "Ideapad Z570"),
+ },
+ .driver_data = &driver_denylist_ideapad_z570,
+ },
+ {}
+};
+
static const struct hda_controller_ops pci_hda_ops = {
.disable_msi_reset_irq = disable_msi_reset_irq,
.position_check = azx_position_check,
@@ -2084,6 +2106,7 @@ static DECLARE_BITMAP(probed_devs, SNDRV_CARDS);
static int azx_probe(struct pci_dev *pci,
const struct pci_device_id *pci_id)
{
+ const struct dmi_system_id *dmi;
struct snd_card *card;
struct hda_intel *hda;
struct azx *chip;
@@ -2096,6 +2119,12 @@ static int azx_probe(struct pci_dev *pci,
return -ENODEV;
}
+ dmi = dmi_first_match(driver_denylist_dmi);
+ if (dmi && pci_match_id(dmi->driver_data, pci)) {
+ dev_info(&pci->dev, "Skipping the device on the DMI denylist\n");
+ return -ENODEV;
+ }
+
dev = find_first_zero_bit(probed_devs, SNDRV_CARDS);
if (dev >= SNDRV_CARDS)
return -ENODEV;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 084/449] ASoC: fsl_audmix: register card device depends on dais property
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 083/449] ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 085/449] media: uvcvideo: Add quirk for Actions UVC05 Greg Kroah-Hartman
` (371 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 294a60e5e9830045c161181286d44ce669f88833 ]
In order to make the audmix device linked by audio graph card, make
'dais' property to be optional.
If 'dais' property exists, then register the imx-audmix card driver.
otherwise, it should be linked by audio graph card.
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20250226100508.2352568-5-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_audmix.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/sound/soc/fsl/fsl_audmix.c b/sound/soc/fsl/fsl_audmix.c
index 3cd9a66b70a15..7981d598ba139 100644
--- a/sound/soc/fsl/fsl_audmix.c
+++ b/sound/soc/fsl/fsl_audmix.c
@@ -488,11 +488,17 @@ static int fsl_audmix_probe(struct platform_device *pdev)
goto err_disable_pm;
}
- priv->pdev = platform_device_register_data(dev, "imx-audmix", 0, NULL, 0);
- if (IS_ERR(priv->pdev)) {
- ret = PTR_ERR(priv->pdev);
- dev_err(dev, "failed to register platform: %d\n", ret);
- goto err_disable_pm;
+ /*
+ * If dais property exist, then register the imx-audmix card driver.
+ * otherwise, it should be linked by audio graph card.
+ */
+ if (of_find_property(pdev->dev.of_node, "dais", NULL)) {
+ priv->pdev = platform_device_register_data(dev, "imx-audmix", 0, NULL, 0);
+ if (IS_ERR(priv->pdev)) {
+ ret = PTR_ERR(priv->pdev);
+ dev_err(dev, "failed to register platform: %d\n", ret);
+ goto err_disable_pm;
+ }
}
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 085/449] media: uvcvideo: Add quirk for Actions UVC05
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 084/449] ASoC: fsl_audmix: register card device depends on dais property Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 086/449] HID: lenovo: Fix to ensure the data as __le32 instead of u32 Greg Kroah-Hartman
` (370 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ricardo Ribalda, Laurent Pinchart,
Hans Verkuil, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Ribalda <ribalda@chromium.org>
[ Upstream commit 8c54e58f94ed3ff28643aefd2c0c2c98313ee770 ]
Actions UVC05 is a HDMI to USB dongle that implements the UVC protocol.
When the device suspends, its firmware seems to enter a weird mode when it
does not produce more frames.
Add the device to the quirk list to disable autosuspend.
Bus 001 Device 007: ID 1de1:f105 Actions Microelectronics Co. Display
capture-UVC05
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 239 Miscellaneous Device
bDeviceSubClass 2 [unknown]
bDeviceProtocol 1 Interface Association
bMaxPacketSize0 64
idVendor 0x1de1 Actions Microelectronics Co.
idProduct 0xf105 Display capture-UVC05
bcdDevice 4.09
iManufacturer 1 Actions Micro
iProduct 2 Display capture-UVC05
iSerial 3 -1005308387
bNumConfigurations 1
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://lore.kernel.org/r/20241210-uvc-hdmi-suspend-v1-1-01f5dec023ea@chromium.org
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/uvc/uvc_driver.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
index deadbcea5e227..11b04f6f60cd1 100644
--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -3062,6 +3062,15 @@ static const struct usb_device_id uvc_ids[] = {
.bInterfaceProtocol = 0,
.driver_info = UVC_INFO_QUIRK(UVC_QUIRK_PROBE_MINMAX
| UVC_QUIRK_IGNORE_SELECTOR_UNIT) },
+ /* Actions Microelectronics Co. Display capture-UVC05 */
+ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE
+ | USB_DEVICE_ID_MATCH_INT_INFO,
+ .idVendor = 0x1de1,
+ .idProduct = 0xf105,
+ .bInterfaceClass = USB_CLASS_VIDEO,
+ .bInterfaceSubClass = 1,
+ .bInterfaceProtocol = 0,
+ .driver_info = UVC_INFO_QUIRK(UVC_QUIRK_DISABLE_AUTOSUSPEND) },
/* NXP Semiconductors IR VIDEO */
{ .match_flags = USB_DEVICE_ID_MATCH_DEVICE
| USB_DEVICE_ID_MATCH_INT_INFO,
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 086/449] HID: lenovo: Fix to ensure the data as __le32 instead of u32
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 085/449] media: uvcvideo: Add quirk for Actions UVC05 Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 087/449] media: s5p-mfc: Corrected NV12M/NV21M plane-sizes Greg Kroah-Hartman
` (369 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vishnu Sankar, Vishnu Sankar,
kernel test robot, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vishnu Sankar <vishnuocv@gmail.com>
[ Upstream commit d6ea85f8371b99c1d3a90ee4e2fb1a648f8d71d3 ]
Ensure that data is treated as __le32 instead of u32 before
applying le32_to_cpu.
This patch fixes the sparse warning "sparse: cast to restricted __le32".
Signed-off-by: Vishnu Sankar <vishnuocv@gmail.com>
Signed-off-by: Vishnu Sankar <vsankar@lenovo.com>
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202501101635.qJrwAOwf-lkp@intel.com/
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-lenovo.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/hid-lenovo.c b/drivers/hid/hid-lenovo.c
index a7d9ca02779ea..04508c36bdc82 100644
--- a/drivers/hid/hid-lenovo.c
+++ b/drivers/hid/hid-lenovo.c
@@ -778,7 +778,7 @@ static int lenovo_raw_event(struct hid_device *hdev,
if (unlikely((hdev->product == USB_DEVICE_ID_LENOVO_X12_TAB
|| hdev->product == USB_DEVICE_ID_LENOVO_X12_TAB2)
&& size >= 3 && report->id == 0x03))
- return lenovo_raw_event_TP_X12_tab(hdev, le32_to_cpu(*(u32 *)data));
+ return lenovo_raw_event_TP_X12_tab(hdev, le32_to_cpu(*(__le32 *)data));
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 087/449] media: s5p-mfc: Corrected NV12M/NV21M plane-sizes
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 086/449] HID: lenovo: Fix to ensure the data as __le32 instead of u32 Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 088/449] mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves Greg Kroah-Hartman
` (368 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans Verkuil, Aakarsh Jain,
Nicolas Dufresne, Marek Szyprowski, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aakarsh Jain <aakarsh.jain@samsung.com>
[ Upstream commit 7d0d0b2342bebc47a46499cdf21257ed1e58c4aa ]
There is a possibility of getting page fault if the overall
buffer size is not aligned to 256bytes. Since MFC does read
operation only and it won't corrupt the data values even if
it reads the extra bytes.
Corrected luma and chroma plane sizes for V4L2_PIX_FMT_NV12M
and V4L2_PIX_FMT_NV21M pixel format.
Suggested-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Aakarsh Jain <aakarsh.jain@samsung.com>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/samsung/s5p-mfc/s5p_mfc_opr_v6.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/samsung/s5p-mfc/s5p_mfc_opr_v6.c b/drivers/media/platform/samsung/s5p-mfc/s5p_mfc_opr_v6.c
index 73f7af674c01b..0c636090d723d 100644
--- a/drivers/media/platform/samsung/s5p-mfc/s5p_mfc_opr_v6.c
+++ b/drivers/media/platform/samsung/s5p-mfc/s5p_mfc_opr_v6.c
@@ -549,8 +549,9 @@ static void s5p_mfc_enc_calc_src_size_v6(struct s5p_mfc_ctx *ctx)
case V4L2_PIX_FMT_NV21M:
ctx->stride[0] = ALIGN(ctx->img_width, S5P_FIMV_NV12M_HALIGN_V6);
ctx->stride[1] = ALIGN(ctx->img_width, S5P_FIMV_NV12M_HALIGN_V6);
- ctx->luma_size = ctx->stride[0] * ALIGN(ctx->img_height, 16);
- ctx->chroma_size = ctx->stride[0] * ALIGN(ctx->img_height / 2, 16);
+ ctx->luma_size = ALIGN(ctx->stride[0] * ALIGN(ctx->img_height, 16), 256);
+ ctx->chroma_size = ALIGN(ctx->stride[0] * ALIGN(ctx->img_height / 2, 16),
+ 256);
break;
case V4L2_PIX_FMT_YUV420M:
case V4L2_PIX_FMT_YVU420M:
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 088/449] mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 087/449] media: s5p-mfc: Corrected NV12M/NV21M plane-sizes Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 089/449] ALSA: usb-audio: Fix CME quirk for UF series keyboards Greg Kroah-Hartman
` (367 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kaustabh Chakraborty, Ulf Hansson,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kaustabh Chakraborty <kauschluss@disroot.org>
[ Upstream commit 57c0902f8bec51add5a1eb908d8b876592725d81 ]
In certain DW MMC implementations (such as in some Exynos7870
controllers), 64-bit read/write is not allowed from a 64-bit FIFO.
Add a quirk which facilitates accessing the 64-bit FIFO registers in two
32-bit halves.
Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org>
Link: https://lore.kernel.org/r/20250219-exynos7870-mmc-v2-2-b4255a3e39ed@disroot.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/dw_mmc.c | 94 ++++++++++++++++++++++++++++++++++++++-
drivers/mmc/host/dw_mmc.h | 27 +++++++++++
2 files changed, 119 insertions(+), 2 deletions(-)
diff --git a/drivers/mmc/host/dw_mmc.c b/drivers/mmc/host/dw_mmc.c
index 3cbda98d08d28..74f224647bf1e 100644
--- a/drivers/mmc/host/dw_mmc.c
+++ b/drivers/mmc/host/dw_mmc.c
@@ -2579,6 +2579,91 @@ static void dw_mci_pull_data64(struct dw_mci *host, void *buf, int cnt)
}
}
+static void dw_mci_push_data64_32(struct dw_mci *host, void *buf, int cnt)
+{
+ struct mmc_data *data = host->data;
+ int init_cnt = cnt;
+
+ /* try and push anything in the part_buf */
+ if (unlikely(host->part_buf_count)) {
+ int len = dw_mci_push_part_bytes(host, buf, cnt);
+
+ buf += len;
+ cnt -= len;
+
+ if (host->part_buf_count == 8) {
+ mci_fifo_l_writeq(host->fifo_reg, host->part_buf);
+ host->part_buf_count = 0;
+ }
+ }
+#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
+ if (unlikely((unsigned long)buf & 0x7)) {
+ while (cnt >= 8) {
+ u64 aligned_buf[16];
+ int len = min(cnt & -8, (int)sizeof(aligned_buf));
+ int items = len >> 3;
+ int i;
+ /* memcpy from input buffer into aligned buffer */
+ memcpy(aligned_buf, buf, len);
+ buf += len;
+ cnt -= len;
+ /* push data from aligned buffer into fifo */
+ for (i = 0; i < items; ++i)
+ mci_fifo_l_writeq(host->fifo_reg, aligned_buf[i]);
+ }
+ } else
+#endif
+ {
+ u64 *pdata = buf;
+
+ for (; cnt >= 8; cnt -= 8)
+ mci_fifo_l_writeq(host->fifo_reg, *pdata++);
+ buf = pdata;
+ }
+ /* put anything remaining in the part_buf */
+ if (cnt) {
+ dw_mci_set_part_bytes(host, buf, cnt);
+ /* Push data if we have reached the expected data length */
+ if ((data->bytes_xfered + init_cnt) ==
+ (data->blksz * data->blocks))
+ mci_fifo_l_writeq(host->fifo_reg, host->part_buf);
+ }
+}
+
+static void dw_mci_pull_data64_32(struct dw_mci *host, void *buf, int cnt)
+{
+#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
+ if (unlikely((unsigned long)buf & 0x7)) {
+ while (cnt >= 8) {
+ /* pull data from fifo into aligned buffer */
+ u64 aligned_buf[16];
+ int len = min(cnt & -8, (int)sizeof(aligned_buf));
+ int items = len >> 3;
+ int i;
+
+ for (i = 0; i < items; ++i)
+ aligned_buf[i] = mci_fifo_l_readq(host->fifo_reg);
+
+ /* memcpy from aligned buffer into output buffer */
+ memcpy(buf, aligned_buf, len);
+ buf += len;
+ cnt -= len;
+ }
+ } else
+#endif
+ {
+ u64 *pdata = buf;
+
+ for (; cnt >= 8; cnt -= 8)
+ *pdata++ = mci_fifo_l_readq(host->fifo_reg);
+ buf = pdata;
+ }
+ if (cnt) {
+ host->part_buf = mci_fifo_l_readq(host->fifo_reg);
+ dw_mci_pull_final_bytes(host, buf, cnt);
+ }
+}
+
static void dw_mci_pull_data(struct dw_mci *host, void *buf, int cnt)
{
int len;
@@ -3379,8 +3464,13 @@ int dw_mci_probe(struct dw_mci *host)
width = 16;
host->data_shift = 1;
} else if (i == 2) {
- host->push_data = dw_mci_push_data64;
- host->pull_data = dw_mci_pull_data64;
+ if ((host->quirks & DW_MMC_QUIRK_FIFO64_32)) {
+ host->push_data = dw_mci_push_data64_32;
+ host->pull_data = dw_mci_pull_data64_32;
+ } else {
+ host->push_data = dw_mci_push_data64;
+ host->pull_data = dw_mci_pull_data64;
+ }
width = 64;
host->data_shift = 3;
} else {
diff --git a/drivers/mmc/host/dw_mmc.h b/drivers/mmc/host/dw_mmc.h
index 6447b916990dc..5463392dc8110 100644
--- a/drivers/mmc/host/dw_mmc.h
+++ b/drivers/mmc/host/dw_mmc.h
@@ -281,6 +281,8 @@ struct dw_mci_board {
/* Support for longer data read timeout */
#define DW_MMC_QUIRK_EXTENDED_TMOUT BIT(0)
+/* Force 32-bit access to the FIFO */
+#define DW_MMC_QUIRK_FIFO64_32 BIT(1)
#define DW_MMC_240A 0x240a
#define DW_MMC_280A 0x280a
@@ -472,6 +474,31 @@ struct dw_mci_board {
#define mci_fifo_writel(__value, __reg) __raw_writel(__reg, __value)
#define mci_fifo_writeq(__value, __reg) __raw_writeq(__reg, __value)
+/*
+ * Some dw_mmc devices have 64-bit FIFOs, but expect them to be
+ * accessed using two 32-bit accesses. If such controller is used
+ * with a 64-bit kernel, this has to be done explicitly.
+ */
+static inline u64 mci_fifo_l_readq(void __iomem *addr)
+{
+ u64 ans;
+ u32 proxy[2];
+
+ proxy[0] = mci_fifo_readl(addr);
+ proxy[1] = mci_fifo_readl(addr + 4);
+ memcpy(&ans, proxy, 8);
+ return ans;
+}
+
+static inline void mci_fifo_l_writeq(void __iomem *addr, u64 value)
+{
+ u32 proxy[2];
+
+ memcpy(proxy, &value, 8);
+ mci_fifo_writel(addr, proxy[0]);
+ mci_fifo_writel(addr + 4, proxy[1]);
+}
+
/* Register access macros */
#define mci_readl(dev, reg) \
readl_relaxed((dev)->regs + SDMMC_##reg)
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 089/449] ALSA: usb-audio: Fix CME quirk for UF series keyboards
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 088/449] mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 090/449] ASoC: amd: Add DMI quirk for ACP6X mic support Greg Kroah-Hartman
` (366 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ricard Wanderlof, Takashi Iwai,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricard Wanderlof <ricard2013@butoba.net>
[ Upstream commit c2820405ba55a38932aa2177f026b70064296663 ]
Fix quirk for CME master keyboards so it not only handles
sysex but also song position pointer, MIDI timing clock, start
and stop messages, and active sensing. All of these can be
output by the CME UF series master keyboards.
Tested with a CME UF6 in a desktop Linux environment as
well as on the Zynthian Raspberry Pi based platform.
Signed-off-by: Ricard Wanderlof <ricard2013@butoba.net>
Link: https://patch.msgid.link/20250313-cme-fix-v1-1-d404889e4de8@butoba.net
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/midi.c | 80 ++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 74 insertions(+), 6 deletions(-)
diff --git a/sound/usb/midi.c b/sound/usb/midi.c
index 779d97d31f170..826ac870f2469 100644
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -489,16 +489,84 @@ static void ch345_broken_sysex_input(struct snd_usb_midi_in_endpoint *ep,
/*
* CME protocol: like the standard protocol, but SysEx commands are sent as a
- * single USB packet preceded by a 0x0F byte.
+ * single USB packet preceded by a 0x0F byte, as are system realtime
+ * messages and MIDI Active Sensing.
+ * Also, multiple messages can be sent in the same packet.
*/
static void snd_usbmidi_cme_input(struct snd_usb_midi_in_endpoint *ep,
uint8_t *buffer, int buffer_length)
{
- if (buffer_length < 2 || (buffer[0] & 0x0f) != 0x0f)
- snd_usbmidi_standard_input(ep, buffer, buffer_length);
- else
- snd_usbmidi_input_data(ep, buffer[0] >> 4,
- &buffer[1], buffer_length - 1);
+ int remaining = buffer_length;
+
+ /*
+ * CME send sysex, song position pointer, system realtime
+ * and active sensing using CIN 0x0f, which in the standard
+ * is only intended for single byte unparsed data.
+ * So we need to interpret these here before sending them on.
+ * By default, we assume single byte data, which is true
+ * for system realtime (midi clock, start, stop and continue)
+ * and active sensing, and handle the other (known) cases
+ * separately.
+ * In contrast to the standard, CME does not split sysex
+ * into multiple 4-byte packets, but lumps everything together
+ * into one. In addition, CME can string multiple messages
+ * together in the same packet; pressing the Record button
+ * on an UF6 sends a sysex message directly followed
+ * by a song position pointer in the same packet.
+ * For it to have any reasonable meaning, a sysex message
+ * needs to be at least 3 bytes in length (0xf0, id, 0xf7),
+ * corresponding to a packet size of 4 bytes, and the ones sent
+ * by CME devices are 6 or 7 bytes, making the packet fragments
+ * 7 or 8 bytes long (six or seven bytes plus preceding CN+CIN byte).
+ * For the other types, the packet size is always 4 bytes,
+ * as per the standard, with the data size being 3 for SPP
+ * and 1 for the others.
+ * Thus all packet fragments are at least 4 bytes long, so we can
+ * skip anything that is shorter; this also conveniantly skips
+ * packets with size 0, which CME devices continuously send when
+ * they have nothing better to do.
+ * Another quirk is that sometimes multiple messages are sent
+ * in the same packet. This has been observed for midi clock
+ * and active sensing i.e. 0x0f 0xf8 0x00 0x00 0x0f 0xfe 0x00 0x00,
+ * but also multiple note ons/offs, and control change together
+ * with MIDI clock. Similarly, some sysex messages are followed by
+ * the song position pointer in the same packet, and occasionally
+ * additionally by a midi clock or active sensing.
+ * We handle this by looping over all data and parsing it along the way.
+ */
+ while (remaining >= 4) {
+ int source_length = 4; /* default */
+
+ if ((buffer[0] & 0x0f) == 0x0f) {
+ int data_length = 1; /* default */
+
+ if (buffer[1] == 0xf0) {
+ /* Sysex: Find EOX and send on whole message. */
+ /* To kick off the search, skip the first
+ * two bytes (CN+CIN and SYSEX (0xf0).
+ */
+ uint8_t *tmp_buf = buffer + 2;
+ int tmp_length = remaining - 2;
+
+ while (tmp_length > 1 && *tmp_buf != 0xf7) {
+ tmp_buf++;
+ tmp_length--;
+ }
+ data_length = tmp_buf - buffer;
+ source_length = data_length + 1;
+ } else if (buffer[1] == 0xf2) {
+ /* Three byte song position pointer */
+ data_length = 3;
+ }
+ snd_usbmidi_input_data(ep, buffer[0] >> 4,
+ &buffer[1], data_length);
+ } else {
+ /* normal channel events */
+ snd_usbmidi_standard_input(ep, buffer, source_length);
+ }
+ buffer += source_length;
+ remaining -= source_length;
+ }
}
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 090/449] ASoC: amd: Add DMI quirk for ACP6X mic support
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 089/449] ALSA: usb-audio: Fix CME quirk for UF series keyboards Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 091/449] ALSA: hda/realtek: fix micmute LEDs on HP Laptops with ALC3315 Greg Kroah-Hartman
` (365 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, keenplify, Mark Brown, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: keenplify <keenplify@gmail.com>
[ Upstream commit 309b367eafc8e162603cd29189da6db770411fea ]
Some AMD laptops with ACP6X do not expose the DMIC properly on Linux.
Adding a DMI quirk enables mic functionality.
Similar to Bugzilla #218402, this issue affects multiple users.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=219853
Signed-off-by: keenplify <keenplify@gmail.com>
Link: https://patch.msgid.link/20250315111617.12194-1-keenplify@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
index a7637056972aa..bd3808f98ec9e 100644
--- a/sound/soc/amd/yc/acp6x-mach.c
+++ b/sound/soc/amd/yc/acp6x-mach.c
@@ -584,6 +584,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
DMI_MATCH(DMI_PRODUCT_VERSION, "pang13"),
}
},
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "Micro-Star International Co., Ltd."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Bravo 15 C7UCX"),
+ }
+ },
{}
};
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 091/449] ALSA: hda/realtek: fix micmute LEDs on HP Laptops with ALC3315
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 090/449] ASoC: amd: Add DMI quirk for ACP6X mic support Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 092/449] ALSA: hda/realtek: fix micmute LEDs on HP Laptops with ALC3247 Greg Kroah-Hartman
` (364 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Chiu, Simon Trimmer,
Takashi Iwai, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Chiu <chris.chiu@canonical.com>
[ Upstream commit 0b1b5161648f35fb96967fb9d80965614657a84e ]
More HP laptops with Realtek HDA codec ALC3315 with combined CS35L56
Amplifiers need quirk ALC285_FIXUP_HP_GPIO_LED to fix the micmute LED.
Signed-off-by: Chris Chiu <chris.chiu@canonical.com>
Reviewed-by: Simon Trimmer <simont@opensource.cirrus.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20250321104914.544233-1-chris.chiu@canonical.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_realtek.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 65ece19a6dd7d..e8e11f43f6668 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -10691,13 +10691,27 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
SND_PCI_QUIRK(0x103c, 0x8cf5, "HP ZBook Studio 16", ALC245_FIXUP_CS35L41_SPI_4_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x8d01, "HP ZBook Power 14 G12", ALC285_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x8d84, "HP EliteBook X G1i", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8d85, "HP EliteBook 14 G12", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8d86, "HP Elite X360 14 G12", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8d8c, "HP EliteBook 13 G12", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8d8d, "HP Elite X360 13 G12", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8d8e, "HP EliteBook 14 G12", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8d8f, "HP EliteBook 14 G12", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8d90, "HP EliteBook 16 G12", ALC285_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x8d91, "HP ZBook Firefly 14 G12", ALC285_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x8d92, "HP ZBook Firefly 16 G12", ALC285_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x8de8, "HP Gemtree", ALC245_FIXUP_TAS2781_SPI_2),
SND_PCI_QUIRK(0x103c, 0x8de9, "HP Gemtree", ALC245_FIXUP_TAS2781_SPI_2),
+ SND_PCI_QUIRK(0x103c, 0x8e14, "HP ZBook Firefly 14 G12", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8e15, "HP ZBook Firefly 14 G12", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8e16, "HP ZBook Firefly 14 G12", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8e17, "HP ZBook Firefly 14 G12", ALC285_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x8e18, "HP ZBook Firefly 14 G12A", ALC285_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x8e19, "HP ZBook Firefly 14 G12A", ALC285_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x8e1a, "HP ZBook Firefly 14 G12A", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8e1b, "HP EliteBook G12", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8e1c, "HP EliteBook G12", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8e2c, "HP EliteBook 16 G12", ALC285_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300),
SND_PCI_QUIRK(0x1043, 0x1054, "ASUS G614FH/FM/FP", ALC287_FIXUP_CS35L41_I2C_2),
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 092/449] ALSA: hda/realtek: fix micmute LEDs on HP Laptops with ALC3247
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 091/449] ALSA: hda/realtek: fix micmute LEDs on HP Laptops with ALC3315 Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 093/449] ASoC: amd: yc: update quirk data for new Lenovo model Greg Kroah-Hartman
` (363 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Chiu, Simon Trimmer,
Takashi Iwai, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Chiu <chris.chiu@canonical.com>
[ Upstream commit 78f4ca3c6f6fd305b9af8c51470643617df85e11 ]
More HP EliteBook with Realtek HDA codec ALC3247 with combined CS35L56
Amplifiers need quirk ALC236_FIXUP_HP_GPIO_LED to fix the micmute LED.
Signed-off-by: Chris Chiu <chris.chiu@canonical.com>
Reviewed-by: Simon Trimmer <simont@opensource.cirrus.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20250321104914.544233-2-chris.chiu@canonical.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_realtek.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index e8e11f43f6668..2ac1656472864 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -10702,6 +10702,11 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
SND_PCI_QUIRK(0x103c, 0x8d92, "HP ZBook Firefly 16 G12", ALC285_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x8de8, "HP Gemtree", ALC245_FIXUP_TAS2781_SPI_2),
SND_PCI_QUIRK(0x103c, 0x8de9, "HP Gemtree", ALC245_FIXUP_TAS2781_SPI_2),
+ SND_PCI_QUIRK(0x103c, 0x8dec, "HP EliteBook 640 G12", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8dee, "HP EliteBook 660 G12", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8df0, "HP EliteBook 630 G12", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8dfc, "HP EliteBook 645 G12", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8dfe, "HP EliteBook 665 G12", ALC236_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x8e14, "HP ZBook Firefly 14 G12", ALC285_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x8e15, "HP ZBook Firefly 14 G12", ALC285_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x8e16, "HP ZBook Firefly 14 G12", ALC285_FIXUP_HP_GPIO_LED),
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 093/449] ASoC: amd: yc: update quirk data for new Lenovo model
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 092/449] ALSA: hda/realtek: fix micmute LEDs on HP Laptops with ALC3247 Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 094/449] platform/x86: x86-android-tablets: Add select POWER_SUPPLY to Kconfig Greg Kroah-Hartman
` (362 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Syed Saba kareem, Reiner,
Mario Limonciello, Mark Brown, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Syed Saba kareem <syed.sabakareem@amd.com>
[ Upstream commit 5a4dd520ef8a94ecf81ac77b90d6a03e91c100a9 ]
Update Quirk data for new Lenovo model 83J2 for YC platform.
Signed-off-by: Syed Saba kareem <syed.sabakareem@amd.com>
Link: https://patch.msgid.link/20250321122507.190193-1-syed.sabakareem@amd.com
Reported-by: Reiner <Reiner.Proels@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219887
Tested-by: Reiner <Reiner.Proels@gmail.com>
Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
index bd3808f98ec9e..e632f16c91025 100644
--- a/sound/soc/amd/yc/acp6x-mach.c
+++ b/sound/soc/amd/yc/acp6x-mach.c
@@ -339,6 +339,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "83Q3"),
}
},
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "83J2"),
+ }
+ },
{
.driver_data = &acp6x_card,
.matches = {
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 094/449] platform/x86: x86-android-tablets: Add select POWER_SUPPLY to Kconfig
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 093/449] ASoC: amd: yc: update quirk data for new Lenovo model Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 095/449] wifi: ath9k: use unsigned long for activity check timestamp Greg Kroah-Hartman
` (361 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Hans de Goede,
Ilpo Järvinen, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
[ Upstream commit 2c30357e755b087217c7643fda2b8aea6d6deda4 ]
Commit c78dd25138d1 ("platform/x86: x86-android-tablets: Add Vexia EDU
ATLA 10 EC battery driver"), adds power_supply class registering to
the x86-android-tablets code.
Add "select POWER_SUPPLY" to the Kconfig entry to avoid these errors:
ERROR: modpost: "power_supply_get_drvdata" [drivers/platform/x86/x86-android-tablets/vexia_atla10_ec.ko] undefined!
ERROR: modpost: "power_supply_changed" [drivers/platform/x86/x86-android-tablets/vexia_atla10_ec.ko] undefined!
ERROR: modpost: "devm_power_supply_register" [drivers/platform/x86/x86-android-tablets/vexia_atla10_ec.ko] undefined!
When POWER_SUPPLY support is not enabled.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202503231159.ga9eWMVO-lkp@intel.com/
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20250324125052.374369-1-hdegoede@redhat.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/x86-android-tablets/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/platform/x86/x86-android-tablets/Kconfig b/drivers/platform/x86/x86-android-tablets/Kconfig
index a67bddc430075..193da15ee01ca 100644
--- a/drivers/platform/x86/x86-android-tablets/Kconfig
+++ b/drivers/platform/x86/x86-android-tablets/Kconfig
@@ -10,6 +10,7 @@ config X86_ANDROID_TABLETS
depends on ACPI && EFI && PCI
select NEW_LEDS
select LEDS_CLASS
+ select POWER_SUPPLY
help
X86 tablets which ship with Android as (part of) the factory image
typically have various problems with their DSDTs. The factory kernels
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 095/449] wifi: ath9k: use unsigned long for activity check timestamp
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 094/449] platform/x86: x86-android-tablets: Add select POWER_SUPPLY to Kconfig Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 096/449] wifi: ath11k: Fix DMA buffer allocation to resolve SWIOTLB issues Greg Kroah-Hartman
` (360 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Antipov,
Toke Høiland-Jørgensen, Jeff Johnson, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit 8fe64b0fedcb7348080529c46c71ae23f60c9d3e ]
Since 'rx_active_check_time' of 'struct ath_softc' is in jiffies,
prefer 'unsigned long' over 'u32' to avoid possible truncation in
'ath_hw_rx_inactive_check()'. Found with clang's -Wshorten-64-to-32,
compile tested only.
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Link: https://patch.msgid.link/20250115171750.259917-2-dmantipov@yandex.ru
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/ath9k.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath9k/ath9k.h b/drivers/net/wireless/ath/ath9k/ath9k.h
index a728cc0387df8..cbcf37008556f 100644
--- a/drivers/net/wireless/ath/ath9k/ath9k.h
+++ b/drivers/net/wireless/ath/ath9k/ath9k.h
@@ -1018,7 +1018,7 @@ struct ath_softc {
u8 gtt_cnt;
u32 intrstatus;
- u32 rx_active_check_time;
+ unsigned long rx_active_check_time;
u32 rx_active_count;
u16 ps_flags; /* PS_* */
bool ps_enabled;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 096/449] wifi: ath11k: Fix DMA buffer allocation to resolve SWIOTLB issues
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 095/449] wifi: ath9k: use unsigned long for activity check timestamp Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 097/449] wifi: ath11k: fix memory leak in ath11k_xxx_remove() Greg Kroah-Hartman
` (359 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tim Harvey, P Praneesh, Jeff Johnson,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: P Praneesh <quic_ppranees@quicinc.com>
[ Upstream commit 1bcd20981834928ccc5d981aacb806bb523d8b29 ]
Currently, the driver allocates cacheable DMA buffers for rings like
HAL_REO_DST and HAL_WBM2SW_RELEASE. The buffers for HAL_WBM2SW_RELEASE
are large (1024 KiB), exceeding the SWIOTLB slot size of 256 KiB. This
leads to "swiotlb buffer is full" error messages on systems without an
IOMMU that use SWIOTLB, causing driver initialization failures. The driver
calls dma_map_single() with these large buffers obtained from kzalloc(),
resulting in ring initialization errors on systems without an IOMMU that
use SWIOTLB.
To address these issues, replace the flawed buffer allocation mechanism
with the appropriate DMA API. Specifically, use dma_alloc_noncoherent()
for cacheable DMA buffers, ensuring proper freeing of buffers with
dma_free_noncoherent().
Error log:
[ 10.194343] ath11k_pci 0000:04:00.0: swiotlb buffer is full (sz:1048583 bytes), total 32768 (slots), used 2529 (slots)
[ 10.194406] ath11k_pci 0000:04:00.0: failed to set up tcl_comp ring (0) :-12
[ 10.194781] ath11k_pci 0000:04:00.0: failed to init DP: -12
Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3
Reported-by: Tim Harvey <tharvey@gateworks.com>
Closes: https://lore.kernel.org/all/20241210041133.GA17116@lst.de/
Signed-off-by: P Praneesh <quic_ppranees@quicinc.com>
Tested-by: Tim Harvey <tharvey@gateworks.com>
Link: https://patch.msgid.link/20250119164219.647059-2-quic_ppranees@quicinc.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/dp.c | 35 +++++++++-------------------
1 file changed, 11 insertions(+), 24 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/dp.c b/drivers/net/wireless/ath/ath11k/dp.c
index fbf666d0ecf1d..f124b7329e1ac 100644
--- a/drivers/net/wireless/ath/ath11k/dp.c
+++ b/drivers/net/wireless/ath/ath11k/dp.c
@@ -1,7 +1,7 @@
// SPDX-License-Identifier: BSD-3-Clause-Clear
/*
* Copyright (c) 2018-2019 The Linux Foundation. All rights reserved.
- * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include <crypto/hash.h>
@@ -104,14 +104,12 @@ void ath11k_dp_srng_cleanup(struct ath11k_base *ab, struct dp_srng *ring)
if (!ring->vaddr_unaligned)
return;
- if (ring->cached) {
- dma_unmap_single(ab->dev, ring->paddr_unaligned, ring->size,
- DMA_FROM_DEVICE);
- kfree(ring->vaddr_unaligned);
- } else {
+ if (ring->cached)
+ dma_free_noncoherent(ab->dev, ring->size, ring->vaddr_unaligned,
+ ring->paddr_unaligned, DMA_FROM_DEVICE);
+ else
dma_free_coherent(ab->dev, ring->size, ring->vaddr_unaligned,
ring->paddr_unaligned);
- }
ring->vaddr_unaligned = NULL;
}
@@ -249,25 +247,14 @@ int ath11k_dp_srng_setup(struct ath11k_base *ab, struct dp_srng *ring,
default:
cached = false;
}
-
- if (cached) {
- ring->vaddr_unaligned = kzalloc(ring->size, GFP_KERNEL);
- if (!ring->vaddr_unaligned)
- return -ENOMEM;
-
- ring->paddr_unaligned = dma_map_single(ab->dev,
- ring->vaddr_unaligned,
- ring->size,
- DMA_FROM_DEVICE);
- if (dma_mapping_error(ab->dev, ring->paddr_unaligned)) {
- kfree(ring->vaddr_unaligned);
- ring->vaddr_unaligned = NULL;
- return -ENOMEM;
- }
- }
}
- if (!cached)
+ if (cached)
+ ring->vaddr_unaligned = dma_alloc_noncoherent(ab->dev, ring->size,
+ &ring->paddr_unaligned,
+ DMA_FROM_DEVICE,
+ GFP_KERNEL);
+ else
ring->vaddr_unaligned = dma_alloc_coherent(ab->dev, ring->size,
&ring->paddr_unaligned,
GFP_KERNEL);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 097/449] wifi: ath11k: fix memory leak in ath11k_xxx_remove()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 096/449] wifi: ath11k: Fix DMA buffer allocation to resolve SWIOTLB issues Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 098/449] wifi: ath12k: fix memory leak in ath12k_pci_remove() Greg Kroah-Hartman
` (358 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqing Pan, Aditya Kumar Singh,
Jeff Johnson, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqing Pan <quic_miaoqing@quicinc.com>
[ Upstream commit efb24b1f0d29537714dd3cc46fb335ac27855251 ]
The firmware memory was allocated in ath11k_pci_probe() or
ath11k_ahb_probe(), but not freed in ath11k_xxx_remove() in case
ATH11K_FLAG_QMI_FAIL bit is set. So call ath11k_fw_destroy() to
free the memory.
Found while fixing the same problem in ath12k:
https://lore.kernel.org/linux-wireless/20240314012746.2729101-1-quic_miaoqing@quicinc.com
Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-04546-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1
Signed-off-by: Miaoqing Pan <quic_miaoqing@quicinc.com>
Reviewed-by: Aditya Kumar Singh <aditya.kumar.singh@oss.qualcomm.com>
Link: https://patch.msgid.link/20250123084948.1124357-1-quic_miaoqing@quicinc.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/ahb.c | 4 +++-
drivers/net/wireless/ath/ath11k/core.c | 3 +--
drivers/net/wireless/ath/ath11k/fw.c | 3 ++-
drivers/net/wireless/ath/ath11k/pci.c | 3 ++-
4 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/ahb.c b/drivers/net/wireless/ath/ath11k/ahb.c
index f2fc04596d481..eedba3766ba24 100644
--- a/drivers/net/wireless/ath/ath11k/ahb.c
+++ b/drivers/net/wireless/ath/ath11k/ahb.c
@@ -1,7 +1,7 @@
// SPDX-License-Identifier: BSD-3-Clause-Clear
/*
* Copyright (c) 2018-2019 The Linux Foundation. All rights reserved.
- * Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2025 Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include <linux/module.h>
@@ -1290,6 +1290,7 @@ static void ath11k_ahb_remove(struct platform_device *pdev)
ath11k_core_deinit(ab);
qmi_fail:
+ ath11k_fw_destroy(ab);
ath11k_ahb_free_resources(ab);
}
@@ -1309,6 +1310,7 @@ static void ath11k_ahb_shutdown(struct platform_device *pdev)
ath11k_core_deinit(ab);
free_resources:
+ ath11k_fw_destroy(ab);
ath11k_ahb_free_resources(ab);
}
diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
index c576bbba52bf1..85077247b0251 100644
--- a/drivers/net/wireless/ath/ath11k/core.c
+++ b/drivers/net/wireless/ath/ath11k/core.c
@@ -1,7 +1,7 @@
// SPDX-License-Identifier: BSD-3-Clause-Clear
/*
* Copyright (c) 2018-2019 The Linux Foundation. All rights reserved.
- * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include <linux/module.h>
@@ -2346,7 +2346,6 @@ void ath11k_core_deinit(struct ath11k_base *ab)
ath11k_hif_power_down(ab);
ath11k_mac_destroy(ab);
ath11k_core_soc_destroy(ab);
- ath11k_fw_destroy(ab);
}
EXPORT_SYMBOL(ath11k_core_deinit);
diff --git a/drivers/net/wireless/ath/ath11k/fw.c b/drivers/net/wireless/ath/ath11k/fw.c
index 4e36292a79db8..cbbd8e57119f2 100644
--- a/drivers/net/wireless/ath/ath11k/fw.c
+++ b/drivers/net/wireless/ath/ath11k/fw.c
@@ -1,6 +1,6 @@
// SPDX-License-Identifier: BSD-3-Clause-Clear
/*
- * Copyright (c) 2022-2023, Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2025 Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include "core.h"
@@ -166,3 +166,4 @@ void ath11k_fw_destroy(struct ath11k_base *ab)
{
release_firmware(ab->fw.fw);
}
+EXPORT_SYMBOL(ath11k_fw_destroy);
diff --git a/drivers/net/wireless/ath/ath11k/pci.c b/drivers/net/wireless/ath/ath11k/pci.c
index eaac9eabcc70a..4d96f838b5ae0 100644
--- a/drivers/net/wireless/ath/ath11k/pci.c
+++ b/drivers/net/wireless/ath/ath11k/pci.c
@@ -1,7 +1,7 @@
// SPDX-License-Identifier: BSD-3-Clause-Clear
/*
* Copyright (c) 2019-2020 The Linux Foundation. All rights reserved.
- * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include <linux/module.h>
@@ -986,6 +986,7 @@ static void ath11k_pci_remove(struct pci_dev *pdev)
ath11k_core_deinit(ab);
qmi_fail:
+ ath11k_fw_destroy(ab);
ath11k_mhi_unregister(ab_pci);
ath11k_pcic_free_irq(ab);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 098/449] wifi: ath12k: fix memory leak in ath12k_pci_remove()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 097/449] wifi: ath11k: fix memory leak in ath11k_xxx_remove() Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 099/449] wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process Greg Kroah-Hartman
` (357 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqing Pan, Aditya Kumar Singh,
Jeff Johnson, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqing Pan <quic_miaoqing@quicinc.com>
[ Upstream commit 1b24394ed5c8a8d8f7b9e3aa9044c31495d46f2e ]
Kmemleak reported this error:
unreferenced object 0xffff1c165cec3060 (size 32):
comm "insmod", pid 560, jiffies 4296964570 (age 235.596s)
backtrace:
[<000000005434db68>] __kmem_cache_alloc_node+0x1f4/0x2c0
[<000000001203b155>] kmalloc_trace+0x40/0x88
[<0000000028adc9c8>] _request_firmware+0xb8/0x608
[<00000000cad1aef7>] firmware_request_nowarn+0x50/0x80
[<000000005011a682>] local_pci_probe+0x48/0xd0
[<00000000077cd295>] pci_device_probe+0xb4/0x200
[<0000000087184c94>] really_probe+0x150/0x2c0
The firmware memory was allocated in ath12k_pci_probe(), but not
freed in ath12k_pci_remove() in case ATH12K_FLAG_QMI_FAIL bit is
set. So call ath12k_fw_unmap() to free the memory.
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.2.0-02280-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1
Signed-off-by: Miaoqing Pan <quic_miaoqing@quicinc.com>
Reviewed-by: Aditya Kumar Singh <aditya.kumar.singh@oss.qualcomm.com>
Link: https://patch.msgid.link/20250123080226.1116479-1-quic_miaoqing@quicinc.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath12k/pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath12k/pci.c b/drivers/net/wireless/ath/ath12k/pci.c
index 2851f6944b864..ee14b84845487 100644
--- a/drivers/net/wireless/ath/ath12k/pci.c
+++ b/drivers/net/wireless/ath/ath12k/pci.c
@@ -1736,9 +1736,9 @@ static void ath12k_pci_remove(struct pci_dev *pdev)
cancel_work_sync(&ab->reset_work);
cancel_work_sync(&ab->dump_work);
ath12k_core_deinit(ab);
- ath12k_fw_unmap(ab);
qmi_fail:
+ ath12k_fw_unmap(ab);
ath12k_mhi_unregister(ab_pci);
ath12k_pci_free_irq(ab);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 099/449] wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 098/449] wifi: ath12k: fix memory leak in ath12k_pci_remove() Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 100/449] wifi: ath12k: Avoid memory leak while enabling statistics Greg Kroah-Hartman
` (356 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, P Praneesh, Jeff Johnson,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: P Praneesh <quic_ppranees@quicinc.com>
[ Upstream commit 63fdc4509bcf483e79548de6bc08bf3c8e504bb3 ]
Currently, ath12k_dp_mon_srng_process uses ath12k_hal_srng_src_get_next_entry
to fetch the next entry from the destination ring. This is incorrect because
ath12k_hal_srng_src_get_next_entry is intended for source rings, not destination
rings. This leads to invalid entry fetches, causing potential data corruption or
crashes due to accessing incorrect memory locations. This happens because the
source ring and destination ring have different handling mechanisms and using
the wrong function results in incorrect pointer arithmetic and ring management.
To fix this issue, replace the call to ath12k_hal_srng_src_get_next_entry with
ath12k_hal_srng_dst_get_next_entry in ath12k_dp_mon_srng_process. This ensures
that the correct function is used for fetching entries from the destination
ring, preventing invalid memory accesses.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1
Tested-on: WCN7850 hw2.0 WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
Signed-off-by: P Praneesh <quic_ppranees@quicinc.com>
Link: https://patch.msgid.link/20241223060132.3506372-7-quic_ppranees@quicinc.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath12k/dp_mon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath12k/dp_mon.c b/drivers/net/wireless/ath/ath12k/dp_mon.c
index 5a21961cfd465..252d8e8a2080e 100644
--- a/drivers/net/wireless/ath/ath12k/dp_mon.c
+++ b/drivers/net/wireless/ath/ath12k/dp_mon.c
@@ -2519,7 +2519,7 @@ int ath12k_dp_mon_rx_process_stats(struct ath12k *ar, int mac_id,
dest_idx = 0;
move_next:
ath12k_dp_mon_buf_replenish(ab, buf_ring, 1);
- ath12k_hal_srng_src_get_next_entry(ab, srng);
+ ath12k_hal_srng_dst_get_next_entry(ab, srng);
num_buffs_reaped++;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 100/449] wifi: ath12k: Avoid memory leak while enabling statistics
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 099/449] wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 101/449] ata: libata-core: Add external to the libata.force kernel parameter Greg Kroah-Hartman
` (355 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, P Praneesh, Jeff Johnson,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: P Praneesh <quic_ppranees@quicinc.com>
[ Upstream commit ecfc131389923405be8e7a6f4408fd9321e4d19b ]
Driver uses monitor destination rings for extended statistics mode and
standalone monitor mode. In extended statistics mode, TLVs are parsed from
the buffer received from the monitor destination ring and assigned to the
ppdu_info structure to update per-packet statistics. In standalone monitor
mode, along with per-packet statistics, the packet data (payload) is
captured, and the driver updates per MSDU to mac80211.
When the AP interface is enabled, only extended statistics mode is
activated. As part of enabling monitor rings for collecting statistics,
the driver subscribes to HAL_RX_MPDU_START TLV in the filter
configuration. This TLV is received from the monitor destination ring, and
kzalloc for the mon_mpdu object occurs, which is not freed, leading to a
memory leak. The kzalloc for the mon_mpdu object is only required while
enabling the standalone monitor interface. This causes a memory leak while
enabling extended statistics mode in the driver.
Fix this memory leak by removing the kzalloc for the mon_mpdu object in
the HAL_RX_MPDU_START TLV handling. Additionally, remove the standalone
monitor mode handlings in the HAL_MON_BUF_ADDR and HAL_RX_MSDU_END TLVs.
These TLV tags will be handled properly when enabling standalone monitor
mode in the future.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
Signed-off-by: P Praneesh <quic_ppranees@quicinc.com>
Link: https://patch.msgid.link/20241223060132.3506372-13-quic_ppranees@quicinc.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath12k/dp_mon.c | 64 ++++--------------------
drivers/net/wireless/ath/ath12k/hal_rx.h | 3 ++
2 files changed, 12 insertions(+), 55 deletions(-)
diff --git a/drivers/net/wireless/ath/ath12k/dp_mon.c b/drivers/net/wireless/ath/ath12k/dp_mon.c
index 252d8e8a2080e..0b089389087d3 100644
--- a/drivers/net/wireless/ath/ath12k/dp_mon.c
+++ b/drivers/net/wireless/ath/ath12k/dp_mon.c
@@ -743,7 +743,6 @@ ath12k_dp_mon_rx_parse_status_tlv(struct ath12k_base *ab,
}
case HAL_RX_MPDU_START: {
const struct hal_rx_mpdu_start *mpdu_start = tlv_data;
- struct dp_mon_mpdu *mon_mpdu = pmon->mon_mpdu;
u16 peer_id;
info[1] = __le32_to_cpu(mpdu_start->info1);
@@ -760,65 +759,17 @@ ath12k_dp_mon_rx_parse_status_tlv(struct ath12k_base *ab,
u32_get_bits(info[0], HAL_RX_MPDU_START_INFO1_PEERID);
}
- mon_mpdu = kzalloc(sizeof(*mon_mpdu), GFP_ATOMIC);
- if (!mon_mpdu)
- return HAL_RX_MON_STATUS_PPDU_NOT_DONE;
-
break;
}
case HAL_RX_MSDU_START:
/* TODO: add msdu start parsing logic */
break;
- case HAL_MON_BUF_ADDR: {
- struct dp_rxdma_mon_ring *buf_ring = &ab->dp.rxdma_mon_buf_ring;
- const struct dp_mon_packet_info *packet_info = tlv_data;
- int buf_id = u32_get_bits(packet_info->cookie,
- DP_RXDMA_BUF_COOKIE_BUF_ID);
- struct sk_buff *msdu;
- struct dp_mon_mpdu *mon_mpdu = pmon->mon_mpdu;
- struct ath12k_skb_rxcb *rxcb;
-
- spin_lock_bh(&buf_ring->idr_lock);
- msdu = idr_remove(&buf_ring->bufs_idr, buf_id);
- spin_unlock_bh(&buf_ring->idr_lock);
-
- if (unlikely(!msdu)) {
- ath12k_warn(ab, "monitor destination with invalid buf_id %d\n",
- buf_id);
- return HAL_RX_MON_STATUS_PPDU_NOT_DONE;
- }
-
- rxcb = ATH12K_SKB_RXCB(msdu);
- dma_unmap_single(ab->dev, rxcb->paddr,
- msdu->len + skb_tailroom(msdu),
- DMA_FROM_DEVICE);
-
- if (mon_mpdu->tail)
- mon_mpdu->tail->next = msdu;
- else
- mon_mpdu->tail = msdu;
-
- ath12k_dp_mon_buf_replenish(ab, buf_ring, 1);
-
- break;
- }
- case HAL_RX_MSDU_END: {
- const struct rx_msdu_end_qcn9274 *msdu_end = tlv_data;
- bool is_first_msdu_in_mpdu;
- u16 msdu_end_info;
-
- msdu_end_info = __le16_to_cpu(msdu_end->info5);
- is_first_msdu_in_mpdu = u32_get_bits(msdu_end_info,
- RX_MSDU_END_INFO5_FIRST_MSDU);
- if (is_first_msdu_in_mpdu) {
- pmon->mon_mpdu->head = pmon->mon_mpdu->tail;
- pmon->mon_mpdu->tail = NULL;
- }
- break;
- }
+ case HAL_MON_BUF_ADDR:
+ return HAL_RX_MON_STATUS_BUF_ADDR;
+ case HAL_RX_MSDU_END:
+ return HAL_RX_MON_STATUS_MSDU_END;
case HAL_RX_MPDU_END:
- list_add_tail(&pmon->mon_mpdu->list, &pmon->dp_rx_mon_mpdu_list);
- break;
+ return HAL_RX_MON_STATUS_MPDU_END;
case HAL_DUMMY:
return HAL_RX_MON_STATUS_BUF_DONE;
case HAL_RX_PPDU_END_STATUS_DONE:
@@ -1216,7 +1167,10 @@ ath12k_dp_mon_parse_rx_dest(struct ath12k_base *ab, struct ath12k_mon_data *pmon
if ((ptr - skb->data) >= DP_RX_BUFFER_SIZE)
break;
- } while (hal_status == HAL_RX_MON_STATUS_PPDU_NOT_DONE);
+ } while ((hal_status == HAL_RX_MON_STATUS_PPDU_NOT_DONE) ||
+ (hal_status == HAL_RX_MON_STATUS_BUF_ADDR) ||
+ (hal_status == HAL_RX_MON_STATUS_MPDU_END) ||
+ (hal_status == HAL_RX_MON_STATUS_MSDU_END));
return hal_status;
}
diff --git a/drivers/net/wireless/ath/ath12k/hal_rx.h b/drivers/net/wireless/ath/ath12k/hal_rx.h
index b08aa2e79f411..54f3eaeca8bb9 100644
--- a/drivers/net/wireless/ath/ath12k/hal_rx.h
+++ b/drivers/net/wireless/ath/ath12k/hal_rx.h
@@ -108,6 +108,9 @@ enum hal_rx_mon_status {
HAL_RX_MON_STATUS_PPDU_NOT_DONE,
HAL_RX_MON_STATUS_PPDU_DONE,
HAL_RX_MON_STATUS_BUF_DONE,
+ HAL_RX_MON_STATUS_BUF_ADDR,
+ HAL_RX_MON_STATUS_MPDU_END,
+ HAL_RX_MON_STATUS_MSDU_END,
};
#define HAL_RX_MAX_MPDU 256
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 101/449] ata: libata-core: Add external to the libata.force kernel parameter
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 100/449] wifi: ath12k: Avoid memory leak while enabling statistics Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 102/449] scsi: mpi3mr: Avoid reply queue full condition Greg Kroah-Hartman
` (354 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Niklas Cassel,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Cassel <cassel@kernel.org>
[ Upstream commit deca423213cb33feda15e261e7b5b992077a6a08 ]
Commit ae1f3db006b7 ("ata: ahci: do not enable LPM on external ports")
changed so that LPM is not enabled on external ports (hotplug-capable or
eSATA ports).
This is because hotplug and LPM are mutually exclusive, see 7.3.1 Hot Plug
Removal Detection and Power Management Interaction in AHCI 1.3.1.
This does require that firmware has set the appropate bits (HPCP or ESP)
in PxCMD (which is a per port register in the AHCI controller).
If the firmware has failed to mark a port as hotplug-capable or eSATA in
PxCMD, then there is currently not much a user can do.
If LPM is enabled on the port, hotplug insertions and removals will not be
detected on that port.
In order to allow a user to fix up broken firmware, add 'external' to the
libata.force kernel parameter.
libata.force can be specified either on the kernel command line, or as a
kernel module parameter.
For more information, see Documentation/admin-guide/kernel-parameters.txt.
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Link: https://lore.kernel.org/r/20250130133544.219297-4-cassel@kernel.org
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../admin-guide/kernel-parameters.txt | 2 +
drivers/ata/libata-core.c | 38 +++++++++++++++++++
2 files changed, 40 insertions(+)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index fb8752b42ec85..aa7447f8837cb 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -3116,6 +3116,8 @@
* max_sec_lba48: Set or clear transfer size limit to
65535 sectors.
+ * external: Mark port as external (hotplug-capable).
+
* [no]lpm: Enable or disable link power management.
* [no]setxfer: Indicate if transfer speed mode setting
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index 3d730c10f7bea..05bfcb359f92c 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -88,6 +88,7 @@ struct ata_force_param {
unsigned int xfer_mask;
unsigned int quirk_on;
unsigned int quirk_off;
+ unsigned int pflags_on;
u16 lflags_on;
u16 lflags_off;
};
@@ -331,6 +332,35 @@ void ata_force_cbl(struct ata_port *ap)
}
}
+/**
+ * ata_force_pflags - force port flags according to libata.force
+ * @ap: ATA port of interest
+ *
+ * Force port flags according to libata.force and whine about it.
+ *
+ * LOCKING:
+ * EH context.
+ */
+static void ata_force_pflags(struct ata_port *ap)
+{
+ int i;
+
+ for (i = ata_force_tbl_size - 1; i >= 0; i--) {
+ const struct ata_force_ent *fe = &ata_force_tbl[i];
+
+ if (fe->port != -1 && fe->port != ap->print_id)
+ continue;
+
+ /* let pflags stack */
+ if (fe->param.pflags_on) {
+ ap->pflags |= fe->param.pflags_on;
+ ata_port_notice(ap,
+ "FORCE: port flag 0x%x forced -> 0x%x\n",
+ fe->param.pflags_on, ap->pflags);
+ }
+ }
+}
+
/**
* ata_force_link_limits - force link limits according to libata.force
* @link: ATA link of interest
@@ -486,6 +516,7 @@ static void ata_force_quirks(struct ata_device *dev)
}
}
#else
+static inline void ata_force_pflags(struct ata_port *ap) { }
static inline void ata_force_link_limits(struct ata_link *link) { }
static inline void ata_force_xfermask(struct ata_device *dev) { }
static inline void ata_force_quirks(struct ata_device *dev) { }
@@ -5460,6 +5491,8 @@ struct ata_port *ata_port_alloc(struct ata_host *host)
#endif
ata_sff_port_init(ap);
+ ata_force_pflags(ap);
+
return ap;
}
EXPORT_SYMBOL_GPL(ata_port_alloc);
@@ -6272,6 +6305,9 @@ EXPORT_SYMBOL_GPL(ata_platform_remove_one);
{ "no" #name, .lflags_on = (flags) }, \
{ #name, .lflags_off = (flags) }
+#define force_pflag_on(name, flags) \
+ { #name, .pflags_on = (flags) }
+
#define force_quirk_on(name, flag) \
{ #name, .quirk_on = (flag) }
@@ -6331,6 +6367,8 @@ static const struct ata_force_param force_tbl[] __initconst = {
force_lflag_on(rstonce, ATA_LFLAG_RST_ONCE),
force_lflag_onoff(dbdelay, ATA_LFLAG_NO_DEBOUNCE_DELAY),
+ force_pflag_on(external, ATA_PFLAG_EXTERNAL),
+
force_quirk_onoff(ncq, ATA_QUIRK_NONCQ),
force_quirk_onoff(ncqtrim, ATA_QUIRK_NO_NCQ_TRIM),
force_quirk_onoff(ncqati, ATA_QUIRK_NO_NCQ_ON_ATI),
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 102/449] scsi: mpi3mr: Avoid reply queue full condition
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 101/449] ata: libata-core: Add external to the libata.force kernel parameter Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 103/449] scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue Greg Kroah-Hartman
` (353 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sumit Saxena, Ranjan Kumar,
Martin K. Petersen, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ranjan Kumar <ranjan.kumar@broadcom.com>
[ Upstream commit f08b24d82749117ce779cc66689e8594341130d3 ]
To avoid reply queue full condition, update the driver to check IOCFacts
capabilities for qfull.
Update the operational reply queue's Consumer Index after processing 100
replies. If pending I/Os on a reply queue exceeds a threshold
(reply_queue_depth - 200), then return I/O back to OS to retry.
Also increase default admin reply queue size to 2K.
Signed-off-by: Sumit Saxena <sumit.saxena@broadcom.com>
Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
Link: https://lore.kernel.org/r/20250129100850.25430-2-ranjan.kumar@broadcom.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/mpi3mr/mpi3mr.h | 12 +++++++++++-
drivers/scsi/mpi3mr/mpi3mr_app.c | 24 ++++++++++++++++++++++++
drivers/scsi/mpi3mr/mpi3mr_fw.c | 32 ++++++++++++++++++++++++++++----
3 files changed, 63 insertions(+), 5 deletions(-)
diff --git a/drivers/scsi/mpi3mr/mpi3mr.h b/drivers/scsi/mpi3mr/mpi3mr.h
index 0d72b5f1b69df..9ed20ed581be6 100644
--- a/drivers/scsi/mpi3mr/mpi3mr.h
+++ b/drivers/scsi/mpi3mr/mpi3mr.h
@@ -80,13 +80,14 @@ extern atomic64_t event_counter;
/* Admin queue management definitions */
#define MPI3MR_ADMIN_REQ_Q_SIZE (2 * MPI3MR_PAGE_SIZE_4K)
-#define MPI3MR_ADMIN_REPLY_Q_SIZE (4 * MPI3MR_PAGE_SIZE_4K)
+#define MPI3MR_ADMIN_REPLY_Q_SIZE (8 * MPI3MR_PAGE_SIZE_4K)
#define MPI3MR_ADMIN_REQ_FRAME_SZ 128
#define MPI3MR_ADMIN_REPLY_FRAME_SZ 16
/* Operational queue management definitions */
#define MPI3MR_OP_REQ_Q_QD 512
#define MPI3MR_OP_REP_Q_QD 1024
+#define MPI3MR_OP_REP_Q_QD2K 2048
#define MPI3MR_OP_REP_Q_QD4K 4096
#define MPI3MR_OP_REQ_Q_SEG_SIZE 4096
#define MPI3MR_OP_REP_Q_SEG_SIZE 4096
@@ -328,6 +329,7 @@ enum mpi3mr_reset_reason {
#define MPI3MR_RESET_REASON_OSTYPE_SHIFT 28
#define MPI3MR_RESET_REASON_IOCNUM_SHIFT 20
+
/* Queue type definitions */
enum queue_type {
MPI3MR_DEFAULT_QUEUE = 0,
@@ -387,6 +389,7 @@ struct mpi3mr_ioc_facts {
u16 max_msix_vectors;
u8 personality;
u8 dma_mask;
+ bool max_req_limit;
u8 protocol_flags;
u8 sge_mod_mask;
u8 sge_mod_value;
@@ -456,6 +459,8 @@ struct op_req_qinfo {
* @enable_irq_poll: Flag to indicate polling is enabled
* @in_use: Queue is handled by poll/ISR
* @qtype: Type of queue (types defined in enum queue_type)
+ * @qfull_watermark: Watermark defined in reply queue to avoid
+ * reply queue full
*/
struct op_reply_qinfo {
u16 ci;
@@ -471,6 +476,7 @@ struct op_reply_qinfo {
bool enable_irq_poll;
atomic_t in_use;
enum queue_type qtype;
+ u16 qfull_watermark;
};
/**
@@ -1153,6 +1159,8 @@ struct scmd_priv {
* @snapdump_trigger_active: Snapdump trigger active flag
* @pci_err_recovery: PCI error recovery in progress
* @block_on_pci_err: Block IO during PCI error recovery
+ * @reply_qfull_count: Occurences of reply queue full avoidance kicking-in
+ * @prevent_reply_qfull: Enable reply queue prevention
*/
struct mpi3mr_ioc {
struct list_head list;
@@ -1351,6 +1359,8 @@ struct mpi3mr_ioc {
bool fw_release_trigger_active;
bool pci_err_recovery;
bool block_on_pci_err;
+ atomic_t reply_qfull_count;
+ bool prevent_reply_qfull;
};
/**
diff --git a/drivers/scsi/mpi3mr/mpi3mr_app.c b/drivers/scsi/mpi3mr/mpi3mr_app.c
index f4b5813e6fc4c..db4b9f1b1d1b3 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_app.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_app.c
@@ -3061,6 +3061,29 @@ reply_queue_count_show(struct device *dev, struct device_attribute *attr,
static DEVICE_ATTR_RO(reply_queue_count);
+/**
+ * reply_qfull_count_show - Show reply qfull count
+ * @dev: class device
+ * @attr: Device attributes
+ * @buf: Buffer to copy
+ *
+ * Retrieves the current value of the reply_qfull_count from the mrioc structure and
+ * formats it as a string for display.
+ *
+ * Return: sysfs_emit() return
+ */
+static ssize_t
+reply_qfull_count_show(struct device *dev, struct device_attribute *attr,
+ char *buf)
+{
+ struct Scsi_Host *shost = class_to_shost(dev);
+ struct mpi3mr_ioc *mrioc = shost_priv(shost);
+
+ return sysfs_emit(buf, "%u\n", atomic_read(&mrioc->reply_qfull_count));
+}
+
+static DEVICE_ATTR_RO(reply_qfull_count);
+
/**
* logging_level_show - Show controller debug level
* @dev: class device
@@ -3153,6 +3176,7 @@ static struct attribute *mpi3mr_host_attrs[] = {
&dev_attr_fw_queue_depth.attr,
&dev_attr_op_req_q_count.attr,
&dev_attr_reply_queue_count.attr,
+ &dev_attr_reply_qfull_count.attr,
&dev_attr_logging_level.attr,
&dev_attr_adp_state.attr,
NULL,
diff --git a/drivers/scsi/mpi3mr/mpi3mr_fw.c b/drivers/scsi/mpi3mr/mpi3mr_fw.c
index 5ed31fe57474a..656108dd2ee30 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
@@ -2104,15 +2104,22 @@ static int mpi3mr_create_op_reply_q(struct mpi3mr_ioc *mrioc, u16 qidx)
}
reply_qid = qidx + 1;
- op_reply_q->num_replies = MPI3MR_OP_REP_Q_QD;
- if ((mrioc->pdev->device == MPI3_MFGPAGE_DEVID_SAS4116) &&
- !mrioc->pdev->revision)
- op_reply_q->num_replies = MPI3MR_OP_REP_Q_QD4K;
+
+ if (mrioc->pdev->device == MPI3_MFGPAGE_DEVID_SAS4116) {
+ if (mrioc->pdev->revision)
+ op_reply_q->num_replies = MPI3MR_OP_REP_Q_QD;
+ else
+ op_reply_q->num_replies = MPI3MR_OP_REP_Q_QD4K;
+ } else
+ op_reply_q->num_replies = MPI3MR_OP_REP_Q_QD2K;
+
op_reply_q->ci = 0;
op_reply_q->ephase = 1;
atomic_set(&op_reply_q->pend_ios, 0);
atomic_set(&op_reply_q->in_use, 0);
op_reply_q->enable_irq_poll = false;
+ op_reply_q->qfull_watermark =
+ op_reply_q->num_replies - (MPI3MR_THRESHOLD_REPLY_COUNT * 2);
if (!op_reply_q->q_segments) {
retval = mpi3mr_alloc_op_reply_q_segments(mrioc, qidx);
@@ -2416,8 +2423,10 @@ int mpi3mr_op_request_post(struct mpi3mr_ioc *mrioc,
void *segment_base_addr;
u16 req_sz = mrioc->facts.op_req_sz;
struct segments *segments = op_req_q->q_segments;
+ struct op_reply_qinfo *op_reply_q = NULL;
reply_qidx = op_req_q->reply_qid - 1;
+ op_reply_q = mrioc->op_reply_qinfo + reply_qidx;
if (mrioc->unrecoverable)
return -EFAULT;
@@ -2448,6 +2457,15 @@ int mpi3mr_op_request_post(struct mpi3mr_ioc *mrioc,
goto out;
}
+ /* Reply queue is nearing to get full, push back IOs to SML */
+ if ((mrioc->prevent_reply_qfull == true) &&
+ (atomic_read(&op_reply_q->pend_ios) >
+ (op_reply_q->qfull_watermark))) {
+ atomic_inc(&mrioc->reply_qfull_count);
+ retval = -EAGAIN;
+ goto out;
+ }
+
segment_base_addr = segments[pi / op_req_q->segment_qd].segment;
req_entry = (u8 *)segment_base_addr +
((pi % op_req_q->segment_qd) * req_sz);
@@ -3091,6 +3109,9 @@ static void mpi3mr_process_factsdata(struct mpi3mr_ioc *mrioc,
mrioc->facts.dma_mask = (facts_flags &
MPI3_IOCFACTS_FLAGS_DMA_ADDRESS_WIDTH_MASK) >>
MPI3_IOCFACTS_FLAGS_DMA_ADDRESS_WIDTH_SHIFT;
+ mrioc->facts.dma_mask = (facts_flags &
+ MPI3_IOCFACTS_FLAGS_DMA_ADDRESS_WIDTH_MASK) >>
+ MPI3_IOCFACTS_FLAGS_DMA_ADDRESS_WIDTH_SHIFT;
mrioc->facts.protocol_flags = facts_data->protocol_flags;
mrioc->facts.mpi_version = le32_to_cpu(facts_data->mpi_version.word);
mrioc->facts.max_reqs = le16_to_cpu(facts_data->max_outstanding_requests);
@@ -4214,6 +4235,9 @@ int mpi3mr_init_ioc(struct mpi3mr_ioc *mrioc)
mrioc->shost->transportt = mpi3mr_transport_template;
}
+ if (mrioc->facts.max_req_limit)
+ mrioc->prevent_reply_qfull = true;
+
mrioc->reply_sz = mrioc->facts.reply_sz;
retval = mpi3mr_check_reset_dma_mask(mrioc);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 103/449] scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 102/449] scsi: mpi3mr: Avoid reply queue full condition Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 104/449] net: page_pool: dont cast mp param to devmem Greg Kroah-Hartman
` (352 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sumit Saxena, Ranjan Kumar,
Martin K. Petersen, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ranjan Kumar <ranjan.kumar@broadcom.com>
[ Upstream commit f195fc060c738d303a21fae146dbf85e1595fb4c ]
When the task management thread processes reply queues while the reset
thread resets them, the task management thread accesses an invalid queue ID
(0xFFFF), set by the reset thread, which points to unallocated memory,
causing a crash.
Add flag 'io_admin_reset_sync' to synchronize access between the reset,
I/O, and admin threads. Before a reset, the reset handler sets this flag to
block I/O and admin processing threads. If any thread bypasses the initial
check, the reset thread waits up to 10 seconds for processing to finish. If
the wait exceeds 10 seconds, the controller is marked as unrecoverable.
Signed-off-by: Sumit Saxena <sumit.saxena@broadcom.com>
Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
Link: https://lore.kernel.org/r/20250129100850.25430-4-ranjan.kumar@broadcom.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/mpi3mr/mpi3mr.h | 2 +
drivers/scsi/mpi3mr/mpi3mr_fw.c | 67 +++++++++++++++++++++++++++++++--
2 files changed, 66 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/mpi3mr/mpi3mr.h b/drivers/scsi/mpi3mr/mpi3mr.h
index 9ed20ed581be6..6e3f337ace9f8 100644
--- a/drivers/scsi/mpi3mr/mpi3mr.h
+++ b/drivers/scsi/mpi3mr/mpi3mr.h
@@ -1096,6 +1096,7 @@ struct scmd_priv {
* @ts_update_interval: Timestamp update interval
* @reset_in_progress: Reset in progress flag
* @unrecoverable: Controller unrecoverable flag
+ * @io_admin_reset_sync: Manage state of I/O ops during an admin reset process
* @prev_reset_result: Result of previous reset
* @reset_mutex: Controller reset mutex
* @reset_waitq: Controller reset wait queue
@@ -1284,6 +1285,7 @@ struct mpi3mr_ioc {
u16 ts_update_interval;
u8 reset_in_progress;
u8 unrecoverable;
+ u8 io_admin_reset_sync;
int prev_reset_result;
struct mutex reset_mutex;
wait_queue_head_t reset_waitq;
diff --git a/drivers/scsi/mpi3mr/mpi3mr_fw.c b/drivers/scsi/mpi3mr/mpi3mr_fw.c
index 656108dd2ee30..ec5b1ab287177 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
@@ -17,7 +17,7 @@ static void mpi3mr_process_factsdata(struct mpi3mr_ioc *mrioc,
struct mpi3_ioc_facts_data *facts_data);
static void mpi3mr_pel_wait_complete(struct mpi3mr_ioc *mrioc,
struct mpi3mr_drv_cmd *drv_cmd);
-
+static int mpi3mr_check_op_admin_proc(struct mpi3mr_ioc *mrioc);
static int poll_queues;
module_param(poll_queues, int, 0444);
MODULE_PARM_DESC(poll_queues, "Number of queues for io_uring poll mode. (Range 1 - 126)");
@@ -459,7 +459,7 @@ int mpi3mr_process_admin_reply_q(struct mpi3mr_ioc *mrioc)
}
do {
- if (mrioc->unrecoverable)
+ if (mrioc->unrecoverable || mrioc->io_admin_reset_sync)
break;
mrioc->admin_req_ci = le16_to_cpu(reply_desc->request_queue_ci);
@@ -554,7 +554,7 @@ int mpi3mr_process_op_reply_q(struct mpi3mr_ioc *mrioc,
}
do {
- if (mrioc->unrecoverable)
+ if (mrioc->unrecoverable || mrioc->io_admin_reset_sync)
break;
req_q_idx = le16_to_cpu(reply_desc->request_queue_id) - 1;
@@ -4394,6 +4394,7 @@ int mpi3mr_reinit_ioc(struct mpi3mr_ioc *mrioc, u8 is_resume)
goto out_failed_noretry;
}
+ mrioc->io_admin_reset_sync = 0;
if (is_resume || mrioc->block_on_pci_err) {
dprint_reset(mrioc, "setting up single ISR\n");
retval = mpi3mr_setup_isr(mrioc, 1);
@@ -5252,6 +5253,55 @@ void mpi3mr_pel_get_seqnum_complete(struct mpi3mr_ioc *mrioc,
drv_cmd->retry_count = 0;
}
+/**
+ * mpi3mr_check_op_admin_proc -
+ * @mrioc: Adapter instance reference
+ *
+ * Check if any of the operation reply queues
+ * or the admin reply queue are currently in use.
+ * If any queue is in use, this function waits for
+ * a maximum of 10 seconds for them to become available.
+ *
+ * Return: 0 on success, non-zero on failure.
+ */
+static int mpi3mr_check_op_admin_proc(struct mpi3mr_ioc *mrioc)
+{
+
+ u16 timeout = 10 * 10;
+ u16 elapsed_time = 0;
+ bool op_admin_in_use = false;
+
+ do {
+ op_admin_in_use = false;
+
+ /* Check admin_reply queue first to exit early */
+ if (atomic_read(&mrioc->admin_reply_q_in_use) == 1)
+ op_admin_in_use = true;
+ else {
+ /* Check op_reply queues */
+ int i;
+
+ for (i = 0; i < mrioc->num_queues; i++) {
+ if (atomic_read(&mrioc->op_reply_qinfo[i].in_use) == 1) {
+ op_admin_in_use = true;
+ break;
+ }
+ }
+ }
+
+ if (!op_admin_in_use)
+ break;
+
+ msleep(100);
+
+ } while (++elapsed_time < timeout);
+
+ if (op_admin_in_use)
+ return 1;
+
+ return 0;
+}
+
/**
* mpi3mr_soft_reset_handler - Reset the controller
* @mrioc: Adapter instance reference
@@ -5332,6 +5382,7 @@ int mpi3mr_soft_reset_handler(struct mpi3mr_ioc *mrioc,
mpi3mr_wait_for_host_io(mrioc, MPI3MR_RESET_HOST_IOWAIT_TIMEOUT);
mpi3mr_ioc_disable_intr(mrioc);
+ mrioc->io_admin_reset_sync = 1;
if (snapdump) {
mpi3mr_set_diagsave(mrioc);
@@ -5359,6 +5410,16 @@ int mpi3mr_soft_reset_handler(struct mpi3mr_ioc *mrioc,
ioc_err(mrioc, "Failed to issue soft reset to the ioc\n");
goto out;
}
+
+ retval = mpi3mr_check_op_admin_proc(mrioc);
+ if (retval) {
+ ioc_err(mrioc, "Soft reset failed due to an Admin or I/O queue polling\n"
+ "thread still processing replies even after a 10 second\n"
+ "timeout. Marking the controller as unrecoverable!\n");
+
+ goto out;
+ }
+
if (mrioc->num_io_throttle_group !=
mrioc->facts.max_io_throttle_group) {
ioc_err(mrioc,
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 104/449] net: page_pool: dont cast mp param to devmem
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 103/449] scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 105/449] f2fs: dont retry IO for corrupted data scenario Greg Kroah-Hartman
` (351 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Mina Almasry,
Pavel Begunkov, David Wei, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pavel Begunkov <asml.silence@gmail.com>
[ Upstream commit 8d522566ae9cb3f0609ddb2a6ce3f4f39988043c ]
page_pool_check_memory_provider() is a generic path and shouldn't assume
anything about the actual type of the memory provider argument. It's
fine while devmem is the only provider, but cast away the devmem
specific binding types to avoid confusion.
Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Mina Almasry <almasrymina@google.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: David Wei <dw@davidwei.uk>
Link: https://patch.msgid.link/20250204215622.695511-2-dw@davidwei.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/page_pool_user.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/page_pool_user.c b/net/core/page_pool_user.c
index 6677e0c2e2565..d5e214c30c310 100644
--- a/net/core/page_pool_user.c
+++ b/net/core/page_pool_user.c
@@ -356,7 +356,7 @@ void page_pool_unlist(struct page_pool *pool)
int page_pool_check_memory_provider(struct net_device *dev,
struct netdev_rx_queue *rxq)
{
- struct net_devmem_dmabuf_binding *binding = rxq->mp_params.mp_priv;
+ void *binding = rxq->mp_params.mp_priv;
struct page_pool *pool;
struct hlist_node *n;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 105/449] f2fs: dont retry IO for corrupted data scenario
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 104/449] net: page_pool: dont cast mp param to devmem Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 106/449] wifi: mac80211: add strict mode disabling workarounds Greg Kroah-Hartman
` (350 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 1534747d3170646ddeb9ea5f7caaac90359707cf ]
F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942]
F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942]
F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942]
F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942]
F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942]
F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942]
F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942]
F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942]
F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942]
F2FS-fs (dm-105): inconsistent node block, nid:430, node_footer[nid:2198964142,ino:598252782,ofs:118300154,cpver:5409237455940746069,blkaddr:2125070942]
If node block is loaded successfully, but its content is inconsistent, it
doesn't need to retry IO.
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/inode.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
index cd17d6f4c291f..f0abefc30cfda 100644
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -765,8 +765,12 @@ void f2fs_update_inode_page(struct inode *inode)
if (err == -ENOENT)
return;
+ if (err == -EFSCORRUPTED)
+ goto stop_checkpoint;
+
if (err == -ENOMEM || ++count <= DEFAULT_RETRY_IO_COUNT)
goto retry;
+stop_checkpoint:
f2fs_stop_checkpoint(sbi, false, STOP_CP_REASON_UPDATE_INODE);
return;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 106/449] wifi: mac80211: add strict mode disabling workarounds
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 105/449] f2fs: dont retry IO for corrupted data scenario Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 107/449] wifi: mac80211: ensure sdata->work is canceled before initialized Greg Kroah-Hartman
` (349 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Berg, Ilan Peer,
Miri Korenblit, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 3ad4fce66e4f9d82abfc366707757e29cc14a9d2 ]
Add a strict mode where we disable certain workarounds and have
additional checks such as, for now, that VHT capabilities from
association response match those from beacon/probe response. We
can extend the checks in the future.
Make it an opt-in setting by the driver so it can be set there
in some driver-specific way, for example. Also allow setting
this one hw flag through the hwflags debugfs, by writing a new
strict=0 or strict=1 value.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20250205110958.5cecb0469479.I4a69617dc60ba0d6308416ffbc3102cfd08ba068@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/mac80211.h | 6 ++++++
net/mac80211/debugfs.c | 44 +++++++++++++++++++++++++++++++++++++++--
net/mac80211/mlme.c | 45 +++++++++++++++++++++++++++++-------------
3 files changed, 79 insertions(+), 16 deletions(-)
diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index c3ed2fcff8b79..dcbb2e54746c7 100644
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -2851,6 +2851,11 @@ struct ieee80211_txq {
* implements MLO, so operation can continue on other links when one
* link is switching.
*
+ * @IEEE80211_HW_STRICT: strictly enforce certain things mandated by the spec
+ * but otherwise ignored/worked around for interoperability. This is a
+ * HW flag so drivers can opt in according to their own control, e.g. in
+ * testing.
+ *
* @NUM_IEEE80211_HW_FLAGS: number of hardware flags, used for sizing arrays
*/
enum ieee80211_hw_flags {
@@ -2911,6 +2916,7 @@ enum ieee80211_hw_flags {
IEEE80211_HW_DISALLOW_PUNCTURING,
IEEE80211_HW_DISALLOW_PUNCTURING_5GHZ,
IEEE80211_HW_HANDLES_QUIET_CSA,
+ IEEE80211_HW_STRICT,
/* keep last, obviously */
NUM_IEEE80211_HW_FLAGS
diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c
index bf0a2902d93c6..69e03630f64c9 100644
--- a/net/mac80211/debugfs.c
+++ b/net/mac80211/debugfs.c
@@ -492,6 +492,7 @@ static const char *hw_flag_names[] = {
FLAG(DISALLOW_PUNCTURING),
FLAG(DISALLOW_PUNCTURING_5GHZ),
FLAG(HANDLES_QUIET_CSA),
+ FLAG(STRICT),
#undef FLAG
};
@@ -524,6 +525,46 @@ static ssize_t hwflags_read(struct file *file, char __user *user_buf,
return rv;
}
+static ssize_t hwflags_write(struct file *file, const char __user *user_buf,
+ size_t count, loff_t *ppos)
+{
+ struct ieee80211_local *local = file->private_data;
+ char buf[100];
+ int val;
+
+ if (count >= sizeof(buf))
+ return -EINVAL;
+
+ if (copy_from_user(buf, user_buf, count))
+ return -EFAULT;
+
+ if (count && buf[count - 1] == '\n')
+ buf[count - 1] = '\0';
+ else
+ buf[count] = '\0';
+
+ if (sscanf(buf, "strict=%d", &val) == 1) {
+ switch (val) {
+ case 0:
+ ieee80211_hw_set(&local->hw, STRICT);
+ return count;
+ case 1:
+ __clear_bit(IEEE80211_HW_STRICT, local->hw.flags);
+ return count;
+ default:
+ return -EINVAL;
+ }
+ }
+
+ return -EINVAL;
+}
+
+static const struct file_operations hwflags_ops = {
+ .open = simple_open,
+ .read = hwflags_read,
+ .write = hwflags_write,
+};
+
static ssize_t misc_read(struct file *file, char __user *user_buf,
size_t count, loff_t *ppos)
{
@@ -574,7 +615,6 @@ static ssize_t queues_read(struct file *file, char __user *user_buf,
return simple_read_from_buffer(user_buf, count, ppos, buf, res);
}
-DEBUGFS_READONLY_FILE_OPS(hwflags);
DEBUGFS_READONLY_FILE_OPS(queues);
DEBUGFS_READONLY_FILE_OPS(misc);
@@ -651,7 +691,7 @@ void debugfs_hw_add(struct ieee80211_local *local)
#ifdef CONFIG_PM
DEBUGFS_ADD_MODE(reset, 0200);
#endif
- DEBUGFS_ADD(hwflags);
+ DEBUGFS_ADD_MODE(hwflags, 0600);
DEBUGFS_ADD(user_power);
DEBUGFS_ADD(power);
DEBUGFS_ADD(hw_conf);
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index da2c2e6035be8..9411500a61350 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -168,6 +168,9 @@ ieee80211_determine_ap_chan(struct ieee80211_sub_if_data *sdata,
bool no_vht = false;
u32 ht_cfreq;
+ if (ieee80211_hw_check(&sdata->local->hw, STRICT))
+ ignore_ht_channel_mismatch = false;
+
*chandef = (struct cfg80211_chan_def) {
.chan = channel,
.width = NL80211_CHAN_WIDTH_20_NOHT,
@@ -388,7 +391,7 @@ ieee80211_verify_peer_he_mcs_support(struct ieee80211_sub_if_data *sdata,
* zeroes, which is nonsense, and completely inconsistent with itself
* (it doesn't have 8 streams). Accept the settings in this case anyway.
*/
- if (!ap_min_req_set)
+ if (!ieee80211_hw_check(&sdata->local->hw, STRICT) && !ap_min_req_set)
return true;
/* make sure the AP is consistent with itself
@@ -448,7 +451,7 @@ ieee80211_verify_sta_he_mcs_support(struct ieee80211_sub_if_data *sdata,
* zeroes, which is nonsense, and completely inconsistent with itself
* (it doesn't have 8 streams). Accept the settings in this case anyway.
*/
- if (!ap_min_req_set)
+ if (!ieee80211_hw_check(&sdata->local->hw, STRICT) && !ap_min_req_set)
return true;
/* Need to go over for 80MHz, 160MHz and for 80+80 */
@@ -1313,13 +1316,15 @@ static bool ieee80211_add_vht_ie(struct ieee80211_sub_if_data *sdata,
* Some APs apparently get confused if our capabilities are better
* than theirs, so restrict what we advertise in the assoc request.
*/
- if (!(ap_vht_cap->vht_cap_info &
- cpu_to_le32(IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE)))
- cap &= ~(IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE |
- IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE);
- else if (!(ap_vht_cap->vht_cap_info &
- cpu_to_le32(IEEE80211_VHT_CAP_MU_BEAMFORMER_CAPABLE)))
- cap &= ~IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE;
+ if (!ieee80211_hw_check(&local->hw, STRICT)) {
+ if (!(ap_vht_cap->vht_cap_info &
+ cpu_to_le32(IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE)))
+ cap &= ~(IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE |
+ IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE);
+ else if (!(ap_vht_cap->vht_cap_info &
+ cpu_to_le32(IEEE80211_VHT_CAP_MU_BEAMFORMER_CAPABLE)))
+ cap &= ~IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE;
+ }
/*
* If some other vif is using the MU-MIMO capability we cannot associate
@@ -1361,14 +1366,16 @@ static bool ieee80211_add_vht_ie(struct ieee80211_sub_if_data *sdata,
return mu_mimo_owner;
}
-static void ieee80211_assoc_add_rates(struct sk_buff *skb,
+static void ieee80211_assoc_add_rates(struct ieee80211_local *local,
+ struct sk_buff *skb,
enum nl80211_chan_width width,
struct ieee80211_supported_band *sband,
struct ieee80211_mgd_assoc_data *assoc_data)
{
u32 rates;
- if (assoc_data->supp_rates_len) {
+ if (assoc_data->supp_rates_len &&
+ !ieee80211_hw_check(&local->hw, STRICT)) {
/*
* Get all rates supported by the device and the AP as
* some APs don't like getting a superset of their rates
@@ -1584,7 +1591,7 @@ ieee80211_add_link_elems(struct ieee80211_sub_if_data *sdata,
*capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
if (sband->band != NL80211_BAND_S1GHZ)
- ieee80211_assoc_add_rates(skb, width, sband, assoc_data);
+ ieee80211_assoc_add_rates(local, skb, width, sband, assoc_data);
if (*capab & WLAN_CAPABILITY_SPECTRUM_MGMT ||
*capab & WLAN_CAPABILITY_RADIO_MEASURE) {
@@ -2051,7 +2058,8 @@ static int ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
* for some reason check it and want it to be set, set the bit for all
* pre-EHT connections as we used to do.
*/
- if (link->u.mgd.conn.mode < IEEE80211_CONN_MODE_EHT)
+ if (link->u.mgd.conn.mode < IEEE80211_CONN_MODE_EHT &&
+ !ieee80211_hw_check(&local->hw, STRICT))
capab |= WLAN_CAPABILITY_ESS;
/* add the elements for the assoc (main) link */
@@ -4936,7 +4944,7 @@ static bool ieee80211_assoc_config_link(struct ieee80211_link_data *link,
* 2G/3G/4G wifi routers, reported models include the "Onda PN51T",
* "Vodafone PocketWiFi 2", "ZTE MF60" and a similar T-Mobile device.
*/
- if (!is_6ghz &&
+ if (!ieee80211_hw_check(&local->hw, STRICT) && !is_6ghz &&
((assoc_data->wmm && !elems->wmm_param) ||
(link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HT &&
(!elems->ht_cap_elem || !elems->ht_operation)) ||
@@ -5072,6 +5080,15 @@ static bool ieee80211_assoc_config_link(struct ieee80211_link_data *link,
bss_vht_cap = (const void *)elem->data;
}
+ if (ieee80211_hw_check(&local->hw, STRICT) &&
+ (!bss_vht_cap || memcmp(bss_vht_cap, elems->vht_cap_elem,
+ sizeof(*bss_vht_cap)))) {
+ rcu_read_unlock();
+ ret = false;
+ link_info(link, "VHT capabilities mismatch\n");
+ goto out;
+ }
+
ieee80211_vht_cap_ie_to_sta_vht_cap(sdata, sband,
elems->vht_cap_elem,
bss_vht_cap, link_sta);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 107/449] wifi: mac80211: ensure sdata->work is canceled before initialized.
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 106/449] wifi: mac80211: add strict mode disabling workarounds Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 108/449] scsi: target: spc: Fix RSOC parameter data header size Greg Kroah-Hartman
` (348 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miri Korenblit, Johannes Berg,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miri Korenblit <miriam.rachel.korenblit@intel.com>
[ Upstream commit 6c93fd502023dd919b5987ccbe990735410edd49 ]
This wiphy work is canceled when the iface is stopped,
and shouldn't be queued for a non-running iface.
If it happens to be queued for a non-running iface (due to a bug)
it can cause a corruption of wiphy_work_list when ieee80211_setup_sdata
is called. Make sure to cancel it in this case and warn on.
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Link: https://patch.msgid.link/20250205110958.99204c767c10.I84ce27a239059f6009cee197b252549a11426046@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/iface.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 738de269e13f0..459fc391a4d93 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -8,7 +8,7 @@
* Copyright 2008, Johannes Berg <johannes@sipsolutions.net>
* Copyright 2013-2014 Intel Mobile Communications GmbH
* Copyright (c) 2016 Intel Deutschland GmbH
- * Copyright (C) 2018-2024 Intel Corporation
+ * Copyright (C) 2018-2025 Intel Corporation
*/
#include <linux/slab.h>
#include <linux/kernel.h>
@@ -807,6 +807,9 @@ static void ieee80211_set_multicast_list(struct net_device *dev)
*/
static void ieee80211_teardown_sdata(struct ieee80211_sub_if_data *sdata)
{
+ if (WARN_ON(!list_empty(&sdata->work.entry)))
+ wiphy_work_cancel(sdata->local->hw.wiphy, &sdata->work);
+
/* free extra data */
ieee80211_free_keys(sdata, false);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 108/449] scsi: target: spc: Fix RSOC parameter data header size
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 107/449] wifi: mac80211: ensure sdata->work is canceled before initialized Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 109/449] net: usb: asix_devices: add FiberGecko DeviceID Greg Kroah-Hartman
` (347 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chaohai Chen, Dmitry Bogdanov,
Martin K. Petersen, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chaohai Chen <wdhh66@163.com>
[ Upstream commit b50532318793d28a7628c1ffc129a2226e83e495 ]
The SPC document states that "The COMMAND DATA LENGTH field indicates the
length in bytes of the command descriptor list".
The length should be subtracted by 4 to represent the length of the
description list, not 3.
Signed-off-by: Chaohai Chen <wdhh66@163.com>
Link: https://lore.kernel.org/r/20250115070739.216154-1-wdhh66@163.com
Reviewed-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/target/target_core_spc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/target/target_core_spc.c b/drivers/target/target_core_spc.c
index ea14a38356814..61c065702350e 100644
--- a/drivers/target/target_core_spc.c
+++ b/drivers/target/target_core_spc.c
@@ -2243,7 +2243,7 @@ spc_emulate_report_supp_op_codes(struct se_cmd *cmd)
response_length += spc_rsoc_encode_command_descriptor(
&buf[response_length], rctd, descr);
}
- put_unaligned_be32(response_length - 3, buf);
+ put_unaligned_be32(response_length - 4, buf);
} else {
response_length = spc_rsoc_encode_one_command_descriptor(
&buf[response_length], rctd, descr,
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 109/449] net: usb: asix_devices: add FiberGecko DeviceID
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 108/449] scsi: target: spc: Fix RSOC parameter data header size Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 110/449] page_pool: avoid infinite loop to schedule delayed worker Greg Kroah-Hartman
` (346 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Max Schulze, David Hollis,
Sven Kreiensen, Jakub Kicinski, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Schulze <max.schulze@online.de>
[ Upstream commit 4079918ae720e842ed7dff65fedeb9980b374995 ]
The FiberGecko is a small USB module that connects a 100 Mbit/s SFP
Signed-off-by: Max Schulze <max.schulze@online.de>
Tested-by: Max Schulze <max.schulze@online.de>
Suggested-by: David Hollis <dhollis@davehollis.com>
Reported-by: Sven Kreiensen <s.kreiensen@lyconsys.com>
Link: https://patch.msgid.link/20250212150957.43900-2-max.schulze@online.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/asix_devices.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
index 57d6e5abc30e8..da24941a6e444 100644
--- a/drivers/net/usb/asix_devices.c
+++ b/drivers/net/usb/asix_devices.c
@@ -1421,6 +1421,19 @@ static const struct driver_info hg20f9_info = {
.data = FLAG_EEPROM_MAC,
};
+static const struct driver_info lyconsys_fibergecko100_info = {
+ .description = "LyconSys FiberGecko 100 USB 2.0 to SFP Adapter",
+ .bind = ax88178_bind,
+ .status = asix_status,
+ .link_reset = ax88178_link_reset,
+ .reset = ax88178_link_reset,
+ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_LINK_INTR |
+ FLAG_MULTI_PACKET,
+ .rx_fixup = asix_rx_fixup_common,
+ .tx_fixup = asix_tx_fixup,
+ .data = 0x20061201,
+};
+
static const struct usb_device_id products [] = {
{
// Linksys USB200M
@@ -1578,6 +1591,10 @@ static const struct usb_device_id products [] = {
// Linux Automation GmbH USB 10Base-T1L
USB_DEVICE(0x33f7, 0x0004),
.driver_info = (unsigned long) &lxausb_t1l_info,
+}, {
+ /* LyconSys FiberGecko 100 */
+ USB_DEVICE(0x1d2a, 0x0801),
+ .driver_info = (unsigned long) &lyconsys_fibergecko100_info,
},
{ }, // END
};
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 110/449] page_pool: avoid infinite loop to schedule delayed worker
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 109/449] net: usb: asix_devices: add FiberGecko DeviceID Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 111/449] can: flexcan: Add quirk to handle separate interrupt lines for mailboxes Greg Kroah-Hartman
` (345 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Xing, Mina Almasry,
Paolo Abeni, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Xing <kerneljasonxing@gmail.com>
[ Upstream commit 43130d02baa137033c25297aaae95fd0edc41654 ]
We noticed the kworker in page_pool_release_retry() was waken
up repeatedly and infinitely in production because of the
buggy driver causing the inflight less than 0 and warning
us in page_pool_inflight()[1].
Since the inflight value goes negative, it means we should
not expect the whole page_pool to get back to work normally.
This patch mitigates the adverse effect by not rescheduling
the kworker when detecting the inflight negative in
page_pool_release_retry().
[1]
[Mon Feb 10 20:36:11 2025] ------------[ cut here ]------------
[Mon Feb 10 20:36:11 2025] Negative(-51446) inflight packet-pages
...
[Mon Feb 10 20:36:11 2025] Call Trace:
[Mon Feb 10 20:36:11 2025] page_pool_release_retry+0x23/0x70
[Mon Feb 10 20:36:11 2025] process_one_work+0x1b1/0x370
[Mon Feb 10 20:36:11 2025] worker_thread+0x37/0x3a0
[Mon Feb 10 20:36:11 2025] kthread+0x11a/0x140
[Mon Feb 10 20:36:11 2025] ? process_one_work+0x370/0x370
[Mon Feb 10 20:36:11 2025] ? __kthread_cancel_work+0x40/0x40
[Mon Feb 10 20:36:11 2025] ret_from_fork+0x35/0x40
[Mon Feb 10 20:36:11 2025] ---[ end trace ebffe800f33e7e34 ]---
Note: before this patch, the above calltrace would flood the
dmesg due to repeated reschedule of release_dw kworker.
Signed-off-by: Jason Xing <kerneljasonxing@gmail.com>
Reviewed-by: Mina Almasry <almasrymina@google.com>
Link: https://patch.msgid.link/20250214064250.85987-1-kerneljasonxing@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/page_pool.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/core/page_pool.c b/net/core/page_pool.c
index f5e908c9e7ad8..ede82c610936e 100644
--- a/net/core/page_pool.c
+++ b/net/core/page_pool.c
@@ -1104,7 +1104,13 @@ static void page_pool_release_retry(struct work_struct *wq)
int inflight;
inflight = page_pool_release(pool);
- if (!inflight)
+ /* In rare cases, a driver bug may cause inflight to go negative.
+ * Don't reschedule release if inflight is 0 or negative.
+ * - If 0, the page_pool has been destroyed
+ * - if negative, we will never recover
+ * in both cases no reschedule is necessary.
+ */
+ if (inflight <= 0)
return;
/* Periodic warning for page pools the user can't see */
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 111/449] can: flexcan: Add quirk to handle separate interrupt lines for mailboxes
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 110/449] page_pool: avoid infinite loop to schedule delayed worker Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 112/449] can: flexcan: add NXP S32G2/S32G3 SoC support Greg Kroah-Hartman
` (344 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ciprian Marian Costea,
Vincent Mailhol, Marc Kleine-Budde, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ciprian Marian Costea <ciprianmarian.costea@oss.nxp.com>
[ Upstream commit 8c652cf030a769fbfc73cfc280ed3f1656343c35 ]
Introduce 'FLEXCAN_QUIRK_SECONDARY_MB_IRQ' quirk to handle a FlexCAN
hardware module integration particularity where two ranges of mailboxes
are controlled by separate hardware interrupt lines.
The same 'flexcan_irq' handler is used for both separate mailbox interrupt
lines, with no other changes.
Signed-off-by: Ciprian Marian Costea <ciprianmarian.costea@oss.nxp.com>
Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
Link: https://patch.msgid.link/20250113120704.522307-3-ciprianmarian.costea@oss.nxp.com
[mkl: flexcan_open(): change order and free irq_secondary_mb first]
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/flexcan/flexcan-core.c | 24 +++++++++++++++++++++++-
drivers/net/can/flexcan/flexcan.h | 5 +++++
2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/drivers/net/can/flexcan/flexcan-core.c b/drivers/net/can/flexcan/flexcan-core.c
index b080740bcb104..1a94586cbd11e 100644
--- a/drivers/net/can/flexcan/flexcan-core.c
+++ b/drivers/net/can/flexcan/flexcan-core.c
@@ -1762,14 +1762,25 @@ static int flexcan_open(struct net_device *dev)
goto out_free_irq_boff;
}
+ if (priv->devtype_data.quirks & FLEXCAN_QUIRK_SECONDARY_MB_IRQ) {
+ err = request_irq(priv->irq_secondary_mb,
+ flexcan_irq, IRQF_SHARED, dev->name, dev);
+ if (err)
+ goto out_free_irq_err;
+ }
+
flexcan_chip_interrupts_enable(dev);
netif_start_queue(dev);
return 0;
+ out_free_irq_err:
+ if (priv->devtype_data.quirks & FLEXCAN_QUIRK_NR_IRQ_3)
+ free_irq(priv->irq_err, dev);
out_free_irq_boff:
- free_irq(priv->irq_boff, dev);
+ if (priv->devtype_data.quirks & FLEXCAN_QUIRK_NR_IRQ_3)
+ free_irq(priv->irq_boff, dev);
out_free_irq:
free_irq(dev->irq, dev);
out_can_rx_offload_disable:
@@ -1794,6 +1805,9 @@ static int flexcan_close(struct net_device *dev)
netif_stop_queue(dev);
flexcan_chip_interrupts_disable(dev);
+ if (priv->devtype_data.quirks & FLEXCAN_QUIRK_SECONDARY_MB_IRQ)
+ free_irq(priv->irq_secondary_mb, dev);
+
if (priv->devtype_data.quirks & FLEXCAN_QUIRK_NR_IRQ_3) {
free_irq(priv->irq_err, dev);
free_irq(priv->irq_boff, dev);
@@ -2187,6 +2201,14 @@ static int flexcan_probe(struct platform_device *pdev)
}
}
+ if (priv->devtype_data.quirks & FLEXCAN_QUIRK_SECONDARY_MB_IRQ) {
+ priv->irq_secondary_mb = platform_get_irq_byname(pdev, "mb-1");
+ if (priv->irq_secondary_mb < 0) {
+ err = priv->irq_secondary_mb;
+ goto failed_platform_get_irq;
+ }
+ }
+
if (priv->devtype_data.quirks & FLEXCAN_QUIRK_SUPPORT_FD) {
priv->can.ctrlmode_supported |= CAN_CTRLMODE_FD |
CAN_CTRLMODE_FD_NON_ISO;
diff --git a/drivers/net/can/flexcan/flexcan.h b/drivers/net/can/flexcan/flexcan.h
index 4933d8c7439e6..2cf886618c962 100644
--- a/drivers/net/can/flexcan/flexcan.h
+++ b/drivers/net/can/flexcan/flexcan.h
@@ -70,6 +70,10 @@
#define FLEXCAN_QUIRK_SUPPORT_RX_FIFO BIT(16)
/* Setup stop mode with ATF SCMI protocol to support wakeup */
#define FLEXCAN_QUIRK_SETUP_STOP_MODE_SCMI BIT(17)
+/* Device has two separate interrupt lines for two mailbox ranges, which
+ * both need to have an interrupt handler registered.
+ */
+#define FLEXCAN_QUIRK_SECONDARY_MB_IRQ BIT(18)
struct flexcan_devtype_data {
u32 quirks; /* quirks needed for different IP cores */
@@ -107,6 +111,7 @@ struct flexcan_priv {
int irq_boff;
int irq_err;
+ int irq_secondary_mb;
/* IPC handle when setup stop mode by System Controller firmware(scfw) */
struct imx_sc_ipc *sc_ipc_handle;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 112/449] can: flexcan: add NXP S32G2/S32G3 SoC support
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 111/449] can: flexcan: Add quirk to handle separate interrupt lines for mailboxes Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 113/449] jfs: Fix uninit-value access of imap allocated in the diMount() function Greg Kroah-Hartman
` (343 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ciprian Marian Costea,
Marc Kleine-Budde, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ciprian Marian Costea <ciprianmarian.costea@oss.nxp.com>
[ Upstream commit 8503a4b1a24d32e95f3a233062e8f1dc0b2052bd ]
Add device type data for S32G2/S32G3 SoC.
FlexCAN module from S32G2/S32G3 is similar with i.MX SoCs, but interrupt
management is different.
On S32G2/S32G3 SoC, there are separate interrupts for state change, bus
errors, Mailboxes 0-7 and Mailboxes 8-127 respectively.
In order to handle this FlexCAN hardware particularity, first reuse the
'FLEXCAN_QUIRK_NR_IRQ_3' quirk provided by mcf5441x's irq handling
support. Secondly, use the newly introduced
'FLEXCAN_QUIRK_SECONDARY_MB_IRQ' quirk which handles the case where two
separate mailbox ranges are controlled by independent hardware interrupt
lines.
Signed-off-by: Ciprian Marian Costea <ciprianmarian.costea@oss.nxp.com>
Link: https://patch.msgid.link/20250113120704.522307-4-ciprianmarian.costea@oss.nxp.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/flexcan/flexcan-core.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/drivers/net/can/flexcan/flexcan-core.c b/drivers/net/can/flexcan/flexcan-core.c
index 1a94586cbd11e..fca290afb5329 100644
--- a/drivers/net/can/flexcan/flexcan-core.c
+++ b/drivers/net/can/flexcan/flexcan-core.c
@@ -386,6 +386,16 @@ static const struct flexcan_devtype_data fsl_lx2160a_r1_devtype_data = {
FLEXCAN_QUIRK_SUPPORT_RX_MAILBOX_RTR,
};
+static const struct flexcan_devtype_data nxp_s32g2_devtype_data = {
+ .quirks = FLEXCAN_QUIRK_DISABLE_RXFG | FLEXCAN_QUIRK_ENABLE_EACEN_RRS |
+ FLEXCAN_QUIRK_DISABLE_MECR | FLEXCAN_QUIRK_BROKEN_PERR_STATE |
+ FLEXCAN_QUIRK_USE_RX_MAILBOX | FLEXCAN_QUIRK_SUPPORT_FD |
+ FLEXCAN_QUIRK_SUPPORT_ECC | FLEXCAN_QUIRK_NR_IRQ_3 |
+ FLEXCAN_QUIRK_SUPPORT_RX_MAILBOX |
+ FLEXCAN_QUIRK_SUPPORT_RX_MAILBOX_RTR |
+ FLEXCAN_QUIRK_SECONDARY_MB_IRQ,
+};
+
static const struct can_bittiming_const flexcan_bittiming_const = {
.name = DRV_NAME,
.tseg1_min = 4,
@@ -2055,6 +2065,7 @@ static const struct of_device_id flexcan_of_match[] = {
{ .compatible = "fsl,vf610-flexcan", .data = &fsl_vf610_devtype_data, },
{ .compatible = "fsl,ls1021ar2-flexcan", .data = &fsl_ls1021a_r2_devtype_data, },
{ .compatible = "fsl,lx2160ar1-flexcan", .data = &fsl_lx2160a_r1_devtype_data, },
+ { .compatible = "nxp,s32g2-flexcan", .data = &nxp_s32g2_devtype_data, },
{ /* sentinel */ },
};
MODULE_DEVICE_TABLE(of, flexcan_of_match);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 113/449] jfs: Fix uninit-value access of imap allocated in the diMount() function
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 112/449] can: flexcan: add NXP S32G2/S32G3 SoC support Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 114/449] fs/jfs: cast inactags to s64 to prevent potential overflow Greg Kroah-Hartman
` (342 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhongqiu Han,
syzbot+df6cdcb35904203d2b6d, Dave Kleikamp, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhongqiu Han <quic_zhonhan@quicinc.com>
[ Upstream commit 9629d7d66c621671d9a47afe27ca9336bfc8a9ea ]
syzbot reports that hex_dump_to_buffer is using uninit-value:
=====================================================
BUG: KMSAN: uninit-value in hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276
diFree+0x5ba/0x4350 fs/jfs/jfs_imap.c:876
jfs_evict_inode+0x510/0x550 fs/jfs/inode.c:156
evict+0x723/0xd10 fs/inode.c:796
iput_final fs/inode.c:1946 [inline]
iput+0x97b/0xdb0 fs/inode.c:1972
txUpdateMap+0xf3e/0x1150 fs/jfs/jfs_txnmgr.c:2367
txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
jfs_lazycommit+0x627/0x11d0 fs/jfs/jfs_txnmgr.c:2733
kthread+0x6b9/0xef0 kernel/kthread.c:464
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4121 [inline]
slab_alloc_node mm/slub.c:4164 [inline]
__kmalloc_cache_noprof+0x8e3/0xdf0 mm/slub.c:4320
kmalloc_noprof include/linux/slab.h:901 [inline]
diMount+0x61/0x7f0 fs/jfs/jfs_imap.c:105
jfs_mount+0xa8e/0x11d0 fs/jfs/jfs_mount.c:176
jfs_fill_super+0xa47/0x17c0 fs/jfs/super.c:523
get_tree_bdev_flags+0x6ec/0x910 fs/super.c:1636
get_tree_bdev+0x37/0x50 fs/super.c:1659
jfs_get_tree+0x34/0x40 fs/jfs/super.c:635
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3560
path_mount+0x742/0x1f10 fs/namespace.c:3887
do_mount fs/namespace.c:3900 [inline]
__do_sys_mount fs/namespace.c:4111 [inline]
__se_sys_mount+0x71f/0x800 fs/namespace.c:4088
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4088
x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
=====================================================
The reason is that imap is not properly initialized after memory
allocation. It will cause the snprintf() function to write uninitialized
data into linebuf within hex_dump_to_buffer().
Fix this by using kzalloc instead of kmalloc to clear its content at the
beginning in diMount().
Signed-off-by: Zhongqiu Han <quic_zhonhan@quicinc.com>
Reported-by: syzbot+df6cdcb35904203d2b6d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/lkml/67b5d07e.050a0220.14d86d.00e6.GAE@google.com/
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_imap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index debfc1389cb3e..298445f6d3d4b 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -102,7 +102,7 @@ int diMount(struct inode *ipimap)
* allocate/initialize the in-memory inode map control structure
*/
/* allocate the in-memory inode map control structure. */
- imap = kmalloc(sizeof(struct inomap), GFP_KERNEL);
+ imap = kzalloc(sizeof(struct inomap), GFP_KERNEL);
if (imap == NULL)
return -ENOMEM;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 114/449] fs/jfs: cast inactags to s64 to prevent potential overflow
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 113/449] jfs: Fix uninit-value access of imap allocated in the diMount() function Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 115/449] fs/jfs: Prevent integer overflow in AG size calculation Greg Kroah-Hartman
` (341 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rand Deeb, Dave Kleikamp,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rand Deeb <rand.sec96@gmail.com>
[ Upstream commit 70ca3246ad201b53a9f09380b3f29d8bac320383 ]
The expression "inactags << bmp->db_agl2size" in the function
dbFinalizeBmap() is computed using int operands. Although the
values (inactags and db_agl2size) are derived from filesystem
parameters and are usually small, there is a theoretical risk that
the shift could overflow a 32-bit int if extreme values occur.
According to the C standard, shifting a signed 32-bit int can lead
to undefined behavior if the result exceeds its range. In our
case, an overflow could miscalculate free blocks, potentially
leading to erroneous filesystem accounting.
To ensure the arithmetic is performed in 64-bit space, we cast
"inactags" to s64 before shifting. This defensive fix prevents any
risk of overflow and complies with kernel coding best practices.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Rand Deeb <rand.sec96@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index f9009e4f9ffd8..f89f07c9580ea 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -3666,8 +3666,8 @@ void dbFinalizeBmap(struct inode *ipbmap)
* system size is not a multiple of the group size).
*/
inactfree = (inactags && ag_rem) ?
- ((inactags - 1) << bmp->db_agl2size) + ag_rem
- : inactags << bmp->db_agl2size;
+ (((s64)inactags - 1) << bmp->db_agl2size) + ag_rem
+ : ((s64)inactags << bmp->db_agl2size);
/* determine how many free blocks are in the active
* allocation groups plus the average number of free blocks
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 115/449] fs/jfs: Prevent integer overflow in AG size calculation
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 114/449] fs/jfs: cast inactags to s64 to prevent potential overflow Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 116/449] jfs: Prevent copying of nlink with value 0 from disk inode Greg Kroah-Hartman
` (340 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rand Deeb, Dave Kleikamp,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rand Deeb <rand.sec96@gmail.com>
[ Upstream commit 7fcbf789629cdb9fbf4e2172ce31136cfed11e5e ]
The JFS filesystem calculates allocation group (AG) size using 1 <<
l2agsize in dbExtendFS(). When l2agsize exceeds 31 (possible with >2TB
aggregates on 32-bit systems), this 32-bit shift operation causes undefined
behavior and improper AG sizing.
On 32-bit architectures:
- Left-shifting 1 by 32+ bits results in 0 due to integer overflow
- This creates invalid AG sizes (0 or garbage values) in
sbi->bmap->db_agsize
- Subsequent block allocations would reference invalid AG structures
- Could lead to:
- Filesystem corruption during extend operations
- Kernel crashes due to invalid memory accesses
- Security vulnerabilities via malformed on-disk structures
Fix by casting to s64 before shifting:
bmp->db_agsize = (s64)1 << l2agsize;
This ensures 64-bit arithmetic even on 32-bit architectures. The cast
matches the data type of db_agsize (s64) and follows similar patterns in
JFS block calculation code.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Rand Deeb <rand.sec96@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index f89f07c9580ea..9ac1fc2ed05bc 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -3403,7 +3403,7 @@ int dbExtendFS(struct inode *ipbmap, s64 blkno, s64 nblocks)
oldl2agsize = bmp->db_agl2size;
bmp->db_agl2size = l2agsize;
- bmp->db_agsize = 1 << l2agsize;
+ bmp->db_agsize = (s64)1 << l2agsize;
/* compute new number of AG */
agno = bmp->db_numag;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 116/449] jfs: Prevent copying of nlink with value 0 from disk inode
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 115/449] fs/jfs: Prevent integer overflow in AG size calculation Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 117/449] jfs: add sanity check for agwidth in dbMount Greg Kroah-Hartman
` (339 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+355da3b3a74881008e8f,
Edward Adam Davis, Dave Kleikamp, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit b61e69bb1c049cf507e3c654fa3dc1568231bd07 ]
syzbot report a deadlock in diFree. [1]
When calling "ioctl$LOOP_SET_STATUS64", the offset value passed in is 4,
which does not match the mounted loop device, causing the mapping of the
mounted loop device to be invalidated.
When creating the directory and creating the inode of iag in diReadSpecial(),
read the page of fixed disk inode (AIT) in raw mode in read_metapage(), the
metapage data it returns is corrupted, which causes the nlink value of 0 to be
assigned to the iag inode when executing copy_from_dinode(), which ultimately
causes a deadlock when entering diFree().
To avoid this, first check the nlink value of dinode before setting iag inode.
[1]
WARNING: possible recursive locking detected
6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 Not tainted
--------------------------------------------
syz-executor301/5309 is trying to acquire lock:
ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889
but task is already holding lock:
ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&(imap->im_aglock[index]));
lock(&(imap->im_aglock[index]));
*** DEADLOCK ***
May be due to missing lock nesting notation
5 locks held by syz-executor301/5309:
#0: ffff8880422a4420 (sb_writers#9){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:515
#1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:850 [inline]
#1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: filename_create+0x260/0x540 fs/namei.c:4026
#2: ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630
#3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2460 [inline]
#3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
#3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocAG+0x4b7/0x1e50 fs/jfs/jfs_imap.c:1669
#4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2477 [inline]
#4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
#4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocAG+0x869/0x1e50 fs/jfs/jfs_imap.c:1669
stack backtrace:
CPU: 0 UID: 0 PID: 5309 Comm: syz-executor301 Not tainted 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3037
check_deadlock kernel/locking/lockdep.c:3089 [inline]
validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3891
__lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889
jfs_evict_inode+0x32d/0x440 fs/jfs/inode.c:156
evict+0x4e8/0x9b0 fs/inode.c:725
diFreeSpecial fs/jfs/jfs_imap.c:552 [inline]
duplicateIXtree+0x3c6/0x550 fs/jfs/jfs_imap.c:3022
diNewIAG fs/jfs/jfs_imap.c:2597 [inline]
diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
diAllocAG+0x17dc/0x1e50 fs/jfs/jfs_imap.c:1669
diAlloc+0x1d2/0x1630 fs/jfs/jfs_imap.c:1590
ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56
jfs_mkdir+0x1c5/0xba0 fs/jfs/namei.c:225
vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257
do_mkdirat+0x264/0x3a0 fs/namei.c:4280
__do_sys_mkdirat fs/namei.c:4295 [inline]
__se_sys_mkdirat fs/namei.c:4293 [inline]
__x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Reported-by: syzbot+355da3b3a74881008e8f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=355da3b3a74881008e8f
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_imap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index 298445f6d3d4b..ecb8e05b8b848 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -456,7 +456,7 @@ struct inode *diReadSpecial(struct super_block *sb, ino_t inum, int secondary)
dp += inum % 8; /* 8 inodes per 4K page */
/* copy on-disk inode to in-memory inode */
- if ((copy_from_dinode(dp, ip)) != 0) {
+ if ((copy_from_dinode(dp, ip) != 0) || (ip->i_nlink == 0)) {
/* handle bad return by returning NULL for ip */
set_nlink(ip, 1); /* Don't want iput() deleting it */
iput(ip);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 117/449] jfs: add sanity check for agwidth in dbMount
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 116/449] jfs: Prevent copying of nlink with value 0 from disk inode Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 118/449] wifi: rtw88: Add support for Mercusys MA30N and D-Link DWA-T185 rev. A1 Greg Kroah-Hartman
` (338 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Edward Adam Davis, Dave Kleikamp,
Sasha Levin, syzbot+7c808908291a569281a9
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit ddf2846f22e8575d6b4b6a66f2100f168b8cd73d ]
The width in dmapctl of the AG is zero, it trigger a divide error when
calculating the control page level in dbAllocAG.
To avoid this issue, add a check for agwidth in dbAllocAG.
Reported-and-tested-by: syzbot+7c808908291a569281a9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7c808908291a569281a9
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 9ac1fc2ed05bc..0e1019382cf51 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -204,6 +204,10 @@ int dbMount(struct inode *ipbmap)
bmp->db_aglevel = le32_to_cpu(dbmp_le->dn_aglevel);
bmp->db_agheight = le32_to_cpu(dbmp_le->dn_agheight);
bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
+ if (!bmp->db_agwidth) {
+ err = -EINVAL;
+ goto err_release_metapage;
+ }
bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart);
bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size);
if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG ||
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 118/449] wifi: rtw88: Add support for Mercusys MA30N and D-Link DWA-T185 rev. A1
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 117/449] jfs: add sanity check for agwidth in dbMount Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 119/449] ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode Greg Kroah-Hartman
` (337 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zenm Chen, Ping-Ke Shih, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zenm Chen <zenmchen@gmail.com>
[ Upstream commit 80c4668d024ff7b5427d90b5fad655ce9461c7b1 ]
Add two more USB IDs found in
https://github.com/RinCat/RTL88x2BU-Linux-Driver
to support Mercusys MA30N and D-Link DWA-T185 rev. A1.
Signed-off-by: Zenm Chen <zenmchen@gmail.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20250210073610.4174-1-zenmchen@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw88/rtw8822bu.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtw88/rtw8822bu.c b/drivers/net/wireless/realtek/rtw88/rtw8822bu.c
index 8883300fc6adb..572d1f31832ee 100644
--- a/drivers/net/wireless/realtek/rtw88/rtw8822bu.c
+++ b/drivers/net/wireless/realtek/rtw88/rtw8822bu.c
@@ -73,6 +73,10 @@ static const struct usb_device_id rtw_8822bu_id_table[] = {
.driver_info = (kernel_ulong_t)&(rtw8822b_hw_spec) }, /* ELECOM WDB-867DU3S */
{ USB_DEVICE_AND_INTERFACE_INFO(0x2c4e, 0x0107, 0xff, 0xff, 0xff),
.driver_info = (kernel_ulong_t)&(rtw8822b_hw_spec) }, /* Mercusys MA30H */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2c4e, 0x010a, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t)&(rtw8822b_hw_spec) }, /* Mercusys MA30N */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x3322, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t)&(rtw8822b_hw_spec) }, /* D-Link DWA-T185 rev. A1 */
{},
};
MODULE_DEVICE_TABLE(usb, rtw_8822bu_id_table);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 119/449] ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 118/449] wifi: rtw88: Add support for Mercusys MA30N and D-Link DWA-T185 rev. A1 Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 120/449] net: sfp: add quirk for 2.5G OEM BX SFP Greg Kroah-Hartman
` (336 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philip Pemberton, Damien Le Moal,
Niklas Cassel, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Cassel <cassel@kernel.org>
[ Upstream commit 91ec84f8eaddbc93d7c62e363d68aeb7b89879c7 ]
atapi_eh_request_sense() currently uses ATAPI DMA if the SATA controller
has ATA_FLAG_PIO_DMA (PIO cmds via DMA) set.
However, ATA_FLAG_PIO_DMA is a flag that can be set by a low-level driver
on a port at initialization time, before any devices are scanned.
If a controller detects a connected device that only supports PIO, we set
the flag ATA_DFLAG_PIO.
Modify atapi_eh_request_sense() to not use ATAPI DMA if the connected
device only supports PIO.
Reported-by: Philip Pemberton <lists@philpem.me.uk>
Closes: https://lore.kernel.org/linux-ide/c6722ee8-5e21-4169-af59-cbbae9edc02f@philpem.me.uk/
Tested-by: Philip Pemberton <lists@philpem.me.uk>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Link: https://lore.kernel.org/r/20250221015422.20687-2-cassel@kernel.org
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/libata-eh.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c
index 3b303d4ae37a0..16cd676eae1f9 100644
--- a/drivers/ata/libata-eh.c
+++ b/drivers/ata/libata-eh.c
@@ -1542,8 +1542,15 @@ unsigned int atapi_eh_request_sense(struct ata_device *dev,
tf.flags |= ATA_TFLAG_ISADDR | ATA_TFLAG_DEVICE;
tf.command = ATA_CMD_PACKET;
- /* is it pointless to prefer PIO for "safety reasons"? */
- if (ap->flags & ATA_FLAG_PIO_DMA) {
+ /*
+ * Do not use DMA if the connected device only supports PIO, even if the
+ * port prefers PIO commands via DMA.
+ *
+ * Ideally, we should call atapi_check_dma() to check if it is safe for
+ * the LLD to use DMA for REQUEST_SENSE, but we don't have a qc.
+ * Since we can't check the command, perhaps we should only use pio?
+ */
+ if ((ap->flags & ATA_FLAG_PIO_DMA) && !(dev->flags & ATA_DFLAG_PIO)) {
tf.protocol = ATAPI_PROT_DMA;
tf.feature |= ATAPI_PKT_DMA;
} else {
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 120/449] net: sfp: add quirk for 2.5G OEM BX SFP
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 119/449] ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 121/449] wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi Greg Kroah-Hartman
` (335 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Birger Koblitz, Daniel Golle,
Jakub Kicinski, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Birger Koblitz <mail@birger-koblitz.de>
[ Upstream commit a85035561025063125f81090e4f2bd65da368c83 ]
The OEM SFP-2.5G-BX10-D/U SFP module pair is meant to operate with
2500Base-X. However, in their EEPROM they incorrectly specify:
Transceiver codes : 0x00 0x12 0x00 0x00 0x12 0x00 0x01 0x05 0x00
BR, Nominal : 2500MBd
Use sfp_quirk_2500basex for this module to allow 2500Base-X mode anyway.
Tested on BananaPi R3.
Signed-off-by: Birger Koblitz <mail@birger-koblitz.de>
Reviewed-by: Daniel Golle <daniel@makrotopia.org>
Link: https://patch.msgid.link/20250218-b4-lkmsub-v1-1-1e51dcabed90@birger-koblitz.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/sfp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c
index 7dbcbf0a4ee26..9369f52977694 100644
--- a/drivers/net/phy/sfp.c
+++ b/drivers/net/phy/sfp.c
@@ -515,6 +515,8 @@ static const struct sfp_quirk sfp_quirks[] = {
SFP_QUIRK_F("OEM", "SFP-10G-T", sfp_fixup_rollball_cc),
SFP_QUIRK_M("OEM", "SFP-2.5G-T", sfp_quirk_oem_2_5g),
+ SFP_QUIRK_M("OEM", "SFP-2.5G-BX10-D", sfp_quirk_2500basex),
+ SFP_QUIRK_M("OEM", "SFP-2.5G-BX10-U", sfp_quirk_2500basex),
SFP_QUIRK_F("OEM", "RTSFP-10", sfp_fixup_rollball_cc),
SFP_QUIRK_F("OEM", "RTSFP-10G", sfp_fixup_rollball_cc),
SFP_QUIRK_F("Turris", "RTSFP-2.5G", sfp_fixup_rollball),
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 121/449] wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 120/449] net: sfp: add quirk for 2.5G OEM BX SFP Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 122/449] f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() Greg Kroah-Hartman
` (334 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manish Dharanenthiran,
Tamizh Chelvam Raja, Jeff Johnson, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manish Dharanenthiran <quic_mdharane@quicinc.com>
[ Upstream commit 9a0dddfb30f120db3851627935851d262e4e7acb ]
In certain cases, hardware might provide packets with a
length greater than the maximum native Wi-Fi header length.
This can lead to accessing and modifying fields in the header
within the ath12k_dp_rx_h_undecap_nwifi function for
DP_RX_DECAP_TYPE_NATIVE_WIFI decap type and
potentially resulting in invalid data access and memory corruption.
Add a sanity check before processing the SKB to prevent invalid
data access in the undecap native Wi-Fi function for the
DP_RX_DECAP_TYPE_NATIVE_WIFI decap type.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1
Signed-off-by: Manish Dharanenthiran <quic_mdharane@quicinc.com>
Signed-off-by: Tamizh Chelvam Raja <tamizh.raja@oss.qualcomm.com>
Link: https://patch.msgid.link/20250211090302.4105141-1-tamizh.raja@oss.qualcomm.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath12k/dp_rx.c | 42 +++++++++++++++++++++++--
1 file changed, 40 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c
index 68d609f2ac60e..ae6608b10bb57 100644
--- a/drivers/net/wireless/ath/ath12k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath12k/dp_rx.c
@@ -2530,6 +2530,29 @@ static void ath12k_dp_rx_deliver_msdu(struct ath12k *ar, struct napi_struct *nap
ieee80211_rx_napi(ath12k_ar_to_hw(ar), pubsta, msdu, napi);
}
+static bool ath12k_dp_rx_check_nwifi_hdr_len_valid(struct ath12k_base *ab,
+ struct hal_rx_desc *rx_desc,
+ struct sk_buff *msdu)
+{
+ struct ieee80211_hdr *hdr;
+ u8 decap_type;
+ u32 hdr_len;
+
+ decap_type = ath12k_dp_rx_h_decap_type(ab, rx_desc);
+ if (decap_type != DP_RX_DECAP_TYPE_NATIVE_WIFI)
+ return true;
+
+ hdr = (struct ieee80211_hdr *)msdu->data;
+ hdr_len = ieee80211_hdrlen(hdr->frame_control);
+
+ if ((likely(hdr_len <= DP_MAX_NWIFI_HDR_LEN)))
+ return true;
+
+ ab->soc_stats.invalid_rbm++;
+ WARN_ON_ONCE(1);
+ return false;
+}
+
static int ath12k_dp_rx_process_msdu(struct ath12k *ar,
struct sk_buff *msdu,
struct sk_buff_head *msdu_list,
@@ -2588,6 +2611,11 @@ static int ath12k_dp_rx_process_msdu(struct ath12k *ar,
}
}
+ if (unlikely(!ath12k_dp_rx_check_nwifi_hdr_len_valid(ab, rx_desc, msdu))) {
+ ret = -EINVAL;
+ goto free_out;
+ }
+
ath12k_dp_rx_h_ppdu(ar, rx_desc, rx_status);
ath12k_dp_rx_h_mpdu(ar, msdu, rx_desc, rx_status);
@@ -2978,6 +3006,9 @@ static int ath12k_dp_rx_h_verify_tkip_mic(struct ath12k *ar, struct ath12k_peer
RX_FLAG_IV_STRIPPED | RX_FLAG_DECRYPTED;
skb_pull(msdu, hal_rx_desc_sz);
+ if (unlikely(!ath12k_dp_rx_check_nwifi_hdr_len_valid(ab, rx_desc, msdu)))
+ return -EINVAL;
+
ath12k_dp_rx_h_ppdu(ar, rx_desc, rxs);
ath12k_dp_rx_h_undecap(ar, msdu, rx_desc,
HAL_ENCRYPT_TYPE_TKIP_MIC, rxs, true);
@@ -3720,6 +3751,9 @@ static int ath12k_dp_rx_h_null_q_desc(struct ath12k *ar, struct sk_buff *msdu,
skb_put(msdu, hal_rx_desc_sz + l3pad_bytes + msdu_len);
skb_pull(msdu, hal_rx_desc_sz + l3pad_bytes);
}
+ if (unlikely(!ath12k_dp_rx_check_nwifi_hdr_len_valid(ab, desc, msdu)))
+ return -EINVAL;
+
ath12k_dp_rx_h_ppdu(ar, desc, status);
ath12k_dp_rx_h_mpdu(ar, msdu, desc, status);
@@ -3764,7 +3798,7 @@ static bool ath12k_dp_rx_h_reo_err(struct ath12k *ar, struct sk_buff *msdu,
return drop;
}
-static void ath12k_dp_rx_h_tkip_mic_err(struct ath12k *ar, struct sk_buff *msdu,
+static bool ath12k_dp_rx_h_tkip_mic_err(struct ath12k *ar, struct sk_buff *msdu,
struct ieee80211_rx_status *status)
{
struct ath12k_base *ab = ar->ab;
@@ -3782,6 +3816,9 @@ static void ath12k_dp_rx_h_tkip_mic_err(struct ath12k *ar, struct sk_buff *msdu,
skb_put(msdu, hal_rx_desc_sz + l3pad_bytes + msdu_len);
skb_pull(msdu, hal_rx_desc_sz + l3pad_bytes);
+ if (unlikely(!ath12k_dp_rx_check_nwifi_hdr_len_valid(ab, desc, msdu)))
+ return true;
+
ath12k_dp_rx_h_ppdu(ar, desc, status);
status->flag |= (RX_FLAG_MMIC_STRIPPED | RX_FLAG_MMIC_ERROR |
@@ -3789,6 +3826,7 @@ static void ath12k_dp_rx_h_tkip_mic_err(struct ath12k *ar, struct sk_buff *msdu,
ath12k_dp_rx_h_undecap(ar, msdu, desc,
HAL_ENCRYPT_TYPE_TKIP_MIC, status, false);
+ return false;
}
static bool ath12k_dp_rx_h_rxdma_err(struct ath12k *ar, struct sk_buff *msdu,
@@ -3807,7 +3845,7 @@ static bool ath12k_dp_rx_h_rxdma_err(struct ath12k *ar, struct sk_buff *msdu,
case HAL_REO_ENTR_RING_RXDMA_ECODE_TKIP_MIC_ERR:
err_bitmap = ath12k_dp_rx_h_mpdu_err(ab, rx_desc);
if (err_bitmap & HAL_RX_MPDU_ERR_TKIP_MIC) {
- ath12k_dp_rx_h_tkip_mic_err(ar, msdu, status);
+ drop = ath12k_dp_rx_h_tkip_mic_err(ar, msdu, status);
break;
}
fallthrough;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 122/449] f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 121/449] wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 123/449] net: sfp: add quirk for FS SFP-10GM-T copper SFP+ module Greg Kroah-Hartman
` (333 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+6653f10281a1badc749e, Chao Yu,
Jaegeuk Kim, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit e6494977bd4a83862118a05f57a8df40256951c0 ]
syzbot reports an UBSAN issue as below:
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/f2fs/node.h:381:10
index 18446744073709550692 is out of range for type '__le32[5]' (aka 'unsigned int[5]')
CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted 6.14.0-rc3-syzkaller-00060-g6537cfb395f3 #0
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
get_nid fs/f2fs/node.h:381 [inline]
f2fs_truncate_inode_blocks+0xa5e/0xf60 fs/f2fs/node.c:1181
f2fs_do_truncate_blocks+0x782/0x1030 fs/f2fs/file.c:808
f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:836
f2fs_truncate+0x417/0x720 fs/f2fs/file.c:886
f2fs_file_write_iter+0x1bdb/0x2550 fs/f2fs/file.c:5093
aio_write+0x56b/0x7c0 fs/aio.c:1633
io_submit_one+0x8a7/0x18a0 fs/aio.c:2052
__do_sys_io_submit fs/aio.c:2111 [inline]
__se_sys_io_submit+0x171/0x2e0 fs/aio.c:2081
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f238798cde9
index 18446744073709550692 (decimal, unsigned long long)
= 0xfffffffffffffc64 (hexadecimal, unsigned long long)
= -924 (decimal, long long)
In f2fs_truncate_inode_blocks(), UBSAN detects that get_nid() tries to
access .i_nid[-924], it means both offset[0] and level should zero.
The possible case should be in f2fs_do_truncate_blocks(), we try to
truncate inode size to zero, however, dn.ofs_in_node is zero and
dn.node_page is not an inode page, so it fails to truncate inode page,
and then pass zeroed free_from to f2fs_truncate_inode_blocks(), result
in this issue.
if (dn.ofs_in_node || IS_INODE(dn.node_page)) {
f2fs_truncate_data_blocks_range(&dn, count);
free_from += count;
}
I guess the reason why dn.node_page is not an inode page could be: there
are multiple nat entries share the same node block address, once the node
block address was reused, f2fs_get_node_page() may load a non-inode block.
Let's add a sanity check for such condition to avoid out-of-bounds access
issue.
Reported-by: syzbot+6653f10281a1badc749e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/66fdcdf3.050a0220.40bef.0025.GAE@google.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/node.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
index f88392fc4ba95..c1274bcec68b4 100644
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -1135,7 +1135,14 @@ int f2fs_truncate_inode_blocks(struct inode *inode, pgoff_t from)
trace_f2fs_truncate_inode_blocks_enter(inode, from);
level = get_node_path(inode, from, offset, noffset);
- if (level < 0) {
+ if (level <= 0) {
+ if (!level) {
+ level = -EFSCORRUPTED;
+ f2fs_err(sbi, "%s: inode ino=%lx has corrupted node block, from:%lu addrs:%u",
+ __func__, inode->i_ino,
+ from, ADDRS_PER_INODE(inode));
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ }
trace_f2fs_truncate_inode_blocks_exit(inode, level);
return level;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 123/449] net: sfp: add quirk for FS SFP-10GM-T copper SFP+ module
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 122/449] f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 124/449] ahci: add PCI ID for Marvell 88SE9215 SATA Controller Greg Kroah-Hartman
` (332 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin Schiller, Jakub Kicinski,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Schiller <ms@dev.tdt.de>
[ Upstream commit 05ec5c085eb7ae044d49e04a3cff194a0b2a3251 ]
Add quirk for a copper SFP that identifies itself as "FS" "SFP-10GM-T".
It uses RollBall protocol to talk to the PHY and needs 4 sec wait before
probing the PHY.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Link: https://patch.msgid.link/20250227071058.1520027-1-ms@dev.tdt.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/sfp.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c
index 9369f52977694..c88217af44a14 100644
--- a/drivers/net/phy/sfp.c
+++ b/drivers/net/phy/sfp.c
@@ -385,7 +385,7 @@ static void sfp_fixup_rollball(struct sfp *sfp)
sfp->phy_t_retry = msecs_to_jiffies(1000);
}
-static void sfp_fixup_fs_2_5gt(struct sfp *sfp)
+static void sfp_fixup_rollball_wait4s(struct sfp *sfp)
{
sfp_fixup_rollball(sfp);
@@ -399,7 +399,7 @@ static void sfp_fixup_fs_2_5gt(struct sfp *sfp)
static void sfp_fixup_fs_10gt(struct sfp *sfp)
{
sfp_fixup_10gbaset_30m(sfp);
- sfp_fixup_fs_2_5gt(sfp);
+ sfp_fixup_rollball_wait4s(sfp);
}
static void sfp_fixup_halny_gsfp(struct sfp *sfp)
@@ -479,9 +479,10 @@ static const struct sfp_quirk sfp_quirks[] = {
// PHY.
SFP_QUIRK_F("FS", "SFP-10G-T", sfp_fixup_fs_10gt),
- // Fiberstore SFP-2.5G-T uses Rollball protocol to talk to the PHY and
- // needs 4 sec wait before probing the PHY.
- SFP_QUIRK_F("FS", "SFP-2.5G-T", sfp_fixup_fs_2_5gt),
+ // Fiberstore SFP-2.5G-T and SFP-10GM-T uses Rollball protocol to talk
+ // to the PHY and needs 4 sec wait before probing the PHY.
+ SFP_QUIRK_F("FS", "SFP-2.5G-T", sfp_fixup_rollball_wait4s),
+ SFP_QUIRK_F("FS", "SFP-10GM-T", sfp_fixup_rollball_wait4s),
// Fiberstore GPON-ONU-34-20BI can operate at 2500base-X, but report 1.2GBd
// NRZ in their EEPROM
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 124/449] ahci: add PCI ID for Marvell 88SE9215 SATA Controller
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 123/449] net: sfp: add quirk for FS SFP-10GM-T copper SFP+ module Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 125/449] ext4: protect ext4_release_dquot against freezing Greg Kroah-Hartman
` (331 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Daniel Kral, Niklas Cassel,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Kral <d.kral@proxmox.com>
[ Upstream commit 885251dc35767b1c992f6909532ca366c830814a ]
Add support for Marvell Technology Group Ltd. 88SE9215 SATA 6 Gb/s
controller, which is e.g. used in the DAWICONTROL DC-614e RAID bus
controller and was not automatically recognized before.
Tested with a DAWICONTROL DC-614e RAID bus controller.
Signed-off-by: Daniel Kral <d.kral@proxmox.com>
Link: https://lore.kernel.org/r/20250304092030.37108-1-d.kral@proxmox.com
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/ahci.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
index f813dbdc2346f..52ae8f9a7dd61 100644
--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -589,6 +589,8 @@ static const struct pci_device_id ahci_pci_tbl[] = {
.driver_data = board_ahci_yes_fbs },
{ PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x91a3),
.driver_data = board_ahci_yes_fbs },
+ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9215),
+ .driver_data = board_ahci_yes_fbs },
{ PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9230),
.driver_data = board_ahci_yes_fbs },
{ PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9235),
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 125/449] ext4: protect ext4_release_dquot against freezing
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 124/449] ahci: add PCI ID for Marvell 88SE9215 SATA Controller Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 126/449] Revert "f2fs: rebuild nat_bits during umount" Greg Kroah-Hartman
` (330 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Ojaswin Mujoo, Baokun Li,
Theodore Tso, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
[ Upstream commit 530fea29ef82e169cd7fe048c2b7baaeb85a0028 ]
Protect ext4_release_dquot against freezing so that we
don't try to start a transaction when FS is frozen, leading
to warnings.
Further, avoid taking the freeze protection if a transaction
is already running so that we don't need end up in a deadlock
as described in
46e294efc355 ext4: fix deadlock with fs freezing and EA inodes
Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20241121123855.645335-3-ojaswin@linux.ibm.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/super.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index dc46a7063f1e1..528979de0f7c1 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -6938,12 +6938,25 @@ static int ext4_release_dquot(struct dquot *dquot)
{
int ret, err;
handle_t *handle;
+ bool freeze_protected = false;
+
+ /*
+ * Trying to sb_start_intwrite() in a running transaction
+ * can result in a deadlock. Further, running transactions
+ * are already protected from freezing.
+ */
+ if (!ext4_journal_current_handle()) {
+ sb_start_intwrite(dquot->dq_sb);
+ freeze_protected = true;
+ }
handle = ext4_journal_start(dquot_to_inode(dquot), EXT4_HT_QUOTA,
EXT4_QUOTA_DEL_BLOCKS(dquot->dq_sb));
if (IS_ERR(handle)) {
/* Release dquot anyway to avoid endless cycle in dqput() */
dquot_release(dquot);
+ if (freeze_protected)
+ sb_end_intwrite(dquot->dq_sb);
return PTR_ERR(handle);
}
ret = dquot_release(dquot);
@@ -6954,6 +6967,10 @@ static int ext4_release_dquot(struct dquot *dquot)
err = ext4_journal_stop(handle);
if (!ret)
ret = err;
+
+ if (freeze_protected)
+ sb_end_intwrite(dquot->dq_sb);
+
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 126/449] Revert "f2fs: rebuild nat_bits during umount"
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 125/449] ext4: protect ext4_release_dquot against freezing Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 127/449] wifi: mac80211: fix userspace_selectors corruption Greg Kroah-Hartman
` (329 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 19426c4988aa85298c1b4caf2889d37ec5c80fea ]
This reverts commit 94c821fb286b545d37549ff30a0c341e066f0d6c.
It reports that there is potential corruption in node footer,
the most suspious feature is nat_bits, let's revert recovery
related code.
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/checkpoint.c | 21 +++------
fs/f2fs/f2fs.h | 32 +++++++++++++-
fs/f2fs/node.c | 101 ++++++++++---------------------------------
3 files changed, 59 insertions(+), 95 deletions(-)
diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c
index bd890738b94d7..92be53a83744e 100644
--- a/fs/f2fs/checkpoint.c
+++ b/fs/f2fs/checkpoint.c
@@ -1346,21 +1346,13 @@ static void update_ckpt_flags(struct f2fs_sb_info *sbi, struct cp_control *cpc)
struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi);
unsigned long flags;
- if (cpc->reason & CP_UMOUNT) {
- if (le32_to_cpu(ckpt->cp_pack_total_block_count) +
- NM_I(sbi)->nat_bits_blocks > BLKS_PER_SEG(sbi)) {
- clear_ckpt_flags(sbi, CP_NAT_BITS_FLAG);
- f2fs_notice(sbi, "Disable nat_bits due to no space");
- } else if (!is_set_ckpt_flags(sbi, CP_NAT_BITS_FLAG) &&
- f2fs_nat_bitmap_enabled(sbi)) {
- f2fs_enable_nat_bits(sbi);
- set_ckpt_flags(sbi, CP_NAT_BITS_FLAG);
- f2fs_notice(sbi, "Rebuild and enable nat_bits");
- }
- }
-
spin_lock_irqsave(&sbi->cp_lock, flags);
+ if ((cpc->reason & CP_UMOUNT) &&
+ le32_to_cpu(ckpt->cp_pack_total_block_count) >
+ sbi->blocks_per_seg - NM_I(sbi)->nat_bits_blocks)
+ disable_nat_bits(sbi, false);
+
if (cpc->reason & CP_TRIMMED)
__set_ckpt_flags(ckpt, CP_TRIMMED_FLAG);
else
@@ -1543,8 +1535,7 @@ static int do_checkpoint(struct f2fs_sb_info *sbi, struct cp_control *cpc)
start_blk = __start_cp_next_addr(sbi);
/* write nat bits */
- if ((cpc->reason & CP_UMOUNT) &&
- is_set_ckpt_flags(sbi, CP_NAT_BITS_FLAG)) {
+ if (enabled_nat_bits(sbi, cpc)) {
__u64 cp_ver = cur_cp_version(ckpt);
block_t blk;
diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index 493dda2d4b663..02fc4e9d42120 100644
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -2220,6 +2220,36 @@ static inline void f2fs_up_write(struct f2fs_rwsem *sem)
#endif
}
+static inline void disable_nat_bits(struct f2fs_sb_info *sbi, bool lock)
+{
+ unsigned long flags;
+ unsigned char *nat_bits;
+
+ /*
+ * In order to re-enable nat_bits we need to call fsck.f2fs by
+ * set_sbi_flag(sbi, SBI_NEED_FSCK). But it may give huge cost,
+ * so let's rely on regular fsck or unclean shutdown.
+ */
+
+ if (lock)
+ spin_lock_irqsave(&sbi->cp_lock, flags);
+ __clear_ckpt_flags(F2FS_CKPT(sbi), CP_NAT_BITS_FLAG);
+ nat_bits = NM_I(sbi)->nat_bits;
+ NM_I(sbi)->nat_bits = NULL;
+ if (lock)
+ spin_unlock_irqrestore(&sbi->cp_lock, flags);
+
+ kvfree(nat_bits);
+}
+
+static inline bool enabled_nat_bits(struct f2fs_sb_info *sbi,
+ struct cp_control *cpc)
+{
+ bool set = is_set_ckpt_flags(sbi, CP_NAT_BITS_FLAG);
+
+ return (cpc) ? (cpc->reason & CP_UMOUNT) && set : set;
+}
+
static inline void f2fs_lock_op(struct f2fs_sb_info *sbi)
{
f2fs_down_read(&sbi->cp_rwsem);
@@ -3663,7 +3693,6 @@ int f2fs_truncate_inode_blocks(struct inode *inode, pgoff_t from);
int f2fs_truncate_xattr_node(struct inode *inode);
int f2fs_wait_on_node_pages_writeback(struct f2fs_sb_info *sbi,
unsigned int seq_id);
-bool f2fs_nat_bitmap_enabled(struct f2fs_sb_info *sbi);
int f2fs_remove_inode_page(struct inode *inode);
struct page *f2fs_new_inode_page(struct inode *inode);
struct page *f2fs_new_node_page(struct dnode_of_data *dn, unsigned int ofs);
@@ -3688,7 +3717,6 @@ int f2fs_recover_xattr_data(struct inode *inode, struct page *page);
int f2fs_recover_inode_page(struct f2fs_sb_info *sbi, struct page *page);
int f2fs_restore_node_summary(struct f2fs_sb_info *sbi,
unsigned int segno, struct f2fs_summary_block *sum);
-void f2fs_enable_nat_bits(struct f2fs_sb_info *sbi);
int f2fs_flush_nat_entries(struct f2fs_sb_info *sbi, struct cp_control *cpc);
int f2fs_build_node_manager(struct f2fs_sb_info *sbi);
void f2fs_destroy_node_manager(struct f2fs_sb_info *sbi);
diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
index c1274bcec68b4..9f6cca183c608 100644
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -2276,24 +2276,6 @@ static void __move_free_nid(struct f2fs_sb_info *sbi, struct free_nid *i,
}
}
-bool f2fs_nat_bitmap_enabled(struct f2fs_sb_info *sbi)
-{
- struct f2fs_nm_info *nm_i = NM_I(sbi);
- unsigned int i;
- bool ret = true;
-
- f2fs_down_read(&nm_i->nat_tree_lock);
- for (i = 0; i < nm_i->nat_blocks; i++) {
- if (!test_bit_le(i, nm_i->nat_block_bitmap)) {
- ret = false;
- break;
- }
- }
- f2fs_up_read(&nm_i->nat_tree_lock);
-
- return ret;
-}
-
static void update_free_nid_bitmap(struct f2fs_sb_info *sbi, nid_t nid,
bool set, bool build)
{
@@ -2972,23 +2954,7 @@ static void __adjust_nat_entry_set(struct nat_entry_set *nes,
list_add_tail(&nes->set_list, head);
}
-static void __update_nat_bits(struct f2fs_nm_info *nm_i, unsigned int nat_ofs,
- unsigned int valid)
-{
- if (valid == 0) {
- __set_bit_le(nat_ofs, nm_i->empty_nat_bits);
- __clear_bit_le(nat_ofs, nm_i->full_nat_bits);
- return;
- }
-
- __clear_bit_le(nat_ofs, nm_i->empty_nat_bits);
- if (valid == NAT_ENTRY_PER_BLOCK)
- __set_bit_le(nat_ofs, nm_i->full_nat_bits);
- else
- __clear_bit_le(nat_ofs, nm_i->full_nat_bits);
-}
-
-static void update_nat_bits(struct f2fs_sb_info *sbi, nid_t start_nid,
+static void __update_nat_bits(struct f2fs_sb_info *sbi, nid_t start_nid,
struct page *page)
{
struct f2fs_nm_info *nm_i = NM_I(sbi);
@@ -2997,7 +2963,7 @@ static void update_nat_bits(struct f2fs_sb_info *sbi, nid_t start_nid,
int valid = 0;
int i = 0;
- if (!is_set_ckpt_flags(sbi, CP_NAT_BITS_FLAG))
+ if (!enabled_nat_bits(sbi, NULL))
return;
if (nat_index == 0) {
@@ -3008,36 +2974,17 @@ static void update_nat_bits(struct f2fs_sb_info *sbi, nid_t start_nid,
if (le32_to_cpu(nat_blk->entries[i].block_addr) != NULL_ADDR)
valid++;
}
-
- __update_nat_bits(nm_i, nat_index, valid);
-}
-
-void f2fs_enable_nat_bits(struct f2fs_sb_info *sbi)
-{
- struct f2fs_nm_info *nm_i = NM_I(sbi);
- unsigned int nat_ofs;
-
- f2fs_down_read(&nm_i->nat_tree_lock);
-
- for (nat_ofs = 0; nat_ofs < nm_i->nat_blocks; nat_ofs++) {
- unsigned int valid = 0, nid_ofs = 0;
-
- /* handle nid zero due to it should never be used */
- if (unlikely(nat_ofs == 0)) {
- valid = 1;
- nid_ofs = 1;
- }
-
- for (; nid_ofs < NAT_ENTRY_PER_BLOCK; nid_ofs++) {
- if (!test_bit_le(nid_ofs,
- nm_i->free_nid_bitmap[nat_ofs]))
- valid++;
- }
-
- __update_nat_bits(nm_i, nat_ofs, valid);
+ if (valid == 0) {
+ __set_bit_le(nat_index, nm_i->empty_nat_bits);
+ __clear_bit_le(nat_index, nm_i->full_nat_bits);
+ return;
}
- f2fs_up_read(&nm_i->nat_tree_lock);
+ __clear_bit_le(nat_index, nm_i->empty_nat_bits);
+ if (valid == NAT_ENTRY_PER_BLOCK)
+ __set_bit_le(nat_index, nm_i->full_nat_bits);
+ else
+ __clear_bit_le(nat_index, nm_i->full_nat_bits);
}
static int __flush_nat_entry_set(struct f2fs_sb_info *sbi,
@@ -3056,7 +3003,7 @@ static int __flush_nat_entry_set(struct f2fs_sb_info *sbi,
* #1, flush nat entries to journal in current hot data summary block.
* #2, flush nat entries to nat page.
*/
- if ((cpc->reason & CP_UMOUNT) ||
+ if (enabled_nat_bits(sbi, cpc) ||
!__has_cursum_space(journal, set->entry_cnt, NAT_JOURNAL))
to_journal = false;
@@ -3103,7 +3050,7 @@ static int __flush_nat_entry_set(struct f2fs_sb_info *sbi,
if (to_journal) {
up_write(&curseg->journal_rwsem);
} else {
- update_nat_bits(sbi, start_nid, page);
+ __update_nat_bits(sbi, start_nid, page);
f2fs_put_page(page, 1);
}
@@ -3134,7 +3081,7 @@ int f2fs_flush_nat_entries(struct f2fs_sb_info *sbi, struct cp_control *cpc)
* during unmount, let's flush nat_bits before checking
* nat_cnt[DIRTY_NAT].
*/
- if (cpc->reason & CP_UMOUNT) {
+ if (enabled_nat_bits(sbi, cpc)) {
f2fs_down_write(&nm_i->nat_tree_lock);
remove_nats_in_journal(sbi);
f2fs_up_write(&nm_i->nat_tree_lock);
@@ -3150,7 +3097,7 @@ int f2fs_flush_nat_entries(struct f2fs_sb_info *sbi, struct cp_control *cpc)
* entries, remove all entries from journal and merge them
* into nat entry set.
*/
- if (cpc->reason & CP_UMOUNT ||
+ if (enabled_nat_bits(sbi, cpc) ||
!__has_cursum_space(journal,
nm_i->nat_cnt[DIRTY_NAT], NAT_JOURNAL))
remove_nats_in_journal(sbi);
@@ -3187,18 +3134,15 @@ static int __get_nat_bitmaps(struct f2fs_sb_info *sbi)
__u64 cp_ver = cur_cp_version(ckpt);
block_t nat_bits_addr;
+ if (!enabled_nat_bits(sbi, NULL))
+ return 0;
+
nm_i->nat_bits_blocks = F2FS_BLK_ALIGN((nat_bits_bytes << 1) + 8);
nm_i->nat_bits = f2fs_kvzalloc(sbi,
F2FS_BLK_TO_BYTES(nm_i->nat_bits_blocks), GFP_KERNEL);
if (!nm_i->nat_bits)
return -ENOMEM;
- nm_i->full_nat_bits = nm_i->nat_bits + 8;
- nm_i->empty_nat_bits = nm_i->full_nat_bits + nat_bits_bytes;
-
- if (!is_set_ckpt_flags(sbi, CP_NAT_BITS_FLAG))
- return 0;
-
nat_bits_addr = __start_cp_addr(sbi) + BLKS_PER_SEG(sbi) -
nm_i->nat_bits_blocks;
for (i = 0; i < nm_i->nat_bits_blocks; i++) {
@@ -3215,12 +3159,13 @@ static int __get_nat_bitmaps(struct f2fs_sb_info *sbi)
cp_ver |= (cur_cp_crc(ckpt) << 32);
if (cpu_to_le64(cp_ver) != *(__le64 *)nm_i->nat_bits) {
- clear_ckpt_flags(sbi, CP_NAT_BITS_FLAG);
- f2fs_notice(sbi, "Disable nat_bits due to incorrect cp_ver (%llu, %llu)",
- cp_ver, le64_to_cpu(*(__le64 *)nm_i->nat_bits));
+ disable_nat_bits(sbi, true);
return 0;
}
+ nm_i->full_nat_bits = nm_i->nat_bits + 8;
+ nm_i->empty_nat_bits = nm_i->full_nat_bits + nat_bits_bytes;
+
f2fs_notice(sbi, "Found nat_bits in checkpoint");
return 0;
}
@@ -3231,7 +3176,7 @@ static inline void load_free_nid_bitmap(struct f2fs_sb_info *sbi)
unsigned int i = 0;
nid_t nid, last_nid;
- if (!is_set_ckpt_flags(sbi, CP_NAT_BITS_FLAG))
+ if (!enabled_nat_bits(sbi, NULL))
return;
for (i = 0; i < nm_i->nat_blocks; i++) {
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 127/449] wifi: mac80211: fix userspace_selectors corruption
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 126/449] Revert "f2fs: rebuild nat_bits during umount" Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 128/449] ext4: ignore xattrs past end Greg Kroah-Hartman
` (328 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Berg, Ilan Peer,
Miri Korenblit, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 700014d3ad1fd6e55c8f9ffa817514d3fbb5286e ]
Spotted during code review, the selectors need to be large
enough for a 128-bit bitmap, not a single unsigned long,
otherwise we have stack corruption.
We should also allow passing selectors from userspace, but
that should be a separate change.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20250308225541.8f1bcf96a504.Ibeb8970c82a30c97279a4cc4e68faca5df1813a5@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/mlme.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 9411500a61350..99e9b03d7fe19 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -9648,8 +9648,6 @@ EXPORT_SYMBOL(ieee80211_disable_rssi_reports);
static void ieee80211_ml_reconf_selectors(unsigned long *userspace_selectors)
{
- *userspace_selectors = 0;
-
/* these selectors are mandatory for ML reconfiguration */
set_bit(BSS_MEMBERSHIP_SELECTOR_SAE_H2E, userspace_selectors);
set_bit(BSS_MEMBERSHIP_SELECTOR_HE_PHY, userspace_selectors);
@@ -9669,7 +9667,7 @@ void ieee80211_process_ml_reconf_resp(struct ieee80211_sub_if_data *sdata,
sdata->u.mgd.reconf.removed_links;
u16 link_mask, valid_links;
unsigned int link_id;
- unsigned long userspace_selectors;
+ unsigned long userspace_selectors[BITS_TO_LONGS(128)] = {};
size_t orig_len = len;
u8 i, group_key_data_len;
u8 *pos;
@@ -9777,7 +9775,7 @@ void ieee80211_process_ml_reconf_resp(struct ieee80211_sub_if_data *sdata,
}
ieee80211_vif_set_links(sdata, valid_links, sdata->vif.dormant_links);
- ieee80211_ml_reconf_selectors(&userspace_selectors);
+ ieee80211_ml_reconf_selectors(userspace_selectors);
link_mask = 0;
for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
struct cfg80211_bss *cbss = add_links_data->link[link_id].bss;
@@ -9823,7 +9821,7 @@ void ieee80211_process_ml_reconf_resp(struct ieee80211_sub_if_data *sdata,
link->u.mgd.conn = add_links_data->link[link_id].conn;
if (ieee80211_prep_channel(sdata, link, link_id, cbss,
true, &link->u.mgd.conn,
- &userspace_selectors)) {
+ userspace_selectors)) {
link_info(link, "mlo: reconf: prep_channel failed\n");
goto disconnect;
}
@@ -10152,14 +10150,14 @@ int ieee80211_mgd_assoc_ml_reconf(struct ieee80211_sub_if_data *sdata,
*/
if (added_links) {
bool uapsd_supported;
- unsigned long userspace_selectors;
+ unsigned long userspace_selectors[BITS_TO_LONGS(128)] = {};
data = kzalloc(sizeof(*data), GFP_KERNEL);
if (!data)
return -ENOMEM;
uapsd_supported = true;
- ieee80211_ml_reconf_selectors(&userspace_selectors);
+ ieee80211_ml_reconf_selectors(userspace_selectors);
for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
link_id++) {
struct ieee80211_supported_band *sband;
@@ -10235,7 +10233,7 @@ int ieee80211_mgd_assoc_ml_reconf(struct ieee80211_sub_if_data *sdata,
data->link[link_id].bss,
true,
&data->link[link_id].conn,
- &userspace_selectors);
+ userspace_selectors);
if (err)
goto err_free;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 128/449] ext4: ignore xattrs past end
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 127/449] wifi: mac80211: fix userspace_selectors corruption Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 129/449] cdc_ether|r8152: ThinkPad Hybrid USB-C/A Dock quirk Greg Kroah-Hartman
` (327 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b244bda78289b00204ed,
Thadeu Lima de Souza Cascardo, Bhupesh, Theodore Tso, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bhupesh <bhupesh@igalia.com>
[ Upstream commit c8e008b60492cf6fd31ef127aea6d02fd3d314cd ]
Once inside 'ext4_xattr_inode_dec_ref_all' we should
ignore xattrs entries past the 'end' entry.
This fixes the following KASAN reported issue:
==================================================================
BUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
Read of size 4 at addr ffff888012c120c4 by task repro/2065
CPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x1fd/0x300
? tcp_gro_dev_warn+0x260/0x260
? _printk+0xc0/0x100
? read_lock_is_recursive+0x10/0x10
? irq_work_queue+0x72/0xf0
? __virt_addr_valid+0x17b/0x4b0
print_address_description+0x78/0x390
print_report+0x107/0x1f0
? __virt_addr_valid+0x17b/0x4b0
? __virt_addr_valid+0x3ff/0x4b0
? __phys_addr+0xb5/0x160
? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
kasan_report+0xcc/0x100
? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
? ext4_xattr_delete_inode+0xd30/0xd30
? __ext4_journal_ensure_credits+0x5f0/0x5f0
? __ext4_journal_ensure_credits+0x2b/0x5f0
? inode_update_timestamps+0x410/0x410
ext4_xattr_delete_inode+0xb64/0xd30
? ext4_truncate+0xb70/0xdc0
? ext4_expand_extra_isize_ea+0x1d20/0x1d20
? __ext4_mark_inode_dirty+0x670/0x670
? ext4_journal_check_start+0x16f/0x240
? ext4_inode_is_fast_symlink+0x2f2/0x3a0
ext4_evict_inode+0xc8c/0xff0
? ext4_inode_is_fast_symlink+0x3a0/0x3a0
? do_raw_spin_unlock+0x53/0x8a0
? ext4_inode_is_fast_symlink+0x3a0/0x3a0
evict+0x4ac/0x950
? proc_nr_inodes+0x310/0x310
? trace_ext4_drop_inode+0xa2/0x220
? _raw_spin_unlock+0x1a/0x30
? iput+0x4cb/0x7e0
do_unlinkat+0x495/0x7c0
? try_break_deleg+0x120/0x120
? 0xffffffff81000000
? __check_object_size+0x15a/0x210
? strncpy_from_user+0x13e/0x250
? getname_flags+0x1dc/0x530
__x64_sys_unlinkat+0xc8/0xf0
do_syscall_64+0x65/0x110
entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x434ffd
Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8
RSP: 002b:00007ffc50fa7b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000107
RAX: ffffffffffffffda RBX: 00007ffc50fa7e18 RCX: 0000000000434ffd
RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005
RBP: 00007ffc50fa7be0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffc50fa7e08 R14: 00000000004bbf30 R15: 0000000000000001
</TASK>
The buggy address belongs to the object at ffff888012c12000
which belongs to the cache filp of size 360
The buggy address is located 196 bytes inside of
freed 360-byte region [ffff888012c12000, ffff888012c12168)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c12
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x40(head|node=0|zone=0)
page_type: f5(slab)
raw: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004
raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004
head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 0000000000000001 ffffea00004b0481 ffffffffffffffff 0000000000000000
head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
ffff888012c12180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Reported-by: syzbot+b244bda78289b00204ed@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b244bda78289b00204ed
Suggested-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Bhupesh <bhupesh@igalia.com>
Link: https://patch.msgid.link/20250128082751.124948-2-bhupesh@igalia.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/xattr.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index a10fb8a9d02dc..8ced9beba2f7e 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1159,15 +1159,24 @@ ext4_xattr_inode_dec_ref_all(handle_t *handle, struct inode *parent,
{
struct inode *ea_inode;
struct ext4_xattr_entry *entry;
+ struct ext4_iloc iloc;
bool dirty = false;
unsigned int ea_ino;
int err;
int credits;
+ void *end;
+
+ if (block_csum)
+ end = (void *)bh->b_data + bh->b_size;
+ else {
+ ext4_get_inode_loc(parent, &iloc);
+ end = (void *)ext4_raw_inode(&iloc) + EXT4_SB(parent->i_sb)->s_inode_size;
+ }
/* One credit for dec ref on ea_inode, one for orphan list addition, */
credits = 2 + extra_credits;
- for (entry = first; !IS_LAST_ENTRY(entry);
+ for (entry = first; (void *)entry < end && !IS_LAST_ENTRY(entry);
entry = EXT4_XATTR_NEXT(entry)) {
if (!entry->e_value_inum)
continue;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 129/449] cdc_ether|r8152: ThinkPad Hybrid USB-C/A Dock quirk
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 128/449] ext4: ignore xattrs past end Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 130/449] scsi: st: Fix array overflow in st_setup() Greg Kroah-Hartman
` (326 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leon Schuermann, Jakub Kicinski,
"open list:NETWORKING DRIVERS", Philipp Hahn,
Kory Maincent, Paolo Abeni, Sasha Levin, Oliver Neukum
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philipp Hahn <phahn-oss@avm.de>
[ Upstream commit a07f23ad9baf716cbf7746e452c92960536ceae6 ]
Lenovo ThinkPad Hybrid USB-C with USB-A Dock (17ef:a359) is affected by
the same problem as the Lenovo Powered USB-C Travel Hub (17ef:721e):
Both are based on the Realtek RTL8153B chip used to use the cdc_ether
driver. However, using this driver, with the system suspended the device
constantly sends pause-frames as soon as the receive buffer fills up.
This causes issues with other devices, where some Ethernet switches stop
forwarding packets altogether.
Using the Realtek driver (r8152) fixes this issue. Pause frames are no
longer sent while the host system is suspended.
Cc: Leon Schuermann <leon@is.currently.online>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Oliver Neukum <oliver@neukum.org> (maintainer:USB CDC ETHERNET DRIVER)
Cc: netdev@vger.kernel.org (open list:NETWORKING DRIVERS)
Link: https://git.kernel.org/netdev/net/c/cb82a54904a9
Link: https://git.kernel.org/netdev/net/c/2284bbd0cf39
Link: https://www.lenovo.com/de/de/p/accessories-and-software/docking/docking-usb-docks/40af0135eu
Signed-off-by: Philipp Hahn <phahn-oss@avm.de>
Reviewed-by: Kory Maincent <kory.maincent@bootlin.com>
Link: https://patch.msgid.link/484336aad52d14ccf061b535bc19ef6396ef5120.1741601523.git.p.hahn@avm.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/cdc_ether.c | 7 +++++++
drivers/net/usb/r8152.c | 6 ++++++
drivers/net/usb/r8153_ecm.c | 6 ++++++
3 files changed, 19 insertions(+)
diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
index a6469235d904e..a032c1ded4063 100644
--- a/drivers/net/usb/cdc_ether.c
+++ b/drivers/net/usb/cdc_ether.c
@@ -783,6 +783,13 @@ static const struct usb_device_id products[] = {
.driver_info = 0,
},
+/* Lenovo ThinkPad Hybrid USB-C with USB-A Dock (40af0135eu, based on Realtek RTL8153) */
+{
+ USB_DEVICE_AND_INTERFACE_INFO(LENOVO_VENDOR_ID, 0xa359, USB_CLASS_COMM,
+ USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
+ .driver_info = 0,
+},
+
/* Aquantia AQtion USB to 5GbE Controller (based on AQC111U) */
{
USB_DEVICE_AND_INTERFACE_INFO(AQUANTIA_VENDOR_ID, 0xc101,
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index 468c739740463..96fa3857d8e25 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -785,6 +785,7 @@ enum rtl8152_flags {
#define DEVICE_ID_THINKPAD_USB_C_DONGLE 0x720c
#define DEVICE_ID_THINKPAD_USB_C_DOCK_GEN2 0xa387
#define DEVICE_ID_THINKPAD_USB_C_DOCK_GEN3 0x3062
+#define DEVICE_ID_THINKPAD_HYBRID_USB_C_DOCK 0xa359
struct tally_counter {
__le64 tx_packets;
@@ -9787,6 +9788,7 @@ static bool rtl8152_supports_lenovo_macpassthru(struct usb_device *udev)
case DEVICE_ID_THINKPAD_USB_C_DOCK_GEN2:
case DEVICE_ID_THINKPAD_USB_C_DOCK_GEN3:
case DEVICE_ID_THINKPAD_USB_C_DONGLE:
+ case DEVICE_ID_THINKPAD_HYBRID_USB_C_DOCK:
return 1;
}
} else if (vendor_id == VENDOR_ID_REALTEK && parent_vendor_id == VENDOR_ID_LENOVO) {
@@ -10064,6 +10066,8 @@ static const struct usb_device_id rtl8152_table[] = {
{ USB_DEVICE(VENDOR_ID_MICROSOFT, 0x0927) },
{ USB_DEVICE(VENDOR_ID_MICROSOFT, 0x0c5e) },
{ USB_DEVICE(VENDOR_ID_SAMSUNG, 0xa101) },
+
+ /* Lenovo */
{ USB_DEVICE(VENDOR_ID_LENOVO, 0x304f) },
{ USB_DEVICE(VENDOR_ID_LENOVO, 0x3054) },
{ USB_DEVICE(VENDOR_ID_LENOVO, 0x3062) },
@@ -10074,7 +10078,9 @@ static const struct usb_device_id rtl8152_table[] = {
{ USB_DEVICE(VENDOR_ID_LENOVO, 0x720c) },
{ USB_DEVICE(VENDOR_ID_LENOVO, 0x7214) },
{ USB_DEVICE(VENDOR_ID_LENOVO, 0x721e) },
+ { USB_DEVICE(VENDOR_ID_LENOVO, 0xa359) },
{ USB_DEVICE(VENDOR_ID_LENOVO, 0xa387) },
+
{ USB_DEVICE(VENDOR_ID_LINKSYS, 0x0041) },
{ USB_DEVICE(VENDOR_ID_NVIDIA, 0x09ff) },
{ USB_DEVICE(VENDOR_ID_TPLINK, 0x0601) },
diff --git a/drivers/net/usb/r8153_ecm.c b/drivers/net/usb/r8153_ecm.c
index 20b2df8d74ae1..8d860dacdf49b 100644
--- a/drivers/net/usb/r8153_ecm.c
+++ b/drivers/net/usb/r8153_ecm.c
@@ -135,6 +135,12 @@ static const struct usb_device_id products[] = {
USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
.driver_info = (unsigned long)&r8153_info,
},
+/* Lenovo ThinkPad Hybrid USB-C with USB-A Dock (40af0135eu, based on Realtek RTL8153) */
+{
+ USB_DEVICE_AND_INTERFACE_INFO(VENDOR_ID_LENOVO, 0xa359, USB_CLASS_COMM,
+ USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
+ .driver_info = (unsigned long)&r8153_info,
+},
{ }, /* END */
};
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 130/449] scsi: st: Fix array overflow in st_setup()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 129/449] cdc_ether|r8152: ThinkPad Hybrid USB-C/A Dock quirk Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 131/449] ahci: Marvell 88SE9215 controllers prefer DMA for ATAPI Greg Kroah-Hartman
` (325 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chenyuan Yang, Kai Mäkisara,
Martin K. Petersen, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kai Mäkisara <Kai.Makisara@kolumbus.fi>
[ Upstream commit a018d1cf990d0c339fe0e29b762ea5dc10567d67 ]
Change the array size to follow parms size instead of a fixed value.
Reported-by: Chenyuan Yang <chenyuan0y@gmail.com>
Closes: https://lore.kernel.org/linux-scsi/CALGdzuoubbra4xKOJcsyThdk5Y1BrAmZs==wbqjbkAgmKS39Aw@mail.gmail.com/
Signed-off-by: Kai Mäkisara <Kai.Makisara@kolumbus.fi>
Link: https://lore.kernel.org/r/20250311112516.5548-2-Kai.Makisara@kolumbus.fi
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/st.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c
index ebbd50ec0cda5..344e4da336bb5 100644
--- a/drivers/scsi/st.c
+++ b/drivers/scsi/st.c
@@ -4122,7 +4122,7 @@ static void validate_options(void)
*/
static int __init st_setup(char *str)
{
- int i, len, ints[5];
+ int i, len, ints[ARRAY_SIZE(parms) + 1];
char *stp;
stp = get_options(str, ARRAY_SIZE(ints), ints);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 131/449] ahci: Marvell 88SE9215 controllers prefer DMA for ATAPI
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 130/449] scsi: st: Fix array overflow in st_setup() Greg Kroah-Hartman
@ 2025-04-17 17:46 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 132/449] btrfs: harden block_group::bg_list against list_del() races Greg Kroah-Hartman
` (324 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuli Wang, Jie Fan, Erpeng Xu,
Huacai Chen, Niklas Cassel, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
[ Upstream commit 0507c777f5d8f9e34b137d28ee263599a7b81242 ]
We use CD/DVD drives under Marvell 88SE9215 SATA controller on many
Loongson-based machines. We found its PIO doesn't work well, and on the
opposite its DMA seems work very well.
We don't know the detail of the 88SE9215 SATA controller, but we have
tested different CD/DVD drives and they all have problems under 88SE9215
(but they all work well under an Intel SATA controller). So, we consider
this problem is bound to 88SE9215 SATA controller rather than bound to
CD/DVD drives.
As a solution, we define a new dedicated AHCI board id which is named
board_ahci_yes_fbs_atapi_dma for 88SE9215, and for this id we set the
AHCI_HFLAG_ATAPI_DMA_QUIRK and ATA_QUIRK_ATAPI_MOD16_DMA flags on the
SATA controller in order to prefer ATAPI DMA.
Reported-by: Yuli Wang <wangyuli@uniontech.com>
Tested-by: Jie Fan <fanjie@uniontech.com>
Tested-by: Erpeng Xu <xuerpeng@uniontech.com>
Tested-by: Yuli Wang <wangyuli@uniontech.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Link: https://lore.kernel.org/r/20250318104314.2160526-1-chenhuacai@loongson.cn
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/ahci.c | 11 ++++++++++-
drivers/ata/ahci.h | 1 +
drivers/ata/libahci.c | 4 ++++
3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
index 52ae8f9a7dd61..f3a6bfe098cd4 100644
--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -63,6 +63,7 @@ enum board_ids {
board_ahci_pcs_quirk_no_devslp,
board_ahci_pcs_quirk_no_sntf,
board_ahci_yes_fbs,
+ board_ahci_yes_fbs_atapi_dma,
/* board IDs for specific chipsets in alphabetical order */
board_ahci_al,
@@ -188,6 +189,14 @@ static const struct ata_port_info ahci_port_info[] = {
.udma_mask = ATA_UDMA6,
.port_ops = &ahci_ops,
},
+ [board_ahci_yes_fbs_atapi_dma] = {
+ AHCI_HFLAGS (AHCI_HFLAG_YES_FBS |
+ AHCI_HFLAG_ATAPI_DMA_QUIRK),
+ .flags = AHCI_FLAG_COMMON,
+ .pio_mask = ATA_PIO4,
+ .udma_mask = ATA_UDMA6,
+ .port_ops = &ahci_ops,
+ },
/* by chipsets */
[board_ahci_al] = {
AHCI_HFLAGS (AHCI_HFLAG_NO_PMP | AHCI_HFLAG_NO_MSI),
@@ -590,7 +599,7 @@ static const struct pci_device_id ahci_pci_tbl[] = {
{ PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x91a3),
.driver_data = board_ahci_yes_fbs },
{ PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9215),
- .driver_data = board_ahci_yes_fbs },
+ .driver_data = board_ahci_yes_fbs_atapi_dma },
{ PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9230),
.driver_data = board_ahci_yes_fbs },
{ PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9235),
diff --git a/drivers/ata/ahci.h b/drivers/ata/ahci.h
index c842e2de6ef98..2c10c8f440d12 100644
--- a/drivers/ata/ahci.h
+++ b/drivers/ata/ahci.h
@@ -246,6 +246,7 @@ enum {
AHCI_HFLAG_NO_SXS = BIT(26), /* SXS not supported */
AHCI_HFLAG_43BIT_ONLY = BIT(27), /* 43bit DMA addr limit */
AHCI_HFLAG_INTEL_PCS_QUIRK = BIT(28), /* apply Intel PCS quirk */
+ AHCI_HFLAG_ATAPI_DMA_QUIRK = BIT(29), /* force ATAPI to use DMA */
/* ap->flags bits */
diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c
index e7ace4b10f15b..22afa4ff860d1 100644
--- a/drivers/ata/libahci.c
+++ b/drivers/ata/libahci.c
@@ -1322,6 +1322,10 @@ static void ahci_dev_config(struct ata_device *dev)
{
struct ahci_host_priv *hpriv = dev->link->ap->host->private_data;
+ if ((dev->class == ATA_DEV_ATAPI) &&
+ (hpriv->flags & AHCI_HFLAG_ATAPI_DMA_QUIRK))
+ dev->quirks |= ATA_QUIRK_ATAPI_MOD16_DMA;
+
if (hpriv->flags & AHCI_HFLAG_SECT255) {
dev->max_sectors = 255;
ata_dev_info(dev,
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 132/449] btrfs: harden block_group::bg_list against list_del() races
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2025-04-17 17:46 ` [PATCH 6.14 131/449] ahci: Marvell 88SE9215 controllers prefer DMA for ATAPI Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 133/449] wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table Greg Kroah-Hartman
` (323 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Filipe Manana,
Boris Burkov, David Sterba, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boris Burkov <boris@bur.io>
[ Upstream commit 7511e29cf1355b2c47d0effb39e463119913e2f6 ]
As far as I can tell, these calls of list_del_init() on bg_list cannot
run concurrently with btrfs_mark_bg_unused() or btrfs_mark_bg_to_reclaim(),
as they are in transaction error paths and situations where the block
group is readonly.
However, if there is any chance at all of racing with mark_bg_unused(),
or a different future user of bg_list, better to be safe than sorry.
Otherwise we risk the following interleaving (bg_list refcount in parens)
T1 (some random op) T2 (btrfs_mark_bg_unused)
!list_empty(&bg->bg_list); (1)
list_del_init(&bg->bg_list); (1)
list_move_tail (1)
btrfs_put_block_group (0)
btrfs_delete_unused_bgs
bg = list_first_entry
list_del_init(&bg->bg_list);
btrfs_put_block_group(bg); (-1)
Ultimately, this results in a broken ref count that hits zero one deref
early and the real final deref underflows the refcount, resulting in a WARNING.
Reviewed-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Boris Burkov <boris@bur.io>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/extent-tree.c | 8 ++++++++
fs/btrfs/transaction.c | 12 ++++++++++++
2 files changed, 20 insertions(+)
diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 3014a1a23efdb..6d615711f0400 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -2874,7 +2874,15 @@ int btrfs_finish_extent_commit(struct btrfs_trans_handle *trans)
block_group->length,
&trimmed);
+ /*
+ * Not strictly necessary to lock, as the block_group should be
+ * read-only from btrfs_delete_unused_bgs().
+ */
+ ASSERT(block_group->ro);
+ spin_lock(&fs_info->unused_bgs_lock);
list_del_init(&block_group->bg_list);
+ spin_unlock(&fs_info->unused_bgs_lock);
+
btrfs_unfreeze_block_group(block_group);
btrfs_put_block_group(block_group);
diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
index aca83a98b75a2..c0e9d4bbe380d 100644
--- a/fs/btrfs/transaction.c
+++ b/fs/btrfs/transaction.c
@@ -160,7 +160,13 @@ void btrfs_put_transaction(struct btrfs_transaction *transaction)
cache = list_first_entry(&transaction->deleted_bgs,
struct btrfs_block_group,
bg_list);
+ /*
+ * Not strictly necessary to lock, as no other task will be using a
+ * block_group on the deleted_bgs list during a transaction abort.
+ */
+ spin_lock(&transaction->fs_info->unused_bgs_lock);
list_del_init(&cache->bg_list);
+ spin_unlock(&transaction->fs_info->unused_bgs_lock);
btrfs_unfreeze_block_group(cache);
btrfs_put_block_group(cache);
}
@@ -2096,7 +2102,13 @@ static void btrfs_cleanup_pending_block_groups(struct btrfs_trans_handle *trans)
list_for_each_entry_safe(block_group, tmp, &trans->new_bgs, bg_list) {
btrfs_dec_delayed_refs_rsv_bg_inserts(fs_info);
+ /*
+ * Not strictly necessary to lock, as no other task will be using a
+ * block_group on the new_bgs list during a transaction abort.
+ */
+ spin_lock(&fs_info->unused_bgs_lock);
list_del_init(&block_group->bg_list);
+ spin_unlock(&fs_info->unused_bgs_lock);
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 133/449] wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 132/449] btrfs: harden block_group::bg_list against list_del() races Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 134/449] net: vlan: dont propagate flags on open Greg Kroah-Hartman
` (322 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Icenowy Zheng, Felix Fietkau,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Icenowy Zheng <uwu@icenowy.me>
[ Upstream commit 06cccc2ebbe6c8a20f714f3a0ff3ff489d3004bb ]
The TP-Link TL-WDN6200 "Driverless" version cards use a MT7612U chipset.
Add the USB ID to mt76x2u driver.
Signed-off-by: Icenowy Zheng <uwu@icenowy.me>
Link: https://patch.msgid.link/20250317102235.1421726-1-uwu@icenowy.me
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c b/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
index e832ad53e2393..a4f4d12f904e7 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
@@ -22,6 +22,7 @@ static const struct usb_device_id mt76x2u_device_table[] = {
{ USB_DEVICE(0x0846, 0x9053) }, /* Netgear A6210 */
{ USB_DEVICE(0x045e, 0x02e6) }, /* XBox One Wireless Adapter */
{ USB_DEVICE(0x045e, 0x02fe) }, /* XBox One Wireless Adapter */
+ { USB_DEVICE(0x2357, 0x0137) }, /* TP-Link TL-WDN6200 */
{ },
};
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 134/449] net: vlan: dont propagate flags on open
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 133/449] wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 135/449] tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER Greg Kroah-Hartman
` (321 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b0c03d76056ef6cd12a6,
Stanislav Fomichev, Simon Horman, Paolo Abeni, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanislav Fomichev <sdf@fomichev.me>
[ Upstream commit 27b918007d96402aba10ed52a6af8015230f1793 ]
With the device instance lock, there is now a possibility of a deadlock:
[ 1.211455] ============================================
[ 1.211571] WARNING: possible recursive locking detected
[ 1.211687] 6.14.0-rc5-01215-g032756b4ca7a-dirty #5 Not tainted
[ 1.211823] --------------------------------------------
[ 1.211936] ip/184 is trying to acquire lock:
[ 1.212032] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_set_allmulti+0x4e/0xb0
[ 1.212207]
[ 1.212207] but task is already holding lock:
[ 1.212332] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0
[ 1.212487]
[ 1.212487] other info that might help us debug this:
[ 1.212626] Possible unsafe locking scenario:
[ 1.212626]
[ 1.212751] CPU0
[ 1.212815] ----
[ 1.212871] lock(&dev->lock);
[ 1.212944] lock(&dev->lock);
[ 1.213016]
[ 1.213016] *** DEADLOCK ***
[ 1.213016]
[ 1.213143] May be due to missing lock nesting notation
[ 1.213143]
[ 1.213294] 3 locks held by ip/184:
[ 1.213371] #0: ffffffff838b53e0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x1b/0xa0
[ 1.213543] #1: ffffffff84e5fc70 (&net->rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x37/0xa0
[ 1.213727] #2: ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0
[ 1.213895]
[ 1.213895] stack backtrace:
[ 1.213991] CPU: 0 UID: 0 PID: 184 Comm: ip Not tainted 6.14.0-rc5-01215-g032756b4ca7a-dirty #5
[ 1.213993] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
[ 1.213994] Call Trace:
[ 1.213995] <TASK>
[ 1.213996] dump_stack_lvl+0x8e/0xd0
[ 1.214000] print_deadlock_bug+0x28b/0x2a0
[ 1.214020] lock_acquire+0xea/0x2a0
[ 1.214027] __mutex_lock+0xbf/0xd40
[ 1.214038] dev_set_allmulti+0x4e/0xb0 # real_dev->flags & IFF_ALLMULTI
[ 1.214040] vlan_dev_open+0xa5/0x170 # ndo_open on vlandev
[ 1.214042] __dev_open+0x145/0x270
[ 1.214046] __dev_change_flags+0xb0/0x1e0
[ 1.214051] netif_change_flags+0x22/0x60 # IFF_UP vlandev
[ 1.214053] dev_change_flags+0x61/0xb0 # for each device in group from dev->vlan_info
[ 1.214055] vlan_device_event+0x766/0x7c0 # on netdevsim0
[ 1.214058] notifier_call_chain+0x78/0x120
[ 1.214062] netif_open+0x6d/0x90
[ 1.214064] dev_open+0x5b/0xb0 # locks netdevsim0
[ 1.214066] bond_enslave+0x64c/0x1230
[ 1.214075] do_set_master+0x175/0x1e0 # on netdevsim0
[ 1.214077] do_setlink+0x516/0x13b0
[ 1.214094] rtnl_newlink+0xaba/0xb80
[ 1.214132] rtnetlink_rcv_msg+0x440/0x490
[ 1.214144] netlink_rcv_skb+0xeb/0x120
[ 1.214150] netlink_unicast+0x1f9/0x320
[ 1.214153] netlink_sendmsg+0x346/0x3f0
[ 1.214157] __sock_sendmsg+0x86/0xb0
[ 1.214160] ____sys_sendmsg+0x1c8/0x220
[ 1.214164] ___sys_sendmsg+0x28f/0x2d0
[ 1.214179] __x64_sys_sendmsg+0xef/0x140
[ 1.214184] do_syscall_64+0xec/0x1d0
[ 1.214190] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 1.214191] RIP: 0033:0x7f2d1b4a7e56
Device setup:
netdevsim0 (down)
^ ^
bond netdevsim1.100@netdevsim1 allmulticast=on (down)
When we enslave the lower device (netdevsim0) which has a vlan, we
propagate vlan's allmuti/promisc flags during ndo_open. This causes
(re)locking on of the real_dev.
Propagate allmulti/promisc on flags change, not on the open. There
is a slight semantics change that vlans that are down now propagate
the flags, but this seems unlikely to result in the real issues.
Reproducer:
echo 0 1 > /sys/bus/netdevsim/new_device
dev_path=$(ls -d /sys/bus/netdevsim/devices/netdevsim0/net/*)
dev=$(echo $dev_path | rev | cut -d/ -f1 | rev)
ip link set dev $dev name netdevsim0
ip link set dev netdevsim0 up
ip link add link netdevsim0 name netdevsim0.100 type vlan id 100
ip link set dev netdevsim0.100 allmulticast on down
ip link add name bond1 type bond mode 802.3ad
ip link set dev netdevsim0 down
ip link set dev netdevsim0 master bond1
ip link set dev bond1 up
ip link show
Reported-by: syzbot+b0c03d76056ef6cd12a6@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/Z9CfXjLMKn6VLG5d@mini-arch/T/#m15ba130f53227c883e79fb969687d69d670337a0
Signed-off-by: Stanislav Fomichev <sdf@fomichev.me>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250313100657.2287455-1-sdf@fomichev.me
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/8021q/vlan_dev.c | 31 ++++---------------------------
1 file changed, 4 insertions(+), 27 deletions(-)
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index 91d134961357c..ee7186e4d353b 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -273,17 +273,6 @@ static int vlan_dev_open(struct net_device *dev)
goto out;
}
- if (dev->flags & IFF_ALLMULTI) {
- err = dev_set_allmulti(real_dev, 1);
- if (err < 0)
- goto del_unicast;
- }
- if (dev->flags & IFF_PROMISC) {
- err = dev_set_promiscuity(real_dev, 1);
- if (err < 0)
- goto clear_allmulti;
- }
-
ether_addr_copy(vlan->real_dev_addr, real_dev->dev_addr);
if (vlan->flags & VLAN_FLAG_GVRP)
@@ -297,12 +286,6 @@ static int vlan_dev_open(struct net_device *dev)
netif_carrier_on(dev);
return 0;
-clear_allmulti:
- if (dev->flags & IFF_ALLMULTI)
- dev_set_allmulti(real_dev, -1);
-del_unicast:
- if (!ether_addr_equal(dev->dev_addr, real_dev->dev_addr))
- dev_uc_del(real_dev, dev->dev_addr);
out:
netif_carrier_off(dev);
return err;
@@ -315,10 +298,6 @@ static int vlan_dev_stop(struct net_device *dev)
dev_mc_unsync(real_dev, dev);
dev_uc_unsync(real_dev, dev);
- if (dev->flags & IFF_ALLMULTI)
- dev_set_allmulti(real_dev, -1);
- if (dev->flags & IFF_PROMISC)
- dev_set_promiscuity(real_dev, -1);
if (!ether_addr_equal(dev->dev_addr, real_dev->dev_addr))
dev_uc_del(real_dev, dev->dev_addr);
@@ -490,12 +469,10 @@ static void vlan_dev_change_rx_flags(struct net_device *dev, int change)
{
struct net_device *real_dev = vlan_dev_priv(dev)->real_dev;
- if (dev->flags & IFF_UP) {
- if (change & IFF_ALLMULTI)
- dev_set_allmulti(real_dev, dev->flags & IFF_ALLMULTI ? 1 : -1);
- if (change & IFF_PROMISC)
- dev_set_promiscuity(real_dev, dev->flags & IFF_PROMISC ? 1 : -1);
- }
+ if (change & IFF_ALLMULTI)
+ dev_set_allmulti(real_dev, dev->flags & IFF_ALLMULTI ? 1 : -1);
+ if (change & IFF_PROMISC)
+ dev_set_promiscuity(real_dev, dev->flags & IFF_PROMISC ? 1 : -1);
}
static void vlan_dev_set_rx_mode(struct net_device *vlan_dev)
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 135/449] tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 134/449] net: vlan: dont propagate flags on open Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 136/449] Bluetooth: btusb: Add new VID/PID for WCN785x Greg Kroah-Hartman
` (320 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gabriele Paoloni,
Steven Rostedt (Google), Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabriele Paoloni <gpaoloni@redhat.com>
[ Upstream commit 0c588ac0ca6c22b774d9ad4a6594681fdfa57d9d ]
When __ftrace_event_enable_disable invokes the class callback to
unregister the event, the return value is not reported up to the
caller, hence leading to event unregister failures being silently
ignored.
This patch assigns the ret variable to the invocation of the
event unregister callback, so that its return value is stored
and reported to the caller, and it raises a warning in case
of error.
Link: https://lore.kernel.org/20250321170821.101403-1-gpaoloni@redhat.com
Signed-off-by: Gabriele Paoloni <gpaoloni@redhat.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_events.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
index b1f6d04f9fe99..ceeedcb5940bd 100644
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -797,7 +797,9 @@ static int __ftrace_event_enable_disable(struct trace_event_file *file,
clear_bit(EVENT_FILE_FL_RECORDED_TGID_BIT, &file->flags);
}
- call->class->reg(call, TRACE_REG_UNREGISTER, file);
+ ret = call->class->reg(call, TRACE_REG_UNREGISTER, file);
+
+ WARN_ON_ONCE(ret);
}
/* If in SOFT_MODE, just set the SOFT_DISABLE_BIT, else clear it */
if (file->flags & EVENT_FILE_FL_SOFT_MODE)
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 136/449] Bluetooth: btusb: Add new VID/PID for WCN785x
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 135/449] tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 137/449] Bluetooth: btintel_pcie: Add device id of Whale Peak Greg Kroah-Hartman
` (319 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dorian Cruveiller,
Luiz Augusto von Dentz, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dorian Cruveiller <doriancruveiller@gmail.com>
[ Upstream commit c7629ccfa175e16bb44a60c469214e1a6051f63d ]
Add VID 0489 & PID e10d for Qualcomm WCN785x USB Bluetooth chip.
The information in /sys/kernel/debug/usb/devices about the Bluetooth
device is listed as the below.
T: Bus=01 Lev=01 Prnt=01 Port=03 Cnt=03 Dev#= 4 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0489 ProdID=e10d Rev= 0.01
C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms
I: If#= 1 Alt= 7 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 65 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 65 Ivl=1ms
Signed-off-by: Dorian Cruveiller <doriancruveiller@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btusb.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 699ff21d97675..5c93d974130f0 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -376,6 +376,8 @@ static const struct usb_device_id quirks_table[] = {
BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x0489, 0xe0f3), .driver_info = BTUSB_QCA_WCN6855 |
BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0489, 0xe10d), .driver_info = BTUSB_QCA_WCN6855 |
+ BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x13d3, 0x3623), .driver_info = BTUSB_QCA_WCN6855 |
BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x2c7c, 0x0130), .driver_info = BTUSB_QCA_WCN6855 |
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 137/449] Bluetooth: btintel_pcie: Add device id of Whale Peak
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 136/449] Bluetooth: btusb: Add new VID/PID for WCN785x Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 138/449] Bluetooth: btusb: Add 13 USB device IDs for Qualcomm WCN785x Greg Kroah-Hartman
` (318 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kiran K, Luiz Augusto von Dentz,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kiran K <kiran.k@intel.com>
[ Upstream commit 6b8c05e52d66e4fe4ab1df4c6e15f339ecd9aa51 ]
Add device of Whale Peak.
Output of sudo lspci -v -s 00:14.7:
00:14.7 Bluetooth: Intel Corporation Device e476
Subsystem: Intel Corporation Device 0011
Flags: bus master, fast devsel, latency 0, IRQ 16, IOMMU group 11
Memory at 11011c30000 (64-bit, non-prefetchable) [size=16K]
Capabilities: [c8] Power Management version 3
Capabilities: [d0] MSI: Enable- Count=1/1 Maskable- 64bit+
Capabilities: [40] Express Root Complex Integrated Endpoint, MSI 00
Capabilities: [80] MSI-X: Enable+ Count=32 Masked-
Capabilities: [100] Latency Tolerance Reporting
Kernel driver in use: btintel_pcie
Kernel modules: btintel_pcie
Signed-off-by: Kiran K <kiran.k@intel.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btintel_pcie.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
index 091ffe3e14954..6130854b6658a 100644
--- a/drivers/bluetooth/btintel_pcie.c
+++ b/drivers/bluetooth/btintel_pcie.c
@@ -36,6 +36,7 @@
/* Intel Bluetooth PCIe device id table */
static const struct pci_device_id btintel_pcie_table[] = {
{ BTINTEL_PCI_DEVICE(0xA876, PCI_ANY_ID) },
+ { BTINTEL_PCI_DEVICE(0xE476, PCI_ANY_ID) },
{ 0 }
};
MODULE_DEVICE_TABLE(pci, btintel_pcie_table);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 138/449] Bluetooth: btusb: Add 13 USB device IDs for Qualcomm WCN785x
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 137/449] Bluetooth: btintel_pcie: Add device id of Whale Peak Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 139/449] Bluetooth: hci_uart: fix race during initialization Greg Kroah-Hartman
` (317 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zijun Hu, Luiz Augusto von Dentz,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
[ Upstream commit 2dd1c1eee3e496fcc16971be4db5bb792a36025c ]
Add 13 USB device IDs for Qualcomm WCN785x, and these IDs are
extracted from Windows driver inf file for various types of
WoS (Windows on Snapdragon) laptop.
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btusb.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 5c93d974130f0..1295a979a3264 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -376,12 +376,38 @@ static const struct usb_device_id quirks_table[] = {
BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x0489, 0xe0f3), .driver_info = BTUSB_QCA_WCN6855 |
BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0489, 0xe100), .driver_info = BTUSB_QCA_WCN6855 |
+ BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0489, 0xe103), .driver_info = BTUSB_QCA_WCN6855 |
+ BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0489, 0xe10a), .driver_info = BTUSB_QCA_WCN6855 |
+ BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x0489, 0xe10d), .driver_info = BTUSB_QCA_WCN6855 |
BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0489, 0xe11b), .driver_info = BTUSB_QCA_WCN6855 |
+ BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0489, 0xe11c), .driver_info = BTUSB_QCA_WCN6855 |
+ BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0489, 0xe11f), .driver_info = BTUSB_QCA_WCN6855 |
+ BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0489, 0xe141), .driver_info = BTUSB_QCA_WCN6855 |
+ BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0489, 0xe14a), .driver_info = BTUSB_QCA_WCN6855 |
+ BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0489, 0xe14b), .driver_info = BTUSB_QCA_WCN6855 |
+ BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0489, 0xe14d), .driver_info = BTUSB_QCA_WCN6855 |
+ BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x13d3, 0x3623), .driver_info = BTUSB_QCA_WCN6855 |
BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x13d3, 0x3624), .driver_info = BTUSB_QCA_WCN6855 |
+ BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x2c7c, 0x0130), .driver_info = BTUSB_QCA_WCN6855 |
BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x2c7c, 0x0131), .driver_info = BTUSB_QCA_WCN6855 |
+ BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x2c7c, 0x0132), .driver_info = BTUSB_QCA_WCN6855 |
+ BTUSB_WIDEBAND_SPEECH },
/* Broadcom BCM2035 */
{ USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 },
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 139/449] Bluetooth: hci_uart: fix race during initialization
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 138/449] Bluetooth: btusb: Add 13 USB device IDs for Qualcomm WCN785x Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 140/449] Bluetooth: btusb: Add 2 HWIDs for MT7922 Greg Kroah-Hartman
` (316 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arseniy Krasnov,
Luiz Augusto von Dentz, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arseniy Krasnov <avkrasnov@salutedevices.com>
[ Upstream commit 366ceff495f902182d42b6f41525c2474caf3f9a ]
'hci_register_dev()' calls power up function, which is executed by
kworker - 'hci_power_on()'. This function does access to bluetooth chip
using callbacks from 'hci_ldisc.c', for example 'hci_uart_send_frame()'.
Now 'hci_uart_send_frame()' checks 'HCI_UART_PROTO_READY' bit set, and
if not - it fails. Problem is that 'HCI_UART_PROTO_READY' is set after
'hci_register_dev()', and there is tiny chance that 'hci_power_on()' will
be executed before setting this bit. In that case HCI init logic fails.
Patch moves setting of 'HCI_UART_PROTO_READY' before calling function
'hci_uart_register_dev()'.
Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/hci_ldisc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index d2d6ba8d2f8b1..b955dc96b483a 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -707,12 +707,13 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id)
hu->proto = p;
+ set_bit(HCI_UART_PROTO_READY, &hu->flags);
+
err = hci_uart_register_dev(hu);
if (err) {
return err;
}
- set_bit(HCI_UART_PROTO_READY, &hu->flags);
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 140/449] Bluetooth: btusb: Add 2 HWIDs for MT7922
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 139/449] Bluetooth: hci_uart: fix race during initialization Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 141/449] Bluetooth: hci_qca: use the power sequencer for wcn6750 Greg Kroah-Hartman
` (315 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiande Lu, Luiz Augusto von Dentz,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiande Lu <jiande.lu@mediatek.com>
[ Upstream commit a88643b7e48506777e175e80c902c727ddd90851 ]
Add below HWIDs for MediaTek MT7922 USB Bluetooth chip.
VID 0x0489, PID 0xe152
VID 0x0489, PID 0xe153
Patch has been tested successfully and controller is recognized
device pair successfully.
MT7922 module bring up message as below.
Bluetooth: Core ver 2.22
Bluetooth: HCI device and connection manager initialized
Bluetooth: HCI socket layer initialized
Bluetooth: L2CAP socket layer initialized
Bluetooth: SCO socket layer initialized
Bluetooth: hci0: HW/SW Version: 0x008a008a, Build Time: 20241106163512
Bluetooth: hci0: Device setup in 2284925 usecs
Bluetooth: hci0: HCI Enhanced Setup Synchronous Connection command is advertised, but not supported.
Bluetooth: hci0: AOSP extensions version v1.00
Bluetooth: BNEP (Ethernet Emulation) ver 1.3
Bluetooth: BNEP filters: protocol multicast
Bluetooth: BNEP socket layer initialized
Bluetooth: MGMT ver 1.22
Bluetooth: RFCOMM TTY layer initialized
Bluetooth: RFCOMM socket layer initialized
Bluetooth: RFCOMM ver 1.11
Signed-off-by: Jiande Lu <jiande.lu@mediatek.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btusb.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 1295a979a3264..bfd769f2026b3 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -668,6 +668,10 @@ static const struct usb_device_id quirks_table[] = {
BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x0489, 0xe102), .driver_info = BTUSB_MEDIATEK |
BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0489, 0xe152), .driver_info = BTUSB_MEDIATEK |
+ BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0489, 0xe153), .driver_info = BTUSB_MEDIATEK |
+ BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x04ca, 0x3804), .driver_info = BTUSB_MEDIATEK |
BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x04ca, 0x38e4), .driver_info = BTUSB_MEDIATEK |
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 141/449] Bluetooth: hci_qca: use the power sequencer for wcn6750
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 140/449] Bluetooth: btusb: Add 2 HWIDs for MT7922 Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 142/449] Bluetooth: qca: simplify WCN399x NVM loading Greg Kroah-Hartman
` (314 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Janaki Ramaiah Thota,
Dmitry Baryshkov, Luiz Augusto von Dentz, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Janaki Ramaiah Thota <quic_janathot@quicinc.com>
[ Upstream commit 852cfdc7a5a5af54358325c1e0f490cc178d9664 ]
Older boards are having entry "enable-gpios" in dts, we can safely assume
latest boards which are supporting PMU node enrty will support power
sequencer.
Signed-off-by: Janaki Ramaiah Thota <quic_janathot@quicinc.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/hci_qca.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index 0ac2168f1dc4f..d2fd08aceb179 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -2359,6 +2359,7 @@ static int qca_serdev_probe(struct serdev_device *serdev)
switch (qcadev->btsoc_type) {
case QCA_WCN6855:
case QCA_WCN7850:
+ case QCA_WCN6750:
if (!device_property_present(&serdev->dev, "enable-gpios")) {
/*
* Backward compatibility with old DT sources. If the
@@ -2378,7 +2379,6 @@ static int qca_serdev_probe(struct serdev_device *serdev)
case QCA_WCN3990:
case QCA_WCN3991:
case QCA_WCN3998:
- case QCA_WCN6750:
qcadev->bt_power->dev = &serdev->dev;
err = qca_init_regulators(qcadev->bt_power, data->vregs,
data->num_vregs);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 142/449] Bluetooth: qca: simplify WCN399x NVM loading
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 141/449] Bluetooth: hci_qca: use the power sequencer for wcn6750 Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 143/449] Bluetooth: qca: add WCN3950 support Greg Kroah-Hartman
` (313 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov,
Luiz Augusto von Dentz, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
[ Upstream commit 1cc41b5092e3aa511454ec882c525af311bee631 ]
The WCN399x code has two separate cases for loading the NVM data. In
preparation to adding support for WCN3950, which also requires similar
quirk, split the "variant" to be specified explicitly and merge two
snprintfs into a single one.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btqca.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
index cdf09d9a9ad27..7d6b02fe2040f 100644
--- a/drivers/bluetooth/btqca.c
+++ b/drivers/bluetooth/btqca.c
@@ -785,6 +785,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
const char *firmware_name, const char *rampatch_name)
{
struct qca_fw_config config = {};
+ const char *variant = "";
int err;
u8 rom_ver = 0;
u32 soc_ver;
@@ -883,13 +884,11 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
case QCA_WCN3990:
case QCA_WCN3991:
case QCA_WCN3998:
- if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) {
- snprintf(config.fwname, sizeof(config.fwname),
- "qca/crnv%02xu.bin", rom_ver);
- } else {
- snprintf(config.fwname, sizeof(config.fwname),
- "qca/crnv%02x.bin", rom_ver);
- }
+ if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID)
+ variant = "u";
+
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/crnv%02x%s.bin", rom_ver, variant);
break;
case QCA_WCN3988:
snprintf(config.fwname, sizeof(config.fwname),
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 143/449] Bluetooth: qca: add WCN3950 support
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 142/449] Bluetooth: qca: simplify WCN399x NVM loading Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 144/449] drm: allow encoder mode_set even when connectors change for crtc Greg Kroah-Hartman
` (312 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov,
Luiz Augusto von Dentz, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
[ Upstream commit d5712c511cb358ab87f1e884848419ec76a67ab2 ]
WCN3950 is another example of the WCN39xx BT/WiFI family of chips. It
requires different firmware files and has different current
requirements, so add it as a separate SoC type.
The firmware for these chips has been recently added to the
linux-firmware repository and will be a part of the upcoming release:
- qca/cmbtfw12.tlv
- qca/cmbtfw13.tlv
- qca/cmnv12.bin
- qca/cmnv13.bin
- qca/cmnv13s.bin
- qca/cmnv13t.bin
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btqca.c | 14 ++++++++++++++
drivers/bluetooth/btqca.h | 4 ++++
drivers/bluetooth/hci_qca.c | 25 +++++++++++++++++++++++++
3 files changed, 43 insertions(+)
diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
index 7d6b02fe2040f..3d6778b95e005 100644
--- a/drivers/bluetooth/btqca.c
+++ b/drivers/bluetooth/btqca.c
@@ -816,6 +816,10 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
snprintf(config.fwname, sizeof(config.fwname), "qca/%s", rampatch_name);
} else {
switch (soc_type) {
+ case QCA_WCN3950:
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/cmbtfw%02x.tlv", rom_ver);
+ break;
case QCA_WCN3990:
case QCA_WCN3991:
case QCA_WCN3998:
@@ -881,6 +885,15 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
}
} else {
switch (soc_type) {
+ case QCA_WCN3950:
+ if (le32_to_cpu(ver.soc_id) == QCA_WCN3950_SOC_ID_T)
+ variant = "t";
+ else if (le32_to_cpu(ver.soc_id) == QCA_WCN3950_SOC_ID_S)
+ variant = "u";
+
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/cmnv%02x%s.bin", rom_ver, variant);
+ break;
case QCA_WCN3990:
case QCA_WCN3991:
case QCA_WCN3998:
@@ -947,6 +960,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
* VsMsftOpCode.
*/
switch (soc_type) {
+ case QCA_WCN3950:
case QCA_WCN3988:
case QCA_WCN3990:
case QCA_WCN3991:
diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h
index 9d28c88002257..8f3c1b1c77b3d 100644
--- a/drivers/bluetooth/btqca.h
+++ b/drivers/bluetooth/btqca.h
@@ -41,6 +41,9 @@
#define QCA_WCN3991_SOC_ID 0x40014320
+#define QCA_WCN3950_SOC_ID_T 0x40074130
+#define QCA_WCN3950_SOC_ID_S 0x40075130
+
/* QCA chipset version can be decided by patch and SoC
* version, combination with upper 2 bytes from SoC
* and lower 2 bytes from patch will be used.
@@ -145,6 +148,7 @@ enum qca_btsoc_type {
QCA_INVALID = -1,
QCA_AR3002,
QCA_ROME,
+ QCA_WCN3950,
QCA_WCN3988,
QCA_WCN3990,
QCA_WCN3998,
diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index d2fd08aceb179..f2558506a02c7 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -623,6 +623,7 @@ static int qca_open(struct hci_uart *hu)
qcadev = serdev_device_get_drvdata(hu->serdev);
switch (qcadev->btsoc_type) {
+ case QCA_WCN3950:
case QCA_WCN3988:
case QCA_WCN3990:
case QCA_WCN3991:
@@ -1366,6 +1367,7 @@ static int qca_set_baudrate(struct hci_dev *hdev, uint8_t baudrate)
/* Give the controller time to process the request */
switch (qca_soc_type(hu)) {
+ case QCA_WCN3950:
case QCA_WCN3988:
case QCA_WCN3990:
case QCA_WCN3991:
@@ -1452,6 +1454,7 @@ static unsigned int qca_get_speed(struct hci_uart *hu,
static int qca_check_speeds(struct hci_uart *hu)
{
switch (qca_soc_type(hu)) {
+ case QCA_WCN3950:
case QCA_WCN3988:
case QCA_WCN3990:
case QCA_WCN3991:
@@ -1494,6 +1497,7 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type)
* changing the baudrate of chip and host.
*/
switch (soc_type) {
+ case QCA_WCN3950:
case QCA_WCN3988:
case QCA_WCN3990:
case QCA_WCN3991:
@@ -1528,6 +1532,7 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type)
error:
switch (soc_type) {
+ case QCA_WCN3950:
case QCA_WCN3988:
case QCA_WCN3990:
case QCA_WCN3991:
@@ -1746,6 +1751,7 @@ static int qca_regulator_init(struct hci_uart *hu)
}
switch (soc_type) {
+ case QCA_WCN3950:
case QCA_WCN3988:
case QCA_WCN3990:
case QCA_WCN3991:
@@ -1776,6 +1782,7 @@ static int qca_regulator_init(struct hci_uart *hu)
qca_set_speed(hu, QCA_INIT_SPEED);
switch (soc_type) {
+ case QCA_WCN3950:
case QCA_WCN3988:
case QCA_WCN3990:
case QCA_WCN3991:
@@ -1807,6 +1814,7 @@ static int qca_power_on(struct hci_dev *hdev)
return 0;
switch (soc_type) {
+ case QCA_WCN3950:
case QCA_WCN3988:
case QCA_WCN3990:
case QCA_WCN3991:
@@ -1891,6 +1899,7 @@ static int qca_setup(struct hci_uart *hu)
soc_name = "qca2066";
break;
+ case QCA_WCN3950:
case QCA_WCN3988:
case QCA_WCN3990:
case QCA_WCN3991:
@@ -1925,6 +1934,7 @@ static int qca_setup(struct hci_uart *hu)
clear_bit(QCA_SSR_TRIGGERED, &qca->flags);
switch (soc_type) {
+ case QCA_WCN3950:
case QCA_WCN3988:
case QCA_WCN3990:
case QCA_WCN3991:
@@ -1958,6 +1968,7 @@ static int qca_setup(struct hci_uart *hu)
}
switch (soc_type) {
+ case QCA_WCN3950:
case QCA_WCN3988:
case QCA_WCN3990:
case QCA_WCN3991:
@@ -2046,6 +2057,17 @@ static const struct hci_uart_proto qca_proto = {
.dequeue = qca_dequeue,
};
+static const struct qca_device_data qca_soc_data_wcn3950 __maybe_unused = {
+ .soc_type = QCA_WCN3950,
+ .vregs = (struct qca_vreg []) {
+ { "vddio", 15000 },
+ { "vddxo", 60000 },
+ { "vddrf", 155000 },
+ { "vddch0", 585000 },
+ },
+ .num_vregs = 4,
+};
+
static const struct qca_device_data qca_soc_data_wcn3988 __maybe_unused = {
.soc_type = QCA_WCN3988,
.vregs = (struct qca_vreg []) {
@@ -2338,6 +2360,7 @@ static int qca_serdev_probe(struct serdev_device *serdev)
qcadev->btsoc_type = QCA_ROME;
switch (qcadev->btsoc_type) {
+ case QCA_WCN3950:
case QCA_WCN3988:
case QCA_WCN3990:
case QCA_WCN3991:
@@ -2375,6 +2398,7 @@ static int qca_serdev_probe(struct serdev_device *serdev)
break;
}
fallthrough;
+ case QCA_WCN3950:
case QCA_WCN3988:
case QCA_WCN3990:
case QCA_WCN3991:
@@ -2683,6 +2707,7 @@ static const struct of_device_id qca_bluetooth_of_match[] = {
{ .compatible = "qcom,qca6174-bt" },
{ .compatible = "qcom,qca6390-bt", .data = &qca_soc_data_qca6390},
{ .compatible = "qcom,qca9377-bt" },
+ { .compatible = "qcom,wcn3950-bt", .data = &qca_soc_data_wcn3950},
{ .compatible = "qcom,wcn3988-bt", .data = &qca_soc_data_wcn3988},
{ .compatible = "qcom,wcn3990-bt", .data = &qca_soc_data_wcn3990},
{ .compatible = "qcom,wcn3991-bt", .data = &qca_soc_data_wcn3991},
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 144/449] drm: allow encoder mode_set even when connectors change for crtc
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 143/449] Bluetooth: qca: add WCN3950 support Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 145/449] drm/virtio: Set missing bo->attached flag Greg Kroah-Hartman
` (311 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abhinav Kumar, Jessica Zhang,
Maxime Ripard, Dmitry Baryshkov, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abhinav Kumar <quic_abhinavk@quicinc.com>
[ Upstream commit 7e182cb4f5567f53417b762ec0d679f0b6f0039d ]
In certain use-cases, a CRTC could switch between two encoders
and because the mode being programmed on the CRTC remains
the same during this switch, the CRTC's mode_changed remains false.
In such cases, the encoder's mode_set also gets skipped.
Skipping mode_set on the encoder for such cases could cause an issue
because even though the same CRTC mode was being used, the encoder
type could have changed like the CRTC could have switched from a
real time encoder to a writeback encoder OR vice-versa.
Allow encoder's mode_set to happen even when connectors changed on a
CRTC and not just when the mode changed.
Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Signed-off-by: Jessica Zhang <quic_jesszhan@quicinc.com>
Reviewed-by: Maxime Ripard <mripard@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20241211-abhinavk-modeset-fix-v3-1-0de4bf3e7c32@quicinc.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_atomic_helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
index 5186d2114a503..32902f77f00dd 100644
--- a/drivers/gpu/drm/drm_atomic_helper.c
+++ b/drivers/gpu/drm/drm_atomic_helper.c
@@ -1376,7 +1376,7 @@ crtc_set_mode(struct drm_device *dev, struct drm_atomic_state *old_state)
mode = &new_crtc_state->mode;
adjusted_mode = &new_crtc_state->adjusted_mode;
- if (!new_crtc_state->mode_changed)
+ if (!new_crtc_state->mode_changed && !new_crtc_state->connectors_changed)
continue;
drm_dbg_atomic(dev, "modeset on [ENCODER:%d:%s]\n",
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 145/449] drm/virtio: Set missing bo->attached flag
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 144/449] drm: allow encoder mode_set even when connectors change for crtc Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 146/449] drm/rockchip: Dont change hdmi reference clock rate Greg Kroah-Hartman
` (310 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Osipenko, Vivek Kasireddy,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Osipenko <dmitry.osipenko@collabora.com>
[ Upstream commit ffda6454267d0b870f3a09945a7ce88137b914a6 ]
VirtIO-GPU driver now supports detachment of shmem BOs from host, but
doing it only for imported dma-bufs. Mark all shmem BOs as attached, not
just dma-bufs. This is a minor correction since detachment of a non-dmabuf
BOs not supported today.
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Acked-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241129155357.2265357-1-dmitry.osipenko@collabora.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/virtio/virtgpu_prime.c | 1 -
drivers/gpu/drm/virtio/virtgpu_vq.c | 3 +++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/virtio/virtgpu_prime.c b/drivers/gpu/drm/virtio/virtgpu_prime.c
index d28d1c45a703b..58c9e22e9745c 100644
--- a/drivers/gpu/drm/virtio/virtgpu_prime.c
+++ b/drivers/gpu/drm/virtio/virtgpu_prime.c
@@ -250,7 +250,6 @@ static int virtgpu_dma_buf_init_obj(struct drm_device *dev,
virtio_gpu_cmd_resource_create_blob(vgdev, bo, ¶ms,
ents, nents);
bo->guest_blob = true;
- bo->attached = true;
dma_buf_unpin(attach);
dma_resv_unlock(resv);
diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c
index ad91624df42dd..062639250a4e9 100644
--- a/drivers/gpu/drm/virtio/virtgpu_vq.c
+++ b/drivers/gpu/drm/virtio/virtgpu_vq.c
@@ -1300,6 +1300,9 @@ virtio_gpu_cmd_resource_create_blob(struct virtio_gpu_device *vgdev,
virtio_gpu_queue_ctrl_buffer(vgdev, vbuf);
bo->created = true;
+
+ if (nents)
+ bo->attached = true;
}
void virtio_gpu_cmd_set_scanout_blob(struct virtio_gpu_device *vgdev,
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 146/449] drm/rockchip: Dont change hdmi reference clock rate
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 145/449] drm/virtio: Set missing bo->attached flag Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 147/449] drm/xe/bmg: Add new PCI IDs Greg Kroah-Hartman
` (309 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Derek Foreman, Cristian Ciocaltea,
Heiko Stuebner, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Derek Foreman <derek.foreman@collabora.com>
[ Upstream commit 1854df7087be70ad54e24b2e308d7558ebea9f27 ]
The code that changes hdmi->ref_clk was accidentally copied from
downstream code that sets a different clock. We don't actually
want to set any clock here at all.
Setting this clock incorrectly leads to incorrect timings for
DDC, CEC, and HDCP signal generation.
No Fixes listed, as the theoretical timing error in DDC appears to
still be within tolerances and harmless - and HDCP and CEC are not
yet supported.
Signed-off-by: Derek Foreman <derek.foreman@collabora.com>
Reviewed-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20241217201708.3320673-1-derek.foreman@collabora.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c b/drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c
index e498767a0a667..cebd72bf1ef25 100644
--- a/drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c
+++ b/drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c
@@ -54,7 +54,6 @@ struct rockchip_hdmi_qp {
struct regmap *regmap;
struct regmap *vo_regmap;
struct rockchip_encoder encoder;
- struct clk *ref_clk;
struct dw_hdmi_qp *hdmi;
struct phy *phy;
struct gpio_desc *enable_gpio;
@@ -81,7 +80,6 @@ static void dw_hdmi_qp_rockchip_encoder_enable(struct drm_encoder *encoder)
if (crtc && crtc->state) {
rate = drm_hdmi_compute_mode_clock(&crtc->state->adjusted_mode,
8, HDMI_COLORSPACE_RGB);
- clk_set_rate(hdmi->ref_clk, rate);
/*
* FIXME: Temporary workaround to pass pixel clock rate
* to the PHY driver until phy_configure_opts_hdmi
@@ -330,17 +328,6 @@ static int dw_hdmi_qp_rockchip_bind(struct device *dev, struct device *master,
return ret;
}
- for (i = 0; i < ret; i++) {
- if (!strcmp(clks[i].id, "ref")) {
- hdmi->ref_clk = clks[1].clk;
- break;
- }
- }
- if (!hdmi->ref_clk) {
- drm_err(hdmi, "Missing ref clock\n");
- return -EINVAL;
- }
-
hdmi->enable_gpio = devm_gpiod_get_optional(hdmi->dev, "enable",
GPIOD_OUT_HIGH);
if (IS_ERR(hdmi->enable_gpio)) {
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 147/449] drm/xe/bmg: Add new PCI IDs
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 146/449] drm/rockchip: Dont change hdmi reference clock rate Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 148/449] drm/xe/ptl: Update the PTL pci id table Greg Kroah-Hartman
` (308 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shekhar Chauhan, Clint Taylor,
Rodrigo Vivi, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shekhar Chauhan <shekhar.chauhan@intel.com>
[ Upstream commit fa8ffaae1b15236b8afb0fbbc04117ff7c900a83 ]
Add 3 new PCI IDs for BMG.
v2: Fix typo -> Replace '.' with ','
Signed-off-by: Shekhar Chauhan <shekhar.chauhan@intel.com>
Reviewed-by: Clint Taylor <Clinton.A.Taylor@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250128162015.3288675-1-shekhar.chauhan@intel.com
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/drm/intel/pciids.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/include/drm/intel/pciids.h b/include/drm/intel/pciids.h
index 77c826589ec11..4035e215c962a 100644
--- a/include/drm/intel/pciids.h
+++ b/include/drm/intel/pciids.h
@@ -846,7 +846,10 @@
MACRO__(0xE20B, ## __VA_ARGS__), \
MACRO__(0xE20C, ## __VA_ARGS__), \
MACRO__(0xE20D, ## __VA_ARGS__), \
- MACRO__(0xE212, ## __VA_ARGS__)
+ MACRO__(0xE210, ## __VA_ARGS__), \
+ MACRO__(0xE212, ## __VA_ARGS__), \
+ MACRO__(0xE215, ## __VA_ARGS__), \
+ MACRO__(0xE216, ## __VA_ARGS__)
/* PTL */
#define INTEL_PTL_IDS(MACRO__, ...) \
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 148/449] drm/xe/ptl: Update the PTL pci id table
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 147/449] drm/xe/bmg: Add new PCI IDs Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 149/449] drm/xe/pf: Dont send BEGIN_ID if VF has no context/doorbells Greg Kroah-Hartman
` (307 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matt Atwood, Clint Taylor,
Rodrigo Vivi, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Atwood <matthew.s.atwood@intel.com>
[ Upstream commit 16016ade13f691da315fac7b23ebf1ab7b28b7ab ]
Update to current bspec table.
Bspec: 72574
Signed-off-by: Matt Atwood <matthew.s.atwood@intel.com>
Reviewed-by: Clint Taylor <Clinton.A.Taylor@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250128175102.45797-1-matthew.s.atwood@intel.com
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/drm/intel/pciids.h | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/include/drm/intel/pciids.h b/include/drm/intel/pciids.h
index 4035e215c962a..f9d3e85142ea8 100644
--- a/include/drm/intel/pciids.h
+++ b/include/drm/intel/pciids.h
@@ -856,12 +856,10 @@
MACRO__(0xB080, ## __VA_ARGS__), \
MACRO__(0xB081, ## __VA_ARGS__), \
MACRO__(0xB082, ## __VA_ARGS__), \
+ MACRO__(0xB083, ## __VA_ARGS__), \
+ MACRO__(0xB08F, ## __VA_ARGS__), \
MACRO__(0xB090, ## __VA_ARGS__), \
- MACRO__(0xB091, ## __VA_ARGS__), \
- MACRO__(0xB092, ## __VA_ARGS__), \
MACRO__(0xB0A0, ## __VA_ARGS__), \
- MACRO__(0xB0A1, ## __VA_ARGS__), \
- MACRO__(0xB0A2, ## __VA_ARGS__), \
MACRO__(0xB0B0, ## __VA_ARGS__)
#endif /* __PCIIDS_H__ */
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 149/449] drm/xe/pf: Dont send BEGIN_ID if VF has no context/doorbells
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 148/449] drm/xe/ptl: Update the PTL pci id table Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 150/449] drm/xe/vf: Dont try to trigger a full GT reset if VF Greg Kroah-Hartman
` (306 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Wajdeczko,
Michał Winiarski, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Wajdeczko <michal.wajdeczko@intel.com>
[ Upstream commit 21ccac0e22aaf27b767f9de4bf573e7c47f619c8 ]
It turned out that GuC validates VF configuration immediately
after receiving "some" set of configuration KLVs and complains
if one of the critical, from GuC understanding, resource is left
unprovisioned, even if PF should be still allowed to make late VF
config adjustments, since VF was not yet started.
This issue was discovered after we decided to asynchronously
re-send configuration KLVs after GT reset/resume, as then fair
VF auto-provisioning could already allocate some of the resources,
which was a prerequiste for sending those config KLVs:
# fair GGTT provisioning
[] xe 0000:00:02.0: [drm] GT0: PF: pushed VF1 config with 2 KLVs:
[] xe 0000:00:02.0: [drm] GT0: { key 0x0001 : 64b value 0x176a000 } # ggtt_start
[] xe 0000:00:02.0: [drm] GT0: { key 0x0002 : 64b value 0xfd696000 } # ggtt_size
[] xe 0000:00:02.0: [drm] GT0: PF: VF1 provisioned with 4251541504 (3.96 GiB) GGTT
# re-provisioning worker
[] xe 0000:00:02.0: [drm] *ERROR* GT0: H2G request 0x5503 failed: error 0x60 hint 0x0
[] xe 0000:00:02.0: [drm] GT0: PF: Failed to push VF1 14 config KLVs (-EIO)
[] xe 0000:00:02.0: [drm] GT0: { key 0x0001 : 64b value 0x176a000 } # ggtt_start
[] xe 0000:00:02.0: [drm] GT0: { key 0x0002 : 64b value 0xfd696000 } # ggtt_size
[] xe 0000:00:02.0: [drm] GT0: { key 0x8a0b : 32b value 0 } # begin_ctx_id
[] xe 0000:00:02.0: [drm] GT0: { key 0x0004 : 32b value 0 } # num_contexts
[] xe 0000:00:02.0: [drm] GT0: { key 0x8a0a : 32b value 0 } # begin_db_id
[] xe 0000:00:02.0: [drm] GT0: { key 0x0006 : 32b value 0 } # num_doorbells
[] xe 0000:00:02.0: [drm] GT0: { key 0x8a01 : 32b value 0 } # exec_quantum
[] xe 0000:00:02.0: [drm] GT0: { key 0x8a02 : 32b value 0 } # preempt_timeout
[] xe 0000:00:02.0: [drm] GT0: { key 0x8a03 : 32b value 0 } # cat_error_count
[] xe 0000:00:02.0: [drm] GT0: { key 0x8a04 : 32b value 0 } # engine_reset_count
[] xe 0000:00:02.0: [drm] GT0: { key 0x8a05 : 32b value 0 } # page_fault_count
[] xe 0000:00:02.0: [drm] GT0: { key 0x8a06 : 32b value 0 } # guc_time_us
[] xe 0000:00:02.0: [drm] GT0: { key 0x8a07 : 32b value 0 } # irq_time_us
[] xe 0000:00:02.0: [drm] GT0: { key 0x8a08 : 32b value 0 } # doorbell_time_us
[] xe 0000:00:02.0: [drm] GT0: PF: Failed to push VF1 configuration (-EIO)
To avoid such errors stop sending BEGIN_CONTEXT/DOORBELL_ID KLVs
if no GuC context/doorbell IDs were provisioned to VF.
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/4176
Signed-off-by: Michal Wajdeczko <michal.wajdeczko@intel.com>
Reviewed-by: Michał Winiarski <michal.winiarski@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250129195947.764-2-michal.wajdeczko@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c b/drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c
index 878e96281c035..4bd255adfb401 100644
--- a/drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c
+++ b/drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c
@@ -262,7 +262,7 @@ static u32 encode_config(u32 *cfg, const struct xe_gt_sriov_config *config, bool
n += encode_config_ggtt(cfg, config, details);
- if (details) {
+ if (details && config->num_ctxs) {
cfg[n++] = PREP_GUC_KLV_TAG(VF_CFG_BEGIN_CONTEXT_ID);
cfg[n++] = config->begin_ctx;
}
@@ -270,7 +270,7 @@ static u32 encode_config(u32 *cfg, const struct xe_gt_sriov_config *config, bool
cfg[n++] = PREP_GUC_KLV_TAG(VF_CFG_NUM_CONTEXTS);
cfg[n++] = config->num_ctxs;
- if (details) {
+ if (details && config->num_dbs) {
cfg[n++] = PREP_GUC_KLV_TAG(VF_CFG_BEGIN_DOORBELL_ID);
cfg[n++] = config->begin_db;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 150/449] drm/xe/vf: Dont try to trigger a full GT reset if VF
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 149/449] drm/xe/pf: Dont send BEGIN_ID if VF has no context/doorbells Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 151/449] drm/amd/display: Update Cursor request mode to the beginning prefetch always Greg Kroah-Hartman
` (305 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Wajdeczko, Lucas De Marchi,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Wajdeczko <michal.wajdeczko@intel.com>
[ Upstream commit 459777724d306315070d24608fcd89aea85516d6 ]
VFs don't have access to the GDRST(0x941c) register that driver
uses to reset a GT. Attempt to trigger a reset using debugfs:
$ cat /sys/kernel/debug/dri/0000:00:02.1/gt0/force_reset
or due to a hang condition detected by the driver leads to:
[ ] xe 0000:00:02.1: [drm] GT0: trying reset from force_reset [xe]
[ ] xe 0000:00:02.1: [drm] GT0: reset queued
[ ] xe 0000:00:02.1: [drm] GT0: reset started
[ ] ------------[ cut here ]------------
[ ] xe 0000:00:02.1: [drm] GT0: VF is trying to write 0x1 to an inaccessible register 0x941c+0x0
[ ] WARNING: CPU: 3 PID: 3069 at drivers/gpu/drm/xe/xe_gt_sriov_vf.c:996 xe_gt_sriov_vf_write32+0xc6/0x580 [xe]
[ ] RIP: 0010:xe_gt_sriov_vf_write32+0xc6/0x580 [xe]
[ ] Call Trace:
[ ] <TASK>
[ ] ? show_regs+0x6c/0x80
[ ] ? __warn+0x93/0x1c0
[ ] ? xe_gt_sriov_vf_write32+0xc6/0x580 [xe]
[ ] ? report_bug+0x182/0x1b0
[ ] ? handle_bug+0x6e/0xb0
[ ] ? exc_invalid_op+0x18/0x80
[ ] ? asm_exc_invalid_op+0x1b/0x20
[ ] ? xe_gt_sriov_vf_write32+0xc6/0x580 [xe]
[ ] ? xe_gt_sriov_vf_write32+0xc6/0x580 [xe]
[ ] ? xe_gt_tlb_invalidation_reset+0xef/0x110 [xe]
[ ] ? __mutex_unlock_slowpath+0x41/0x2e0
[ ] xe_mmio_write32+0x64/0x150 [xe]
[ ] do_gt_reset+0x2f/0xa0 [xe]
[ ] gt_reset_worker+0x14e/0x1e0 [xe]
[ ] process_one_work+0x21c/0x740
[ ] worker_thread+0x1db/0x3c0
Fix that by sending H2G VF_RESET(0x5507) action instead.
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/4078
Signed-off-by: Michal Wajdeczko <michal.wajdeczko@intel.com>
Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250131182502.852-1-michal.wajdeczko@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/xe_gt.c | 4 ++++
drivers/gpu/drm/xe/xe_gt_sriov_vf.c | 16 ++++++++++++++++
drivers/gpu/drm/xe/xe_gt_sriov_vf.h | 1 +
3 files changed, 21 insertions(+)
diff --git a/drivers/gpu/drm/xe/xe_gt.c b/drivers/gpu/drm/xe/xe_gt.c
index 9f4f27d1ef4a9..8a20e6744836c 100644
--- a/drivers/gpu/drm/xe/xe_gt.c
+++ b/drivers/gpu/drm/xe/xe_gt.c
@@ -32,6 +32,7 @@
#include "xe_gt_pagefault.h"
#include "xe_gt_printk.h"
#include "xe_gt_sriov_pf.h"
+#include "xe_gt_sriov_vf.h"
#include "xe_gt_sysfs.h"
#include "xe_gt_tlb_invalidation.h"
#include "xe_gt_topology.h"
@@ -676,6 +677,9 @@ static int do_gt_reset(struct xe_gt *gt)
{
int err;
+ if (IS_SRIOV_VF(gt_to_xe(gt)))
+ return xe_gt_sriov_vf_reset(gt);
+
xe_gsc_wa_14015076503(gt, true);
xe_mmio_write32(>->mmio, GDRST, GRDOM_FULL);
diff --git a/drivers/gpu/drm/xe/xe_gt_sriov_vf.c b/drivers/gpu/drm/xe/xe_gt_sriov_vf.c
index cca5d57328021..9c30cbd9af6e1 100644
--- a/drivers/gpu/drm/xe/xe_gt_sriov_vf.c
+++ b/drivers/gpu/drm/xe/xe_gt_sriov_vf.c
@@ -58,6 +58,22 @@ static int vf_reset_guc_state(struct xe_gt *gt)
return err;
}
+/**
+ * xe_gt_sriov_vf_reset - Reset GuC VF internal state.
+ * @gt: the &xe_gt
+ *
+ * It requires functional `GuC MMIO based communication`_.
+ *
+ * Return: 0 on success or a negative error code on failure.
+ */
+int xe_gt_sriov_vf_reset(struct xe_gt *gt)
+{
+ if (!xe_device_uc_enabled(gt_to_xe(gt)))
+ return -ENODEV;
+
+ return vf_reset_guc_state(gt);
+}
+
static int guc_action_match_version(struct xe_guc *guc,
u32 wanted_branch, u32 wanted_major, u32 wanted_minor,
u32 *branch, u32 *major, u32 *minor, u32 *patch)
diff --git a/drivers/gpu/drm/xe/xe_gt_sriov_vf.h b/drivers/gpu/drm/xe/xe_gt_sriov_vf.h
index 912d208142616..ba6c5d74e326f 100644
--- a/drivers/gpu/drm/xe/xe_gt_sriov_vf.h
+++ b/drivers/gpu/drm/xe/xe_gt_sriov_vf.h
@@ -12,6 +12,7 @@ struct drm_printer;
struct xe_gt;
struct xe_reg;
+int xe_gt_sriov_vf_reset(struct xe_gt *gt);
int xe_gt_sriov_vf_bootstrap(struct xe_gt *gt);
int xe_gt_sriov_vf_query_config(struct xe_gt *gt);
int xe_gt_sriov_vf_connect(struct xe_gt *gt);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 151/449] drm/amd/display: Update Cursor request mode to the beginning prefetch always
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 150/449] drm/xe/vf: Dont try to trigger a full GT reset if VF Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 152/449] drm/amd/display: Guard Possible Null Pointer Dereference Greg Kroah-Hartman
` (304 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicholas Kazlauskas, Zhikai Zhai,
Zaeem Mohamed, Daniel Wheeler, Alex Deucher, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhikai Zhai <zhikai.zhai@amd.com>
[ Upstream commit 4a4077b4b63a8404efd6d37fc2926f03fb25bace ]
[Why]
The double buffer cursor registers is updated by the cursor
vupdate event. There is a gap between vupdate and cursor data
fetch if cursor fetch data reletive to cursor position.
Cursor corruption will happen if we update the cursor surface
in this gap.
[How]
Modify the cursor request mode to the beginning prefetch always
and avoid wraparound calculation issues.
Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Signed-off-by: Zhikai Zhai <zhikai.zhai@amd.com>
Signed-off-by: Zaeem Mohamed <zaeem.mohamed@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../amd/display/dc/hubp/dcn31/dcn31_hubp.c | 2 +-
.../amd/display/dc/hwss/dcn10/dcn10_hwseq.c | 22 ++++++++-----------
2 files changed, 10 insertions(+), 14 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/hubp/dcn31/dcn31_hubp.c b/drivers/gpu/drm/amd/display/dc/hubp/dcn31/dcn31_hubp.c
index c2900c79a2d35..7fd582a8a4ba9 100644
--- a/drivers/gpu/drm/amd/display/dc/hubp/dcn31/dcn31_hubp.c
+++ b/drivers/gpu/drm/amd/display/dc/hubp/dcn31/dcn31_hubp.c
@@ -44,7 +44,7 @@ void hubp31_set_unbounded_requesting(struct hubp *hubp, bool enable)
struct dcn20_hubp *hubp2 = TO_DCN20_HUBP(hubp);
REG_UPDATE(DCHUBP_CNTL, HUBP_UNBOUNDED_REQ_MODE, enable);
- REG_UPDATE(CURSOR_CONTROL, CURSOR_REQ_MODE, enable);
+ REG_UPDATE(CURSOR_CONTROL, CURSOR_REQ_MODE, 1);
}
void hubp31_soft_reset(struct hubp *hubp, bool reset)
diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c
index 44e405e9bc971..13f9e9b439f6a 100644
--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c
+++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c
@@ -1992,20 +1992,11 @@ static void delay_cursor_until_vupdate(struct dc *dc, struct pipe_ctx *pipe_ctx)
dc->hwss.get_position(&pipe_ctx, 1, &position);
vpos = position.vertical_count;
- /* Avoid wraparound calculation issues */
- vupdate_start += stream->timing.v_total;
- vupdate_end += stream->timing.v_total;
- vpos += stream->timing.v_total;
-
if (vpos <= vupdate_start) {
/* VPOS is in VACTIVE or back porch. */
lines_to_vupdate = vupdate_start - vpos;
- } else if (vpos > vupdate_end) {
- /* VPOS is in the front porch. */
- return;
} else {
- /* VPOS is in VUPDATE. */
- lines_to_vupdate = 0;
+ lines_to_vupdate = stream->timing.v_total - vpos + vupdate_start;
}
/* Calculate time until VUPDATE in microseconds. */
@@ -2013,13 +2004,18 @@ static void delay_cursor_until_vupdate(struct dc *dc, struct pipe_ctx *pipe_ctx)
stream->timing.h_total * 10000u / stream->timing.pix_clk_100hz;
us_to_vupdate = lines_to_vupdate * us_per_line;
+ /* Stall out until the cursor update completes. */
+ if (vupdate_end < vupdate_start)
+ vupdate_end += stream->timing.v_total;
+
+ /* Position is in the range of vupdate start and end*/
+ if (lines_to_vupdate > stream->timing.v_total - vupdate_end + vupdate_start)
+ us_to_vupdate = 0;
+
/* 70 us is a conservative estimate of cursor update time*/
if (us_to_vupdate > 70)
return;
- /* Stall out until the cursor update completes. */
- if (vupdate_end < vupdate_start)
- vupdate_end += stream->timing.v_total;
us_vupdate = (vupdate_end - vupdate_start + 1) * us_per_line;
udelay(us_to_vupdate + us_vupdate);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 152/449] drm/amd/display: Guard Possible Null Pointer Dereference
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 151/449] drm/amd/display: Update Cursor request mode to the beginning prefetch always Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 153/449] drm/amd/display: add workaround flag to link to force FFE preset Greg Kroah-Hartman
` (303 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joshua Aberback, Sung Lee,
Zaeem Mohamed, Daniel Wheeler, Alex Deucher, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sung Lee <Sung.Lee@amd.com>
[ Upstream commit c87d202692de34ee71d1fd4679a549a29095658a ]
[WHY]
In some situations, dc->res_pool may be null.
[HOW]
Check if pointer is null before dereference.
Reviewed-by: Joshua Aberback <joshua.aberback@amd.com>
Signed-off-by: Sung Lee <Sung.Lee@amd.com>
Signed-off-by: Zaeem Mohamed <zaeem.mohamed@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/core/dc.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
index f84e795e35f58..4683c7ef4507f 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
@@ -5549,9 +5549,11 @@ void dc_allow_idle_optimizations_internal(struct dc *dc, bool allow, char const
if (dc->clk_mgr != NULL && dc->clk_mgr->funcs->get_hard_min_memclk)
idle_dramclk_khz = dc->clk_mgr->funcs->get_hard_min_memclk(dc->clk_mgr);
- for (i = 0; i < dc->res_pool->pipe_count; i++) {
- pipe = &context->res_ctx.pipe_ctx[i];
- subvp_pipe_type[i] = dc_state_get_pipe_subvp_type(context, pipe);
+ if (dc->res_pool && context) {
+ for (i = 0; i < dc->res_pool->pipe_count; i++) {
+ pipe = &context->res_ctx.pipe_ctx[i];
+ subvp_pipe_type[i] = dc_state_get_pipe_subvp_type(context, pipe);
+ }
}
DC_LOG_DC("%s: allow_idle=%d\n HardMinUClk_Khz=%d HardMinDramclk_Khz=%d\n Pipe_0=%d Pipe_1=%d Pipe_2=%d Pipe_3=%d Pipe_4=%d Pipe_5=%d (caller=%s)\n",
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 153/449] drm/amd/display: add workaround flag to link to force FFE preset
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 152/449] drm/amd/display: Guard Possible Null Pointer Dereference Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 154/449] drm/amdgpu: Unlocked unmap only clear page table leaves Greg Kroah-Hartman
` (302 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wenjing Liu, Brendan Tam,
Aurabindo Pillai, Daniel Wheeler, Alex Deucher, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brendan Tam <Brendan.Tam@amd.com>
[ Upstream commit 51d1b338541dea83fec8e6f95d3e46fa469a73a8 ]
[Why]
There have been instances of some monitors being unable to link train on
their reported link speed using their selected FFE preset. If a different
FFE preset is found that has a higher rate of success during link training
this workaround can be used to force its FFE preset.
[How]
A new link workaround flag is made called force_dp_ffe_preset. The flag is
checked in override_training_settings and will set lt_settings->ffe_preset
which is null if the flag is not set. The flag is then set in
override_lane_settings.
Reviewed-by: Wenjing Liu <wenjing.liu@amd.com>
Signed-off-by: Brendan Tam <Brendan.Tam@amd.com>
Signed-off-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dc.h | 2 ++
.../gpu/drm/amd/display/dc/link/protocols/link_dp_training.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/dc/dc.h b/drivers/gpu/drm/amd/display/dc/dc.h
index 053481ab69efb..ab77dcbc10584 100644
--- a/drivers/gpu/drm/amd/display/dc/dc.h
+++ b/drivers/gpu/drm/amd/display/dc/dc.h
@@ -1788,7 +1788,9 @@ struct dc_link {
bool dongle_mode_timing_override;
bool blank_stream_on_ocs_change;
bool read_dpcd204h_on_irq_hpd;
+ bool force_dp_ffe_preset;
} wa_flags;
+ union dc_dp_ffe_preset forced_dp_ffe_preset;
struct link_mst_stream_allocation_table mst_stream_alloc_table;
struct dc_link_status link_status;
diff --git a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c
index 88d4288cde0f5..751c18e592ea5 100644
--- a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c
+++ b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c
@@ -736,6 +736,8 @@ void override_training_settings(
lt_settings->pre_emphasis = overrides->pre_emphasis;
if (overrides->post_cursor2 != NULL)
lt_settings->post_cursor2 = overrides->post_cursor2;
+ if (link->wa_flags.force_dp_ffe_preset && !dp_is_lttpr_present(link))
+ lt_settings->ffe_preset = &link->forced_dp_ffe_preset;
if (overrides->ffe_preset != NULL)
lt_settings->ffe_preset = overrides->ffe_preset;
/* Override HW lane settings with BIOS forced values if present */
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 154/449] drm/amdgpu: Unlocked unmap only clear page table leaves
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 153/449] drm/amd/display: add workaround flag to link to force FFE preset Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 155/449] drm: panel-orientation-quirks: Add support for AYANEO 2S Greg Kroah-Hartman
` (301 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philip Yang, Christian König,
Alex Deucher, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philip Yang <Philip.Yang@amd.com>
[ Upstream commit 23b645231eeffdaf44021debac881d2f26824150 ]
SVM migration unmap pages from GPU and then update mapping to GPU to
recover page fault. Currently unmap clears the PDE entry for range
length >= huge page and free PTB bo, update mapping to alloc new PT bo.
There is race bug that the freed entry bo maybe still on the pt_free
list, reused when updating mapping and then freed, leave invalid PDE
entry and cause GPU page fault.
By setting the update to clear only one PDE entry or clear PTB, to
avoid unmap to free PTE bo. This fixes the race bug and improve the
unmap and map to GPU performance. Update mapping to huge page will
still free the PTB bo.
With this change, the vm->pt_freed list and work is not needed. Add
WARN_ON(unlocked) in amdgpu_vm_pt_free_dfs to catch if unmap to free the
PTB.
Signed-off-by: Philip Yang <Philip.Yang@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 4 ---
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h | 4 ---
drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c | 43 +++++++----------------
3 files changed, 13 insertions(+), 38 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
index 5c07777d3239e..22aa4a8f11891 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
@@ -2534,8 +2534,6 @@ int amdgpu_vm_init(struct amdgpu_device *adev, struct amdgpu_vm *vm,
spin_lock_init(&vm->status_lock);
INIT_LIST_HEAD(&vm->freed);
INIT_LIST_HEAD(&vm->done);
- INIT_LIST_HEAD(&vm->pt_freed);
- INIT_WORK(&vm->pt_free_work, amdgpu_vm_pt_free_work);
INIT_KFIFO(vm->faults);
r = amdgpu_vm_init_entities(adev, vm);
@@ -2717,8 +2715,6 @@ void amdgpu_vm_fini(struct amdgpu_device *adev, struct amdgpu_vm *vm)
amdgpu_amdkfd_gpuvm_destroy_cb(adev, vm);
- flush_work(&vm->pt_free_work);
-
root = amdgpu_bo_ref(vm->root.bo);
amdgpu_bo_reserve(root, true);
amdgpu_vm_set_pasid(adev, vm, 0);
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h
index a3e128e373bc6..5010a3107bf89 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h
@@ -374,10 +374,6 @@ struct amdgpu_vm {
/* BOs which are invalidated, has been updated in the PTs */
struct list_head done;
- /* PT BOs scheduled to free and fill with zero if vm_resv is not hold */
- struct list_head pt_freed;
- struct work_struct pt_free_work;
-
/* contains the page directory */
struct amdgpu_vm_bo_base root;
struct dma_fence *last_update;
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c
index b0bf216821152..30022123b0bf6 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c
@@ -547,27 +547,6 @@ static void amdgpu_vm_pt_free(struct amdgpu_vm_bo_base *entry)
amdgpu_bo_unref(&entry->bo);
}
-void amdgpu_vm_pt_free_work(struct work_struct *work)
-{
- struct amdgpu_vm_bo_base *entry, *next;
- struct amdgpu_vm *vm;
- LIST_HEAD(pt_freed);
-
- vm = container_of(work, struct amdgpu_vm, pt_free_work);
-
- spin_lock(&vm->status_lock);
- list_splice_init(&vm->pt_freed, &pt_freed);
- spin_unlock(&vm->status_lock);
-
- /* flush_work in amdgpu_vm_fini ensure vm->root.bo is valid. */
- amdgpu_bo_reserve(vm->root.bo, true);
-
- list_for_each_entry_safe(entry, next, &pt_freed, vm_status)
- amdgpu_vm_pt_free(entry);
-
- amdgpu_bo_unreserve(vm->root.bo);
-}
-
/**
* amdgpu_vm_pt_free_list - free PD/PT levels
*
@@ -580,19 +559,15 @@ void amdgpu_vm_pt_free_list(struct amdgpu_device *adev,
struct amdgpu_vm_update_params *params)
{
struct amdgpu_vm_bo_base *entry, *next;
- struct amdgpu_vm *vm = params->vm;
bool unlocked = params->unlocked;
if (list_empty(¶ms->tlb_flush_waitlist))
return;
- if (unlocked) {
- spin_lock(&vm->status_lock);
- list_splice_init(¶ms->tlb_flush_waitlist, &vm->pt_freed);
- spin_unlock(&vm->status_lock);
- schedule_work(&vm->pt_free_work);
- return;
- }
+ /*
+ * unlocked unmap clear page table leaves, warning to free the page entry.
+ */
+ WARN_ON(unlocked);
list_for_each_entry_safe(entry, next, ¶ms->tlb_flush_waitlist, vm_status)
amdgpu_vm_pt_free(entry);
@@ -900,7 +875,15 @@ int amdgpu_vm_ptes_update(struct amdgpu_vm_update_params *params,
incr = (uint64_t)AMDGPU_GPU_PAGE_SIZE << shift;
mask = amdgpu_vm_pt_entries_mask(adev, cursor.level);
pe_start = ((cursor.pfn >> shift) & mask) * 8;
- entry_end = ((uint64_t)mask + 1) << shift;
+
+ if (cursor.level < AMDGPU_VM_PTB && params->unlocked)
+ /*
+ * MMU notifier callback unlocked unmap huge page, leave is PDE entry,
+ * only clear one entry. Next entry search again for PDE or PTE leave.
+ */
+ entry_end = 1ULL << shift;
+ else
+ entry_end = ((uint64_t)mask + 1) << shift;
entry_end += cursor.pfn & ~(entry_end - 1);
entry_end = min(entry_end, end);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 155/449] drm: panel-orientation-quirks: Add support for AYANEO 2S
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 154/449] drm/amdgpu: Unlocked unmap only clear page table leaves Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 156/449] drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB Greg Kroah-Hartman
` (300 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Wyatt, John Edwards,
Thomas Zimmermann, Hans de Goede, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Wyatt <fewtarius@steamfork.org>
[ Upstream commit eb8f1e3e8ee10cff591d4a47437dfd34d850d454 ]
AYANEO 2S uses the same panel and orientation as the AYANEO 2.
Update the AYANEO 2 DMI match to also match AYANEO 2S.
Signed-off-by: Andrew Wyatt <fewtarius@steamfork.org>
Signed-off-by: John Edwards <uejji@uejji.net>
Tested-by: John Edwards <uejji@uejji.net>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20250213222455.93533-2-uejji@uejji.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_panel_orientation_quirks.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
index 4a73821b81f6f..f9c975338fc9e 100644
--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
+++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
@@ -184,10 +184,10 @@ static const struct dmi_system_id orientation_data[] = {
DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T103HAF"),
},
.driver_data = (void *)&lcd800x1280_rightside_up,
- }, { /* AYA NEO AYANEO 2 */
+ }, { /* AYA NEO AYANEO 2/2S */
.matches = {
DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AYANEO"),
- DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "AYANEO 2"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "AYANEO 2"),
},
.driver_data = (void *)&lcd1200x1920_rightside_up,
}, { /* AYA NEO 2021 */
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 156/449] drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 155/449] drm: panel-orientation-quirks: Add support for AYANEO 2S Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 157/449] drm: panel-orientation-quirks: Add quirk for AYA NEO Slide Greg Kroah-Hartman
` (299 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Wyatt, John Edwards,
Paco Avelar, Thomas Zimmermann, Hans de Goede, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Wyatt <fewtarius@steamfork.org>
[ Upstream commit 529741c331da1fbf54f86c6ec3a4558b9b0b16dc ]
The AYA NEO Flip DS and KB both use a 1080x1920 portrait LCD panel. The
Flip DS additionally uses a 640x960 portrait LCD panel as a second display.
Add DMI matches to correctly rotate these panels.
Signed-off-by: Andrew Wyatt <fewtarius@steamfork.org>
Co-developed-by: John Edwards <uejji@uejji.net>
Signed-off-by: John Edwards <uejji@uejji.net>
Tested-by: Paco Avelar <pacoavelar@hotmail.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20250213222455.93533-3-uejji@uejji.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_panel_orientation_quirks.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
index f9c975338fc9e..b5f6ae0459459 100644
--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
+++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
@@ -93,6 +93,12 @@ static const struct drm_dmi_panel_orientation_data onegx1_pro = {
.orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP,
};
+static const struct drm_dmi_panel_orientation_data lcd640x960_leftside_up = {
+ .width = 640,
+ .height = 960,
+ .orientation = DRM_MODE_PANEL_ORIENTATION_LEFT_UP,
+};
+
static const struct drm_dmi_panel_orientation_data lcd720x1280_rightside_up = {
.width = 720,
.height = 1280,
@@ -202,6 +208,18 @@ static const struct dmi_system_id orientation_data[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "AIR"),
},
.driver_data = (void *)&lcd1080x1920_leftside_up,
+ }, { /* AYA NEO Flip DS Bottom Screen */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AYANEO"),
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "FLIP DS"),
+ },
+ .driver_data = (void *)&lcd640x960_leftside_up,
+ }, { /* AYA NEO Flip KB/DS Top Screen */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AYANEO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "FLIP"),
+ },
+ .driver_data = (void *)&lcd1080x1920_leftside_up,
}, { /* AYA NEO Founder */
.matches = {
DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AYA NEO"),
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 157/449] drm: panel-orientation-quirks: Add quirk for AYA NEO Slide
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 156/449] drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 158/449] drm: panel-orientation-quirks: Add new quirk for GPD Win 2 Greg Kroah-Hartman
` (298 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Wyatt, John Edwards,
Thomas Zimmermann, Hans de Goede, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Wyatt <fewtarius@steamfork.org>
[ Upstream commit 132c89ef8872e602cfb909377815111d121fe8d7 ]
The AYANEO Slide uses a 1080x1920 portrait LCD panel. This is the same
panel used on the AYANEO Air Plus, but the DMI data is too different to
match both with one entry.
Add a DMI match to correctly rotate the panel on the AYANEO Slide.
This also covers the Antec Core HS, which is a rebranded AYANEO Slide with
the exact same hardware and DMI strings.
Signed-off-by: Andrew Wyatt <fewtarius@steamfork.org>
Signed-off-by: John Edwards <uejji@uejji.net>
Tested-by: John Edwards <uejji@uejji.net>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20250213222455.93533-4-uejji@uejji.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
index b5f6ae0459459..b57078cfdd80f 100644
--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
+++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
@@ -244,6 +244,12 @@ static const struct dmi_system_id orientation_data[] = {
DMI_MATCH(DMI_BOARD_NAME, "KUN"),
},
.driver_data = (void *)&lcd1600x2560_rightside_up,
+ }, { /* AYA NEO SLIDE */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AYANEO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "SLIDE"),
+ },
+ .driver_data = (void *)&lcd1080x1920_leftside_up,
}, { /* AYN Loki Max */
.matches = {
DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ayn"),
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 158/449] drm: panel-orientation-quirks: Add new quirk for GPD Win 2
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 157/449] drm: panel-orientation-quirks: Add quirk for AYA NEO Slide Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 159/449] drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel) Greg Kroah-Hartman
` (297 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Wyatt, John Edwards,
Paco Avelar, Thomas Zimmermann, Hans de Goede, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Wyatt <fewtarius@steamfork.org>
[ Upstream commit a860eb9c6ba6cdbf32e3e01a606556e5a90a2931 ]
Some GPD Win 2 units shipped with the correct DMI strings.
Add a DMI match to correctly rotate the panel on these units.
Signed-off-by: Andrew Wyatt <fewtarius@steamfork.org>
Signed-off-by: John Edwards <uejji@uejji.net>
Tested-by: Paco Avelar <pacoavelar@hotmail.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20250213222455.93533-5-uejji@uejji.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
index b57078cfdd80f..384a8dcf454fb 100644
--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
+++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
@@ -339,6 +339,12 @@ static const struct dmi_system_id orientation_data[] = {
DMI_EXACT_MATCH(DMI_BOARD_NAME, "Default string"),
},
.driver_data = (void *)&gpd_win2,
+ }, { /* GPD Win 2 (correct DMI strings) */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "GPD"),
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "WIN2")
+ },
+ .driver_data = (void *)&lcd720x1280_rightside_up,
}, { /* GPD Win 3 */
.matches = {
DMI_EXACT_MATCH(DMI_SYS_VENDOR, "GPD"),
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 159/449] drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel)
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 158/449] drm: panel-orientation-quirks: Add new quirk for GPD Win 2 Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 160/449] drm/debugfs: fix printk format for bridge index Greg Kroah-Hartman
` (296 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Wyatt, John Edwards,
João Pedro Kurtz, Thomas Zimmermann, Hans de Goede,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Wyatt <fewtarius@steamfork.org>
[ Upstream commit b24dcc183583fc360ae0f0899e286a68f46abbd0 ]
The Intel model of the OneXPlayer Mini uses a 1200x1920 portrait LCD panel.
The DMI strings are the same as the OneXPlayer, which already has a DMI
quirk, but the panel is different.
Add a DMI match to correctly rotate this panel.
Signed-off-by: Andrew Wyatt <fewtarius@steamfork.org>
Co-developed-by: John Edwards <uejji@uejji.net>
Signed-off-by: John Edwards <uejji@uejji.net>
Tested-by: João Pedro Kurtz <joexkurtz@gmail.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20250213222455.93533-6-uejji@uejji.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
index 384a8dcf454fb..c554ad8f246b6 100644
--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
+++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
@@ -129,6 +129,12 @@ static const struct drm_dmi_panel_orientation_data lcd1080x1920_rightside_up = {
.orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP,
};
+static const struct drm_dmi_panel_orientation_data lcd1200x1920_leftside_up = {
+ .width = 1200,
+ .height = 1920,
+ .orientation = DRM_MODE_PANEL_ORIENTATION_LEFT_UP,
+};
+
static const struct drm_dmi_panel_orientation_data lcd1200x1920_rightside_up = {
.width = 1200,
.height = 1920,
@@ -473,6 +479,12 @@ static const struct dmi_system_id orientation_data[] = {
DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "ONE XPLAYER"),
},
.driver_data = (void *)&lcd1600x2560_leftside_up,
+ }, { /* OneXPlayer Mini (Intel) */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ONE-NETBOOK TECHNOLOGY CO., LTD."),
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "ONE XPLAYER"),
+ },
+ .driver_data = (void *)&lcd1200x1920_leftside_up,
}, { /* OrangePi Neo */
.matches = {
DMI_EXACT_MATCH(DMI_SYS_VENDOR, "OrangePi"),
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 160/449] drm/debugfs: fix printk format for bridge index
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 159/449] drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel) Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 161/449] drm/bridge: panel: forbid initializing a panel with unknown connector type Greg Kroah-Hartman
` (295 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Luca Ceresoli,
Robert Foss, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Ceresoli <luca.ceresoli@bootlin.com>
[ Upstream commit 72443c730b7a7b5670a921ea928e17b9b99bd934 ]
idx is an unsigned int, use %u for printk-style strings.
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Robert Foss <rfoss@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20250214-drm-assorted-cleanups-v7-1-88ca5827d7af@bootlin.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_debugfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_debugfs.c b/drivers/gpu/drm/drm_debugfs.c
index 536409a35df40..6b2178864c7ee 100644
--- a/drivers/gpu/drm/drm_debugfs.c
+++ b/drivers/gpu/drm/drm_debugfs.c
@@ -748,7 +748,7 @@ static int bridges_show(struct seq_file *m, void *data)
unsigned int idx = 0;
drm_for_each_bridge_in_chain(encoder, bridge) {
- drm_printf(&p, "bridge[%d]: %ps\n", idx++, bridge->funcs);
+ drm_printf(&p, "bridge[%u]: %ps\n", idx++, bridge->funcs);
drm_printf(&p, "\ttype: [%d] %s\n",
bridge->type,
drm_get_connector_type_name(bridge->type));
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 161/449] drm/bridge: panel: forbid initializing a panel with unknown connector type
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 160/449] drm/debugfs: fix printk format for bridge index Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 162/449] drm/amd/display: Update FIXED_VS Link Rate Toggle Workaround Usage Greg Kroah-Hartman
` (294 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Luca Ceresoli,
Robert Foss, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Ceresoli <luca.ceresoli@bootlin.com>
[ Upstream commit b296955b3a740ecc8b3b08e34fd64f1ceabb8fb4 ]
Having an DRM_MODE_CONNECTOR_Unknown connector type is considered bad, and
drm_panel_bridge_add_typed() and derivatives are deprecated for this.
drm_panel_init() won't prevent initializing a panel with a
DRM_MODE_CONNECTOR_Unknown connector type. Luckily there are no in-tree
users doing it, so take this as an opportinuty to document a valid
connector type must be passed.
Returning an error if this rule is violated is not possible because
drm_panel_init() is a void function. Add at least a warning to make any
violations noticeable, especially to non-upstream drivers.
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Robert Foss <rfoss@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20250214-drm-assorted-cleanups-v7-5-88ca5827d7af@bootlin.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_panel.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_panel.c b/drivers/gpu/drm/drm_panel.c
index 9940e96d35e30..c627e42a7ce70 100644
--- a/drivers/gpu/drm/drm_panel.c
+++ b/drivers/gpu/drm/drm_panel.c
@@ -50,7 +50,7 @@ static LIST_HEAD(panel_list);
* @dev: parent device of the panel
* @funcs: panel operations
* @connector_type: the connector type (DRM_MODE_CONNECTOR_*) corresponding to
- * the panel interface
+ * the panel interface (must NOT be DRM_MODE_CONNECTOR_Unknown)
*
* Initialize the panel structure for subsequent registration with
* drm_panel_add().
@@ -58,6 +58,9 @@ static LIST_HEAD(panel_list);
void drm_panel_init(struct drm_panel *panel, struct device *dev,
const struct drm_panel_funcs *funcs, int connector_type)
{
+ if (connector_type == DRM_MODE_CONNECTOR_Unknown)
+ DRM_WARN("%s: %s: a valid connector type is required!\n", __func__, dev_name(dev));
+
INIT_LIST_HEAD(&panel->list);
INIT_LIST_HEAD(&panel->followers);
mutex_init(&panel->follower_lock);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 162/449] drm/amd/display: Update FIXED_VS Link Rate Toggle Workaround Usage
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 161/449] drm/bridge: panel: forbid initializing a panel with unknown connector type Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 163/449] drm/amd/display: stop DML2 from removing pipes based on planes Greg Kroah-Hartman
` (293 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wenjing Liu, Michael Strauss,
Zaeem Mohamed, Daniel Wheeler, Alex Deucher, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Strauss <michael.strauss@amd.com>
[ Upstream commit 7c6518c1c73199a230b5fc55ddfed3e5b9dc3290 ]
[WHY]
Previously the 128b/132b LTTPR support DPCD field was used to decide if
FIXED_VS training sequence required a rate toggle before initiating LT.
When running DP2.1 4.9.x.x compliance tests, emulated LTTPRs can report
no-128b/132b support which is then forwarded by the FIXED_VS retimer.
As a result this test exposes the rate toggle again, erroneously causing
failures as certain compliance sinks don't expect this behaviour.
[HOW]
Add new DPCD register defines/reads to read LTTPR IEEE OUI and device ID.
Decide whether to perform the rate toggle based on the LTTPR's IEEE OUI
which guarantees that we only perform the toggle on affected retimers.
Reviewed-by: Wenjing Liu <wenjing.liu@amd.com>
Signed-off-by: Michael Strauss <michael.strauss@amd.com>
Signed-off-by: Zaeem Mohamed <zaeem.mohamed@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dc_dp_types.h | 8 ++++++++
.../display/dc/link/protocols/link_dp_capability.c | 12 ++++++++++--
.../protocols/link_dp_training_fixed_vs_pe_retimer.c | 3 ++-
3 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dc_dp_types.h b/drivers/gpu/drm/amd/display/dc/dc_dp_types.h
index 94ce8fe744810..cc005da75ce4c 100644
--- a/drivers/gpu/drm/amd/display/dc/dc_dp_types.h
+++ b/drivers/gpu/drm/amd/display/dc/dc_dp_types.h
@@ -1119,6 +1119,8 @@ struct dc_lttpr_caps {
union dp_main_link_channel_coding_lttpr_cap main_link_channel_coding;
union dp_128b_132b_supported_lttpr_link_rates supported_128b_132b_rates;
uint8_t aux_rd_interval[MAX_REPEATER_CNT - 1];
+ uint8_t lttpr_ieee_oui[3];
+ uint8_t lttpr_device_id[6];
};
struct dc_dongle_dfp_cap_ext {
@@ -1379,6 +1381,12 @@ struct dp_trace {
#ifndef DP_BRANCH_VENDOR_SPECIFIC_START
#define DP_BRANCH_VENDOR_SPECIFIC_START 0x50C
#endif
+#ifndef DP_LTTPR_IEEE_OUI
+#define DP_LTTPR_IEEE_OUI 0xF003D
+#endif
+#ifndef DP_LTTPR_DEVICE_ID
+#define DP_LTTPR_DEVICE_ID 0xF0040
+#endif
/** USB4 DPCD BW Allocation Registers Chapter 10.7 **/
#ifndef DP_TUNNELING_CAPABILITIES
#define DP_TUNNELING_CAPABILITIES 0xE000D /* 1.4a */
diff --git a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_capability.c b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_capability.c
index 44c3023a77318..44f33e3bc1c59 100644
--- a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_capability.c
+++ b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_capability.c
@@ -1568,10 +1568,18 @@ enum dc_status dp_retrieve_lttpr_cap(struct dc_link *link)
/* Attempt to train in LTTPR transparent mode if repeater count exceeds 8. */
is_lttpr_present = dp_is_lttpr_present(link);
- if (is_lttpr_present)
+ DC_LOG_DC("is_lttpr_present = %d\n", is_lttpr_present);
+
+ if (is_lttpr_present) {
CONN_DATA_DETECT(link, lttpr_dpcd_data, sizeof(lttpr_dpcd_data), "LTTPR Caps: ");
- DC_LOG_DC("is_lttpr_present = %d\n", is_lttpr_present);
+ core_link_read_dpcd(link, DP_LTTPR_IEEE_OUI, link->dpcd_caps.lttpr_caps.lttpr_ieee_oui, sizeof(link->dpcd_caps.lttpr_caps.lttpr_ieee_oui));
+ CONN_DATA_DETECT(link, link->dpcd_caps.lttpr_caps.lttpr_ieee_oui, sizeof(link->dpcd_caps.lttpr_caps.lttpr_ieee_oui), "LTTPR IEEE OUI: ");
+
+ core_link_read_dpcd(link, DP_LTTPR_DEVICE_ID, link->dpcd_caps.lttpr_caps.lttpr_device_id, sizeof(link->dpcd_caps.lttpr_caps.lttpr_device_id));
+ CONN_DATA_DETECT(link, link->dpcd_caps.lttpr_caps.lttpr_device_id, sizeof(link->dpcd_caps.lttpr_caps.lttpr_device_id), "LTTPR Device ID: ");
+ }
+
return status;
}
diff --git a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training_fixed_vs_pe_retimer.c b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training_fixed_vs_pe_retimer.c
index ccf8096dde290..ce174ce5579c0 100644
--- a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training_fixed_vs_pe_retimer.c
+++ b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training_fixed_vs_pe_retimer.c
@@ -270,7 +270,8 @@ enum link_training_result dp_perform_fixed_vs_pe_training_sequence(
rate = get_dpcd_link_rate(<_settings->link_settings);
- if (!link->dpcd_caps.lttpr_caps.main_link_channel_coding.bits.DP_128b_132b_SUPPORTED) {
+ // Only perform toggle if FIXED_VS LTTPR reports no IEEE OUI
+ if (memcmp("\x0,\x0,\x0", &link->dpcd_caps.lttpr_caps.lttpr_ieee_oui[0], 3) == 0) {
/* Vendor specific: Toggle link rate */
toggle_rate = (rate == 0x6) ? 0xA : 0x6;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 163/449] drm/amd/display: stop DML2 from removing pipes based on planes
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 162/449] drm/amd/display: Update FIXED_VS Link Rate Toggle Workaround Usage Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 164/449] drivers: base: devres: Allow to release group on device release Greg Kroah-Hartman
` (292 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ovidiu Bunea, Mike Katsnelson,
Zaeem Mohamed, Daniel Wheeler, Alex Deucher, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Katsnelson <mike.katsnelson@amd.com>
[ Upstream commit 8adeff83a3b07fa6d0958ed51e1b38ba7469e448 ]
[Why]
Transitioning from low to high resolutions at high refresh rates caused grey corruption.
During the transition state, there is a period where plane size is based on low resultion
state and ODM slices are based on high resoultion state, causing the entire plane to be
contained in one ODM slice. DML2 would turn off the pipe for the ODM slice with no plane,
causing an underflow since the pixel rate for the higher resolution cannot be supported on
one pipe. This change stops DML2 from turning off pipes that are mapped to an ODM slice
with no plane. This is possible to do without negative consequences because pipes can now
take the minimum viewport and draw with zero recout size, removing the need to have the
pipe turned off.
[How]
In map_pipes_from_plane(), remove "check" that skips ODM slices that are not covered by
the plane. This prevents the pipes for those ODM slices from being freed.
Reviewed-by: Ovidiu Bunea <ovidiu.bunea@amd.com>
Signed-off-by: Mike Katsnelson <mike.katsnelson@amd.com>
Signed-off-by: Zaeem Mohamed <zaeem.mohamed@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../display/dc/dml2/dml2_dc_resource_mgmt.c | 26 -------------------
1 file changed, 26 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml2_dc_resource_mgmt.c b/drivers/gpu/drm/amd/display/dc/dml2/dml2_dc_resource_mgmt.c
index 1ed21c1b86a5b..a966abd407881 100644
--- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_dc_resource_mgmt.c
+++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_dc_resource_mgmt.c
@@ -532,26 +532,6 @@ static void calculate_odm_slices(const struct dc_stream_state *stream, unsigned
odm_slice_end_x[odm_factor - 1] = stream->src.width - 1;
}
-static bool is_plane_in_odm_slice(const struct dc_plane_state *plane, unsigned int slice_index, unsigned int *odm_slice_end_x, unsigned int num_slices)
-{
- unsigned int slice_start_x, slice_end_x;
-
- if (slice_index == 0)
- slice_start_x = 0;
- else
- slice_start_x = odm_slice_end_x[slice_index - 1] + 1;
-
- slice_end_x = odm_slice_end_x[slice_index];
-
- if (plane->clip_rect.x + plane->clip_rect.width < slice_start_x)
- return false;
-
- if (plane->clip_rect.x > slice_end_x)
- return false;
-
- return true;
-}
-
static void add_odm_slice_to_odm_tree(struct dml2_context *ctx,
struct dc_state *state,
struct dc_pipe_mapping_scratch *scratch,
@@ -791,12 +771,6 @@ static void map_pipes_for_plane(struct dml2_context *ctx, struct dc_state *state
sort_pipes_for_splitting(&scratch->pipe_pool);
for (odm_slice_index = 0; odm_slice_index < scratch->odm_info.odm_factor; odm_slice_index++) {
- // We build the tree for one ODM slice at a time.
- // Each ODM slice shares a common OPP
- if (!is_plane_in_odm_slice(plane, odm_slice_index, scratch->odm_info.odm_slice_end_x, scratch->odm_info.odm_factor)) {
- continue;
- }
-
// Now we have a list of all pipes to be used for this plane/stream, now setup the tree.
scratch->odm_info.next_higher_pipe_for_odm_slice[odm_slice_index] = add_plane_to_blend_tree(ctx, state,
plane,
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 164/449] drivers: base: devres: Allow to release group on device release
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 163/449] drm/amd/display: stop DML2 from removing pipes based on planes Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 165/449] drm/amdkfd: clamp queue size to minimum Greg Kroah-Hartman
` (291 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rodrigo Vivi, Lucas De Marchi,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lucas De Marchi <lucas.demarchi@intel.com>
[ Upstream commit 8e1ddfada4530939a8cb64ee9251aef780474274 ]
When releasing a device, if the release action causes a group to be
released, a warning is emitted because it can't find the group. This
happens because devres_release_all() moves the entire list to a todo
list and also move the group markers. Considering r* normal resource
nodes and g1 a group resource node:
g1 -----------.
v v
r1 -> r2 -> g1[0] -> r3-> g[1] -> r4
After devres_release_all(), dev->devres_head becomes empty and the todo
list it iterates on becomes:
g1
v
r1 -> r2 -> r3-> r4 -> g1[0]
When a call to component_del() is made and takes down the aggregate
device, a warning like this happen:
RIP: 0010:devres_release_group+0x362/0x530
...
Call Trace:
<TASK>
component_unbind+0x156/0x380
component_unbind_all+0x1d0/0x270
mei_component_master_unbind+0x28/0x80 [mei_hdcp]
take_down_aggregate_device+0xc1/0x160
component_del+0x1c6/0x3e0
intel_hdcp_component_fini+0xf1/0x170 [xe]
xe_display_fini+0x1e/0x40 [xe]
Because the devres group corresponding to the hdcp component cannot be
found. Just ignore this corner case: if the dev->devres_head is empty
and the caller is trying to remove a group, it's likely in the process
of device cleanup so just ignore it instead of warning.
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250222001051.3012936-2-lucas.demarchi@intel.com
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/devres.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/base/devres.c b/drivers/base/devres.c
index 93e7779ef21e8..b955a2f9520bf 100644
--- a/drivers/base/devres.c
+++ b/drivers/base/devres.c
@@ -687,6 +687,13 @@ int devres_release_group(struct device *dev, void *id)
spin_unlock_irqrestore(&dev->devres_lock, flags);
release_nodes(dev, &todo);
+ } else if (list_empty(&dev->devres_head)) {
+ /*
+ * dev is probably dying via devres_release_all(): groups
+ * have already been removed and are on the process of
+ * being released - don't touch and don't warn.
+ */
+ spin_unlock_irqrestore(&dev->devres_lock, flags);
} else {
WARN_ON(1);
spin_unlock_irqrestore(&dev->devres_lock, flags);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 165/449] drm/amdkfd: clamp queue size to minimum
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 164/449] drivers: base: devres: Allow to release group on device release Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 166/449] drm/amdkfd: Fix mode1 reset crash issue Greg Kroah-Hartman
` (290 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Yat Sin, Jay Cornwall,
Harish Kasiviswanathan, Alex Deucher, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Yat Sin <David.YatSin@amd.com>
[ Upstream commit e90711946b53590371ecce32e8fcc381a99d6333 ]
If queue size is less than minimum, clamp it to minimum to prevent
underflow when writing queue mqd.
Signed-off-by: David Yat Sin <David.YatSin@amd.com>
Reviewed-by: Jay Cornwall <jay.cornwall@amd.com>
Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 10 ++++++++++
include/uapi/linux/kfd_ioctl.h | 2 ++
2 files changed, 12 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
index 065d878414591..33df35cab4679 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -212,6 +212,11 @@ static int set_queue_properties_from_user(struct queue_properties *q_properties,
return -EINVAL;
}
+ if (args->ring_size < KFD_MIN_QUEUE_RING_SIZE) {
+ args->ring_size = KFD_MIN_QUEUE_RING_SIZE;
+ pr_debug("Size lower. clamped to KFD_MIN_QUEUE_RING_SIZE");
+ }
+
if (!access_ok((const void __user *) args->read_pointer_address,
sizeof(uint32_t))) {
pr_err("Can't access read pointer\n");
@@ -461,6 +466,11 @@ static int kfd_ioctl_update_queue(struct file *filp, struct kfd_process *p,
return -EINVAL;
}
+ if (args->ring_size < KFD_MIN_QUEUE_RING_SIZE) {
+ args->ring_size = KFD_MIN_QUEUE_RING_SIZE;
+ pr_debug("Size lower. clamped to KFD_MIN_QUEUE_RING_SIZE");
+ }
+
properties.queue_address = args->ring_base_address;
properties.queue_size = args->ring_size;
properties.queue_percent = args->queue_percentage & 0xFF;
diff --git a/include/uapi/linux/kfd_ioctl.h b/include/uapi/linux/kfd_ioctl.h
index fa9f9846b88e4..b0160b09987c1 100644
--- a/include/uapi/linux/kfd_ioctl.h
+++ b/include/uapi/linux/kfd_ioctl.h
@@ -62,6 +62,8 @@ struct kfd_ioctl_get_version_args {
#define KFD_MAX_QUEUE_PERCENTAGE 100
#define KFD_MAX_QUEUE_PRIORITY 15
+#define KFD_MIN_QUEUE_RING_SIZE 1024
+
struct kfd_ioctl_create_queue_args {
__u64 ring_base_address; /* to KFD */
__u64 write_pointer_address; /* from KFD */
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 166/449] drm/amdkfd: Fix mode1 reset crash issue
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 165/449] drm/amdkfd: clamp queue size to minimum Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 167/449] drm/amdkfd: Fix pqm_destroy_queue race with GPU reset Greg Kroah-Hartman
` (289 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philip Yang, Lijo Lazar,
Felix Kuehling, Alex Deucher, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philip Yang <Philip.Yang@amd.com>
[ Upstream commit f0b4440cdc1807bb6ec3dce0d6de81170803569b ]
If HW scheduler hangs and mode1 reset is used to recover GPU, KFD signal
user space to abort the processes. After process abort exit, user queues
still use the GPU to access system memory before h/w is reset while KFD
cleanup worker free system memory and free VRAM.
There is use-after-free race bug that KFD allocate and reuse the freed
system memory, and user queue write to the same system memory to corrupt
the data structure and cause driver crash.
To fix this race, KFD cleanup worker terminate user queues, then flush
reset_domain wq to wait for any GPU ongoing reset complete, and then
free outstanding BOs.
Signed-off-by: Philip Yang <Philip.Yang@amd.com>
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_process.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process.c b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
index 083f83c945318..c3f2c0428e013 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
@@ -35,6 +35,7 @@
#include <linux/pm_runtime.h>
#include "amdgpu_amdkfd.h"
#include "amdgpu.h"
+#include "amdgpu_reset.h"
struct mm_struct;
@@ -1140,6 +1141,17 @@ static void kfd_process_remove_sysfs(struct kfd_process *p)
p->kobj = NULL;
}
+/*
+ * If any GPU is ongoing reset, wait for reset complete.
+ */
+static void kfd_process_wait_gpu_reset_complete(struct kfd_process *p)
+{
+ int i;
+
+ for (i = 0; i < p->n_pdds; i++)
+ flush_workqueue(p->pdds[i]->dev->adev->reset_domain->wq);
+}
+
/* No process locking is needed in this function, because the process
* is not findable any more. We must assume that no other thread is
* using it any more, otherwise we couldn't safely free the process
@@ -1154,6 +1166,11 @@ static void kfd_process_wq_release(struct work_struct *work)
kfd_process_dequeue_from_all_devices(p);
pqm_uninit(&p->pqm);
+ /*
+ * If GPU in reset, user queues may still running, wait for reset complete.
+ */
+ kfd_process_wait_gpu_reset_complete(p);
+
/* Signal the eviction fence after user mode queues are
* destroyed. This allows any BOs to be freed without
* triggering pointless evictions or waiting for fences.
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 167/449] drm/amdkfd: Fix pqm_destroy_queue race with GPU reset
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 166/449] drm/amdkfd: Fix mode1 reset crash issue Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 168/449] drm/amdkfd: debugfs hang_hws skip GPU with MES Greg Kroah-Hartman
` (288 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philip Yang, Felix Kuehling,
Alex Deucher, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philip Yang <Philip.Yang@amd.com>
[ Upstream commit 7919b4cad5545ed93778f11881ceee72e4dbed66 ]
If GPU in reset, destroy_queue return -EIO, pqm_destroy_queue should
delete the queue from process_queue_list and free the resource.
Signed-off-by: Philip Yang <Philip.Yang@amd.com>
Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
index 6c02bc36d6344..d79caa1a68676 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
@@ -548,7 +548,7 @@ int pqm_destroy_queue(struct process_queue_manager *pqm, unsigned int qid)
pr_err("Pasid 0x%x destroy queue %d failed, ret %d\n",
pqm->process->pasid,
pqn->q->properties.queue_id, retval);
- if (retval != -ETIME)
+ if (retval != -ETIME && retval != -EIO)
goto err_destroy_queue;
}
kfd_procfs_del_queue(pqn->q);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 168/449] drm/amdkfd: debugfs hang_hws skip GPU with MES
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 167/449] drm/amdkfd: Fix pqm_destroy_queue race with GPU reset Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 169/449] drm/xe/xelp: Move Wa_16011163337 from tunings to workarounds Greg Kroah-Hartman
` (287 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philip Yang, Kent Russell,
Felix Kuehling, Alex Deucher, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philip Yang <Philip.Yang@amd.com>
[ Upstream commit fe9d0061c413f8fb8c529b18b592b04170850ded ]
debugfs hang_hws is used by GPU reset test with HWS, for MES this crash
the kernel with NULL pointer access because dqm->packet_mgr is not setup
for MES path.
Skip GPU with MES for now, MES hang_hws debugfs interface will be
supported later.
Signed-off-by: Philip Yang <Philip.Yang@amd.com>
Reviewed-by: Kent Russell <kent.russell@amd.com>
Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_device.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device.c b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
index a29374c864056..6cefd338f23de 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
@@ -1593,6 +1593,11 @@ int kfd_debugfs_hang_hws(struct kfd_node *dev)
return -EINVAL;
}
+ if (dev->kfd->shared_resources.enable_mes) {
+ dev_err(dev->adev->dev, "Inducing MES hang is not supported\n");
+ return -EINVAL;
+ }
+
return dqm_debugfs_hang_hws(dev->dqm);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 169/449] drm/xe/xelp: Move Wa_16011163337 from tunings to workarounds
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 168/449] drm/amdkfd: debugfs hang_hws skip GPU with MES Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 170/449] drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data Greg Kroah-Hartman
` (286 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tvrtko Ursulin, Lucas De Marchi,
Matt Roper, Gustavo Sousa, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
[ Upstream commit d9b5d83c5a4d720af6ddbefe2825c78f0325a3fd ]
Workaround database specifies 16011163337 as a workaround so lets move it
there.
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Cc: Lucas De Marchi <lucas.demarchi@intel.com>
Cc: Matt Roper <matthew.d.roper@intel.com>
Cc: Gustavo Sousa <gustavo.sousa@intel.com>
Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250227101304.46660-3-tvrtko.ursulin@igalia.com
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/xe_tuning.c | 8 --------
drivers/gpu/drm/xe/xe_wa.c | 7 +++++++
2 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/drivers/gpu/drm/xe/xe_tuning.c b/drivers/gpu/drm/xe/xe_tuning.c
index d449de0fb6ecb..3c78f3d715591 100644
--- a/drivers/gpu/drm/xe/xe_tuning.c
+++ b/drivers/gpu/drm/xe/xe_tuning.c
@@ -97,14 +97,6 @@ static const struct xe_rtp_entry_sr engine_tunings[] = {
};
static const struct xe_rtp_entry_sr lrc_tunings[] = {
- { XE_RTP_NAME("Tuning: ganged timer, also known as 16011163337"),
- XE_RTP_RULES(GRAPHICS_VERSION_RANGE(1200, 1210), ENGINE_CLASS(RENDER)),
- /* read verification is ignored due to 1608008084. */
- XE_RTP_ACTIONS(FIELD_SET_NO_READ_MASK(FF_MODE2,
- FF_MODE2_GS_TIMER_MASK,
- FF_MODE2_GS_TIMER_224))
- },
-
/* DG2 */
{ XE_RTP_NAME("Tuning: L3 cache"),
diff --git a/drivers/gpu/drm/xe/xe_wa.c b/drivers/gpu/drm/xe/xe_wa.c
index 570fe03764025..2553accf8c517 100644
--- a/drivers/gpu/drm/xe/xe_wa.c
+++ b/drivers/gpu/drm/xe/xe_wa.c
@@ -618,6 +618,13 @@ static const struct xe_rtp_entry_sr engine_was[] = {
};
static const struct xe_rtp_entry_sr lrc_was[] = {
+ { XE_RTP_NAME("16011163337"),
+ XE_RTP_RULES(GRAPHICS_VERSION_RANGE(1200, 1210), ENGINE_CLASS(RENDER)),
+ /* read verification is ignored due to 1608008084. */
+ XE_RTP_ACTIONS(FIELD_SET_NO_READ_MASK(FF_MODE2,
+ FF_MODE2_GS_TIMER_MASK,
+ FF_MODE2_GS_TIMER_224))
+ },
{ XE_RTP_NAME("1409342910, 14010698770, 14010443199, 1408979724, 1409178076, 1409207793, 1409217633, 1409252684, 1409347922, 1409142259"),
XE_RTP_RULES(GRAPHICS_VERSION_RANGE(1200, 1210)),
XE_RTP_ACTIONS(SET(COMMON_SLICE_CHICKEN3,
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 170/449] drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 169/449] drm/xe/xelp: Move Wa_16011163337 from tunings to workarounds Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 171/449] drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off Greg Kroah-Hartman
` (285 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, CK Hu, AngeloGioacchino Del Regno,
Chun-Kuang Hu, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
[ Upstream commit c90876a695dd83e76680b88b40067275a5982811 ]
In preparation for adding support for MT8195's HDMI reserved DPI
instance, move the input_2p_en bit for DP_INTF to platform data.
While at it, remove the input_2pixel member from platform data as
having this bit implies that the 2pixel feature must be enabled.
Reviewed-by: CK Hu <ck.hu@mediatek.com>
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20250217154836.108895-7-angelogioacchino.delregno@collabora.com/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/mediatek/mtk_dpi.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/mediatek/mtk_dpi.c b/drivers/gpu/drm/mediatek/mtk_dpi.c
index 1864eb02dbf50..c3fc85764c973 100644
--- a/drivers/gpu/drm/mediatek/mtk_dpi.c
+++ b/drivers/gpu/drm/mediatek/mtk_dpi.c
@@ -127,14 +127,14 @@ struct mtk_dpi_yc_limit {
* @is_ck_de_pol: Support CK/DE polarity.
* @swap_input_support: Support input swap function.
* @support_direct_pin: IP supports direct connection to dpi panels.
- * @input_2pixel: Input pixel of dp_intf is 2 pixel per round, so enable this
- * config to enable this feature.
* @dimension_mask: Mask used for HWIDTH, HPORCH, VSYNC_WIDTH and VSYNC_PORCH
* (no shift).
* @hvsize_mask: Mask of HSIZE and VSIZE mask (no shift).
* @channel_swap_shift: Shift value of channel swap.
* @yuv422_en_bit: Enable bit of yuv422.
* @csc_enable_bit: Enable bit of CSC.
+ * @input_2p_en_bit: Enable bit for input two pixel per round feature.
+ * If present, implies that the feature must be enabled.
* @pixels_per_iter: Quantity of transferred pixels per iteration.
* @edge_cfg_in_mmsys: If the edge configuration for DPI's output needs to be set in MMSYS.
*/
@@ -148,12 +148,12 @@ struct mtk_dpi_conf {
bool is_ck_de_pol;
bool swap_input_support;
bool support_direct_pin;
- bool input_2pixel;
u32 dimension_mask;
u32 hvsize_mask;
u32 channel_swap_shift;
u32 yuv422_en_bit;
u32 csc_enable_bit;
+ u32 input_2p_en_bit;
u32 pixels_per_iter;
bool edge_cfg_in_mmsys;
};
@@ -610,9 +610,9 @@ static int mtk_dpi_set_display_mode(struct mtk_dpi *dpi,
mtk_dpi_dual_edge(dpi);
mtk_dpi_config_disable_edge(dpi);
}
- if (dpi->conf->input_2pixel) {
- mtk_dpi_mask(dpi, DPI_CON, DPINTF_INPUT_2P_EN,
- DPINTF_INPUT_2P_EN);
+ if (dpi->conf->input_2p_en_bit) {
+ mtk_dpi_mask(dpi, DPI_CON, dpi->conf->input_2p_en_bit,
+ dpi->conf->input_2p_en_bit);
}
mtk_dpi_sw_reset(dpi, false);
@@ -1006,12 +1006,12 @@ static const struct mtk_dpi_conf mt8195_dpintf_conf = {
.output_fmts = mt8195_output_fmts,
.num_output_fmts = ARRAY_SIZE(mt8195_output_fmts),
.pixels_per_iter = 4,
- .input_2pixel = true,
.dimension_mask = DPINTF_HPW_MASK,
.hvsize_mask = DPINTF_HSIZE_MASK,
.channel_swap_shift = DPINTF_CH_SWAP,
.yuv422_en_bit = DPINTF_YUV422_EN,
.csc_enable_bit = DPINTF_CSC_ENABLE,
+ .input_2p_en_bit = DPINTF_INPUT_2P_EN,
};
static int mtk_dpi_probe(struct platform_device *pdev)
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 171/449] drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 170/449] drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 172/449] drm/rockchip: stop passing non struct drm_device to drm_err() and friends Greg Kroah-Hartman
` (284 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, CK Hu, AngeloGioacchino Del Regno,
Chun-Kuang Hu, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
[ Upstream commit 473c33f5ce651365468503c76f33158aaa1c7dd2 ]
In preparation for adding support for MT8195's HDMI reserved
DPI, add calls to clk_prepare_enable() / clk_disable_unprepare()
for the TVD clock: in this particular case, the aforementioned
clock is not (and cannot be) parented to neither pixel or engine
clocks hence it won't get enabled automatically by the clock
framework.
Please note that on all of the currently supported MediaTek
platforms, the TVD clock is always a parent of either pixel or
engine clocks, and this means that the common clock framework
is already enabling this clock before the children.
On such platforms, this commit will only increase the refcount
of the TVD clock without any functional change.
Reviewed-by: CK Hu <ck.hu@mediatek.com>
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20250217154836.108895-10-angelogioacchino.delregno@collabora.com/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/mediatek/mtk_dpi.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/gpu/drm/mediatek/mtk_dpi.c b/drivers/gpu/drm/mediatek/mtk_dpi.c
index c3fc85764c973..a12ef24c77423 100644
--- a/drivers/gpu/drm/mediatek/mtk_dpi.c
+++ b/drivers/gpu/drm/mediatek/mtk_dpi.c
@@ -471,6 +471,7 @@ static void mtk_dpi_power_off(struct mtk_dpi *dpi)
mtk_dpi_disable(dpi);
clk_disable_unprepare(dpi->pixel_clk);
+ clk_disable_unprepare(dpi->tvd_clk);
clk_disable_unprepare(dpi->engine_clk);
}
@@ -487,6 +488,12 @@ static int mtk_dpi_power_on(struct mtk_dpi *dpi)
goto err_refcount;
}
+ ret = clk_prepare_enable(dpi->tvd_clk);
+ if (ret) {
+ dev_err(dpi->dev, "Failed to enable tvd pll: %d\n", ret);
+ goto err_engine;
+ }
+
ret = clk_prepare_enable(dpi->pixel_clk);
if (ret) {
dev_err(dpi->dev, "Failed to enable pixel clock: %d\n", ret);
@@ -496,6 +503,8 @@ static int mtk_dpi_power_on(struct mtk_dpi *dpi)
return 0;
err_pixel:
+ clk_disable_unprepare(dpi->tvd_clk);
+err_engine:
clk_disable_unprepare(dpi->engine_clk);
err_refcount:
dpi->refcount--;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 172/449] drm/rockchip: stop passing non struct drm_device to drm_err() and friends
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 171/449] drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 173/449] PCI: Add Rockchip Vendor ID Greg Kroah-Hartman
` (283 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simona Vetter, Louis Chauvet,
Jani Nikula, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jani Nikula <jani.nikula@intel.com>
[ Upstream commit abeef1f9eaf9301cc98a6841dab5f72de5c95360 ]
The expectation is that the struct drm_device based logging helpers get
passed an actual struct drm_device pointer rather than some random
struct pointer where you can dereference the ->dev member.
Convert drm_err(hdmi, ...) to dev_err(hdmi->dev, ...). This matches
current usage, but drops "[drm] *ERROR*" prefix from logging.
Reviewed-by: Simona Vetter <simona.vetter@ffwll.ch>
Reviewed-by: Louis Chauvet <louis.chauvet@bootlin.com>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/f42da4c9943a2f2a9de4272b7849e72236d4c3f9.1737644530.git.jani.nikula@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c | 16 ++++++++--------
drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c | 16 ++++++++--------
2 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c b/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c
index e7a6669c46b07..f737e7d46e667 100644
--- a/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c
+++ b/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c
@@ -203,7 +203,7 @@ static int rockchip_hdmi_parse_dt(struct rockchip_hdmi *hdmi)
hdmi->regmap = syscon_regmap_lookup_by_phandle(np, "rockchip,grf");
if (IS_ERR(hdmi->regmap)) {
- drm_err(hdmi, "Unable to get rockchip,grf\n");
+ dev_err(hdmi->dev, "Unable to get rockchip,grf\n");
return PTR_ERR(hdmi->regmap);
}
@@ -214,7 +214,7 @@ static int rockchip_hdmi_parse_dt(struct rockchip_hdmi *hdmi)
if (IS_ERR(hdmi->ref_clk)) {
ret = PTR_ERR(hdmi->ref_clk);
if (ret != -EPROBE_DEFER)
- drm_err(hdmi, "failed to get reference clock\n");
+ dev_err(hdmi->dev, "failed to get reference clock\n");
return ret;
}
@@ -222,7 +222,7 @@ static int rockchip_hdmi_parse_dt(struct rockchip_hdmi *hdmi)
if (IS_ERR(hdmi->grf_clk)) {
ret = PTR_ERR(hdmi->grf_clk);
if (ret != -EPROBE_DEFER)
- drm_err(hdmi, "failed to get grf clock\n");
+ dev_err(hdmi->dev, "failed to get grf clock\n");
return ret;
}
@@ -302,16 +302,16 @@ static void dw_hdmi_rockchip_encoder_enable(struct drm_encoder *encoder)
ret = clk_prepare_enable(hdmi->grf_clk);
if (ret < 0) {
- drm_err(hdmi, "failed to enable grfclk %d\n", ret);
+ dev_err(hdmi->dev, "failed to enable grfclk %d\n", ret);
return;
}
ret = regmap_write(hdmi->regmap, hdmi->chip_data->lcdsel_grf_reg, val);
if (ret != 0)
- drm_err(hdmi, "Could not write to GRF: %d\n", ret);
+ dev_err(hdmi->dev, "Could not write to GRF: %d\n", ret);
clk_disable_unprepare(hdmi->grf_clk);
- drm_dbg(hdmi, "vop %s output to hdmi\n", ret ? "LIT" : "BIG");
+ dev_dbg(hdmi->dev, "vop %s output to hdmi\n", ret ? "LIT" : "BIG");
}
static int
@@ -574,7 +574,7 @@ static int dw_hdmi_rockchip_bind(struct device *dev, struct device *master,
ret = rockchip_hdmi_parse_dt(hdmi);
if (ret) {
if (ret != -EPROBE_DEFER)
- drm_err(hdmi, "Unable to parse OF data\n");
+ dev_err(hdmi->dev, "Unable to parse OF data\n");
return ret;
}
@@ -582,7 +582,7 @@ static int dw_hdmi_rockchip_bind(struct device *dev, struct device *master,
if (IS_ERR(hdmi->phy)) {
ret = PTR_ERR(hdmi->phy);
if (ret != -EPROBE_DEFER)
- drm_err(hdmi, "failed to get phy\n");
+ dev_err(hdmi->dev, "failed to get phy\n");
return ret;
}
diff --git a/drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c b/drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c
index cebd72bf1ef25..6bbc84c5d716d 100644
--- a/drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c
+++ b/drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c
@@ -170,7 +170,7 @@ static void dw_hdmi_qp_rk3588_hpd_work(struct work_struct *work)
if (drm) {
changed = drm_helper_hpd_irq_event(drm);
if (changed)
- drm_dbg(hdmi, "connector status changed\n");
+ dev_dbg(hdmi->dev, "connector status changed\n");
}
}
@@ -287,7 +287,7 @@ static int dw_hdmi_qp_rockchip_bind(struct device *dev, struct device *master,
}
}
if (hdmi->port_id < 0) {
- drm_err(hdmi, "Failed to match HDMI port ID\n");
+ dev_err(hdmi->dev, "Failed to match HDMI port ID\n");
return hdmi->port_id;
}
@@ -311,20 +311,20 @@ static int dw_hdmi_qp_rockchip_bind(struct device *dev, struct device *master,
hdmi->regmap = syscon_regmap_lookup_by_phandle(dev->of_node,
"rockchip,grf");
if (IS_ERR(hdmi->regmap)) {
- drm_err(hdmi, "Unable to get rockchip,grf\n");
+ dev_err(hdmi->dev, "Unable to get rockchip,grf\n");
return PTR_ERR(hdmi->regmap);
}
hdmi->vo_regmap = syscon_regmap_lookup_by_phandle(dev->of_node,
"rockchip,vo-grf");
if (IS_ERR(hdmi->vo_regmap)) {
- drm_err(hdmi, "Unable to get rockchip,vo-grf\n");
+ dev_err(hdmi->dev, "Unable to get rockchip,vo-grf\n");
return PTR_ERR(hdmi->vo_regmap);
}
ret = devm_clk_bulk_get_all_enabled(hdmi->dev, &clks);
if (ret < 0) {
- drm_err(hdmi, "Failed to get clocks: %d\n", ret);
+ dev_err(hdmi->dev, "Failed to get clocks: %d\n", ret);
return ret;
}
@@ -332,7 +332,7 @@ static int dw_hdmi_qp_rockchip_bind(struct device *dev, struct device *master,
GPIOD_OUT_HIGH);
if (IS_ERR(hdmi->enable_gpio)) {
ret = PTR_ERR(hdmi->enable_gpio);
- drm_err(hdmi, "Failed to request enable GPIO: %d\n", ret);
+ dev_err(hdmi->dev, "Failed to request enable GPIO: %d\n", ret);
return ret;
}
@@ -340,7 +340,7 @@ static int dw_hdmi_qp_rockchip_bind(struct device *dev, struct device *master,
if (IS_ERR(hdmi->phy)) {
ret = PTR_ERR(hdmi->phy);
if (ret != -EPROBE_DEFER)
- drm_err(hdmi, "failed to get phy: %d\n", ret);
+ dev_err(hdmi->dev, "failed to get phy: %d\n", ret);
return ret;
}
@@ -403,7 +403,7 @@ static int dw_hdmi_qp_rockchip_bind(struct device *dev, struct device *master,
connector = drm_bridge_connector_init(drm, encoder);
if (IS_ERR(connector)) {
ret = PTR_ERR(connector);
- drm_err(hdmi, "failed to init bridge connector: %d\n", ret);
+ dev_err(hdmi->dev, "failed to init bridge connector: %d\n", ret);
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 173/449] PCI: Add Rockchip Vendor ID
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 172/449] drm/rockchip: stop passing non struct drm_device to drm_err() and friends Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 174/449] drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() Greg Kroah-Hartman
` (282 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shawn Lin, Niklas Cassel,
Bjorn Helgaas, Krzysztof Wilczyński, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shawn Lin <shawn.lin@rock-chips.com>
[ Upstream commit 20bbb083bbc9d3f8db390f2e35e168f1b23dae8a ]
Move PCI_VENDOR_ID_ROCKCHIP from pci_endpoint_test.c to pci_ids.h and
reuse it in pcie-rockchip-host.c.
Link: https://lore.kernel.org/r/20250218092120.2322784-2-cassel@kernel.org
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/pci_endpoint_test.c | 1 -
drivers/pci/controller/pcie-rockchip-host.c | 2 +-
drivers/pci/controller/pcie-rockchip.h | 1 -
include/linux/pci_ids.h | 2 ++
4 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/misc/pci_endpoint_test.c b/drivers/misc/pci_endpoint_test.c
index 9dac7cbe8748c..57e0f618fee5e 100644
--- a/drivers/misc/pci_endpoint_test.c
+++ b/drivers/misc/pci_endpoint_test.c
@@ -88,7 +88,6 @@
#define PCI_DEVICE_ID_RENESAS_R8A774E1 0x0025
#define PCI_DEVICE_ID_RENESAS_R8A779F0 0x0031
-#define PCI_VENDOR_ID_ROCKCHIP 0x1d87
#define PCI_DEVICE_ID_ROCKCHIP_RK3588 0x3588
static DEFINE_IDA(pci_endpoint_test_ida);
diff --git a/drivers/pci/controller/pcie-rockchip-host.c b/drivers/pci/controller/pcie-rockchip-host.c
index 5adac6adc046f..6a46be17aa91b 100644
--- a/drivers/pci/controller/pcie-rockchip-host.c
+++ b/drivers/pci/controller/pcie-rockchip-host.c
@@ -367,7 +367,7 @@ static int rockchip_pcie_host_init_port(struct rockchip_pcie *rockchip)
}
}
- rockchip_pcie_write(rockchip, ROCKCHIP_VENDOR_ID,
+ rockchip_pcie_write(rockchip, PCI_VENDOR_ID_ROCKCHIP,
PCIE_CORE_CONFIG_VENDOR);
rockchip_pcie_write(rockchip,
PCI_CLASS_BRIDGE_PCI_NORMAL << 8,
diff --git a/drivers/pci/controller/pcie-rockchip.h b/drivers/pci/controller/pcie-rockchip.h
index 11def598534b2..14954f43e5e9a 100644
--- a/drivers/pci/controller/pcie-rockchip.h
+++ b/drivers/pci/controller/pcie-rockchip.h
@@ -200,7 +200,6 @@
#define AXI_WRAPPER_NOR_MSG 0xc
#define PCIE_RC_SEND_PME_OFF 0x11960
-#define ROCKCHIP_VENDOR_ID 0x1d87
#define PCIE_LINK_IS_L2(x) \
(((x) & PCIE_CLIENT_DEBUG_LTSSM_MASK) == PCIE_CLIENT_DEBUG_LTSSM_L2)
#define PCIE_LINK_TRAINING_DONE(x) \
diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h
index 1a2594a38199f..2a9ca3dbaa0e9 100644
--- a/include/linux/pci_ids.h
+++ b/include/linux/pci_ids.h
@@ -2609,6 +2609,8 @@
#define PCI_VENDOR_ID_ZHAOXIN 0x1d17
+#define PCI_VENDOR_ID_ROCKCHIP 0x1d87
+
#define PCI_VENDOR_ID_HYGON 0x1d94
#define PCI_VENDOR_ID_META 0x1d9b
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 174/449] drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 173/449] PCI: Add Rockchip Vendor ID Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 175/449] drm/amd/display: Prevent VStartup Overflow Greg Kroah-Hartman
` (281 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Alex Deucher,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
[ Upstream commit 1435e895d4fc967d64e9f5bf81e992ac32f5ac76 ]
Add error handling to propagate amdgpu_cgs_create_device() failures
to the caller. When amdgpu_cgs_create_device() fails, release hwmgr
and return -ENOMEM to prevent null pointer dereference.
[v1]->[v2]: Change error code from -EINVAL to -ENOMEM. Free hwmgr.
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
index 686345f75f264..6cd327fecebbc 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
@@ -51,6 +51,11 @@ static int amd_powerplay_create(struct amdgpu_device *adev)
hwmgr->adev = adev;
hwmgr->not_vf = !amdgpu_sriov_vf(adev);
hwmgr->device = amdgpu_cgs_create_device(adev);
+ if (!hwmgr->device) {
+ kfree(hwmgr);
+ return -ENOMEM;
+ }
+
mutex_init(&hwmgr->msg_lock);
hwmgr->chip_family = adev->family;
hwmgr->chip_id = adev->asic_type;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 175/449] drm/amd/display: Prevent VStartup Overflow
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 174/449] drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 176/449] PCI: Enable Configuration RRS SV early Greg Kroah-Hartman
` (280 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dillon Varone, Ryan Seto, Tom Chung,
Daniel Wheeler, Alex Deucher, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryan Seto <ryanseto@amd.com>
[ Upstream commit 29c1c20496a7a9bafe2bc2f833d69aa52e0f2c2d ]
[Why]
For some VR headsets with large blanks, it's possible
to overflow the OTG_VSTARTUP_PARAM:VSTARTUP_START
register. This can lead to incorrect DML calculations
and underflow downstream.
[How]
Min the calcualted max_vstartup_lines with the max
value of the register.
Reviewed-by: Dillon Varone <dillon.varone@amd.com>
Signed-off-by: Ryan Seto <ryanseto@amd.com>
Signed-off-by: Tom Chung <chiahsuan.chung@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c b/drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c
index 8ed49a9df3780..c1ff869512f27 100644
--- a/drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c
+++ b/drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c
@@ -15,6 +15,7 @@
//#define DML_MODE_SUPPORT_USE_DPM_DRAM_BW
//#define DML_GLOBAL_PREFETCH_CHECK
#define ALLOW_SDPIF_RATE_LIMIT_PRE_CSTATE
+#define DML_MAX_VSTARTUP_START 1023
const char *dml2_core_internal_bw_type_str(enum dml2_core_internal_bw_type bw_type)
{
@@ -3726,6 +3727,7 @@ static unsigned int CalculateMaxVStartup(
dml2_printf("DML::%s: vblank_avail = %u\n", __func__, vblank_avail);
dml2_printf("DML::%s: max_vstartup_lines = %u\n", __func__, max_vstartup_lines);
#endif
+ max_vstartup_lines = (unsigned int)math_min2(max_vstartup_lines, DML_MAX_VSTARTUP_START);
return max_vstartup_lines;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 176/449] PCI: Enable Configuration RRS SV early
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 175/449] drm/amd/display: Prevent VStartup Overflow Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 177/449] drm/amdgpu: Fix the race condition for draining retry fault Greg Kroah-Hartman
` (279 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bjorn Helgaas, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Helgaas <bhelgaas@google.com>
[ Upstream commit 3f8c4959fc18e477801386a625e726c59f52a2c4 ]
Following a reset, a Function may respond to Config Requests with Request
Retry Status (RRS) Completion Status to indicate that it is temporarily
unable to process the Request, but will be able to process the Request in
the future (PCIe r6.0, sec 2.3.1).
If the Configuration RRS Software Visibility feature is enabled and a Root
Complex receives RRS for a config read of the Vendor ID, the Root Complex
completes the Request to the host by returning PCI_VENDOR_ID_PCI_SIG,
0x0001 (sec 2.3.2).
The Config RRS SV feature applies only to Root Ports and is not directly
related to pci_scan_bridge_extend(). Move the RRS SV enable to
set_pcie_port_type() where we handle other PCIe-specific configuration.
Link: https://lore.kernel.org/r/20250303210217.199504-1-helgaas@kernel.org
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/probe.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index 0154b48bfbd7b..b4093f470d2d8 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -1373,8 +1373,6 @@ static int pci_scan_bridge_extend(struct pci_bus *bus, struct pci_dev *dev,
pci_write_config_word(dev, PCI_BRIDGE_CONTROL,
bctl & ~PCI_BRIDGE_CTL_MASTER_ABORT);
- pci_enable_rrs_sv(dev);
-
if ((secondary || subordinate) && !pcibios_assign_all_busses() &&
!is_cardbus && !broken) {
unsigned int cmax, buses;
@@ -1615,6 +1613,11 @@ void set_pcie_port_type(struct pci_dev *pdev)
pdev->pcie_cap = pos;
pci_read_config_word(pdev, pos + PCI_EXP_FLAGS, ®16);
pdev->pcie_flags_reg = reg16;
+
+ type = pci_pcie_type(pdev);
+ if (type == PCI_EXP_TYPE_ROOT_PORT)
+ pci_enable_rrs_sv(pdev);
+
pci_read_config_dword(pdev, pos + PCI_EXP_DEVCAP, &pdev->devcap);
pdev->pcie_mpss = FIELD_GET(PCI_EXP_DEVCAP_PAYLOAD, pdev->devcap);
@@ -1631,7 +1634,6 @@ void set_pcie_port_type(struct pci_dev *pdev)
* correctly so detect impossible configurations here and correct
* the port type accordingly.
*/
- type = pci_pcie_type(pdev);
if (type == PCI_EXP_TYPE_DOWNSTREAM) {
/*
* If pdev claims to be downstream port but the parent
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 177/449] drm/amdgpu: Fix the race condition for draining retry fault
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 176/449] PCI: Enable Configuration RRS SV early Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 178/449] PCI: Check BAR index for validity Greg Kroah-Hartman
` (278 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Emily Deng, Felix Kuehling,
Alex Deucher, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Emily Deng <Emily.Deng@amd.com>
[ Upstream commit f844732e3ad9c4b78df7436232949b8d2096d1a6 ]
Issue:
In the scenario where svm_range_restore_pages is called, but
svm->checkpoint_ts has not been set and the retry fault has not been
drained, svm_range_unmap_from_cpu is triggered and calls svm_range_free.
Meanwhile, svm_range_restore_pages continues execution and reaches
svm_range_from_addr. This results in a "failed to find prange..." error,
causing the page recovery to fail.
How to fix:
Move the timestamp check code under the protection of svm->lock.
v2:
Make sure all right locks are released before go out.
v3:
Directly goto out_unlock_svms, and return -EAGAIN.
v4:
Refine code.
Signed-off-by: Emily Deng <Emily.Deng@amd.com>
Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 31 +++++++++++++++-------------
1 file changed, 17 insertions(+), 14 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
index 9477a4adcd36d..d1cf9dd352904 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
@@ -3002,19 +3002,6 @@ svm_range_restore_pages(struct amdgpu_device *adev, unsigned int pasid,
goto out;
}
- /* check if this page fault time stamp is before svms->checkpoint_ts */
- if (svms->checkpoint_ts[gpuidx] != 0) {
- if (amdgpu_ih_ts_after(ts, svms->checkpoint_ts[gpuidx])) {
- pr_debug("draining retry fault, drop fault 0x%llx\n", addr);
- r = 0;
- goto out;
- } else
- /* ts is after svms->checkpoint_ts now, reset svms->checkpoint_ts
- * to zero to avoid following ts wrap around give wrong comparing
- */
- svms->checkpoint_ts[gpuidx] = 0;
- }
-
if (!p->xnack_enabled) {
pr_debug("XNACK not enabled for pasid 0x%x\n", pasid);
r = -EFAULT;
@@ -3034,6 +3021,21 @@ svm_range_restore_pages(struct amdgpu_device *adev, unsigned int pasid,
mmap_read_lock(mm);
retry_write_locked:
mutex_lock(&svms->lock);
+
+ /* check if this page fault time stamp is before svms->checkpoint_ts */
+ if (svms->checkpoint_ts[gpuidx] != 0) {
+ if (amdgpu_ih_ts_after(ts, svms->checkpoint_ts[gpuidx])) {
+ pr_debug("draining retry fault, drop fault 0x%llx\n", addr);
+ r = -EAGAIN;
+ goto out_unlock_svms;
+ } else {
+ /* ts is after svms->checkpoint_ts now, reset svms->checkpoint_ts
+ * to zero to avoid following ts wrap around give wrong comparing
+ */
+ svms->checkpoint_ts[gpuidx] = 0;
+ }
+ }
+
prange = svm_range_from_addr(svms, addr, NULL);
if (!prange) {
pr_debug("failed to find prange svms 0x%p address [0x%llx]\n",
@@ -3159,7 +3161,8 @@ svm_range_restore_pages(struct amdgpu_device *adev, unsigned int pasid,
mutex_unlock(&svms->lock);
mmap_read_unlock(mm);
- svm_range_count_fault(node, p, gpuidx);
+ if (r != -EAGAIN)
+ svm_range_count_fault(node, p, gpuidx);
mmput(mm);
out:
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 178/449] PCI: Check BAR index for validity
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 177/449] drm/amdgpu: Fix the race condition for draining retry fault Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 179/449] PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type Greg Kroah-Hartman
` (277 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bingbu Cao, Philipp Stanner,
Krzysztof Wilczyński, Bjorn Helgaas, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philipp Stanner <phasta@kernel.org>
[ Upstream commit b1a7f99967fc0c052db8e65b449c7b32b1e9177f ]
Many functions in PCI use accessor macros such as pci_resource_len(),
which take a BAR index. That index, however, is never checked for
validity, potentially resulting in undefined behavior by overflowing the
array pci_dev.resource in the macro pci_resource_n().
Since many users of those macros directly assign the accessed value to
an unsigned integer, the macros cannot be changed easily anymore to
return -EINVAL for invalid indexes. Consequently, the problem has to be
mitigated in higher layers.
Add pci_bar_index_valid(). Use it where appropriate.
Link: https://lore.kernel.org/r/20250312080634.13731-4-phasta@kernel.org
Closes: https://lore.kernel.org/all/adb53b1f-29e1-3d14-0e61-351fd2d3ff0d@linux.intel.com/
Reported-by: Bingbu Cao <bingbu.cao@linux.intel.com>
Signed-off-by: Philipp Stanner <phasta@kernel.org>
[kwilczynski: correct if-statement condition the pci_bar_index_is_valid()
helper function uses, tidy up code comments]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
[bhelgaas: fix typo]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/devres.c | 16 ++++++++++++++--
drivers/pci/iomap.c | 29 +++++++++++++++++++++--------
drivers/pci/pci.c | 6 ++++++
drivers/pci/pci.h | 16 ++++++++++++++++
4 files changed, 57 insertions(+), 10 deletions(-)
diff --git a/drivers/pci/devres.c b/drivers/pci/devres.c
index 3431a7df3e0d9..d2c09589c537e 100644
--- a/drivers/pci/devres.c
+++ b/drivers/pci/devres.c
@@ -577,7 +577,7 @@ static int pcim_add_mapping_to_legacy_table(struct pci_dev *pdev,
{
void __iomem **legacy_iomap_table;
- if (bar >= PCI_STD_NUM_BARS)
+ if (!pci_bar_index_is_valid(bar))
return -EINVAL;
legacy_iomap_table = (void __iomem **)pcim_iomap_table(pdev);
@@ -622,7 +622,7 @@ static void pcim_remove_bar_from_legacy_table(struct pci_dev *pdev, int bar)
{
void __iomem **legacy_iomap_table;
- if (bar >= PCI_STD_NUM_BARS)
+ if (!pci_bar_index_is_valid(bar))
return;
legacy_iomap_table = (void __iomem **)pcim_iomap_table(pdev);
@@ -655,6 +655,9 @@ void __iomem *pcim_iomap(struct pci_dev *pdev, int bar, unsigned long maxlen)
void __iomem *mapping;
struct pcim_addr_devres *res;
+ if (!pci_bar_index_is_valid(bar))
+ return NULL;
+
res = pcim_addr_devres_alloc(pdev);
if (!res)
return NULL;
@@ -722,6 +725,9 @@ void __iomem *pcim_iomap_region(struct pci_dev *pdev, int bar,
int ret;
struct pcim_addr_devres *res;
+ if (!pci_bar_index_is_valid(bar))
+ return IOMEM_ERR_PTR(-EINVAL);
+
res = pcim_addr_devres_alloc(pdev);
if (!res)
return IOMEM_ERR_PTR(-ENOMEM);
@@ -823,6 +829,9 @@ static int _pcim_request_region(struct pci_dev *pdev, int bar, const char *name,
int ret;
struct pcim_addr_devres *res;
+ if (!pci_bar_index_is_valid(bar))
+ return -EINVAL;
+
res = pcim_addr_devres_alloc(pdev);
if (!res)
return -ENOMEM;
@@ -991,6 +1000,9 @@ void __iomem *pcim_iomap_range(struct pci_dev *pdev, int bar,
void __iomem *mapping;
struct pcim_addr_devres *res;
+ if (!pci_bar_index_is_valid(bar))
+ return IOMEM_ERR_PTR(-EINVAL);
+
res = pcim_addr_devres_alloc(pdev);
if (!res)
return IOMEM_ERR_PTR(-ENOMEM);
diff --git a/drivers/pci/iomap.c b/drivers/pci/iomap.c
index 9fb7cacc15cde..fe706ed946dfd 100644
--- a/drivers/pci/iomap.c
+++ b/drivers/pci/iomap.c
@@ -9,6 +9,8 @@
#include <linux/export.h>
+#include "pci.h" /* for pci_bar_index_is_valid() */
+
/**
* pci_iomap_range - create a virtual mapping cookie for a PCI BAR
* @dev: PCI device that owns the BAR
@@ -33,12 +35,19 @@ void __iomem *pci_iomap_range(struct pci_dev *dev,
unsigned long offset,
unsigned long maxlen)
{
- resource_size_t start = pci_resource_start(dev, bar);
- resource_size_t len = pci_resource_len(dev, bar);
- unsigned long flags = pci_resource_flags(dev, bar);
+ resource_size_t start, len;
+ unsigned long flags;
+
+ if (!pci_bar_index_is_valid(bar))
+ return NULL;
+
+ start = pci_resource_start(dev, bar);
+ len = pci_resource_len(dev, bar);
+ flags = pci_resource_flags(dev, bar);
if (len <= offset || !start)
return NULL;
+
len -= offset;
start += offset;
if (maxlen && len > maxlen)
@@ -77,16 +86,20 @@ void __iomem *pci_iomap_wc_range(struct pci_dev *dev,
unsigned long offset,
unsigned long maxlen)
{
- resource_size_t start = pci_resource_start(dev, bar);
- resource_size_t len = pci_resource_len(dev, bar);
- unsigned long flags = pci_resource_flags(dev, bar);
+ resource_size_t start, len;
+ unsigned long flags;
-
- if (flags & IORESOURCE_IO)
+ if (!pci_bar_index_is_valid(bar))
return NULL;
+ start = pci_resource_start(dev, bar);
+ len = pci_resource_len(dev, bar);
+ flags = pci_resource_flags(dev, bar);
+
if (len <= offset || !start)
return NULL;
+ if (flags & IORESOURCE_IO)
+ return NULL;
len -= offset;
start += offset;
diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index 3e78cf86ef03b..3152750aab2fc 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -3929,6 +3929,9 @@ EXPORT_SYMBOL(pci_enable_atomic_ops_to_root);
*/
void pci_release_region(struct pci_dev *pdev, int bar)
{
+ if (!pci_bar_index_is_valid(bar))
+ return;
+
/*
* This is done for backwards compatibility, because the old PCI devres
* API had a mode in which the function became managed if it had been
@@ -3973,6 +3976,9 @@ EXPORT_SYMBOL(pci_release_region);
static int __pci_request_region(struct pci_dev *pdev, int bar,
const char *name, int exclusive)
{
+ if (!pci_bar_index_is_valid(bar))
+ return -EINVAL;
+
if (pci_is_managed(pdev)) {
if (exclusive == IORESOURCE_EXCLUSIVE)
return pcim_request_region_exclusive(pdev, bar, name);
diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
index 01e51db8d285a..d22755de688b8 100644
--- a/drivers/pci/pci.h
+++ b/drivers/pci/pci.h
@@ -167,6 +167,22 @@ static inline void pci_wakeup_event(struct pci_dev *dev)
pm_wakeup_event(&dev->dev, 100);
}
+/**
+ * pci_bar_index_is_valid - Check whether a BAR index is within valid range
+ * @bar: BAR index
+ *
+ * Protects against overflowing &struct pci_dev.resource array.
+ *
+ * Return: true for valid index, false otherwise.
+ */
+static inline bool pci_bar_index_is_valid(int bar)
+{
+ if (bar >= 0 && bar < PCI_NUM_RESOURCES)
+ return true;
+
+ return false;
+}
+
static inline bool pci_has_subordinate(struct pci_dev *pci_dev)
{
return !!(pci_dev->subordinate);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 179/449] PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 178/449] PCI: Check BAR index for validity Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 180/449] drm/amdgpu: grab an additional reference on the gang fence v2 Greg Kroah-Hartman
` (276 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryo Takakura,
Luis Claudio R. Goncalves, Sebastian Andrzej Siewior,
Krzysztof Wilczyński, Bjorn Helgaas, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryo Takakura <ryotkkr98@gmail.com>
[ Upstream commit 18056a48669a040bef491e63b25896561ee14d90 ]
The access to the PCI config space via pci_ops::read and pci_ops::write is
a low-level hardware access. The functions can be accessed with disabled
interrupts even on PREEMPT_RT. The pci_lock is a raw_spinlock_t for this
purpose.
A spinlock_t becomes a sleeping lock on PREEMPT_RT, so it cannot be
acquired with disabled interrupts. The vmd_dev::cfg_lock is accessed in
the same context as the pci_lock.
Make vmd_dev::cfg_lock a raw_spinlock_t type so it can be used with
interrupts disabled.
This was reported as:
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
Call Trace:
rt_spin_lock+0x4e/0x130
vmd_pci_read+0x8d/0x100 [vmd]
pci_user_read_config_byte+0x6f/0xe0
pci_read_config+0xfe/0x290
sysfs_kf_bin_read+0x68/0x90
Signed-off-by: Ryo Takakura <ryotkkr98@gmail.com>
Tested-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
Acked-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
[bigeasy: reword commit message]
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Tested-off-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
Link: https://lore.kernel.org/r/20250218080830.ufw3IgyX@linutronix.de
[kwilczynski: commit log]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
[bhelgaas: add back report info from
https://lore.kernel.org/lkml/20241218115951.83062-1-ryotkkr98@gmail.com/]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/vmd.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/pci/controller/vmd.c b/drivers/pci/controller/vmd.c
index 9d9596947350f..94ceec50a2b94 100644
--- a/drivers/pci/controller/vmd.c
+++ b/drivers/pci/controller/vmd.c
@@ -125,7 +125,7 @@ struct vmd_irq_list {
struct vmd_dev {
struct pci_dev *dev;
- spinlock_t cfg_lock;
+ raw_spinlock_t cfg_lock;
void __iomem *cfgbar;
int msix_count;
@@ -391,7 +391,7 @@ static int vmd_pci_read(struct pci_bus *bus, unsigned int devfn, int reg,
if (!addr)
return -EFAULT;
- spin_lock_irqsave(&vmd->cfg_lock, flags);
+ raw_spin_lock_irqsave(&vmd->cfg_lock, flags);
switch (len) {
case 1:
*value = readb(addr);
@@ -406,7 +406,7 @@ static int vmd_pci_read(struct pci_bus *bus, unsigned int devfn, int reg,
ret = -EINVAL;
break;
}
- spin_unlock_irqrestore(&vmd->cfg_lock, flags);
+ raw_spin_unlock_irqrestore(&vmd->cfg_lock, flags);
return ret;
}
@@ -426,7 +426,7 @@ static int vmd_pci_write(struct pci_bus *bus, unsigned int devfn, int reg,
if (!addr)
return -EFAULT;
- spin_lock_irqsave(&vmd->cfg_lock, flags);
+ raw_spin_lock_irqsave(&vmd->cfg_lock, flags);
switch (len) {
case 1:
writeb(value, addr);
@@ -444,7 +444,7 @@ static int vmd_pci_write(struct pci_bus *bus, unsigned int devfn, int reg,
ret = -EINVAL;
break;
}
- spin_unlock_irqrestore(&vmd->cfg_lock, flags);
+ raw_spin_unlock_irqrestore(&vmd->cfg_lock, flags);
return ret;
}
@@ -1009,7 +1009,7 @@ static int vmd_probe(struct pci_dev *dev, const struct pci_device_id *id)
if (features & VMD_FEAT_OFFSET_FIRST_VECTOR)
vmd->first_vec = 1;
- spin_lock_init(&vmd->cfg_lock);
+ raw_spin_lock_init(&vmd->cfg_lock);
pci_set_drvdata(dev, vmd);
err = vmd_enable_domain(vmd, features);
if (err)
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 180/449] drm/amdgpu: grab an additional reference on the gang fence v2
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 179/449] PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 181/449] s390/pci: Support mmap() of PCI resources except for ISM devices Greg Kroah-Hartman
` (275 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König,
Srinivasan Shanmugam, Alex Deucher, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian König <christian.koenig@amd.com>
[ Upstream commit 0d9a95099dcb05b5f4719c830d15bf4fdcad0dc2 ]
We keep the gang submission fence around in adev, make sure that it
stays alive.
v2: fix memory leak on retry
Signed-off-by: Christian König <christian.koenig@amd.com>
Acked-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
index f5909977eed4b..9a8f6cb2b8360 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -6851,18 +6851,26 @@ struct dma_fence *amdgpu_device_switch_gang(struct amdgpu_device *adev,
{
struct dma_fence *old = NULL;
+ dma_fence_get(gang);
do {
dma_fence_put(old);
old = amdgpu_device_get_gang(adev);
if (old == gang)
break;
- if (!dma_fence_is_signaled(old))
+ if (!dma_fence_is_signaled(old)) {
+ dma_fence_put(gang);
return old;
+ }
} while (cmpxchg((struct dma_fence __force **)&adev->gang_submit,
old, gang) != old);
+ /*
+ * Drop it once for the exchanged reference in adev and once for the
+ * thread local reference acquired in amdgpu_device_get_gang().
+ */
+ dma_fence_put(old);
dma_fence_put(old);
return NULL;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 181/449] s390/pci: Support mmap() of PCI resources except for ISM devices
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 180/449] drm/amdgpu: grab an additional reference on the gang fence v2 Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 182/449] fbdev: omapfb: Add plane value check Greg Kroah-Hartman
` (274 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Schnelle, Bjorn Helgaas,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Schnelle <schnelle@linux.ibm.com>
[ Upstream commit aa9f168d55dc47c0de564f7dfe0e90467c9fee71 ]
So far s390 does not allow mmap() of PCI resources to user-space via the
usual mechanisms, though it does use it for RDMA. For the PCI sysfs
resource files and /proc/bus/pci it defines neither HAVE_PCI_MMAP nor
ARCH_GENERIC_PCI_MMAP_RESOURCE. For vfio-pci s390 previously relied on
disabled VFIO_PCI_MMAP and now relies on setting pdev->non_mappable_bars
for all devices.
This is partly because access to mapped PCI resources from user-space
requires special PCI load/store memory-I/O (MIO) instructions, or the
special MMIO syscalls when these are not available. Still, such access is
possible and useful not just for RDMA, in fact not being able to mmap() PCI
resources has previously caused extra work when testing devices.
One thing that doesn't work with PCI resources mapped to user-space though
is the s390 specific virtual ISM device. Not only because the BAR size of
256 TiB prevents mapping the whole BAR but also because access requires use
of the legacy PCI instructions which are not accessible to user-space on
systems with the newer MIO PCI instructions.
Now with the pdev->non_mappable_bars flag ISM can be excluded from mapping
its resources while making this functionality available for all other PCI
devices. To this end introduce a minimal implementation of PCI_QUIRKS and
use that to set pdev->non_mappable_bars for ISM devices only. Then also set
ARCH_GENERIC_PCI_MMAP_RESOURCE to take advantage of the generic
implementation of pci_mmap_resource_range() enabling only the newer sysfs
mmap() interface. This follows the recommendation in
Documentation/PCI/sysfs-pci.rst.
Link: https://lore.kernel.org/r/20250226-vfio_pci_mmap-v7-3-c5c0f1d26efd@linux.ibm.com
Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/Kconfig | 4 +---
arch/s390/include/asm/pci.h | 3 +++
arch/s390/pci/Makefile | 2 +-
arch/s390/pci/pci_fixup.c | 23 +++++++++++++++++++++++
drivers/s390/net/ism_drv.c | 1 -
include/linux/pci_ids.h | 1 +
6 files changed, 29 insertions(+), 5 deletions(-)
create mode 100644 arch/s390/pci/pci_fixup.c
diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
index 9c9ec08d78c71..e48741e001476 100644
--- a/arch/s390/Kconfig
+++ b/arch/s390/Kconfig
@@ -41,9 +41,6 @@ config AUDIT_ARCH
config NO_IOPORT_MAP
def_bool y
-config PCI_QUIRKS
- def_bool n
-
config ARCH_SUPPORTS_UPROBES
def_bool y
@@ -258,6 +255,7 @@ config S390
select PCI_DOMAINS if PCI
select PCI_MSI if PCI
select PCI_MSI_ARCH_FALLBACKS if PCI_MSI
+ select PCI_QUIRKS if PCI
select SPARSE_IRQ
select SWIOTLB
select SYSCTL_EXCEPTION_TRACE
diff --git a/arch/s390/include/asm/pci.h b/arch/s390/include/asm/pci.h
index 474e1f8d1d3c2..d2086af3434c0 100644
--- a/arch/s390/include/asm/pci.h
+++ b/arch/s390/include/asm/pci.h
@@ -11,6 +11,9 @@
#include <asm/pci_insn.h>
#include <asm/sclp.h>
+#define ARCH_GENERIC_PCI_MMAP_RESOURCE 1
+#define arch_can_pci_mmap_wc() 1
+
#define PCIBIOS_MIN_IO 0x1000
#define PCIBIOS_MIN_MEM 0x10000000
diff --git a/arch/s390/pci/Makefile b/arch/s390/pci/Makefile
index df73c5182990a..1810e0944a4ed 100644
--- a/arch/s390/pci/Makefile
+++ b/arch/s390/pci/Makefile
@@ -5,6 +5,6 @@
obj-$(CONFIG_PCI) += pci.o pci_irq.o pci_clp.o \
pci_event.o pci_debug.o pci_insn.o pci_mmio.o \
- pci_bus.o pci_kvm_hook.o pci_report.o
+ pci_bus.o pci_kvm_hook.o pci_report.o pci_fixup.o
obj-$(CONFIG_PCI_IOV) += pci_iov.o
obj-$(CONFIG_SYSFS) += pci_sysfs.o
diff --git a/arch/s390/pci/pci_fixup.c b/arch/s390/pci/pci_fixup.c
new file mode 100644
index 0000000000000..35688b6450983
--- /dev/null
+++ b/arch/s390/pci/pci_fixup.c
@@ -0,0 +1,23 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Exceptions for specific devices,
+ *
+ * Copyright IBM Corp. 2025
+ *
+ * Author(s):
+ * Niklas Schnelle <schnelle@linux.ibm.com>
+ */
+#include <linux/pci.h>
+
+static void zpci_ism_bar_no_mmap(struct pci_dev *pdev)
+{
+ /*
+ * ISM's BAR is special. Drivers written for ISM know
+ * how to handle this but others need to be aware of their
+ * special nature e.g. to prevent attempts to mmap() it.
+ */
+ pdev->non_mappable_bars = 1;
+}
+DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_IBM,
+ PCI_DEVICE_ID_IBM_ISM,
+ zpci_ism_bar_no_mmap);
diff --git a/drivers/s390/net/ism_drv.c b/drivers/s390/net/ism_drv.c
index 2f34761e64135..60ed70a39d2cc 100644
--- a/drivers/s390/net/ism_drv.c
+++ b/drivers/s390/net/ism_drv.c
@@ -20,7 +20,6 @@
MODULE_DESCRIPTION("ISM driver for s390");
MODULE_LICENSE("GPL");
-#define PCI_DEVICE_ID_IBM_ISM 0x04ED
#define DRV_NAME "ism"
static const struct pci_device_id ism_device_table[] = {
diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h
index 2a9ca3dbaa0e9..5bd122a9afdc6 100644
--- a/include/linux/pci_ids.h
+++ b/include/linux/pci_ids.h
@@ -518,6 +518,7 @@
#define PCI_DEVICE_ID_IBM_ICOM_V2_ONE_PORT_RVX_ONE_PORT_MDM 0x0251
#define PCI_DEVICE_ID_IBM_ICOM_V2_ONE_PORT_RVX_ONE_PORT_MDM_PCIE 0x0361
#define PCI_DEVICE_ID_IBM_ICOM_FOUR_PORT_MODEL 0x252
+#define PCI_DEVICE_ID_IBM_ISM 0x04ed
#define PCI_SUBVENDOR_ID_IBM 0x1014
#define PCI_SUBDEVICE_ID_IBM_SATURN_SERIAL_ONE_PORT 0x03d4
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 182/449] fbdev: omapfb: Add plane value check
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 181/449] s390/pci: Support mmap() of PCI resources except for ISM devices Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 183/449] tracing: probe-events: Log error for exceeding the number of arguments Greg Kroah-Hartman
` (273 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leonid Arapov, Helge Deller,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leonid Arapov <arapovl839@gmail.com>
[ Upstream commit 3e411827f31db7f938a30a3c7a7599839401ec30 ]
Function dispc_ovl_setup is not intended to work with the value OMAP_DSS_WB
of the enum parameter plane.
The value of this parameter is initialized in dss_init_overlays and in the
current state of the code it cannot take this value so it's not a real
problem.
For the purposes of defensive coding it wouldn't be superfluous to check
the parameter value, because some functions down the call stack process
this value correctly and some not.
For example, in dispc_ovl_setup_global_alpha it may lead to buffer
overflow.
Add check for this value.
Found by Linux Verification Center (linuxtesting.org) with SVACE static
analysis tool.
Signed-off-by: Leonid Arapov <arapovl839@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dispc.c b/drivers/video/fbdev/omap2/omapfb/dss/dispc.c
index ccb96a5be07e4..139476f9d9189 100644
--- a/drivers/video/fbdev/omap2/omapfb/dss/dispc.c
+++ b/drivers/video/fbdev/omap2/omapfb/dss/dispc.c
@@ -2738,9 +2738,13 @@ int dispc_ovl_setup(enum omap_plane plane, const struct omap_overlay_info *oi,
bool mem_to_mem)
{
int r;
- enum omap_overlay_caps caps = dss_feat_get_overlay_caps(plane);
+ enum omap_overlay_caps caps;
enum omap_channel channel;
+ if (plane == OMAP_DSS_WB)
+ return -EINVAL;
+
+ caps = dss_feat_get_overlay_caps(plane);
channel = dispc_ovl_get_channel_out(plane);
DSSDBG("dispc_ovl_setup %d, pa %pad, pa_uv %pad, sw %d, %d,%d, %dx%d ->"
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 183/449] tracing: probe-events: Log error for exceeding the number of arguments
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 182/449] fbdev: omapfb: Add plane value check Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 184/449] tracing: probe-events: Add comments about entry data storing code Greg Kroah-Hartman
` (272 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu (Google),
Steven Rostedt (Google), Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
[ Upstream commit 57faaa04804ccbf16582f7fc7a6b986fd0c0e78c ]
Add error message when the number of arguments exceeds the limitation.
Link: https://lore.kernel.org/all/174055075075.4079315.10916648136898316476.stgit@mhiramat.tok.corp.google.com/
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_eprobe.c | 2 ++
kernel/trace/trace_fprobe.c | 5 ++++-
kernel/trace/trace_kprobe.c | 5 ++++-
kernel/trace/trace_probe.h | 1 +
kernel/trace/trace_uprobe.c | 9 +++++++--
5 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/kernel/trace/trace_eprobe.c b/kernel/trace/trace_eprobe.c
index 82fd637cfc19e..af9fa0632b574 100644
--- a/kernel/trace/trace_eprobe.c
+++ b/kernel/trace/trace_eprobe.c
@@ -913,6 +913,8 @@ static int __trace_eprobe_create(int argc, const char *argv[])
}
if (argc - 2 > MAX_TRACE_ARGS) {
+ trace_probe_log_set_index(2);
+ trace_probe_log_err(0, TOO_MANY_ARGS);
ret = -E2BIG;
goto error;
}
diff --git a/kernel/trace/trace_fprobe.c b/kernel/trace/trace_fprobe.c
index 985ff98272da8..5d7ca80173ea2 100644
--- a/kernel/trace/trace_fprobe.c
+++ b/kernel/trace/trace_fprobe.c
@@ -1199,8 +1199,11 @@ static int trace_fprobe_create_internal(int argc, const char *argv[],
argc = new_argc;
argv = new_argv;
}
- if (argc > MAX_TRACE_ARGS)
+ if (argc > MAX_TRACE_ARGS) {
+ trace_probe_log_set_index(2);
+ trace_probe_log_err(0, TOO_MANY_ARGS);
return -E2BIG;
+ }
ret = traceprobe_expand_dentry_args(argc, argv, &dbuf);
if (ret)
diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c
index d8d5f18a141ad..8287b175667f3 100644
--- a/kernel/trace/trace_kprobe.c
+++ b/kernel/trace/trace_kprobe.c
@@ -1007,8 +1007,11 @@ static int trace_kprobe_create_internal(int argc, const char *argv[],
argc = new_argc;
argv = new_argv;
}
- if (argc > MAX_TRACE_ARGS)
+ if (argc > MAX_TRACE_ARGS) {
+ trace_probe_log_set_index(2);
+ trace_probe_log_err(0, TOO_MANY_ARGS);
return -E2BIG;
+ }
ret = traceprobe_expand_dentry_args(argc, argv, &dbuf);
if (ret)
diff --git a/kernel/trace/trace_probe.h b/kernel/trace/trace_probe.h
index 96792bc4b0924..854e5668f5ee5 100644
--- a/kernel/trace/trace_probe.h
+++ b/kernel/trace/trace_probe.h
@@ -545,6 +545,7 @@ extern int traceprobe_define_arg_fields(struct trace_event_call *event_call,
C(BAD_BTF_TID, "Failed to get BTF type info."),\
C(BAD_TYPE4STR, "This type does not fit for string."),\
C(NEED_STRING_TYPE, "$comm and immediate-string only accepts string type"),\
+ C(TOO_MANY_ARGS, "Too many arguments are specified"), \
C(TOO_MANY_EARGS, "Too many entry arguments specified"),
#undef C
diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
index ccc762fbb69cd..3386439ec9f67 100644
--- a/kernel/trace/trace_uprobe.c
+++ b/kernel/trace/trace_uprobe.c
@@ -562,8 +562,14 @@ static int __trace_uprobe_create(int argc, const char **argv)
if (argc < 2)
return -ECANCELED;
- if (argc - 2 > MAX_TRACE_ARGS)
+
+ trace_probe_log_init("trace_uprobe", argc, argv);
+
+ if (argc - 2 > MAX_TRACE_ARGS) {
+ trace_probe_log_set_index(2);
+ trace_probe_log_err(0, TOO_MANY_ARGS);
return -E2BIG;
+ }
if (argv[0][1] == ':')
event = &argv[0][2];
@@ -582,7 +588,6 @@ static int __trace_uprobe_create(int argc, const char **argv)
return -ECANCELED;
}
- trace_probe_log_init("trace_uprobe", argc, argv);
trace_probe_log_set_index(1); /* filename is the 2nd argument */
*arg++ = '\0';
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 184/449] tracing: probe-events: Add comments about entry data storing code
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 183/449] tracing: probe-events: Log error for exceeding the number of arguments Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 185/449] ktest: Fix Test Failures Due to Missing LOG_FILE Directories Greg Kroah-Hartman
` (271 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steven Rostedt,
Masami Hiramatsu (Google), Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
[ Upstream commit bb9c6020f4c3a07a90dc36826cb5fbe83f09efd5 ]
Add comments about entry data storing code to __store_entry_arg() and
traceprobe_get_entry_data_size(). These are a bit complicated because of
building the entry data storing code and scanning it.
This just add comments, no behavior change.
Link: https://lore.kernel.org/all/174061715004.501424.333819546601401102.stgit@devnote2/
Reported-by: Steven Rostedt <rostedt@goodmis.org>
Closes: https://lore.kernel.org/all/20250226102223.586d7119@gandalf.local.home/
Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_probe.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
index 8f58ee1e8858a..2eeecb6c95eea 100644
--- a/kernel/trace/trace_probe.c
+++ b/kernel/trace/trace_probe.c
@@ -770,6 +770,10 @@ static int check_prepare_btf_string_fetch(char *typename,
#ifdef CONFIG_HAVE_FUNCTION_ARG_ACCESS_API
+/*
+ * Add the entry code to store the 'argnum'th parameter and return the offset
+ * in the entry data buffer where the data will be stored.
+ */
static int __store_entry_arg(struct trace_probe *tp, int argnum)
{
struct probe_entry_arg *earg = tp->entry_arg;
@@ -793,6 +797,20 @@ static int __store_entry_arg(struct trace_probe *tp, int argnum)
tp->entry_arg = earg;
}
+ /*
+ * The entry code array is repeating the pair of
+ * [FETCH_OP_ARG(argnum)][FETCH_OP_ST_EDATA(offset of entry data buffer)]
+ * and the rest of entries are filled with [FETCH_OP_END].
+ *
+ * To reduce the redundant function parameter fetching, we scan the entry
+ * code array to find the FETCH_OP_ARG which already fetches the 'argnum'
+ * parameter. If it doesn't match, update 'offset' to find the last
+ * offset.
+ * If we find the FETCH_OP_END without matching FETCH_OP_ARG entry, we
+ * will save the entry with FETCH_OP_ARG and FETCH_OP_ST_EDATA, and
+ * return data offset so that caller can find the data offset in the entry
+ * data buffer.
+ */
offset = 0;
for (i = 0; i < earg->size - 1; i++) {
switch (earg->code[i].op) {
@@ -826,6 +844,16 @@ int traceprobe_get_entry_data_size(struct trace_probe *tp)
if (!earg)
return 0;
+ /*
+ * earg->code[] array has an operation sequence which is run in
+ * the entry handler.
+ * The sequence stopped by FETCH_OP_END and each data stored in
+ * the entry data buffer by FETCH_OP_ST_EDATA. The FETCH_OP_ST_EDATA
+ * stores the data at the data buffer + its offset, and all data are
+ * "unsigned long" size. The offset must be increased when a data is
+ * stored. Thus we need to find the last FETCH_OP_ST_EDATA in the
+ * code array.
+ */
for (i = 0; i < earg->size; i++) {
switch (earg->code[i].op) {
case FETCH_OP_END:
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 185/449] ktest: Fix Test Failures Due to Missing LOG_FILE Directories
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 184/449] tracing: probe-events: Add comments about entry data storing code Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 186/449] tpm, tpm_tis: Workaround failed command reception on Infineon devices Greg Kroah-Hartman
` (270 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, warthog9, Ayush Jain, Steven Rostedt,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ayush Jain <Ayush.jain3@amd.com>
[ Upstream commit 5a1bed232781d356f842576daacc260f0d0c8d2e ]
Handle missing parent directories for LOG_FILE path to prevent test
failures. If the parent directories don't exist, create them to ensure
the tests proceed successfully.
Cc: <warthog9@eaglescrag.net>
Link: https://lore.kernel.org/20250307043854.2518539-1-Ayush.jain3@amd.com
Signed-off-by: Ayush Jain <Ayush.jain3@amd.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/ktest/ktest.pl | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl
index 8c8da966c641b..a5f7fdd0c1fbb 100755
--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -4303,6 +4303,14 @@ if (defined($opt{"LOG_FILE"})) {
if ($opt{"CLEAR_LOG"}) {
unlink $opt{"LOG_FILE"};
}
+
+ if (! -e $opt{"LOG_FILE"} && $opt{"LOG_FILE"} =~ m,^(.*/),) {
+ my $dir = $1;
+ if (! -d $dir) {
+ mkpath($dir) or die "Failed to create directories '$dir': $!";
+ print "\nThe log directory $dir did not exist, so it was created.\n";
+ }
+ }
open(LOG, ">> $opt{LOG_FILE}") or die "Can't write to $opt{LOG_FILE}";
LOG->autoflush(1);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 186/449] tpm, tpm_tis: Workaround failed command reception on Infineon devices
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 185/449] ktest: Fix Test Failures Due to Missing LOG_FILE Directories Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 187/449] tpm: End any active auth session before shutdown Greg Kroah-Hartman
` (269 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan McDowell, Jarkko Sakkinen,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan McDowell <noodles@meta.com>
[ Upstream commit de9e33df7762abbfc2a1568291f2c3a3154c6a9d ]
Some Infineon devices have a issue where the status register will get
stuck with a quick REQUEST_USE / COMMAND_READY sequence. This is not
simply a matter of requiring a longer timeout; the work around is to
retry the command submission. Add appropriate logic to do this in the
send path.
This is fixed in later firmware revisions, but those are not always
available, and cannot generally be easily updated from outside a
firmware environment.
Testing has been performed with a simple repeated loop of doing a
TPM2_CC_GET_CAPABILITY for TPM_CAP_PROP_MANUFACTURER using the Go code
at:
https://the.earth.li/~noodles/tpm-stuff/timeout-reproducer-simple.go
It can take several hours to reproduce, and several million operations.
Signed-off-by: Jonathan McDowell <noodles@meta.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/tpm/tpm_tis_core.c | 17 ++++++++++++++---
drivers/char/tpm/tpm_tis_core.h | 1 +
include/linux/tpm.h | 1 +
3 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c
index fdef214b9f6bf..4cc2ab2d16cc5 100644
--- a/drivers/char/tpm/tpm_tis_core.c
+++ b/drivers/char/tpm/tpm_tis_core.c
@@ -464,7 +464,10 @@ static int tpm_tis_send_data(struct tpm_chip *chip, const u8 *buf, size_t len)
if (wait_for_tpm_stat(chip, TPM_STS_VALID, chip->timeout_c,
&priv->int_queue, false) < 0) {
- rc = -ETIME;
+ if (test_bit(TPM_TIS_STATUS_VALID_RETRY, &priv->flags))
+ rc = -EAGAIN;
+ else
+ rc = -ETIME;
goto out_err;
}
status = tpm_tis_status(chip);
@@ -481,7 +484,10 @@ static int tpm_tis_send_data(struct tpm_chip *chip, const u8 *buf, size_t len)
if (wait_for_tpm_stat(chip, TPM_STS_VALID, chip->timeout_c,
&priv->int_queue, false) < 0) {
- rc = -ETIME;
+ if (test_bit(TPM_TIS_STATUS_VALID_RETRY, &priv->flags))
+ rc = -EAGAIN;
+ else
+ rc = -ETIME;
goto out_err;
}
status = tpm_tis_status(chip);
@@ -546,9 +552,11 @@ static int tpm_tis_send_main(struct tpm_chip *chip, const u8 *buf, size_t len)
if (rc >= 0)
/* Data transfer done successfully */
break;
- else if (rc != -EIO)
+ else if (rc != -EAGAIN && rc != -EIO)
/* Data transfer failed, not recoverable */
return rc;
+
+ usleep_range(priv->timeout_min, priv->timeout_max);
}
/* go and do it */
@@ -1144,6 +1152,9 @@ int tpm_tis_core_init(struct device *dev, struct tpm_tis_data *priv, int irq,
priv->timeout_max = TIS_TIMEOUT_MAX_ATML;
}
+ if (priv->manufacturer_id == TPM_VID_IFX)
+ set_bit(TPM_TIS_STATUS_VALID_RETRY, &priv->flags);
+
if (is_bsw()) {
priv->ilb_base_addr = ioremap(INTEL_LEGACY_BLK_BASE_ADDR,
ILB_REMAP_SIZE);
diff --git a/drivers/char/tpm/tpm_tis_core.h b/drivers/char/tpm/tpm_tis_core.h
index 690ad8e9b7319..970d02c337c7f 100644
--- a/drivers/char/tpm/tpm_tis_core.h
+++ b/drivers/char/tpm/tpm_tis_core.h
@@ -89,6 +89,7 @@ enum tpm_tis_flags {
TPM_TIS_INVALID_STATUS = 1,
TPM_TIS_DEFAULT_CANCELLATION = 2,
TPM_TIS_IRQ_TESTED = 3,
+ TPM_TIS_STATUS_VALID_RETRY = 4,
};
struct tpm_tis_data {
diff --git a/include/linux/tpm.h b/include/linux/tpm.h
index 20a40ade80308..6c3125300c009 100644
--- a/include/linux/tpm.h
+++ b/include/linux/tpm.h
@@ -335,6 +335,7 @@ enum tpm2_cc_attrs {
#define TPM_VID_WINBOND 0x1050
#define TPM_VID_STM 0x104A
#define TPM_VID_ATML 0x1114
+#define TPM_VID_IFX 0x15D1
enum tpm_chip_flags {
TPM_CHIP_FLAG_BOOTSTRAPPED = BIT(0),
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 187/449] tpm: End any active auth session before shutdown
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 186/449] tpm, tpm_tis: Workaround failed command reception on Infineon devices Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 188/449] pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() Greg Kroah-Hartman
` (268 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan McDowell, Jarkko Sakkinen,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan McDowell <noodles@meta.com>
[ Upstream commit 1dbf74e00a5f882b04b398399b6def65cd51ef21 ]
Lazy flushing of TPM auth sessions can interact badly with IMA + kexec,
resulting in loaded session handles being leaked across the kexec and
not cleaned up. Fix by ensuring any active auth session is ended before
the TPM is told about the shutdown, matching what is done when
suspending.
Before:
root@debian-qemu-efi:~# tpm2_getcap handles-loaded-session
root@debian-qemu-efi:~# tpm2_getcap handles-saved-session
root@debian-qemu-efi:~# kexec --load --kexec-file-syscall …
root@debian-qemu-efi:~# systemctl kexec
…
root@debian-qemu-efi:~# tpm2_getcap handles-loaded-session
- 0x2000000
root@debian-qemu-efi:~# tpm2_getcap handles-saved-session
root@debian-qemu-efi:~#
(repeat kexec steps)
root@debian-qemu-efi:~# tpm2_getcap handles-loaded-session
- 0x2000000
- 0x2000001
root@debian-qemu-efi:~# tpm2_getcap handles-saved-session
root@debian-qemu-efi:~#
After:
root@debian-qemu-efi:~# tpm2_getcap handles-loaded-session
root@debian-qemu-efi:~# tpm2_getcap handles-saved-session
root@debian-qemu-efi:~# kexec --load --kexec-file-syscall …
root@debian-qemu-efi:~# systemctl kexec
…
root@debian-qemu-efi:~# tpm2_getcap handles-loaded-session
root@debian-qemu-efi:~# tpm2_getcap handles-saved-session
root@debian-qemu-efi:~#
Signed-off-by: Jonathan McDowell <noodles@meta.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/tpm/tpm-chip.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
index 7df7abaf3e526..87f01269b9b53 100644
--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -300,6 +300,7 @@ int tpm_class_shutdown(struct device *dev)
down_write(&chip->ops_sem);
if (chip->flags & TPM_CHIP_FLAG_TPM2) {
if (!tpm_chip_start(chip)) {
+ tpm2_end_auth_session(chip);
tpm2_shutdown(chip, TPM2_SU_CLEAR);
tpm_chip_stop(chip);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 188/449] pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 187/449] tpm: End any active auth session before shutdown Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 189/449] pwm: rcar: Improve register calculation Greg Kroah-Hartman
` (267 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josh Poimboeuf,
Uwe Kleine-König, Uwe Kleine-König, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Poimboeuf <jpoimboe@kernel.org>
[ Upstream commit 7ca59947b5fcf94e7ea4029d1bd0f7c41500a161 ]
With CONFIG_COMPILE_TEST && !CONFIG_HAVE_CLK, pwm_mediatek_config() has a
divide-by-zero in the following line:
do_div(resolution, clk_get_rate(pc->clk_pwms[pwm->hwpwm]));
due to the fact that the !CONFIG_HAVE_CLK version of clk_get_rate()
returns zero.
This is presumably just a theoretical problem: COMPILE_TEST overrides
the dependency on RALINK which would select COMMON_CLK. Regardless it's
a good idea to check for the error explicitly to avoid divide-by-zero.
Fixes the following warning:
drivers/pwm/pwm-mediatek.o: warning: objtool: .text: unexpected end of section
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Link: https://lore.kernel.org/r/fb56444939325cc173e752ba199abd7aeae3bf12.1742852847.git.jpoimboe@kernel.org
[ukleinek: s/CONFIG_CLK/CONFIG_HAVE_CLK/]
Fixes: caf065f8fd58 ("pwm: Add MediaTek PWM support")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://lore.kernel.org/r/9e78a0796acba3435553ed7db1c7965dcffa6215.1743501688.git.u.kleine-koenig@baylibre.com
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pwm/pwm-mediatek.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/pwm/pwm-mediatek.c b/drivers/pwm/pwm-mediatek.c
index 01dfa0fab80a4..7eaab58314995 100644
--- a/drivers/pwm/pwm-mediatek.c
+++ b/drivers/pwm/pwm-mediatek.c
@@ -121,21 +121,25 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm,
struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
u32 clkdiv = 0, cnt_period, cnt_duty, reg_width = PWMDWIDTH,
reg_thres = PWMTHRES;
+ unsigned long clk_rate;
u64 resolution;
int ret;
ret = pwm_mediatek_clk_enable(chip, pwm);
-
if (ret < 0)
return ret;
+ clk_rate = clk_get_rate(pc->clk_pwms[pwm->hwpwm]);
+ if (!clk_rate)
+ return -EINVAL;
+
/* Make sure we use the bus clock and not the 26MHz clock */
if (pc->soc->has_ck_26m_sel)
writel(0, pc->regs + PWM_CK_26M_SEL);
/* Using resolution in picosecond gets accuracy higher */
resolution = (u64)NSEC_PER_SEC * 1000;
- do_div(resolution, clk_get_rate(pc->clk_pwms[pwm->hwpwm]));
+ do_div(resolution, clk_rate);
cnt_period = DIV_ROUND_CLOSEST_ULL((u64)period_ns * 1000, resolution);
while (cnt_period > 8191) {
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 189/449] pwm: rcar: Improve register calculation
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 188/449] pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 190/449] pwm: fsl-ftm: Handle clk_get_rate() returning 0 Greg Kroah-Hartman
` (266 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
Geert Uytterhoeven, Uwe Kleine-König, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
[ Upstream commit e7327c193014a4d8666e9c1cda09cf2c060518e8 ]
There were several issues in the function rcar_pwm_set_counter():
- The u64 values period_ns and duty_ns were cast to int on function
call which might loose bits on 32 bit architectures.
Fix: Make parameters to rcar_pwm_set_counter() u64
- The algorithm divided by the result of a division which looses
precision.
Fix: Make use of mul_u64_u64_div_u64()
- The calculated values were just masked to fit the respective register
fields which again might loose bits.
Fix: Explicitly check for overlow
Implement the respective fixes.
A side effect of fixing the 2nd issue is that there is no division by 0
if clk_get_rate() returns 0.
Fixes: ed6c1476bf7f ("pwm: Add support for R-Car PWM Timer")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://lore.kernel.org/r/ab3dac794b2216cc1cc56d65c93dd164f8bd461b.1743501688.git.u.kleine-koenig@baylibre.com
[ukleinek: Added an explicit #include <linux/bitfield.h> to please the
0day build bot]
Link: https://lore.kernel.org/oe-kbuild-all/202504031354.VJtxScP5-lkp@intel.com/
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pwm/pwm-rcar.c | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/drivers/pwm/pwm-rcar.c b/drivers/pwm/pwm-rcar.c
index 2261789cc27da..578dbdd2d5a72 100644
--- a/drivers/pwm/pwm-rcar.c
+++ b/drivers/pwm/pwm-rcar.c
@@ -8,6 +8,7 @@
* - The hardware cannot generate a 0% duty cycle.
*/
+#include <linux/bitfield.h>
#include <linux/clk.h>
#include <linux/err.h>
#include <linux/io.h>
@@ -102,23 +103,24 @@ static void rcar_pwm_set_clock_control(struct rcar_pwm_chip *rp,
rcar_pwm_write(rp, value, RCAR_PWMCR);
}
-static int rcar_pwm_set_counter(struct rcar_pwm_chip *rp, int div, int duty_ns,
- int period_ns)
+static int rcar_pwm_set_counter(struct rcar_pwm_chip *rp, int div, u64 duty_ns,
+ u64 period_ns)
{
- unsigned long long one_cycle, tmp; /* 0.01 nanoseconds */
+ unsigned long long tmp;
unsigned long clk_rate = clk_get_rate(rp->clk);
u32 cyc, ph;
- one_cycle = NSEC_PER_SEC * 100ULL << div;
- do_div(one_cycle, clk_rate);
+ /* div <= 24 == RCAR_PWM_MAX_DIVISION, so the shift doesn't overflow. */
+ tmp = mul_u64_u64_div_u64(period_ns, clk_rate, (u64)NSEC_PER_SEC << div);
+ if (tmp > FIELD_MAX(RCAR_PWMCNT_CYC0_MASK))
+ tmp = FIELD_MAX(RCAR_PWMCNT_CYC0_MASK);
- tmp = period_ns * 100ULL;
- do_div(tmp, one_cycle);
- cyc = (tmp << RCAR_PWMCNT_CYC0_SHIFT) & RCAR_PWMCNT_CYC0_MASK;
+ cyc = FIELD_PREP(RCAR_PWMCNT_CYC0_MASK, tmp);
- tmp = duty_ns * 100ULL;
- do_div(tmp, one_cycle);
- ph = tmp & RCAR_PWMCNT_PH0_MASK;
+ tmp = mul_u64_u64_div_u64(duty_ns, clk_rate, (u64)NSEC_PER_SEC << div);
+ if (tmp > FIELD_MAX(RCAR_PWMCNT_PH0_MASK))
+ tmp = FIELD_MAX(RCAR_PWMCNT_PH0_MASK);
+ ph = FIELD_PREP(RCAR_PWMCNT_PH0_MASK, tmp);
/* Avoid prohibited setting */
if (cyc == 0 || ph == 0)
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 190/449] pwm: fsl-ftm: Handle clk_get_rate() returning 0
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 189/449] pwm: rcar: Improve register calculation Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 191/449] pwm: stm32: Search an appropriate duty_cycle if period cannot be modified Greg Kroah-Hartman
` (265 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
Uwe Kleine-König, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
[ Upstream commit 928446a5302eee30ebb32075c0db5dda5a138fb7 ]
Considering that the driver doesn't enable the used clocks (and also
that clk_get_rate() returns 0 if CONFIG_HAVE_CLK is unset) better check
the return value of clk_get_rate() for being non-zero before dividing by
it.
Fixes: 3479bbd1e1f8 ("pwm: fsl-ftm: More relaxed permissions for updating period")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://lore.kernel.org/r/b68351a51017035651bc62ad3146afcb706874f0.1743501688.git.u.kleine-koenig@baylibre.com
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pwm/pwm-fsl-ftm.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/pwm/pwm-fsl-ftm.c b/drivers/pwm/pwm-fsl-ftm.c
index 2510c10ca4730..c45a5fca4cbbd 100644
--- a/drivers/pwm/pwm-fsl-ftm.c
+++ b/drivers/pwm/pwm-fsl-ftm.c
@@ -118,6 +118,9 @@ static unsigned int fsl_pwm_ticks_to_ns(struct fsl_pwm_chip *fpc,
unsigned long long exval;
rate = clk_get_rate(fpc->clk[fpc->period.clk_select]);
+ if (rate >> fpc->period.clk_ps == 0)
+ return 0;
+
exval = ticks;
exval *= 1000000000UL;
do_div(exval, rate >> fpc->period.clk_ps);
@@ -190,6 +193,9 @@ static unsigned int fsl_pwm_calculate_duty(struct fsl_pwm_chip *fpc,
unsigned int period = fpc->period.mod_period + 1;
unsigned int period_ns = fsl_pwm_ticks_to_ns(fpc, period);
+ if (!period_ns)
+ return 0;
+
duty = (unsigned long long)duty_ns * period;
do_div(duty, period_ns);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 191/449] pwm: stm32: Search an appropriate duty_cycle if period cannot be modified
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 190/449] pwm: fsl-ftm: Handle clk_get_rate() returning 0 Greg Kroah-Hartman
@ 2025-04-17 17:47 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 192/449] erofs: set error to bio if file-backed IO fails Greg Kroah-Hartman
` (264 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
Uwe Kleine-König, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
[ Upstream commit fda6e0034e9da64e1cec31f4539b6c7abd9ed8be ]
If another channel is already enabled period must not be modified. If
the requested period is smaller than this unchangable period the driver
is still supposed to search a duty_cycle according to the usual rounding
rules.
So don't set the duty_cycle to 0 but continue to determine an
appropriate value for ccr.
Fixes: deaba9cff809 ("pwm: stm32: Implementation of the waveform callbacks")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://lore.kernel.org/r/f0c50df31daa3d6069bfa8d7fb3e71fae241b026.1743844730.git.u.kleine-koenig@baylibre.com
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pwm/pwm-stm32.c | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/drivers/pwm/pwm-stm32.c b/drivers/pwm/pwm-stm32.c
index a59de4de18b6e..ec2c05c9ee7a6 100644
--- a/drivers/pwm/pwm-stm32.c
+++ b/drivers/pwm/pwm-stm32.c
@@ -103,22 +103,16 @@ static int stm32_pwm_round_waveform_tohw(struct pwm_chip *chip,
if (ret)
goto out;
- /*
- * calculate the best value for ARR for the given PSC, refuse if
- * the resulting period gets bigger than the requested one.
- */
arr = mul_u64_u64_div_u64(wf->period_length_ns, rate,
(u64)NSEC_PER_SEC * (wfhw->psc + 1));
if (arr <= wfhw->arr) {
/*
- * requested period is small than the currently
+ * requested period is smaller than the currently
* configured and unchangable period, report back the smallest
- * possible period, i.e. the current state; Initialize
- * ccr to anything valid.
+ * possible period, i.e. the current state and return 1
+ * to indicate the wrong rounding direction.
*/
- wfhw->ccr = 0;
ret = 1;
- goto out;
}
} else {
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 192/449] erofs: set error to bio if file-backed IO fails
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2025-04-17 17:47 ` [PATCH 6.14 191/449] pwm: stm32: Search an appropriate duty_cycle if period cannot be modified Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 193/449] bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags Greg Kroah-Hartman
` (263 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sheng Yong, Gao Xiang, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sheng Yong <shengyong1@xiaomi.com>
[ Upstream commit 1595f15391b81815e4ef91c339991913d556c1b6 ]
If a file-backed IO fails before submitting the bio to the lower
filesystem, an error is returned, but the bio->bi_status is not
marked as an error. However, the error information should be passed
to the end_io handler. Otherwise, the IO request will be treated as
successful.
Fixes: 283213718f5d ("erofs: support compressed inodes for fileio")
Signed-off-by: Sheng Yong <shengyong1@xiaomi.com>
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Link: https://lore.kernel.org/r/20250408122351.2104507-1-shengyong1@xiaomi.com
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/erofs/fileio.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/erofs/fileio.c b/fs/erofs/fileio.c
index 0ffd1c63beeb9..abb9c6d3b1aa2 100644
--- a/fs/erofs/fileio.c
+++ b/fs/erofs/fileio.c
@@ -32,6 +32,8 @@ static void erofs_fileio_ki_complete(struct kiocb *iocb, long ret)
ret = 0;
}
if (rq->bio.bi_end_io) {
+ if (ret < 0 && !rq->bio.bi_status)
+ rq->bio.bi_status = errno_to_blk_status(ret);
rq->bio.bi_end_io(&rq->bio);
} else {
bio_for_each_folio_all(fi, &rq->bio) {
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 193/449] bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 192/449] erofs: set error to bio if file-backed IO fails Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 194/449] ext4: dont treat fhandle lookup of ea_inode as FS corruption Greg Kroah-Hartman
` (262 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matt Moeller,
Maciej Żenczykowski, Willem de Bruijn, Stanislav Fomichev,
Alexei Starovoitov, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Willem de Bruijn <willemb@google.com>
[ Upstream commit d4bac0288a2b444e468e6df9cb4ed69479ddf14a ]
Classic BPF socket filters with SKB_NET_OFF and SKB_LL_OFF fail to
read when these offsets extend into frags.
This has been observed with iwlwifi and reproduced with tun with
IFF_NAPI_FRAGS. The below straightforward socket filter on UDP port,
applied to a RAW socket, will silently miss matching packets.
const int offset_proto = offsetof(struct ip6_hdr, ip6_nxt);
const int offset_dport = sizeof(struct ip6_hdr) + offsetof(struct udphdr, dest);
struct sock_filter filter_code[] = {
BPF_STMT(BPF_LD + BPF_B + BPF_ABS, SKF_AD_OFF + SKF_AD_PKTTYPE),
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, PACKET_HOST, 0, 4),
BPF_STMT(BPF_LD + BPF_B + BPF_ABS, SKF_NET_OFF + offset_proto),
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_UDP, 0, 2),
BPF_STMT(BPF_LD + BPF_H + BPF_ABS, SKF_NET_OFF + offset_dport),
This is unexpected behavior. Socket filter programs should be
consistent regardless of environment. Silent misses are
particularly concerning as hard to detect.
Use skb_copy_bits for offsets outside linear, same as done for
non-SKF_(LL|NET) offsets.
Offset is always positive after subtracting the reference threshold
SKB_(LL|NET)_OFF, so is always >= skb_(mac|network)_offset. The sum of
the two is an offset against skb->data, and may be negative, but it
cannot point before skb->head, as skb_(mac|network)_offset would too.
This appears to go back to when frag support was introduced to
sk_run_filter in linux-2.4.4, before the introduction of git.
The amount of code change and 8/16/32 bit duplication are unfortunate.
But any attempt I made to be smarter saved very few LoC while
complicating the code.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Link: https://lore.kernel.org/netdev/20250122200402.3461154-1-maze@google.com/
Link: https://elixir.bootlin.com/linux/2.4.4/source/net/core/filter.c#L244
Reported-by: Matt Moeller <moeller.matt@gmail.com>
Co-developed-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Link: https://lore.kernel.org/r/20250408132833.195491-2-willemdebruijn.kernel@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 80 ++++++++++++++++++++++++++---------------------
1 file changed, 44 insertions(+), 36 deletions(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index 2ec162dd83c46..b0df9b7d16d3f 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -218,24 +218,36 @@ BPF_CALL_3(bpf_skb_get_nlattr_nest, struct sk_buff *, skb, u32, a, u32, x)
return 0;
}
+static int bpf_skb_load_helper_convert_offset(const struct sk_buff *skb, int offset)
+{
+ if (likely(offset >= 0))
+ return offset;
+
+ if (offset >= SKF_NET_OFF)
+ return offset - SKF_NET_OFF + skb_network_offset(skb);
+
+ if (offset >= SKF_LL_OFF && skb_mac_header_was_set(skb))
+ return offset - SKF_LL_OFF + skb_mac_offset(skb);
+
+ return INT_MIN;
+}
+
BPF_CALL_4(bpf_skb_load_helper_8, const struct sk_buff *, skb, const void *,
data, int, headlen, int, offset)
{
- u8 tmp, *ptr;
+ u8 tmp;
const int len = sizeof(tmp);
- if (offset >= 0) {
- if (headlen - offset >= len)
- return *(u8 *)(data + offset);
- if (!skb_copy_bits(skb, offset, &tmp, sizeof(tmp)))
- return tmp;
- } else {
- ptr = bpf_internal_load_pointer_neg_helper(skb, offset, len);
- if (likely(ptr))
- return *(u8 *)ptr;
- }
+ offset = bpf_skb_load_helper_convert_offset(skb, offset);
+ if (offset == INT_MIN)
+ return -EFAULT;
- return -EFAULT;
+ if (headlen - offset >= len)
+ return *(u8 *)(data + offset);
+ if (!skb_copy_bits(skb, offset, &tmp, sizeof(tmp)))
+ return tmp;
+ else
+ return -EFAULT;
}
BPF_CALL_2(bpf_skb_load_helper_8_no_cache, const struct sk_buff *, skb,
@@ -248,21 +260,19 @@ BPF_CALL_2(bpf_skb_load_helper_8_no_cache, const struct sk_buff *, skb,
BPF_CALL_4(bpf_skb_load_helper_16, const struct sk_buff *, skb, const void *,
data, int, headlen, int, offset)
{
- __be16 tmp, *ptr;
+ __be16 tmp;
const int len = sizeof(tmp);
- if (offset >= 0) {
- if (headlen - offset >= len)
- return get_unaligned_be16(data + offset);
- if (!skb_copy_bits(skb, offset, &tmp, sizeof(tmp)))
- return be16_to_cpu(tmp);
- } else {
- ptr = bpf_internal_load_pointer_neg_helper(skb, offset, len);
- if (likely(ptr))
- return get_unaligned_be16(ptr);
- }
+ offset = bpf_skb_load_helper_convert_offset(skb, offset);
+ if (offset == INT_MIN)
+ return -EFAULT;
- return -EFAULT;
+ if (headlen - offset >= len)
+ return get_unaligned_be16(data + offset);
+ if (!skb_copy_bits(skb, offset, &tmp, sizeof(tmp)))
+ return be16_to_cpu(tmp);
+ else
+ return -EFAULT;
}
BPF_CALL_2(bpf_skb_load_helper_16_no_cache, const struct sk_buff *, skb,
@@ -275,21 +285,19 @@ BPF_CALL_2(bpf_skb_load_helper_16_no_cache, const struct sk_buff *, skb,
BPF_CALL_4(bpf_skb_load_helper_32, const struct sk_buff *, skb, const void *,
data, int, headlen, int, offset)
{
- __be32 tmp, *ptr;
+ __be32 tmp;
const int len = sizeof(tmp);
- if (likely(offset >= 0)) {
- if (headlen - offset >= len)
- return get_unaligned_be32(data + offset);
- if (!skb_copy_bits(skb, offset, &tmp, sizeof(tmp)))
- return be32_to_cpu(tmp);
- } else {
- ptr = bpf_internal_load_pointer_neg_helper(skb, offset, len);
- if (likely(ptr))
- return get_unaligned_be32(ptr);
- }
+ offset = bpf_skb_load_helper_convert_offset(skb, offset);
+ if (offset == INT_MIN)
+ return -EFAULT;
- return -EFAULT;
+ if (headlen - offset >= len)
+ return get_unaligned_be32(data + offset);
+ if (!skb_copy_bits(skb, offset, &tmp, sizeof(tmp)))
+ return be32_to_cpu(tmp);
+ else
+ return -EFAULT;
}
BPF_CALL_2(bpf_skb_load_helper_32_no_cache, const struct sk_buff *, skb,
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 194/449] ext4: dont treat fhandle lookup of ea_inode as FS corruption
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 193/449] bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 195/449] s390/pci: Fix s390_mmio_read/write syscall page fault handling Greg Kroah-Hartman
` (261 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jann Horn, Jan Kara, Theodore Tso,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
[ Upstream commit 642335f3ea2b3fd6dba03e57e01fa9587843a497 ]
A file handle that userspace provides to open_by_handle_at() can
legitimately contain an outdated inode number that has since been reused
for another purpose - that's why the file handle also contains a generation
number.
But if the inode number has been reused for an ea_inode, check_igot_inode()
will notice, __ext4_iget() will go through ext4_error_inode(), and if the
inode was newly created, it will also be marked as bad by iget_failed().
This all happens before the point where the inode generation is checked.
ext4_error_inode() is supposed to only be used on filesystem corruption; it
should not be used when userspace just got unlucky with a stale file
handle. So when this happens, let __ext4_iget() just return an error.
Fixes: b3e6bcb94590 ("ext4: add EA_INODE checking to ext4_iget()")
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20241129-ext4-ignore-ea-fhandle-v1-1-e532c0d1cee0@google.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/inode.c | 68 ++++++++++++++++++++++++++++++++++---------------
1 file changed, 48 insertions(+), 20 deletions(-)
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 4009f9017a0e9..4108b7d1696ff 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4710,22 +4710,43 @@ static inline void ext4_inode_set_iversion_queried(struct inode *inode, u64 val)
inode_set_iversion_queried(inode, val);
}
-static const char *check_igot_inode(struct inode *inode, ext4_iget_flags flags)
-
+static int check_igot_inode(struct inode *inode, ext4_iget_flags flags,
+ const char *function, unsigned int line)
{
+ const char *err_str;
+
if (flags & EXT4_IGET_EA_INODE) {
- if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL))
- return "missing EA_INODE flag";
+ if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) {
+ err_str = "missing EA_INODE flag";
+ goto error;
+ }
if (ext4_test_inode_state(inode, EXT4_STATE_XATTR) ||
- EXT4_I(inode)->i_file_acl)
- return "ea_inode with extended attributes";
+ EXT4_I(inode)->i_file_acl) {
+ err_str = "ea_inode with extended attributes";
+ goto error;
+ }
} else {
- if ((EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL))
- return "unexpected EA_INODE flag";
+ if ((EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) {
+ /*
+ * open_by_handle_at() could provide an old inode number
+ * that has since been reused for an ea_inode; this does
+ * not indicate filesystem corruption
+ */
+ if (flags & EXT4_IGET_HANDLE)
+ return -ESTALE;
+ err_str = "unexpected EA_INODE flag";
+ goto error;
+ }
+ }
+ if (is_bad_inode(inode) && !(flags & EXT4_IGET_BAD)) {
+ err_str = "unexpected bad inode w/o EXT4_IGET_BAD";
+ goto error;
}
- if (is_bad_inode(inode) && !(flags & EXT4_IGET_BAD))
- return "unexpected bad inode w/o EXT4_IGET_BAD";
- return NULL;
+ return 0;
+
+error:
+ ext4_error_inode(inode, function, line, 0, err_str);
+ return -EFSCORRUPTED;
}
struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
@@ -4737,7 +4758,6 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
struct ext4_inode_info *ei;
struct ext4_super_block *es = EXT4_SB(sb)->s_es;
struct inode *inode;
- const char *err_str;
journal_t *journal = EXT4_SB(sb)->s_journal;
long ret;
loff_t size;
@@ -4766,10 +4786,10 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
if (!inode)
return ERR_PTR(-ENOMEM);
if (!(inode->i_state & I_NEW)) {
- if ((err_str = check_igot_inode(inode, flags)) != NULL) {
- ext4_error_inode(inode, function, line, 0, err_str);
+ ret = check_igot_inode(inode, flags, function, line);
+ if (ret) {
iput(inode);
- return ERR_PTR(-EFSCORRUPTED);
+ return ERR_PTR(ret);
}
return inode;
}
@@ -5050,13 +5070,21 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
ret = -EFSCORRUPTED;
goto bad_inode;
}
- if ((err_str = check_igot_inode(inode, flags)) != NULL) {
- ext4_error_inode(inode, function, line, 0, err_str);
- ret = -EFSCORRUPTED;
- goto bad_inode;
+ ret = check_igot_inode(inode, flags, function, line);
+ /*
+ * -ESTALE here means there is nothing inherently wrong with the inode,
+ * it's just not an inode we can return for an fhandle lookup.
+ */
+ if (ret == -ESTALE) {
+ brelse(iloc.bh);
+ unlock_new_inode(inode);
+ iput(inode);
+ return ERR_PTR(-ESTALE);
}
-
+ if (ret)
+ goto bad_inode;
brelse(iloc.bh);
+
unlock_new_inode(inode);
return inode;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 195/449] s390/pci: Fix s390_mmio_read/write syscall page fault handling
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 194/449] ext4: dont treat fhandle lookup of ea_inode as FS corruption Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 196/449] HID: pidff: Clamp PERIODIC effect period to devices logical range Greg Kroah-Hartman
` (260 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Schnelle, Bjorn Helgaas,
Matthew Rosato, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Schnelle <schnelle@linux.ibm.com>
[ Upstream commit 41a0926e82f4963046876ed9a1b5f681be8087a8 ]
The s390 MMIO syscalls when using the classic PCI instructions do not
cause a page fault when follow_pfnmap_start() fails due to the page not
being present. Besides being a general deficiency this breaks vfio-pci's
mmap() handling once VFIO_PCI_MMAP gets enabled as this lazily maps on
first access. Fix this by following a failed follow_pfnmap_start() with
fixup_user_page() and retrying the follow_pfnmap_start(). Also fix
a VM_READ vs VM_WRITE mixup in the read syscall.
Link: https://lore.kernel.org/r/20250226-vfio_pci_mmap-v7-1-c5c0f1d26efd@linux.ibm.com
Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/pci/pci_mmio.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/arch/s390/pci/pci_mmio.c b/arch/s390/pci/pci_mmio.c
index 46f99dc164ade..1997d9b7965df 100644
--- a/arch/s390/pci/pci_mmio.c
+++ b/arch/s390/pci/pci_mmio.c
@@ -175,8 +175,12 @@ SYSCALL_DEFINE3(s390_pci_mmio_write, unsigned long, mmio_addr,
args.address = mmio_addr;
args.vma = vma;
ret = follow_pfnmap_start(&args);
- if (ret)
- goto out_unlock_mmap;
+ if (ret) {
+ fixup_user_fault(current->mm, mmio_addr, FAULT_FLAG_WRITE, NULL);
+ ret = follow_pfnmap_start(&args);
+ if (ret)
+ goto out_unlock_mmap;
+ }
io_addr = (void __iomem *)((args.pfn << PAGE_SHIFT) |
(mmio_addr & ~PAGE_MASK));
@@ -315,14 +319,18 @@ SYSCALL_DEFINE3(s390_pci_mmio_read, unsigned long, mmio_addr,
if (!(vma->vm_flags & (VM_IO | VM_PFNMAP)))
goto out_unlock_mmap;
ret = -EACCES;
- if (!(vma->vm_flags & VM_WRITE))
+ if (!(vma->vm_flags & VM_READ))
goto out_unlock_mmap;
args.vma = vma;
args.address = mmio_addr;
ret = follow_pfnmap_start(&args);
- if (ret)
- goto out_unlock_mmap;
+ if (ret) {
+ fixup_user_fault(current->mm, mmio_addr, 0, NULL);
+ ret = follow_pfnmap_start(&args);
+ if (ret)
+ goto out_unlock_mmap;
+ }
io_addr = (void __iomem *)((args.pfn << PAGE_SHIFT) |
(mmio_addr & ~PAGE_MASK));
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 196/449] HID: pidff: Clamp PERIODIC effect period to devices logical range
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 195/449] s390/pci: Fix s390_mmio_read/write syscall page fault handling Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 197/449] HID: pidff: Stop all effects before enabling actuators Greg Kroah-Hartman
` (259 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit f538183e997a9fb6087e94e71e372de967b9e56a ]
This ensures the effect can actually be played on the connected force
feedback device. Adds clamping functions used instead of rescaling, as we
don't want to change the characteristics of the periodic effects.
Fixes edge cases found on Moza Racing and some other hardware where
the effects would not play if the period is outside the defined
logical range.
Changes in v6:
- Use in-kernel clamp macro instead of a custom solution
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 25dbed076f530..6b55345ce75ac 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -15,10 +15,9 @@
#include <linux/input.h>
#include <linux/slab.h>
#include <linux/usb.h>
-
#include <linux/hid.h>
+#include <linux/minmax.h>
-#include "usbhid.h"
#define PID_EFFECTS_MAX 64
#define PID_INFINITE 0xffff
@@ -192,6 +191,16 @@ struct pidff_device {
u32 quirks;
};
+/*
+ * Clamp value for a given field
+ */
+static s32 pidff_clamp(s32 i, struct hid_field *field)
+{
+ s32 clamped = clamp(i, field->logical_minimum, field->logical_maximum);
+ pr_debug("clamped from %d to %d", i, clamped);
+ return clamped;
+}
+
/*
* Scale an unsigned value with range 0..max for the given field
*/
@@ -372,7 +381,11 @@ static void pidff_set_periodic_report(struct pidff_device *pidff,
pidff_set_signed(&pidff->set_periodic[PID_OFFSET],
effect->u.periodic.offset);
pidff_set(&pidff->set_periodic[PID_PHASE], effect->u.periodic.phase);
- pidff->set_periodic[PID_PERIOD].value[0] = effect->u.periodic.period;
+
+ /* Clamp period to ensure the device can play the effect */
+ pidff->set_periodic[PID_PERIOD].value[0] =
+ pidff_clamp(effect->u.periodic.period,
+ pidff->set_periodic[PID_PERIOD].field);
hid_hw_request(pidff->hid, pidff->reports[PID_SET_PERIODIC],
HID_REQ_SET_REPORT);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 197/449] HID: pidff: Stop all effects before enabling actuators
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 196/449] HID: pidff: Clamp PERIODIC effect period to devices logical range Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
[not found] ` <763f6566-9806-4e09-a633-b27fe1767f38@orange.fr>
2025-04-17 17:48 ` [PATCH 6.14 198/449] HID: pidff: Completely rework and fix pidff_reset function Greg Kroah-Hartman
` (258 subsequent siblings)
455 siblings, 1 reply; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jules Noirant, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit ce52c0c939fcb568d1abe454821d5623de38b424 ]
Some PID compliant devices automatically play effects after boot (i.e.
autocenter spring) that prevent the rendering of other effects since
it is done outside the kernel driver.
This makes sure all the effects currently played are stopped after
resetting the device.
It brings compatibility to the Brunner CLS-P joystick and others
Reported-by: Jules Noirant <jules.noirant@orange.fr>
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 6b55345ce75ac..635596a57c75d 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -109,8 +109,9 @@ static const u8 pidff_pool[] = { 0x80, 0x83, 0xa9 };
/* Special field key tables used to put special field keys into arrays */
#define PID_ENABLE_ACTUATORS 0
-#define PID_RESET 1
-static const u8 pidff_device_control[] = { 0x97, 0x9a };
+#define PID_STOP_ALL_EFFECTS 1
+#define PID_RESET 2
+static const u8 pidff_device_control[] = { 0x97, 0x99, 0x9a };
#define PID_CONSTANT 0
#define PID_RAMP 1
@@ -1235,6 +1236,10 @@ static void pidff_reset(struct pidff_device *pidff)
hid_hw_request(hid, pidff->reports[PID_DEVICE_CONTROL], HID_REQ_SET_REPORT);
hid_hw_wait(hid);
+ pidff->device_control->value[0] = pidff->control_id[PID_STOP_ALL_EFFECTS];
+ hid_hw_request(hid, pidff->reports[PID_DEVICE_CONTROL], HID_REQ_SET_REPORT);
+ hid_hw_wait(hid);
+
pidff->device_control->value[0] =
pidff->control_id[PID_ENABLE_ACTUATORS];
hid_hw_request(hid, pidff->reports[PID_DEVICE_CONTROL], HID_REQ_SET_REPORT);
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 198/449] HID: pidff: Completely rework and fix pidff_reset function
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 197/449] HID: pidff: Stop all effects before enabling actuators Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 199/449] HID: pidff: Simplify pidff_upload_effect function Greg Kroah-Hartman
` (257 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Makarenko Oleg, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit cb3fd788e3fa5358602a49809c4eb4911539c9d0 ]
Previously, it was assumed that DEVICE_CONTROL usage is always an array
but a lot of devices implements it as a bitmask variable. This led to
the pidff_reset function not working and causing errors in such cases.
Selectors can come in three types. One selection of a set, N selections
and Any selection in form of bitmask as from USB Hid Usage Tables v1.5,
subsection 3.4.2.1
Added pidff_send_device_control which handles usage flag check which
decides whether DEVICE_CONTROL should be handled as "One selection of a
set" or "Any selection of a set".
Reset was triggered once, on device initialization. Now, it's triggered
every time when uploading an effect to an empty device (no currently
stored effects), tracked by pidff->effect_count variable.
Co-developed-by: Makarenko Oleg <oleg@makarenk.ooo>
Signed-off-by: Makarenko Oleg <oleg@makarenk.ooo>
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 138 +++++++++++++++++++++------------
1 file changed, 89 insertions(+), 49 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 635596a57c75d..99b5d3deb40d0 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -109,9 +109,10 @@ static const u8 pidff_pool[] = { 0x80, 0x83, 0xa9 };
/* Special field key tables used to put special field keys into arrays */
#define PID_ENABLE_ACTUATORS 0
-#define PID_STOP_ALL_EFFECTS 1
-#define PID_RESET 2
-static const u8 pidff_device_control[] = { 0x97, 0x99, 0x9a };
+#define PID_DISABLE_ACTUATORS 1
+#define PID_STOP_ALL_EFFECTS 2
+#define PID_RESET 3
+static const u8 pidff_device_control[] = { 0x97, 0x98, 0x99, 0x9a };
#define PID_CONSTANT 0
#define PID_RAMP 1
@@ -190,6 +191,7 @@ struct pidff_device {
int pid_id[PID_EFFECTS_MAX];
u32 quirks;
+ u8 effect_count;
};
/*
@@ -490,9 +492,83 @@ static int pidff_needs_set_ramp(struct ff_effect *effect, struct ff_effect *old)
effect->u.ramp.end_level != old->u.ramp.end_level;
}
+/*
+ * Clear device control report
+ */
+static void pidff_send_device_control(struct pidff_device *pidff, int field)
+{
+ int i, tmp;
+ int field_index = pidff->control_id[field];
+
+ /* Detect if the field is a bitmask variable or an array */
+ if (pidff->device_control->flags & HID_MAIN_ITEM_VARIABLE) {
+ hid_dbg(pidff->hid, "DEVICE_CONTROL is a bitmask\n");
+ /* Clear current bitmask */
+ for(i = 0; i < sizeof(pidff_device_control); i++) {
+ tmp = pidff->control_id[i];
+ pidff->device_control->value[tmp] = 0;
+ }
+ pidff->device_control->value[field_index - 1] = 1;
+ } else {
+ hid_dbg(pidff->hid, "DEVICE_CONTROL is an array\n");
+ pidff->device_control->value[0] = field_index;
+ }
+
+ hid_hw_request(pidff->hid, pidff->reports[PID_DEVICE_CONTROL], HID_REQ_SET_REPORT);
+ hid_hw_wait(pidff->hid);
+}
+
+/*
+ * Modify actuators state
+ */
+static void pidff_modify_actuators_state(struct pidff_device *pidff, bool enable)
+{
+ hid_dbg(pidff->hid, "%s actuators\n", enable ? "Enable" : "Disable");
+ pidff_send_device_control(pidff,
+ enable ? PID_ENABLE_ACTUATORS : PID_DISABLE_ACTUATORS);
+}
+
+/*
+ * Reset the device, stop all effects, enable actuators
+ * Refetch pool report
+ */
+static void pidff_reset(struct pidff_device *pidff)
+{
+ int i = 0;
+
+ /* We reset twice as sometimes hid_wait_io isn't waiting long enough */
+ pidff_send_device_control(pidff, PID_RESET);
+ pidff_send_device_control(pidff, PID_RESET);
+ pidff->effect_count = 0;
+
+ pidff_send_device_control(pidff, PID_STOP_ALL_EFFECTS);
+ pidff_modify_actuators_state(pidff, 1);
+
+ /* pool report is sometimes messed up, refetch it */
+ hid_hw_request(pidff->hid, pidff->reports[PID_POOL], HID_REQ_GET_REPORT);
+ hid_hw_wait(pidff->hid);
+
+ if (pidff->pool[PID_SIMULTANEOUS_MAX].value) {
+ while (pidff->pool[PID_SIMULTANEOUS_MAX].value[0] < 2) {
+ if (i++ > 20) {
+ hid_warn(pidff->hid,
+ "device reports %d simultaneous effects\n",
+ pidff->pool[PID_SIMULTANEOUS_MAX].value[0]);
+ break;
+ }
+ hid_dbg(pidff->hid, "pid_pool requested again\n");
+ hid_hw_request(pidff->hid, pidff->reports[PID_POOL],
+ HID_REQ_GET_REPORT);
+ hid_hw_wait(pidff->hid);
+ }
+ }
+}
+
/*
* Send a request for effect upload to the device
*
+ * Reset and enable actuators if no effects were present on the device
+ *
* Returns 0 if device reported success, -ENOSPC if the device reported memory
* is full. Upon unknown response the function will retry for 60 times, if
* still unsuccessful -EIO is returned.
@@ -501,6 +577,9 @@ static int pidff_request_effect_upload(struct pidff_device *pidff, int efnum)
{
int j;
+ if (!pidff->effect_count)
+ pidff_reset(pidff);
+
pidff->create_new_effect_type->value[0] = efnum;
hid_hw_request(pidff->hid, pidff->reports[PID_CREATE_NEW_EFFECT],
HID_REQ_SET_REPORT);
@@ -520,6 +599,8 @@ static int pidff_request_effect_upload(struct pidff_device *pidff, int efnum)
hid_dbg(pidff->hid, "device reported free memory: %d bytes\n",
pidff->block_load[PID_RAM_POOL_AVAILABLE].value ?
pidff->block_load[PID_RAM_POOL_AVAILABLE].value[0] : -1);
+
+ pidff->effect_count++;
return 0;
}
if (pidff->block_load_status->value[0] ==
@@ -568,12 +649,16 @@ static int pidff_playback(struct input_dev *dev, int effect_id, int value)
/*
* Erase effect with PID id
+ * Decrease the device effect counter
*/
static void pidff_erase_pid(struct pidff_device *pidff, int pid_id)
{
pidff->block_free[PID_EFFECT_BLOCK_INDEX].value[0] = pid_id;
hid_hw_request(pidff->hid, pidff->reports[PID_BLOCK_FREE],
HID_REQ_SET_REPORT);
+
+ if (pidff->effect_count > 0)
+ pidff->effect_count--;
}
/*
@@ -1221,50 +1306,6 @@ static int pidff_init_fields(struct pidff_device *pidff, struct input_dev *dev)
return 0;
}
-/*
- * Reset the device
- */
-static void pidff_reset(struct pidff_device *pidff)
-{
- struct hid_device *hid = pidff->hid;
- int i = 0;
-
- pidff->device_control->value[0] = pidff->control_id[PID_RESET];
- /* We reset twice as sometimes hid_wait_io isn't waiting long enough */
- hid_hw_request(hid, pidff->reports[PID_DEVICE_CONTROL], HID_REQ_SET_REPORT);
- hid_hw_wait(hid);
- hid_hw_request(hid, pidff->reports[PID_DEVICE_CONTROL], HID_REQ_SET_REPORT);
- hid_hw_wait(hid);
-
- pidff->device_control->value[0] = pidff->control_id[PID_STOP_ALL_EFFECTS];
- hid_hw_request(hid, pidff->reports[PID_DEVICE_CONTROL], HID_REQ_SET_REPORT);
- hid_hw_wait(hid);
-
- pidff->device_control->value[0] =
- pidff->control_id[PID_ENABLE_ACTUATORS];
- hid_hw_request(hid, pidff->reports[PID_DEVICE_CONTROL], HID_REQ_SET_REPORT);
- hid_hw_wait(hid);
-
- /* pool report is sometimes messed up, refetch it */
- hid_hw_request(hid, pidff->reports[PID_POOL], HID_REQ_GET_REPORT);
- hid_hw_wait(hid);
-
- if (pidff->pool[PID_SIMULTANEOUS_MAX].value) {
- while (pidff->pool[PID_SIMULTANEOUS_MAX].value[0] < 2) {
- if (i++ > 20) {
- hid_warn(pidff->hid,
- "device reports %d simultaneous effects\n",
- pidff->pool[PID_SIMULTANEOUS_MAX].value[0]);
- break;
- }
- hid_dbg(pidff->hid, "pid_pool requested again\n");
- hid_hw_request(hid, pidff->reports[PID_POOL],
- HID_REQ_GET_REPORT);
- hid_hw_wait(hid);
- }
- }
-}
-
/*
* Test if autocenter modification is using the supported method
*/
@@ -1330,6 +1371,7 @@ int hid_pidff_init_with_quirks(struct hid_device *hid, __u32 initial_quirks)
pidff->hid = hid;
pidff->quirks = initial_quirks;
+ pidff->effect_count = 0;
hid_device_io_start(hid);
@@ -1346,8 +1388,6 @@ int hid_pidff_init_with_quirks(struct hid_device *hid, __u32 initial_quirks)
if (error)
goto fail;
- pidff_reset(pidff);
-
if (test_bit(FF_GAIN, dev->ffbit)) {
pidff_set(&pidff->device_gain[PID_DEVICE_GAIN_FIELD], 0xffff);
hid_hw_request(hid, pidff->reports[PID_DEVICE_GAIN],
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 199/449] HID: pidff: Simplify pidff_upload_effect function
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 198/449] HID: pidff: Completely rework and fix pidff_reset function Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 200/449] HID: pidff: Define values used in pidff_find_special_fields Greg Kroah-Hartman
` (256 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit e4bdc80ef14272ef56c38d8ca2f365fdf59cd0ba ]
Merge a bit of code that reqeusts conditional effects upload.
Makes it clear, that effect handling should be identical for
SPRING, DAMPER, INERTIA and FRICTION.
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 54 ++++++++++------------------------
1 file changed, 16 insertions(+), 38 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 99b5d3deb40d0..42c951a1d65bf 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -770,48 +770,26 @@ static int pidff_upload_effect(struct input_dev *dev, struct ff_effect *effect,
break;
case FF_SPRING:
- if (!old) {
- error = pidff_request_effect_upload(pidff,
- pidff->type_id[PID_SPRING]);
- if (error)
- return error;
- }
- if (!old || pidff_needs_set_effect(effect, old))
- pidff_set_effect_report(pidff, effect);
- if (!old || pidff_needs_set_condition(effect, old))
- pidff_set_condition_report(pidff, effect);
- break;
-
- case FF_FRICTION:
- if (!old) {
- error = pidff_request_effect_upload(pidff,
- pidff->type_id[PID_FRICTION]);
- if (error)
- return error;
- }
- if (!old || pidff_needs_set_effect(effect, old))
- pidff_set_effect_report(pidff, effect);
- if (!old || pidff_needs_set_condition(effect, old))
- pidff_set_condition_report(pidff, effect);
- break;
-
case FF_DAMPER:
- if (!old) {
- error = pidff_request_effect_upload(pidff,
- pidff->type_id[PID_DAMPER]);
- if (error)
- return error;
- }
- if (!old || pidff_needs_set_effect(effect, old))
- pidff_set_effect_report(pidff, effect);
- if (!old || pidff_needs_set_condition(effect, old))
- pidff_set_condition_report(pidff, effect);
- break;
-
case FF_INERTIA:
+ case FF_FRICTION:
if (!old) {
+ switch(effect->type) {
+ case FF_SPRING:
+ type_id = PID_SPRING;
+ break;
+ case FF_DAMPER:
+ type_id = PID_DAMPER;
+ break;
+ case FF_INERTIA:
+ type_id = PID_INERTIA;
+ break;
+ case FF_FRICTION:
+ type_id = PID_FRICTION;
+ break;
+ }
error = pidff_request_effect_upload(pidff,
- pidff->type_id[PID_INERTIA]);
+ pidff->type_id[type_id]);
if (error)
return error;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 200/449] HID: pidff: Define values used in pidff_find_special_fields
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 199/449] HID: pidff: Simplify pidff_upload_effect function Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 201/449] HID: pidff: Rescale time values to match field units Greg Kroah-Hartman
` (255 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit 1c12f136891cf4d2d4e6aa202d671a9d2171a716 ]
Makes it clear where did these values came from
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 42c951a1d65bf..bd913d57e4d75 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -48,6 +48,14 @@ static const u8 pidff_reports[] = {
/* device_control is really 0x95, but 0x96 specified as it is the usage of
the only field in that report */
+/* PID special fields */
+
+#define PID_EFFECT_TYPE 0x25
+#define PID_DIRECTION 0x57
+#define PID_EFFECT_OPERATION_ARRAY 0x78
+#define PID_BLOCK_LOAD_STATUS 0x8b
+#define PID_DEVICE_CONTROL_ARRAY 0x96
+
/* Value usage tables used to put fields and values into arrays */
#define PID_EFFECT_BLOCK_INDEX 0
@@ -1056,23 +1064,24 @@ static int pidff_find_special_fields(struct pidff_device *pidff)
pidff->create_new_effect_type =
pidff_find_special_field(pidff->reports[PID_CREATE_NEW_EFFECT],
- 0x25, 1);
+ PID_EFFECT_TYPE, 1);
pidff->set_effect_type =
pidff_find_special_field(pidff->reports[PID_SET_EFFECT],
- 0x25, 1);
+ PID_EFFECT_TYPE, 1);
pidff->effect_direction =
pidff_find_special_field(pidff->reports[PID_SET_EFFECT],
- 0x57, 0);
+ PID_DIRECTION, 0);
pidff->device_control =
pidff_find_special_field(pidff->reports[PID_DEVICE_CONTROL],
- 0x96, !(pidff->quirks & HID_PIDFF_QUIRK_PERMISSIVE_CONTROL));
+ PID_DEVICE_CONTROL_ARRAY,
+ !(pidff->quirks & HID_PIDFF_QUIRK_PERMISSIVE_CONTROL));
pidff->block_load_status =
pidff_find_special_field(pidff->reports[PID_BLOCK_LOAD],
- 0x8b, 1);
+ PID_BLOCK_LOAD_STATUS, 1);
pidff->effect_operation_status =
pidff_find_special_field(pidff->reports[PID_EFFECT_OPERATION],
- 0x78, 1);
+ PID_EFFECT_OPERATION_ARRAY, 1);
hid_dbg(pidff->hid, "search done\n");
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 201/449] HID: pidff: Rescale time values to match field units
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 200/449] HID: pidff: Define values used in pidff_find_special_fields Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 202/449] HID: pidff: Factor out code for setting gain Greg Kroah-Hartman
` (254 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Makarenko Oleg, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit 8713107221a8ce4021ec5fa12bb50ecc8165cf08 ]
PID devices can use different exponents for time fields, while Linux
Force Feedback API only supports miliseconds.
Read the exponent of a given time field and scale its value accordingly.
Changes in v7:
- Rescale all time fields, not only period
changes in v9:
- Properly assign fade_lenght, not attack_length to PID_FADE_TIME
Co-developed-by: Makarenko Oleg <oleg@makarenk.ooo>
Signed-off-by: Makarenko Oleg <oleg@makarenk.ooo>
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 69 ++++++++++++++++++++++++++--------
1 file changed, 54 insertions(+), 15 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index bd913d57e4d75..180b2cf66e4c7 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -22,6 +22,9 @@
#define PID_EFFECTS_MAX 64
#define PID_INFINITE 0xffff
+/* Linux Force Feedback API uses miliseconds as time unit */
+#define FF_TIME_EXPONENT -3
+
/* Report usage table used to put reports into an array */
#define PID_SET_EFFECT 0
@@ -231,6 +234,24 @@ static int pidff_rescale_signed(int i, struct hid_field *field)
field->logical_minimum / -0x8000;
}
+/*
+ * Scale time value from Linux default (ms) to field units
+ */
+static u32 pidff_rescale_time(u16 time, struct hid_field *field)
+{
+ u32 scaled_time = time;
+ int exponent = field->unit_exponent;
+ pr_debug("time field exponent: %d\n", exponent);
+
+ for (;exponent < FF_TIME_EXPONENT; exponent++)
+ scaled_time *= 10;
+ for (;exponent > FF_TIME_EXPONENT; exponent--)
+ scaled_time /= 10;
+
+ pr_debug("time calculated from %d to %d\n", time, scaled_time);
+ return scaled_time;
+}
+
static void pidff_set(struct pidff_usage *usage, u16 value)
{
usage->value[0] = pidff_rescale(value, 0xffff, usage->field);
@@ -252,6 +273,27 @@ static void pidff_set_signed(struct pidff_usage *usage, s16 value)
pr_debug("calculated from %d to %d\n", value, usage->value[0]);
}
+static void pidff_set_time(struct pidff_usage *usage, u16 time)
+{
+ u32 modified_time = pidff_rescale_time(time, usage->field);
+ usage->value[0] = pidff_clamp(modified_time, usage->field);
+}
+
+static void pidff_set_duration(struct pidff_usage *usage, u16 duration)
+{
+ /* Convert infinite length from Linux API (0)
+ to PID standard (NULL) if needed */
+ if (duration == 0)
+ duration = PID_INFINITE;
+
+ if (duration == PID_INFINITE) {
+ usage->value[0] = PID_INFINITE;
+ return;
+ }
+
+ pidff_set_time(usage, duration);
+}
+
/*
* Send envelope report to the device
*/
@@ -270,8 +312,10 @@ static void pidff_set_envelope_report(struct pidff_device *pidff,
0x7fff ? 0x7fff : envelope->fade_level, 0x7fff,
pidff->set_envelope[PID_FADE_LEVEL].field);
- pidff->set_envelope[PID_ATTACK_TIME].value[0] = envelope->attack_length;
- pidff->set_envelope[PID_FADE_TIME].value[0] = envelope->fade_length;
+ pidff_set_time(&pidff->set_envelope[PID_ATTACK_TIME],
+ envelope->attack_length);
+ pidff_set_time(&pidff->set_envelope[PID_FADE_TIME],
+ envelope->fade_length);
hid_dbg(pidff->hid, "attack %u => %d\n",
envelope->attack_level,
@@ -340,14 +384,12 @@ static void pidff_set_effect_report(struct pidff_device *pidff,
pidff->set_effect_type->value[0] =
pidff->create_new_effect_type->value[0];
- /* Convert infinite length from Linux API (0)
- to PID standard (NULL) if needed */
- pidff->set_effect[PID_DURATION].value[0] =
- effect->replay.length == 0 ? PID_INFINITE : effect->replay.length;
+ pidff_set_duration(&pidff->set_effect[PID_DURATION],
+ effect->replay.length);
pidff->set_effect[PID_TRIGGER_BUTTON].value[0] = effect->trigger.button;
- pidff->set_effect[PID_TRIGGER_REPEAT_INT].value[0] =
- effect->trigger.interval;
+ pidff_set_time(&pidff->set_effect[PID_TRIGGER_REPEAT_INT],
+ effect->trigger.interval);
pidff->set_effect[PID_GAIN].value[0] =
pidff->set_effect[PID_GAIN].field->logical_maximum;
pidff->set_effect[PID_DIRECTION_ENABLE].value[0] = 1;
@@ -360,7 +402,8 @@ static void pidff_set_effect_report(struct pidff_device *pidff,
/* Omit setting delay field if it's missing */
if (!(pidff->quirks & HID_PIDFF_QUIRK_MISSING_DELAY))
- pidff->set_effect[PID_START_DELAY].value[0] = effect->replay.delay;
+ pidff_set_time(&pidff->set_effect[PID_START_DELAY],
+ effect->replay.delay);
hid_hw_request(pidff->hid, pidff->reports[PID_SET_EFFECT],
HID_REQ_SET_REPORT);
@@ -392,15 +435,11 @@ static void pidff_set_periodic_report(struct pidff_device *pidff,
pidff_set_signed(&pidff->set_periodic[PID_OFFSET],
effect->u.periodic.offset);
pidff_set(&pidff->set_periodic[PID_PHASE], effect->u.periodic.phase);
-
- /* Clamp period to ensure the device can play the effect */
- pidff->set_periodic[PID_PERIOD].value[0] =
- pidff_clamp(effect->u.periodic.period,
- pidff->set_periodic[PID_PERIOD].field);
+ pidff_set_time(&pidff->set_periodic[PID_PERIOD],
+ effect->u.periodic.period);
hid_hw_request(pidff->hid, pidff->reports[PID_SET_PERIODIC],
HID_REQ_SET_REPORT);
-
}
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 202/449] HID: pidff: Factor out code for setting gain
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 201/449] HID: pidff: Rescale time values to match field units Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 203/449] HID: pidff: Move all hid-pidff definitions to a dedicated header Greg Kroah-Hartman
` (253 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit f7ebf0b11b9e04bf59c438ad14f0115b12aa2f44 ]
Makes it possible to easily set gain from inside hid-pidff.c
Changes in v7:
- Check if device gain field exists before setting device gain
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 180b2cf66e4c7..ac6f940abd901 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -539,6 +539,19 @@ static int pidff_needs_set_ramp(struct ff_effect *effect, struct ff_effect *old)
effect->u.ramp.end_level != old->u.ramp.end_level;
}
+/*
+ * Set device gain
+ */
+static void pidff_set_gain_report(struct pidff_device *pidff, u16 gain)
+{
+ if (!pidff->device_gain[PID_DEVICE_GAIN_FIELD].field)
+ return;
+
+ pidff_set(&pidff->device_gain[PID_DEVICE_GAIN_FIELD], gain);
+ hid_hw_request(pidff->hid, pidff->reports[PID_DEVICE_GAIN],
+ HID_REQ_SET_REPORT);
+}
+
/*
* Clear device control report
*/
@@ -865,11 +878,7 @@ static int pidff_upload_effect(struct input_dev *dev, struct ff_effect *effect,
*/
static void pidff_set_gain(struct input_dev *dev, u16 gain)
{
- struct pidff_device *pidff = dev->ff->private;
-
- pidff_set(&pidff->device_gain[PID_DEVICE_GAIN_FIELD], gain);
- hid_hw_request(pidff->hid, pidff->reports[PID_DEVICE_GAIN],
- HID_REQ_SET_REPORT);
+ pidff_set_gain_report(dev->ff->private, gain);
}
static void pidff_autocenter(struct pidff_device *pidff, u16 magnitude)
@@ -1414,12 +1423,7 @@ int hid_pidff_init_with_quirks(struct hid_device *hid, __u32 initial_quirks)
if (error)
goto fail;
- if (test_bit(FF_GAIN, dev->ffbit)) {
- pidff_set(&pidff->device_gain[PID_DEVICE_GAIN_FIELD], 0xffff);
- hid_hw_request(hid, pidff->reports[PID_DEVICE_GAIN],
- HID_REQ_SET_REPORT);
- }
-
+ pidff_set_gain_report(pidff, 0xffff);
error = pidff_check_autocenter(pidff, dev);
if (error)
goto fail;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 203/449] HID: pidff: Move all hid-pidff definitions to a dedicated header
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 202/449] HID: pidff: Factor out code for setting gain Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 204/449] HID: pidff: Simplify pidff_rescale_signed Greg Kroah-Hartman
` (252 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit 0d24d4b1da96df9fc5ff36966f40f980ef864d46 ]
Do not clutter hid includes with stuff not needed outside of
the kernel.
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-universal-pidff.c | 3 ++-
drivers/hid/usbhid/hid-core.c | 1 +
drivers/hid/usbhid/hid-pidff.c | 3 ++-
drivers/hid/usbhid/hid-pidff.h | 33 +++++++++++++++++++++++++++++++
include/linux/hid.h | 15 --------------
5 files changed, 38 insertions(+), 17 deletions(-)
create mode 100644 drivers/hid/usbhid/hid-pidff.h
diff --git a/drivers/hid/hid-universal-pidff.c b/drivers/hid/hid-universal-pidff.c
index 7ef5ab9146b1c..1b713b741d192 100644
--- a/drivers/hid/hid-universal-pidff.c
+++ b/drivers/hid/hid-universal-pidff.c
@@ -13,6 +13,7 @@
#include <linux/module.h>
#include <linux/input-event-codes.h>
#include "hid-ids.h"
+#include "usbhid/hid-pidff.h"
#define JOY_RANGE (BTN_DEAD - BTN_JOYSTICK + 1)
@@ -89,7 +90,7 @@ static int universal_pidff_probe(struct hid_device *hdev,
}
/* Check if HID_PID support is enabled */
- int (*init_function)(struct hid_device *, __u32);
+ int (*init_function)(struct hid_device *, u32);
init_function = hid_pidff_init_with_quirks;
if (!init_function) {
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index a6eb6fe6130d1..44c2351b870fa 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -35,6 +35,7 @@
#include <linux/hid-debug.h>
#include <linux/hidraw.h>
#include "usbhid.h"
+#include "hid-pidff.h"
/*
* Version Information
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index ac6f940abd901..a8eaa77e80be3 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -12,6 +12,7 @@
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include "hid-pidff.h"
#include <linux/input.h>
#include <linux/slab.h>
#include <linux/usb.h>
@@ -1383,7 +1384,7 @@ static int pidff_check_autocenter(struct pidff_device *pidff,
* Check if the device is PID and initialize it
* Set initial quirks
*/
-int hid_pidff_init_with_quirks(struct hid_device *hid, __u32 initial_quirks)
+int hid_pidff_init_with_quirks(struct hid_device *hid, u32 initial_quirks)
{
struct pidff_device *pidff;
struct hid_input *hidinput = list_entry(hid->inputs.next,
diff --git a/drivers/hid/usbhid/hid-pidff.h b/drivers/hid/usbhid/hid-pidff.h
new file mode 100644
index 0000000000000..dda571e0a5bd3
--- /dev/null
+++ b/drivers/hid/usbhid/hid-pidff.h
@@ -0,0 +1,33 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+#ifndef __HID_PIDFF_H
+#define __HID_PIDFF_H
+
+#include <linux/hid.h>
+
+/* HID PIDFF quirks */
+
+/* Delay field (0xA7) missing. Skip it during set effect report upload */
+#define HID_PIDFF_QUIRK_MISSING_DELAY BIT(0)
+
+/* Missing Paramter block offset (0x23). Skip it during SET_CONDITION
+ report upload */
+#define HID_PIDFF_QUIRK_MISSING_PBO BIT(1)
+
+/* Initialise device control field even if logical_minimum != 1 */
+#define HID_PIDFF_QUIRK_PERMISSIVE_CONTROL BIT(2)
+
+/* Use fixed 0x4000 direction during SET_EFFECT report upload */
+#define HID_PIDFF_QUIRK_FIX_WHEEL_DIRECTION BIT(3)
+
+/* Force all periodic effects to be uploaded as SINE */
+#define HID_PIDFF_QUIRK_PERIODIC_SINE_ONLY BIT(4)
+
+#ifdef CONFIG_HID_PID
+int hid_pidff_init(struct hid_device *hid);
+int hid_pidff_init_with_quirks(struct hid_device *hid, u32 initial_quirks);
+#else
+#define hid_pidff_init NULL
+#define hid_pidff_init_with_quirks NULL
+#endif
+
+#endif
diff --git a/include/linux/hid.h b/include/linux/hid.h
index e180679ab284c..9ca7e26ac4e92 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -1222,21 +1222,6 @@ unsigned long hid_lookup_quirk(const struct hid_device *hdev);
int hid_quirks_init(char **quirks_param, __u16 bus, int count);
void hid_quirks_exit(__u16 bus);
-#ifdef CONFIG_HID_PID
-int hid_pidff_init(struct hid_device *hid);
-int hid_pidff_init_with_quirks(struct hid_device *hid, __u32 initial_quirks);
-#else
-#define hid_pidff_init NULL
-#define hid_pidff_init_with_quirks NULL
-#endif
-
-/* HID PIDFF quirks */
-#define HID_PIDFF_QUIRK_MISSING_DELAY BIT(0)
-#define HID_PIDFF_QUIRK_MISSING_PBO BIT(1)
-#define HID_PIDFF_QUIRK_PERMISSIVE_CONTROL BIT(2)
-#define HID_PIDFF_QUIRK_FIX_WHEEL_DIRECTION BIT(3)
-#define HID_PIDFF_QUIRK_PERIODIC_SINE_ONLY BIT(4)
-
#define dbg_hid(fmt, ...) pr_debug("%s: " fmt, __FILE__, ##__VA_ARGS__)
#define hid_err(hid, fmt, ...) \
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 204/449] HID: pidff: Simplify pidff_rescale_signed
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 203/449] HID: pidff: Move all hid-pidff definitions to a dedicated header Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 205/449] HID: pidff: Use macros instead of hardcoded min/max values for shorts Greg Kroah-Hartman
` (251 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit 4eb9c2ee538b62dc5dcae192297c3a4044b7ade5 ]
This function overrelies on ternary operators and makes it hard to parse
it mentally. New version makes it very easy to understand.
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index a8eaa77e80be3..8083eb7684e5e 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -230,9 +230,9 @@ static int pidff_rescale(int i, int max, struct hid_field *field)
*/
static int pidff_rescale_signed(int i, struct hid_field *field)
{
- return i == 0 ? 0 : i >
- 0 ? i * field->logical_maximum / 0x7fff : i *
- field->logical_minimum / -0x8000;
+ if (i > 0) return i * field->logical_maximum / 0x7fff;
+ if (i < 0) return i * field->logical_minimum / -0x8000;
+ return 0;
}
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 205/449] HID: pidff: Use macros instead of hardcoded min/max values for shorts
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 204/449] HID: pidff: Simplify pidff_rescale_signed Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 206/449] HID: pidff: Factor out pool report fetch and remove excess declaration Greg Kroah-Hartman
` (250 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit 21755162456902998f8d9897086b8c980c540df5 ]
Makes it obvious these magic values ARE in fact derived from min and
max values for s16 and u16
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 8083eb7684e5e..b21e844f5f3a3 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -21,7 +21,7 @@
#define PID_EFFECTS_MAX 64
-#define PID_INFINITE 0xffff
+#define PID_INFINITE U16_MAX
/* Linux Force Feedback API uses miliseconds as time unit */
#define FF_TIME_EXPONENT -3
@@ -226,12 +226,12 @@ static int pidff_rescale(int i, int max, struct hid_field *field)
}
/*
- * Scale a signed value in range -0x8000..0x7fff for the given field
+ * Scale a signed value in range S16_MIN..S16_MAX for the given field
*/
static int pidff_rescale_signed(int i, struct hid_field *field)
{
- if (i > 0) return i * field->logical_maximum / 0x7fff;
- if (i < 0) return i * field->logical_minimum / -0x8000;
+ if (i > 0) return i * field->logical_maximum / S16_MAX;
+ if (i < 0) return i * field->logical_minimum / S16_MIN;
return 0;
}
@@ -255,7 +255,7 @@ static u32 pidff_rescale_time(u16 time, struct hid_field *field)
static void pidff_set(struct pidff_usage *usage, u16 value)
{
- usage->value[0] = pidff_rescale(value, 0xffff, usage->field);
+ usage->value[0] = pidff_rescale(value, U16_MAX, usage->field);
pr_debug("calculated from %d to %d\n", value, usage->value[0]);
}
@@ -266,10 +266,10 @@ static void pidff_set_signed(struct pidff_usage *usage, s16 value)
else {
if (value < 0)
usage->value[0] =
- pidff_rescale(-value, 0x8000, usage->field);
+ pidff_rescale(-value, -S16_MIN, usage->field);
else
usage->value[0] =
- pidff_rescale(value, 0x7fff, usage->field);
+ pidff_rescale(value, S16_MAX, usage->field);
}
pr_debug("calculated from %d to %d\n", value, usage->value[0]);
}
@@ -306,11 +306,11 @@ static void pidff_set_envelope_report(struct pidff_device *pidff,
pidff->set_envelope[PID_ATTACK_LEVEL].value[0] =
pidff_rescale(envelope->attack_level >
- 0x7fff ? 0x7fff : envelope->attack_level, 0x7fff,
+ S16_MAX ? S16_MAX : envelope->attack_level, S16_MAX,
pidff->set_envelope[PID_ATTACK_LEVEL].field);
pidff->set_envelope[PID_FADE_LEVEL].value[0] =
pidff_rescale(envelope->fade_level >
- 0x7fff ? 0x7fff : envelope->fade_level, 0x7fff,
+ S16_MAX ? S16_MAX : envelope->fade_level, S16_MAX,
pidff->set_envelope[PID_FADE_LEVEL].field);
pidff_set_time(&pidff->set_envelope[PID_ATTACK_TIME],
@@ -399,7 +399,7 @@ static void pidff_set_effect_report(struct pidff_device *pidff,
pidff->effect_direction->value[0] = pidff_rescale(
pidff->quirks & HID_PIDFF_QUIRK_FIX_WHEEL_DIRECTION ?
PIDFF_FIXED_WHEEL_DIRECTION : effect->direction,
- 0xffff, pidff->effect_direction);
+ U16_MAX, pidff->effect_direction);
/* Omit setting delay field if it's missing */
if (!(pidff->quirks & HID_PIDFF_QUIRK_MISSING_DELAY))
@@ -1366,7 +1366,7 @@ static int pidff_check_autocenter(struct pidff_device *pidff,
if (pidff->block_load[PID_EFFECT_BLOCK_INDEX].value[0] ==
pidff->block_load[PID_EFFECT_BLOCK_INDEX].field->logical_minimum + 1) {
- pidff_autocenter(pidff, 0xffff);
+ pidff_autocenter(pidff, U16_MAX);
set_bit(FF_AUTOCENTER, dev->ffbit);
} else {
hid_notice(pidff->hid,
@@ -1424,7 +1424,7 @@ int hid_pidff_init_with_quirks(struct hid_device *hid, u32 initial_quirks)
if (error)
goto fail;
- pidff_set_gain_report(pidff, 0xffff);
+ pidff_set_gain_report(pidff, U16_MAX);
error = pidff_check_autocenter(pidff, dev);
if (error)
goto fail;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 206/449] HID: pidff: Factor out pool report fetch and remove excess declaration
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 205/449] HID: pidff: Use macros instead of hardcoded min/max values for shorts Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 207/449] HID: pidff: Make sure to fetch pool before checking SIMULTANEOUS_MAX Greg Kroah-Hartman
` (249 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła,
Michał Kopeć, Paul Dino Jones, Cristóferson Bueno,
Pablo Cisneros, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit 5d98079b2d0186e1f586301a9c00144a669416a8 ]
We only want to refetch the pool report during device init. Reset
function is now called when uploading effects to an empty device so
extract pool fetch to separate function and call it from init before
autocenter check (autocenter check triggered reset during init).
Remove a superfluous pointer declaration and assigment as well.
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Reviewed-by: Michał Kopeć <michal@nozomi.space>
Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
Tested-by: Pablo Cisneros <patchkez@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 45 ++++++++++++++++++----------------
1 file changed, 24 insertions(+), 21 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index b21e844f5f3a3..f23381b6e3447 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -591,12 +591,9 @@ static void pidff_modify_actuators_state(struct pidff_device *pidff, bool enable
/*
* Reset the device, stop all effects, enable actuators
- * Refetch pool report
*/
static void pidff_reset(struct pidff_device *pidff)
{
- int i = 0;
-
/* We reset twice as sometimes hid_wait_io isn't waiting long enough */
pidff_send_device_control(pidff, PID_RESET);
pidff_send_device_control(pidff, PID_RESET);
@@ -604,23 +601,29 @@ static void pidff_reset(struct pidff_device *pidff)
pidff_send_device_control(pidff, PID_STOP_ALL_EFFECTS);
pidff_modify_actuators_state(pidff, 1);
+}
- /* pool report is sometimes messed up, refetch it */
- hid_hw_request(pidff->hid, pidff->reports[PID_POOL], HID_REQ_GET_REPORT);
- hid_hw_wait(pidff->hid);
+/*
+ * Refetch pool report
+ */
+static void pidff_fetch_pool(struct pidff_device *pidff)
+{
+ if (!pidff->pool[PID_SIMULTANEOUS_MAX].value)
+ return;
- if (pidff->pool[PID_SIMULTANEOUS_MAX].value) {
- while (pidff->pool[PID_SIMULTANEOUS_MAX].value[0] < 2) {
- if (i++ > 20) {
- hid_warn(pidff->hid,
- "device reports %d simultaneous effects\n",
- pidff->pool[PID_SIMULTANEOUS_MAX].value[0]);
- break;
- }
- hid_dbg(pidff->hid, "pid_pool requested again\n");
- hid_hw_request(pidff->hid, pidff->reports[PID_POOL],
- HID_REQ_GET_REPORT);
- hid_hw_wait(pidff->hid);
+ int i = 0;
+ while (pidff->pool[PID_SIMULTANEOUS_MAX].value[0] < 2) {
+ hid_dbg(pidff->hid, "pid_pool requested again\n");
+ hid_hw_request(pidff->hid, pidff->reports[PID_POOL],
+ HID_REQ_GET_REPORT);
+ hid_hw_wait(pidff->hid);
+
+ /* break after 20 tries with SIMULTANEOUS_MAX < 2 */
+ if (i++ > 20) {
+ hid_warn(pidff->hid,
+ "device reports %d simultaneous effects\n",
+ pidff->pool[PID_SIMULTANEOUS_MAX].value[0]);
+ break;
}
}
}
@@ -916,9 +919,7 @@ static void pidff_autocenter(struct pidff_device *pidff, u16 magnitude)
*/
static void pidff_set_autocenter(struct input_dev *dev, u16 magnitude)
{
- struct pidff_device *pidff = dev->ff->private;
-
- pidff_autocenter(pidff, magnitude);
+ pidff_autocenter(dev->ff->private, magnitude);
}
/*
@@ -1424,6 +1425,8 @@ int hid_pidff_init_with_quirks(struct hid_device *hid, u32 initial_quirks)
if (error)
goto fail;
+ /* pool report is sometimes messed up, refetch it */
+ pidff_fetch_pool(pidff);
pidff_set_gain_report(pidff, U16_MAX);
error = pidff_check_autocenter(pidff, dev);
if (error)
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 207/449] HID: pidff: Make sure to fetch pool before checking SIMULTANEOUS_MAX
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 206/449] HID: pidff: Factor out pool report fetch and remove excess declaration Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 208/449] HID: hid-universal-pidff: Add Asetek wheelbases support Greg Kroah-Hartman
` (248 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła, Jiri Kosina,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit 1f650dcec32d22deb1d6db12300a2b98483099a9 ]
As noted by Anssi some 20 years ago, pool report is sometimes messed up.
This worked fine on many devices but casued oops on VRS DirectForce PRO.
Here, we're making sure pool report is refetched before trying to access
any of it's fields. While loop was replaced with a for loop + exit
conditions were moved aroud to decrease the possibility of creating an
infinite loop scenario.
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 29 +++++++++++++----------------
1 file changed, 13 insertions(+), 16 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index f23381b6e3447..503f643b59cad 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -604,28 +604,25 @@ static void pidff_reset(struct pidff_device *pidff)
}
/*
- * Refetch pool report
+ * Fetch pool report
*/
static void pidff_fetch_pool(struct pidff_device *pidff)
{
- if (!pidff->pool[PID_SIMULTANEOUS_MAX].value)
- return;
+ int i;
+ struct hid_device *hid = pidff->hid;
- int i = 0;
- while (pidff->pool[PID_SIMULTANEOUS_MAX].value[0] < 2) {
- hid_dbg(pidff->hid, "pid_pool requested again\n");
- hid_hw_request(pidff->hid, pidff->reports[PID_POOL],
- HID_REQ_GET_REPORT);
- hid_hw_wait(pidff->hid);
+ /* Repeat if PID_SIMULTANEOUS_MAX < 2 to make sure it's correct */
+ for(i = 0; i < 20; i++) {
+ hid_hw_request(hid, pidff->reports[PID_POOL], HID_REQ_GET_REPORT);
+ hid_hw_wait(hid);
- /* break after 20 tries with SIMULTANEOUS_MAX < 2 */
- if (i++ > 20) {
- hid_warn(pidff->hid,
- "device reports %d simultaneous effects\n",
- pidff->pool[PID_SIMULTANEOUS_MAX].value[0]);
- break;
- }
+ if (!pidff->pool[PID_SIMULTANEOUS_MAX].value)
+ return;
+ if (pidff->pool[PID_SIMULTANEOUS_MAX].value[0] >= 2)
+ return;
}
+ hid_warn(hid, "device reports %d simultaneous effects\n",
+ pidff->pool[PID_SIMULTANEOUS_MAX].value[0]);
}
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 208/449] HID: hid-universal-pidff: Add Asetek wheelbases support
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 207/449] HID: pidff: Make sure to fetch pool before checking SIMULTANEOUS_MAX Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 209/449] HID: pidff: Comment and code style update Greg Kroah-Hartman
` (247 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła, Jiri Kosina,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit c385f61108d403633e8cfbdae15b35ccf7cee686 ]
Adds Asetek vendor id and product ids for:
- Invicta
- Forte
- La Prima
- Tony Kanaan
v2:
- Misc spelling fix in driver loaded info
v3:
- Chanage Oleg's name order
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-ids.h | 6 ++++++
drivers/hid/hid-universal-pidff.c | 10 +++++++---
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
index d54b2b302ad7b..288a2b864cc41 100644
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -190,6 +190,12 @@
#define USB_DEVICE_ID_APPLE_TOUCHBAR_BACKLIGHT 0x8102
#define USB_DEVICE_ID_APPLE_TOUCHBAR_DISPLAY 0x8302
+#define USB_VENDOR_ID_ASETEK 0x2433
+#define USB_DEVICE_ID_ASETEK_INVICTA 0xf300
+#define USB_DEVICE_ID_ASETEK_FORTE 0xf301
+#define USB_DEVICE_ID_ASETEK_LA_PRIMA 0xf303
+#define USB_DEVICE_ID_ASETEK_TONY_KANAAN 0xf306
+
#define USB_VENDOR_ID_ASUS 0x0486
#define USB_DEVICE_ID_ASUS_T91MT 0x0185
#define USB_DEVICE_ID_ASUSTEK_MULTITOUCH_YFO 0x0186
diff --git a/drivers/hid/hid-universal-pidff.c b/drivers/hid/hid-universal-pidff.c
index 1b713b741d192..5b89ec7b5c26c 100644
--- a/drivers/hid/hid-universal-pidff.c
+++ b/drivers/hid/hid-universal-pidff.c
@@ -4,7 +4,7 @@
* hid-pidff wrapper for PID-enabled devices
* Handles device reports, quirks and extends usable button range
*
- * Copyright (c) 2024, 2025 Makarenko Oleg
+ * Copyright (c) 2024, 2025 Oleg Makarenko
* Copyright (c) 2024, 2025 Tomasz Pakuła
*/
@@ -104,7 +104,7 @@ static int universal_pidff_probe(struct hid_device *hdev,
goto err;
}
- hid_info(hdev, "Universal pidff driver loaded sucesfully!");
+ hid_info(hdev, "Universal pidff driver loaded sucessfully!");
return 0;
err:
@@ -179,6 +179,10 @@ static const struct hid_device_id universal_pidff_devices[] = {
.driver_data = HID_PIDFF_QUIRK_PERIODIC_SINE_ONLY },
{ HID_USB_DEVICE(USB_VENDOR_ID_LITE_STAR, USB_DEVICE_LITE_STAR_GT987_FF),
.driver_data = HID_PIDFF_QUIRK_PERIODIC_SINE_ONLY },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ASETEK, USB_DEVICE_ID_ASETEK_INVICTA) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ASETEK, USB_DEVICE_ID_ASETEK_FORTE) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ASETEK, USB_DEVICE_ID_ASETEK_LA_PRIMA) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ASETEK, USB_DEVICE_ID_ASETEK_TONY_KANAAN) },
{ }
};
MODULE_DEVICE_TABLE(hid, universal_pidff_devices);
@@ -194,5 +198,5 @@ module_hid_driver(universal_pidff);
MODULE_DESCRIPTION("Universal driver for USB PID Force Feedback devices");
MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Makarenko Oleg <oleg@makarenk.ooo>");
+MODULE_AUTHOR("Oleg Makarenko <oleg@makarenk.ooo>");
MODULE_AUTHOR("Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>");
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 209/449] HID: pidff: Comment and code style update
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 208/449] HID: hid-universal-pidff: Add Asetek wheelbases support Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 210/449] HID: pidff: Support device error response from PID_BLOCK_LOAD Greg Kroah-Hartman
` (246 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła, Jiri Kosina,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit e19675c2477491401b236ed939ad5a43ddc339af ]
Update comments to fully conform to the Linux comment styling.
Define Linux infinite effect duration (0) as FF_INFINITE
Chanage Oleg's name order
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 57 +++++++++++++++-------------------
1 file changed, 25 insertions(+), 32 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 503f643b59cad..e2508a4d754d3 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -3,13 +3,9 @@
* Force feedback driver for USB HID PID compliant devices
*
* Copyright (c) 2005, 2006 Anssi Hannula <anssi.hannula@gmail.com>
+ * Upgraded 2025 by Oleg Makarenko and Tomasz Pakuła
*/
-/*
- */
-
-/* #define DEBUG */
-
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include "hid-pidff.h"
@@ -25,9 +21,9 @@
/* Linux Force Feedback API uses miliseconds as time unit */
#define FF_TIME_EXPONENT -3
+#define FF_INFINITE 0
/* Report usage table used to put reports into an array */
-
#define PID_SET_EFFECT 0
#define PID_EFFECT_OPERATION 1
#define PID_DEVICE_GAIN 2
@@ -48,12 +44,12 @@ static const u8 pidff_reports[] = {
0x21, 0x77, 0x7d, 0x7f, 0x89, 0x90, 0x96, 0xab,
0x5a, 0x5f, 0x6e, 0x73, 0x74
};
-
-/* device_control is really 0x95, but 0x96 specified as it is the usage of
-the only field in that report */
+/*
+ * device_control is really 0x95, but 0x96 specified
+ * as it is the usage of the only field in that report.
+ */
/* PID special fields */
-
#define PID_EFFECT_TYPE 0x25
#define PID_DIRECTION 0x57
#define PID_EFFECT_OPERATION_ARRAY 0x78
@@ -61,7 +57,6 @@ the only field in that report */
#define PID_DEVICE_CONTROL_ARRAY 0x96
/* Value usage tables used to put fields and values into arrays */
-
#define PID_EFFECT_BLOCK_INDEX 0
#define PID_DURATION 1
@@ -119,7 +114,6 @@ static const u8 pidff_device_gain[] = { 0x7e };
static const u8 pidff_pool[] = { 0x80, 0x83, 0xa9 };
/* Special field key tables used to put special field keys into arrays */
-
#define PID_ENABLE_ACTUATORS 0
#define PID_DISABLE_ACTUATORS 1
#define PID_STOP_ALL_EFFECTS 2
@@ -176,8 +170,10 @@ struct pidff_device {
struct pidff_usage effect_operation[sizeof(pidff_effect_operation)];
struct pidff_usage block_free[sizeof(pidff_block_free)];
- /* Special field is a field that is not composed of
- usage<->value pairs that pidff_usage values are */
+ /*
+ * Special field is a field that is not composed of
+ * usage<->value pairs that pidff_usage values are
+ */
/* Special field in create_new_effect */
struct hid_field *create_new_effect_type;
@@ -222,7 +218,7 @@ static s32 pidff_clamp(s32 i, struct hid_field *field)
static int pidff_rescale(int i, int max, struct hid_field *field)
{
return i * (field->logical_maximum - field->logical_minimum) / max +
- field->logical_minimum;
+ field->logical_minimum;
}
/*
@@ -282,9 +278,8 @@ static void pidff_set_time(struct pidff_usage *usage, u16 time)
static void pidff_set_duration(struct pidff_usage *usage, u16 duration)
{
- /* Convert infinite length from Linux API (0)
- to PID standard (NULL) if needed */
- if (duration == 0)
+ /* Infinite value conversion from Linux API -> PID */
+ if (duration == FF_INFINITE)
duration = PID_INFINITE;
if (duration == PID_INFINITE) {
@@ -302,16 +297,16 @@ static void pidff_set_envelope_report(struct pidff_device *pidff,
struct ff_envelope *envelope)
{
pidff->set_envelope[PID_EFFECT_BLOCK_INDEX].value[0] =
- pidff->block_load[PID_EFFECT_BLOCK_INDEX].value[0];
+ pidff->block_load[PID_EFFECT_BLOCK_INDEX].value[0];
pidff->set_envelope[PID_ATTACK_LEVEL].value[0] =
- pidff_rescale(envelope->attack_level >
- S16_MAX ? S16_MAX : envelope->attack_level, S16_MAX,
- pidff->set_envelope[PID_ATTACK_LEVEL].field);
+ pidff_rescale(envelope->attack_level >
+ S16_MAX ? S16_MAX : envelope->attack_level, S16_MAX,
+ pidff->set_envelope[PID_ATTACK_LEVEL].field);
pidff->set_envelope[PID_FADE_LEVEL].value[0] =
- pidff_rescale(envelope->fade_level >
- S16_MAX ? S16_MAX : envelope->fade_level, S16_MAX,
- pidff->set_envelope[PID_FADE_LEVEL].field);
+ pidff_rescale(envelope->fade_level >
+ S16_MAX ? S16_MAX : envelope->fade_level, S16_MAX,
+ pidff->set_envelope[PID_FADE_LEVEL].field);
pidff_set_time(&pidff->set_envelope[PID_ATTACK_TIME],
envelope->attack_length);
@@ -702,9 +697,7 @@ static void pidff_playback_pid(struct pidff_device *pidff, int pid_id, int n)
static int pidff_playback(struct input_dev *dev, int effect_id, int value)
{
struct pidff_device *pidff = dev->ff->private;
-
pidff_playback_pid(pidff, pidff->pid_id[effect_id], value);
-
return 0;
}
@@ -732,8 +725,11 @@ static int pidff_erase_effect(struct input_dev *dev, int effect_id)
hid_dbg(pidff->hid, "starting to erase %d/%d\n",
effect_id, pidff->pid_id[effect_id]);
- /* Wait for the queue to clear. We do not want a full fifo to
- prevent the effect removal. */
+
+ /*
+ * Wait for the queue to clear. We do not want
+ * a full fifo to prevent the effect removal.
+ */
hid_hw_wait(pidff->hid);
pidff_playback_pid(pidff, pid_id, 0);
pidff_erase_pid(pidff, pid_id);
@@ -1239,7 +1235,6 @@ static int pidff_find_effects(struct pidff_device *pidff,
set_bit(FF_FRICTION, dev->ffbit);
return 0;
-
}
#define PIDFF_FIND_FIELDS(name, report, strict) \
@@ -1370,12 +1365,10 @@ static int pidff_check_autocenter(struct pidff_device *pidff,
hid_notice(pidff->hid,
"device has unknown autocenter control method\n");
}
-
pidff_erase_pid(pidff,
pidff->block_load[PID_EFFECT_BLOCK_INDEX].value[0]);
return 0;
-
}
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 210/449] HID: pidff: Support device error response from PID_BLOCK_LOAD
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 209/449] HID: pidff: Comment and code style update Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 211/449] HID: pidff: Remove redundant call to pidff_find_special_keys Greg Kroah-Hartman
` (245 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła, Jiri Kosina,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit 9d4174dc4a234408d91fd83725e1899766cd1731 ]
If an error happens on the device, the driver will no longer fall
into the trap of reading this status 60 times before it decides that
this reply won't change to success/memory full.
Greatly reduces communication overhead during device error situation.
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index e2508a4d754d3..d5734cbf745d1 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -138,7 +138,8 @@ static const u8 pidff_effect_types[] = {
#define PID_BLOCK_LOAD_SUCCESS 0
#define PID_BLOCK_LOAD_FULL 1
-static const u8 pidff_block_load_status[] = { 0x8c, 0x8d };
+#define PID_BLOCK_LOAD_ERROR 2
+static const u8 pidff_block_load_status[] = { 0x8c, 0x8d, 0x8e};
#define PID_EFFECT_START 0
#define PID_EFFECT_STOP 1
@@ -666,6 +667,11 @@ static int pidff_request_effect_upload(struct pidff_device *pidff, int efnum)
pidff->block_load[PID_RAM_POOL_AVAILABLE].value[0] : -1);
return -ENOSPC;
}
+ if (pidff->block_load_status->value[0] ==
+ pidff->status_id[PID_BLOCK_LOAD_ERROR]) {
+ hid_dbg(pidff->hid, "device error during effect creation\n");
+ return -EREMOTEIO;
+ }
}
hid_err(pidff->hid, "pid_block_load failed 60 times\n");
return -EIO;
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 211/449] HID: pidff: Remove redundant call to pidff_find_special_keys
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 210/449] HID: pidff: Support device error response from PID_BLOCK_LOAD Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 212/449] HID: pidff: Rename two functions to align them with naming convention Greg Kroah-Hartman
` (244 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła, Jiri Kosina,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit 1bd55e79cbc0ea2d6a65f51e06c891806359c2f2 ]
Probably left out as a mistake after Anssi created the helper macro
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index d5734cbf745d1..6f6c47bd57eaa 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -1159,10 +1159,6 @@ static int pidff_find_special_fields(struct pidff_device *pidff)
return -1;
}
- pidff_find_special_keys(pidff->control_id, pidff->device_control,
- pidff_device_control,
- sizeof(pidff_device_control));
-
PIDFF_FIND_SPECIAL_KEYS(control_id, device_control, device_control);
if (!PIDFF_FIND_SPECIAL_KEYS(type_id, create_new_effect_type,
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 212/449] HID: pidff: Rename two functions to align them with naming convention
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 211/449] HID: pidff: Remove redundant call to pidff_find_special_keys Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 213/449] HID: pidff: Clamp effect playback LOOP_COUNT value Greg Kroah-Hartman
` (243 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła, Jiri Kosina,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit bbeface1051142bcb0473fdcc89102ea5b31607d ]
Driver uses "set" everywhere to indicate setting report values and
requesting HID_REQ_SET_REPORT
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 6f6c47bd57eaa..ffecc712be003 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -552,7 +552,7 @@ static void pidff_set_gain_report(struct pidff_device *pidff, u16 gain)
/*
* Clear device control report
*/
-static void pidff_send_device_control(struct pidff_device *pidff, int field)
+static void pidff_set_device_control(struct pidff_device *pidff, int field)
{
int i, tmp;
int field_index = pidff->control_id[field];
@@ -578,10 +578,10 @@ static void pidff_send_device_control(struct pidff_device *pidff, int field)
/*
* Modify actuators state
*/
-static void pidff_modify_actuators_state(struct pidff_device *pidff, bool enable)
+static void pidff_set_actuators(struct pidff_device *pidff, bool enable)
{
hid_dbg(pidff->hid, "%s actuators\n", enable ? "Enable" : "Disable");
- pidff_send_device_control(pidff,
+ pidff_set_device_control(pidff,
enable ? PID_ENABLE_ACTUATORS : PID_DISABLE_ACTUATORS);
}
@@ -591,12 +591,12 @@ static void pidff_modify_actuators_state(struct pidff_device *pidff, bool enable
static void pidff_reset(struct pidff_device *pidff)
{
/* We reset twice as sometimes hid_wait_io isn't waiting long enough */
- pidff_send_device_control(pidff, PID_RESET);
- pidff_send_device_control(pidff, PID_RESET);
+ pidff_set_device_control(pidff, PID_RESET);
+ pidff_set_device_control(pidff, PID_RESET);
pidff->effect_count = 0;
- pidff_send_device_control(pidff, PID_STOP_ALL_EFFECTS);
- pidff_modify_actuators_state(pidff, 1);
+ pidff_set_device_control(pidff, PID_STOP_ALL_EFFECTS);
+ pidff_set_actuators(pidff, 1);
}
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 213/449] HID: pidff: Clamp effect playback LOOP_COUNT value
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 212/449] HID: pidff: Rename two functions to align them with naming convention Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 214/449] HID: pidff: Compute INFINITE value instead of using hardcoded 0xffff Greg Kroah-Hartman
` (242 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła, Jiri Kosina,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit 0c6673e3d17b258b8c5c7331d28bf6c49f25ed30 ]
Ensures the loop count will never exceed the logical_maximum.
Fixes implementation errors happening when applications use the max
value of int32/DWORD as the effect iterations. This could be observed
when running software both native and in wine.
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index ffecc712be003..74b033a4ac1b8 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -690,7 +690,8 @@ static void pidff_playback_pid(struct pidff_device *pidff, int pid_id, int n)
} else {
pidff->effect_operation_status->value[0] =
pidff->operation_id[PID_EFFECT_START];
- pidff->effect_operation[PID_LOOP_COUNT].value[0] = n;
+ pidff->effect_operation[PID_LOOP_COUNT].value[0] =
+ pidff_clamp(n, pidff->effect_operation[PID_LOOP_COUNT].field);
}
hid_hw_request(pidff->hid, pidff->reports[PID_EFFECT_OPERATION],
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 214/449] HID: pidff: Compute INFINITE value instead of using hardcoded 0xffff
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 213/449] HID: pidff: Clamp effect playback LOOP_COUNT value Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 215/449] HID: pidff: Fix 90 degrees direction name North -> East Greg Kroah-Hartman
` (241 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Pakuła, Jiri Kosina,
Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit 1a575044d516972a1d036d54c0180b9085e21dc6 ]
As per USB PID standard:
INFINITE - Referrers to the maximum value of a range. i.e. if in an 8
bit unsigned field the value of 255 would indicate INFINITE.
Detecting 0xffff (U16_MAX) is still important as we MIGHT get this value
as infinite from some native software as 0 was never actually defined
in Linux' FF api as the infinite value. I'm working on it though.
Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 74b033a4ac1b8..a614438e43bd8 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -283,8 +283,9 @@ static void pidff_set_duration(struct pidff_usage *usage, u16 duration)
if (duration == FF_INFINITE)
duration = PID_INFINITE;
+ /* PID defines INFINITE as the max possible value for duration field */
if (duration == PID_INFINITE) {
- usage->value[0] = PID_INFINITE;
+ usage->value[0] = (1U << usage->field->report_size) - 1;
return;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 215/449] HID: pidff: Fix 90 degrees direction name North -> East
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 214/449] HID: pidff: Compute INFINITE value instead of using hardcoded 0xffff Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 216/449] HID: pidff: Fix set_device_control() Greg Kroah-Hartman
` (240 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit f98ecedbeca34a8df1460c3a03cce32639c99a9d ]
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index a614438e43bd8..6eb7934c8f53b 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -145,7 +145,7 @@ static const u8 pidff_block_load_status[] = { 0x8c, 0x8d, 0x8e};
#define PID_EFFECT_STOP 1
static const u8 pidff_effect_operation_status[] = { 0x79, 0x7b };
-/* Polar direction 90 degrees (North) */
+/* Polar direction 90 degrees (East) */
#define PIDFF_FIXED_WHEEL_DIRECTION 0x4000
struct pidff_usage {
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 216/449] HID: pidff: Fix set_device_control()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 215/449] HID: pidff: Fix 90 degrees direction name North -> East Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 217/449] auxdisplay: hd44780: Fix an API misuse in hd44780.c Greg Kroah-Hartman
` (239 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiri Kosina, Sasha Levin
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
[ Upstream commit e2fa0bdf08a70623f24ed52f2037a330999d9800 ]
As the search for Device Control report is permissive, make sure the
desired field was actually found, before trying to set it.
Fix bitmask clearing as it was erronously using index instead of
index - 1 (HID arrays index is 1-based).
Add last two missing Device Control usages to the defined array.
PID_PAUSE and PID_CONTINUE.
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-pidff.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index 6eb7934c8f53b..8dfd2c554a276 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -118,7 +118,9 @@ static const u8 pidff_pool[] = { 0x80, 0x83, 0xa9 };
#define PID_DISABLE_ACTUATORS 1
#define PID_STOP_ALL_EFFECTS 2
#define PID_RESET 3
-static const u8 pidff_device_control[] = { 0x97, 0x98, 0x99, 0x9a };
+#define PID_PAUSE 4
+#define PID_CONTINUE 5
+static const u8 pidff_device_control[] = { 0x97, 0x98, 0x99, 0x9a, 0x9b, 0x9c };
#define PID_CONSTANT 0
#define PID_RAMP 1
@@ -551,21 +553,29 @@ static void pidff_set_gain_report(struct pidff_device *pidff, u16 gain)
}
/*
- * Clear device control report
+ * Send device control report to the device
*/
static void pidff_set_device_control(struct pidff_device *pidff, int field)
{
- int i, tmp;
+ int i, index;
int field_index = pidff->control_id[field];
+ if (field_index < 1)
+ return;
+
/* Detect if the field is a bitmask variable or an array */
if (pidff->device_control->flags & HID_MAIN_ITEM_VARIABLE) {
hid_dbg(pidff->hid, "DEVICE_CONTROL is a bitmask\n");
+
/* Clear current bitmask */
for(i = 0; i < sizeof(pidff_device_control); i++) {
- tmp = pidff->control_id[i];
- pidff->device_control->value[tmp] = 0;
+ index = pidff->control_id[i];
+ if (index < 1)
+ continue;
+
+ pidff->device_control->value[index - 1] = 0;
}
+
pidff->device_control->value[field_index - 1] = 1;
} else {
hid_dbg(pidff->hid, "DEVICE_CONTROL is an array\n");
--
2.39.5
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 217/449] auxdisplay: hd44780: Fix an API misuse in hd44780.c
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 216/449] HID: pidff: Fix set_device_control() Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 218/449] dt-bindings: media: st,stmipid02: correct lane-polarities maxItems Greg Kroah-Hartman
` (238 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Geert Uytterhoeven,
Andy Shevchenko
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
commit 9b98a7d2e5f4e2beeff88f6571da0cdc5883c7fb upstream.
Variable allocated by charlcd_alloc() should be released
by charlcd_free(). The following patch changed kfree() to
charlcd_free() to fix an API misuse.
Fixes: 718e05ed92ec ("auxdisplay: Introduce hd44780_common.[ch]")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/auxdisplay/hd44780.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/auxdisplay/hd44780.c
+++ b/drivers/auxdisplay/hd44780.c
@@ -313,7 +313,7 @@ static int hd44780_probe(struct platform
fail3:
kfree(hd);
fail2:
- kfree(lcd);
+ charlcd_free(lcd);
fail1:
kfree(hdc);
return ret;
@@ -328,7 +328,7 @@ static void hd44780_remove(struct platfo
kfree(hdc->hd44780);
kfree(lcd->drvdata);
- kfree(lcd);
+ charlcd_free(lcd);
}
static const struct of_device_id hd44780_of_match[] = {
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 218/449] dt-bindings: media: st,stmipid02: correct lane-polarities maxItems
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 217/449] auxdisplay: hd44780: Fix an API misuse in hd44780.c Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 219/449] media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization Greg Kroah-Hartman
` (237 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alain Volmat, Conor Dooley,
Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alain Volmat <alain.volmat@foss.st.com>
commit 3a544a39e0a4c492e3026dfbed018321d2bd6caa upstream.
The MIPID02 can use up to 2 data lanes which leads to having a maximum
item number of 3 for the lane-polarities since this also contains the
clock lane.
CC: stable@vger.kernel.org
Fixes: c2741cbe7f8a ("dt-bindings: media: st,stmipid02: Convert the text bindings to YAML")
Signed-off-by: Alain Volmat <alain.volmat@foss.st.com>
Acked-by: Conor Dooley <conor.dooley@microchip.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/media/i2c/st,st-mipid02.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Documentation/devicetree/bindings/media/i2c/st,st-mipid02.yaml
+++ b/Documentation/devicetree/bindings/media/i2c/st,st-mipid02.yaml
@@ -71,7 +71,7 @@ properties:
description:
Any lane can be inverted or not.
minItems: 1
- maxItems: 2
+ maxItems: 3
required:
- data-lanes
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 219/449] media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 218/449] dt-bindings: media: st,stmipid02: correct lane-polarities maxItems Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 220/449] media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning Greg Kroah-Hartman
` (236 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
commit 4936cd5817af35d23e4d283f48fa59a18ef481e4 upstream.
On Mediatek devices with a system companion processor (SCP) the mtk_scp
structure has to be removed explicitly to avoid a resource leak.
Free the structure in case the allocation of the firmware structure fails
during the firmware initialization.
Fixes: 53dbe0850444 ("media: mtk-vcodec: potential null pointer deference in SCP")
Cc: stable@vger.kernel.org
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c
+++ b/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c
@@ -79,8 +79,11 @@ struct mtk_vcodec_fw *mtk_vcodec_fw_scp_
}
fw = devm_kzalloc(&plat_dev->dev, sizeof(*fw), GFP_KERNEL);
- if (!fw)
+ if (!fw) {
+ scp_put(scp);
return ERR_PTR(-ENOMEM);
+ }
+
fw->type = SCP;
fw->ops = &mtk_vcodec_rproc_msg;
fw->scp = scp;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 220/449] media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 219/449] media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 221/449] media: uapi: rkisp1-config: Fix typo in extensible params example Greg Kroah-Hartman
` (235 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Nathan Chancellor,
Alexandre Courbot, Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 07df4f23ef3ffe6fee697cd2e03623ad27108843 upstream.
This is one of three clang warnings about incompatible enum types
in a conditional expression:
drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c:597:29: error: conditional expression between different enumeration types ('enum scp_ipi_id' and 'enum ipi_id') [-Werror,-Wenum-compare-conditional]
597 | inst->vpu_inst.id = is_ext ? SCP_IPI_VENC_H264 : IPI_VENC_H264;
| ^ ~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~
The code is correct, so just rework it to avoid the warning.
Fixes: 0dc4b3286125 ("media: mtk-vcodec: venc: support SCP firmware")
Cc: stable@vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Alexandre Courbot <acourbot@google.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c
+++ b/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c
@@ -594,7 +594,11 @@ static int h264_enc_init(struct mtk_vcod
inst->ctx = ctx;
inst->vpu_inst.ctx = ctx;
- inst->vpu_inst.id = is_ext ? SCP_IPI_VENC_H264 : IPI_VENC_H264;
+ if (is_ext)
+ inst->vpu_inst.id = SCP_IPI_VENC_H264;
+ else
+ inst->vpu_inst.id = IPI_VENC_H264;
+
inst->hw_base = mtk_vcodec_get_reg_addr(inst->ctx->dev->reg_base, VENC_SYS);
ret = vpu_enc_init(&inst->vpu_inst);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 221/449] media: uapi: rkisp1-config: Fix typo in extensible params example
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 220/449] media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 222/449] media: mgb4: Fix CMT registers update logic Greg Kroah-Hartman
` (234 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Söderlund,
Laurent Pinchart, Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
commit 7b0ee2de7c76e5518e2235a927fd211bc785d320 upstream.
The define used for the version in the example diagram does not match what
is defined in enum rksip1_ext_param_buffer_version, nor the description
above it. Correct the typo to make it clear which define to use.
Fixes: e9d05e9d5db1 ("media: uapi: rkisp1-config: Add extensible params format")
Cc: stable@vger.kernel.org
Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/uapi/linux/rkisp1-config.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/include/uapi/linux/rkisp1-config.h
+++ b/include/uapi/linux/rkisp1-config.h
@@ -1528,7 +1528,7 @@ enum rksip1_ext_param_buffer_version {
* The expected memory layout of the parameters buffer is::
*
* +-------------------- struct rkisp1_ext_params_cfg -------------------+
- * | version = RKISP_EXT_PARAMS_BUFFER_V1; |
+ * | version = RKISP1_EXT_PARAM_BUFFER_V1; |
* | data_size = sizeof(struct rkisp1_ext_params_bls_config) |
* | + sizeof(struct rkisp1_ext_params_dpcc_config); |
* | +------------------------- data ---------------------------------+ |
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 222/449] media: mgb4: Fix CMT registers update logic
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 221/449] media: uapi: rkisp1-config: Fix typo in extensible params example Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 223/449] media: i2c: adv748x: Fix test pattern selection mask Greg Kroah-Hartman
` (233 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Martin Tůma, Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Tůma <martin.tuma@digiteqautomotive.com>
commit dd05443189f9ae175dd806594b67bf55ddb6539e upstream.
The CMT "magic values" registers must be updated while the CMT reset
registers are active.
Fixes: 0ab13674a9bd ("media: pci: mgb4: Added Digiteq Automotive MGB4 driver")
Cc: stable@vger.kernel.org
Signed-off-by: Martin Tůma <martin.tuma@digiteqautomotive.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/pci/mgb4/mgb4_cmt.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/media/pci/mgb4/mgb4_cmt.c
+++ b/drivers/media/pci/mgb4/mgb4_cmt.c
@@ -206,10 +206,11 @@ u32 mgb4_cmt_set_vout_freq(struct mgb4_v
mgb4_write_reg(video, regs->config, 0x1 | (config & ~0x3));
+ mgb4_mask_reg(video, regs->config, 0x100, 0x100);
+
for (i = 0; i < ARRAY_SIZE(cmt_addrs_out[0]); i++)
mgb4_write_reg(&voutdev->mgbdev->cmt, addr[i], reg_set[i]);
- mgb4_mask_reg(video, regs->config, 0x100, 0x100);
mgb4_mask_reg(video, regs->config, 0x100, 0x0);
mgb4_write_reg(video, regs->config, config & ~0x1);
@@ -236,10 +237,11 @@ void mgb4_cmt_set_vin_freq_range(struct
mgb4_write_reg(video, regs->config, 0x1 | (config & ~0x3));
+ mgb4_mask_reg(video, regs->config, 0x1000, 0x1000);
+
for (i = 0; i < ARRAY_SIZE(cmt_addrs_in[0]); i++)
mgb4_write_reg(&vindev->mgbdev->cmt, addr[i], reg_set[i]);
- mgb4_mask_reg(video, regs->config, 0x1000, 0x1000);
mgb4_mask_reg(video, regs->config, 0x1000, 0x0);
mgb4_write_reg(video, regs->config, config & ~0x1);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 223/449] media: i2c: adv748x: Fix test pattern selection mask
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 222/449] media: mgb4: Fix CMT registers update logic Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 224/449] media: mgb4: Fix switched CMT frequency range "magic values" sets Greg Kroah-Hartman
` (232 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Söderlund,
Kieran Bingham, Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
commit 9e38acacb9d809b97a0bdc5c76e725355a47158a upstream.
The mask to select the test-pattern in register ADV748X_SDP_FRP is
incorrect, it's the lower 3 bits which controls the pattern. The
GENMASK() macro is used incorrectly and the generated mask is 0x0e
instead of 0x07.
The result is that not all test patterns are selectable, and that in
some cases the wrong test pattern is activated. Fix this by correcting
the GENMASK().
Fixes: 3e89586a64df ("media: i2c: adv748x: add adv748x driver")
Cc: stable@vger.kernel.org
Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
[hverkuil: fixed tiny typo in commit log: my -> by]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/adv748x/adv748x.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/i2c/adv748x/adv748x.h
+++ b/drivers/media/i2c/adv748x/adv748x.h
@@ -320,7 +320,7 @@ struct adv748x_state {
/* Free run pattern select */
#define ADV748X_SDP_FRP 0x14
-#define ADV748X_SDP_FRP_MASK GENMASK(3, 1)
+#define ADV748X_SDP_FRP_MASK GENMASK(2, 0)
/* Saturation */
#define ADV748X_SDP_SD_SAT_U 0xe3 /* user_map_rw_reg_e3 */
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 224/449] media: mgb4: Fix switched CMT frequency range "magic values" sets
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 223/449] media: i2c: adv748x: Fix test pattern selection mask Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 225/449] media: intel/ipu6: set the dev_parent of video device to pdev Greg Kroah-Hartman
` (231 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Martin Tůma, Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Tůma <martin.tuma@digiteqautomotive.com>
commit 450acf0840232eaf6eb7a80da11cf492e57498e8 upstream.
The reason why this passed unnoticed is that most infotainment systems
use frequencies near enough the middle (50MHz) where both sets work.
Fixes: 0ab13674a9bd ("media: pci: mgb4: Added Digiteq Automotive MGB4 driver")
Cc: stable@vger.kernel.org
Signed-off-by: Martin Tůma <martin.tuma@digiteqautomotive.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/pci/mgb4/mgb4_cmt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/pci/mgb4/mgb4_cmt.c
+++ b/drivers/media/pci/mgb4/mgb4_cmt.c
@@ -135,8 +135,8 @@ static const u16 cmt_vals_out[][15] = {
};
static const u16 cmt_vals_in[][13] = {
- {0x1082, 0x0000, 0x5104, 0x0000, 0x11C7, 0x0000, 0x1041, 0x02BC, 0x7C01, 0xFFE9, 0x9900, 0x9908, 0x8100},
{0x1104, 0x0000, 0x9208, 0x0000, 0x138E, 0x0000, 0x1041, 0x015E, 0x7C01, 0xFFE9, 0x0100, 0x0908, 0x1000},
+ {0x1082, 0x0000, 0x5104, 0x0000, 0x11C7, 0x0000, 0x1041, 0x02BC, 0x7C01, 0xFFE9, 0x9900, 0x9908, 0x8100},
};
static const u32 cmt_addrs_out[][15] = {
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 225/449] media: intel/ipu6: set the dev_parent of video device to pdev
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 224/449] media: mgb4: Fix switched CMT frequency range "magic values" sets Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 226/449] media: venus: hfi: add a check to handle OOB in sfr region Greg Kroah-Hartman
` (230 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hidenori Kobayashi, Bingbu Cao,
Sakari Ailus, Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bingbu Cao <bingbu.cao@intel.com>
commit 6f0ab5d3671f7cbb326c8cab6fb69cb7ab9901cc upstream.
The bus_info in v4l2_capability of IPU6 isys v4l2_dev is missing.
The driver didn't set the dev_parent of v4l2_dev, its parent is set
to its parent auxdev which is neither platform nor PCI device, thus
media_set_bus_info() will not set the bus_info of v4l2_capability, then
`v4l2-ctl --all` cannot show the bus_info.
This patch fixes it by setting the dev_parent of video_device and v4l2
framework can detect the device type and set the bus_info instead.
Fixes: 3c1dfb5a69cf ("media: intel/ipu6: input system video nodes and buffer queues")
Cc: stable@vger.kernel.org
Signed-off-by: Hidenori Kobayashi <hidenorik@chromium.org>
Signed-off-by: Bingbu Cao <bingbu.cao@intel.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/pci/intel/ipu6/ipu6-isys-video.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/pci/intel/ipu6/ipu6-isys-video.c
+++ b/drivers/media/pci/intel/ipu6/ipu6-isys-video.c
@@ -1296,6 +1296,7 @@ int ipu6_isys_video_init(struct ipu6_isy
av->vdev.release = video_device_release_empty;
av->vdev.fops = &isys_fops;
av->vdev.v4l2_dev = &av->isys->v4l2_dev;
+ av->vdev.dev_parent = &av->isys->adev->isp->pdev->dev;
if (!av->vdev.ioctl_ops)
av->vdev.ioctl_ops = &ipu6_v4l2_ioctl_ops;
av->vdev.queue = &av->aq.vbq;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 226/449] media: venus: hfi: add a check to handle OOB in sfr region
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 225/449] media: intel/ipu6: set the dev_parent of video device to pdev Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 227/449] media: venus: hfi: add check to handle incorrect queue size Greg Kroah-Hartman
` (229 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bryan ODonoghue, Vikash Garodia,
Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vikash Garodia <quic_vgarodia@quicinc.com>
commit f4b211714bcc70effa60c34d9fa613d182e3ef1e upstream.
sfr->buf_size is in shared memory and can be modified by malicious user.
OOB write is possible when the size is made higher than actual sfr data
buffer. Cap the size to allocated size for such cases.
Cc: stable@vger.kernel.org
Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/hfi_venus.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
--- a/drivers/media/platform/qcom/venus/hfi_venus.c
+++ b/drivers/media/platform/qcom/venus/hfi_venus.c
@@ -1035,18 +1035,26 @@ static void venus_sfr_print(struct venus
{
struct device *dev = hdev->core->dev;
struct hfi_sfr *sfr = hdev->sfr.kva;
+ u32 size;
void *p;
if (!sfr)
return;
- p = memchr(sfr->data, '\0', sfr->buf_size);
+ size = sfr->buf_size;
+ if (!size)
+ return;
+
+ if (size > ALIGNED_SFR_SIZE)
+ size = ALIGNED_SFR_SIZE;
+
+ p = memchr(sfr->data, '\0', size);
/*
* SFR isn't guaranteed to be NULL terminated since SYS_ERROR indicates
* that Venus is in the process of crashing.
*/
if (!p)
- sfr->data[sfr->buf_size - 1] = '\0';
+ sfr->data[size - 1] = '\0';
dev_err_ratelimited(dev, "SFR message from FW: %s\n", sfr->data);
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 227/449] media: venus: hfi: add check to handle incorrect queue size
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 226/449] media: venus: hfi: add a check to handle OOB in sfr region Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 228/449] media: vim2m: print device name after registering device Greg Kroah-Hartman
` (228 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bryan ODonoghue, Vikash Garodia,
Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vikash Garodia <quic_vgarodia@quicinc.com>
commit 69baf245b23e20efda0079238b27fc63ecf13de1 upstream.
qsize represents size of shared queued between driver and video
firmware. Firmware can modify this value to an invalid large value. In
such situation, empty_space will be bigger than the space actually
available. Since new_wr_idx is not checked, so the following code will
result in an OOB write.
...
qsize = qhdr->q_size
if (wr_idx >= rd_idx)
empty_space = qsize - (wr_idx - rd_idx)
....
if (new_wr_idx < qsize) {
memcpy(wr_ptr, packet, dwords << 2) --> OOB write
Add check to ensure qsize is within the allocated size while
reading and writing packets into the queue.
Cc: stable@vger.kernel.org
Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/hfi_venus.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/media/platform/qcom/venus/hfi_venus.c
+++ b/drivers/media/platform/qcom/venus/hfi_venus.c
@@ -187,6 +187,9 @@ static int venus_write_queue(struct venu
/* ensure rd/wr indices's are read from memory */
rmb();
+ if (qsize > IFACEQ_QUEUE_SIZE / 4)
+ return -EINVAL;
+
if (wr_idx >= rd_idx)
empty_space = qsize - (wr_idx - rd_idx);
else
@@ -255,6 +258,9 @@ static int venus_read_queue(struct venus
wr_idx = qhdr->write_idx;
qsize = qhdr->q_size;
+ if (qsize > IFACEQ_QUEUE_SIZE / 4)
+ return -EINVAL;
+
/* make sure data is valid before using it */
rmb();
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 228/449] media: vim2m: print device name after registering device
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 227/449] media: venus: hfi: add check to handle incorrect queue size Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 229/449] media: siano: Fix error handling in smsdvb_module_init() Greg Kroah-Hartman
` (227 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Matthew Majewski, Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Majewski <mattwmajewski@gmail.com>
commit 143d75583f2427f3a97dba62413c4f0604867ebf upstream.
Move the v4l2_info() call displaying the video device name after the
device is actually registered.
This fixes a bug where the driver was always displaying "/dev/video0"
since it was reading from the vfd before it was registered.
Fixes: cf7f34777a5b ("media: vim2m: Register video device after setting up internals")
Cc: stable@vger.kernel.org
Signed-off-by: Matthew Majewski <mattwmajewski@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/test-drivers/vim2m.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/media/test-drivers/vim2m.c
+++ b/drivers/media/test-drivers/vim2m.c
@@ -1314,9 +1314,6 @@ static int vim2m_probe(struct platform_d
vfd->v4l2_dev = &dev->v4l2_dev;
video_set_drvdata(vfd, dev);
- v4l2_info(&dev->v4l2_dev,
- "Device registered as /dev/video%d\n", vfd->num);
-
platform_set_drvdata(pdev, dev);
dev->m2m_dev = v4l2_m2m_init(&m2m_ops);
@@ -1343,6 +1340,9 @@ static int vim2m_probe(struct platform_d
goto error_m2m;
}
+ v4l2_info(&dev->v4l2_dev,
+ "Device registered as /dev/video%d\n", vfd->num);
+
#ifdef CONFIG_MEDIA_CONTROLLER
ret = v4l2_m2m_register_media_controller(dev->m2m_dev, vfd,
MEDIA_ENT_F_PROC_VIDEO_SCALER);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 229/449] media: siano: Fix error handling in smsdvb_module_init()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 228/449] media: vim2m: print device name after registering device Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 230/449] media: rockchip: rga: fix rga offset lookup Greg Kroah-Hartman
` (226 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuan Can, Ricardo Ribalda,
Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuan Can <yuancan@huawei.com>
commit 734ac57e47b3bdd140a1119e2c4e8e6f8ef8b33d upstream.
The smsdvb_module_init() returns without checking the retval from
smscore_register_hotplug().
If the smscore_register_hotplug() failed, the module failed to install,
leaving the smsdvb_debugfs not unregistered.
Fixes: 3f6b87cff66b ("[media] siano: allow showing the complete statistics via debugfs")
Cc: stable@vger.kernel.org
Signed-off-by: Yuan Can <yuancan@huawei.com>
Acked-by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/common/siano/smsdvb-main.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/media/common/siano/smsdvb-main.c
+++ b/drivers/media/common/siano/smsdvb-main.c
@@ -1243,6 +1243,8 @@ static int __init smsdvb_module_init(voi
smsdvb_debugfs_register();
rc = smscore_register_hotplug(smsdvb_hotplug);
+ if (rc)
+ smsdvb_debugfs_unregister();
pr_debug("\n");
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 230/449] media: rockchip: rga: fix rga offset lookup
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 229/449] media: siano: Fix error handling in smsdvb_module_init() Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 231/449] xenfs/xensyms: respect hypervisors "next" indication Greg Kroah-Hartman
` (225 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Keeping, Michael Tretter,
Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Keeping <jkeeping@inmusicbrands.com>
commit 11de3582675cc0b7136e12f3971f1da3e5a05382 upstream.
The arguments to rga_lookup_draw_pos() are passed in the wrong order,
rotate mode should be before mirror mode.
Fixes: 558c248f930e6 ("media: rockchip: rga: split src and dst buffer setup")
Cc: stable@vger.kernel.org
Signed-off-by: John Keeping <jkeeping@inmusicbrands.com>
Reviewed-by: Michael Tretter <m.tretter@pengutronix.de>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/rockchip/rga/rga-hw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/platform/rockchip/rga/rga-hw.c
+++ b/drivers/media/platform/rockchip/rga/rga-hw.c
@@ -376,7 +376,7 @@ static void rga_cmd_set_dst_info(struct
* Configure the dest framebuffer base address with pixel offset.
*/
offsets = rga_get_addr_offset(&ctx->out, offset, dst_x, dst_y, dst_w, dst_h);
- dst_offset = rga_lookup_draw_pos(&offsets, mir_mode, rot_mode);
+ dst_offset = rga_lookup_draw_pos(&offsets, rot_mode, mir_mode);
dest[(RGA_DST_Y_RGB_BASE_ADDR - RGA_MODE_BASE_REG) >> 2] =
dst_offset->y_off;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 231/449] xenfs/xensyms: respect hypervisors "next" indication
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 230/449] media: rockchip: rga: fix rga offset lookup Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 232/449] KVM: arm64: PMU: Set raw values from user to PM{C,I}NTEN{SET,CLR}, PMOVS{SET,CLR} Greg Kroah-Hartman
` (224 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Jan Beulich, Juergen Gross
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Beulich <jbeulich@suse.com>
commit 5c4e79e29a9fe4ea132118ac40c2bc97cfe23077 upstream.
The interface specifies the symnum field as an input and output; the
hypervisor sets it to the next sequential symbol's index. xensyms_next()
incrementing the position explicitly (and xensyms_next_sym()
decrementing it to "rewind") is only correct as long as the sequence of
symbol indexes is non-sparse. Use the hypervisor-supplied value instead
to update the position in xensyms_next(), and use the saved incoming
index in xensyms_next_sym().
Cc: stable@kernel.org
Fixes: a11f4f0a4e18 ("xen: xensyms support")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Message-ID: <15d5e7fa-ec5d-422f-9319-d28bed916349@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/xen/xenfs/xensyms.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/xen/xenfs/xensyms.c
+++ b/drivers/xen/xenfs/xensyms.c
@@ -48,7 +48,7 @@ static int xensyms_next_sym(struct xensy
return -ENOMEM;
set_xen_guest_handle(symdata->name, xs->name);
- symdata->symnum--; /* Rewind */
+ symdata->symnum = symnum; /* Rewind */
ret = HYPERVISOR_platform_op(&xs->op);
if (ret < 0)
@@ -78,7 +78,7 @@ static void *xensyms_next(struct seq_fil
{
struct xensyms *xs = m->private;
- xs->op.u.symdata.symnum = ++(*pos);
+ *pos = xs->op.u.symdata.symnum;
if (xensyms_next_sym(xs))
return NULL;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 232/449] KVM: arm64: PMU: Set raw values from user to PM{C,I}NTEN{SET,CLR}, PMOVS{SET,CLR}
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 231/449] xenfs/xensyms: respect hypervisors "next" indication Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 233/449] arm64: cputype: Add MIDR_CORTEX_A76AE Greg Kroah-Hartman
` (223 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akihiko Odaki, Marc Zyngier,
Oliver Upton
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akihiko Odaki <akihiko.odaki@daynix.com>
commit f2aeb7bbd5745fbcf7f0769e29a184e24924b9a9 upstream.
Commit a45f41d754e0 ("KVM: arm64: Add {get,set}_user for
PM{C,I}NTEN{SET,CLR}, PMOVS{SET,CLR}") changed KVM_SET_ONE_REG to update
the mentioned registers in a way matching with the behavior of guest
register writes. This is a breaking change of a UAPI though the new
semantics looks cleaner and VMMs are not prepared for this.
Firecracker, QEMU, and crosvm perform migration by listing registers
with KVM_GET_REG_LIST, getting their values with KVM_GET_ONE_REG and
setting them with KVM_SET_ONE_REG. This algorithm assumes
KVM_SET_ONE_REG restores the values retrieved with KVM_GET_ONE_REG
without any alteration. However, bit operations added by the earlier
commit do not preserve the values retried with KVM_GET_ONE_REG and
potentially break migration.
Remove the bit operations that alter the values retrieved with
KVM_GET_ONE_REG.
Cc: stable@vger.kernel.org
Fixes: a45f41d754e0 ("KVM: arm64: Add {get,set}_user for PM{C,I}NTEN{SET,CLR}, PMOVS{SET,CLR}")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Acked-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20250315-pmc-v5-1-ecee87dab216@daynix.com
Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/sys_regs.c | 21 ++-------------------
1 file changed, 2 insertions(+), 19 deletions(-)
--- a/arch/arm64/kvm/sys_regs.c
+++ b/arch/arm64/kvm/sys_regs.c
@@ -1051,26 +1051,9 @@ static bool access_pmu_evtyper(struct kv
static int set_pmreg(struct kvm_vcpu *vcpu, const struct sys_reg_desc *r, u64 val)
{
- bool set;
-
- val &= kvm_pmu_accessible_counter_mask(vcpu);
-
- switch (r->reg) {
- case PMOVSSET_EL0:
- /* CRm[1] being set indicates a SET register, and CLR otherwise */
- set = r->CRm & 2;
- break;
- default:
- /* Op2[0] being set indicates a SET register, and CLR otherwise */
- set = r->Op2 & 1;
- break;
- }
-
- if (set)
- __vcpu_sys_reg(vcpu, r->reg) |= val;
- else
- __vcpu_sys_reg(vcpu, r->reg) &= ~val;
+ u64 mask = kvm_pmu_accessible_counter_mask(vcpu);
+ __vcpu_sys_reg(vcpu, r->reg) = val & mask;
return 0;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 233/449] arm64: cputype: Add MIDR_CORTEX_A76AE
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 232/449] KVM: arm64: PMU: Set raw values from user to PM{C,I}NTEN{SET,CLR}, PMOVS{SET,CLR} Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 234/449] arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list Greg Kroah-Hartman
` (222 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Douglas Anderson, Catalin Marinas
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
commit a9b5bd81b294d30a747edd125e9f6aef2def7c79 upstream.
>From the TRM, MIDR_CORTEX_A76AE has a partnum of 0xDOE and an
implementor of 0x41 (ARM). Add the values.
Cc: stable@vger.kernel.org # dependency of the next fix in the series
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://lore.kernel.org/r/20250107120555.v4.4.I151f3b7ee323bcc3082179b8c60c3cd03308aa94@changeid
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/cputype.h | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -75,6 +75,7 @@
#define ARM_CPU_PART_CORTEX_A76 0xD0B
#define ARM_CPU_PART_NEOVERSE_N1 0xD0C
#define ARM_CPU_PART_CORTEX_A77 0xD0D
+#define ARM_CPU_PART_CORTEX_A76AE 0xD0E
#define ARM_CPU_PART_NEOVERSE_V1 0xD40
#define ARM_CPU_PART_CORTEX_A78 0xD41
#define ARM_CPU_PART_CORTEX_A78AE 0xD42
@@ -160,6 +161,7 @@
#define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76)
#define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1)
#define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77)
+#define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE)
#define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1)
#define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78)
#define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE)
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 234/449] arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 233/449] arm64: cputype: Add MIDR_CORTEX_A76AE Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 235/449] arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB Greg Kroah-Hartman
` (221 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Scott Bauer, Douglas Anderson,
Trilok Soni, Catalin Marinas
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
commit ed1ce841245d8febe3badf51c57e81c3619d0a1d upstream.
Qualcomm Kryo 400-series Gold cores have a derivative of an ARM Cortex
A76 in them. Since A76 needs Spectre mitigation via looping then the
Kyro 400-series Gold cores also need Spectre mitigation via looping.
Qualcomm has confirmed that the proper "k" value for Kryo 400-series
Gold cores is 24.
Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels")
Cc: stable@vger.kernel.org
Cc: Scott Bauer <sbauer@quicinc.com>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Acked-by: Trilok Soni <quic_tsoni@quicinc.com>
Link: https://lore.kernel.org/r/20250107120555.v4.1.Ie4ef54abe02e7eb0eee50f830575719bf23bda48@changeid
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/proton-pack.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/arm64/kernel/proton-pack.c
+++ b/arch/arm64/kernel/proton-pack.c
@@ -866,6 +866,7 @@ u8 spectre_bhb_loop_affected(int scope)
MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
+ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD),
{},
};
static const struct midr_range spectre_bhb_k11_list[] = {
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 235/449] arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 234/449] arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 236/449] arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list Greg Kroah-Hartman
` (220 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Julius Werner, Douglas Anderson,
Catalin Marinas
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
commit e403e8538359d8580cbee1976ff71813e947101e upstream.
The code for detecting CPUs that are vulnerable to Spectre BHB was
based on a hardcoded list of CPU IDs that were known to be affected.
Unfortunately, the list mostly only contained the IDs of standard ARM
cores. The IDs for many cores that are minor variants of the standard
ARM cores (like many Qualcomm Kyro CPUs) weren't listed. This led the
code to assume that those variants were not affected.
Flip the code on its head and instead assume that a core is vulnerable
if it doesn't have CSV2_3 but is unrecognized as being safe. This
involves creating a "Spectre BHB safe" list.
As of right now, the only CPU IDs added to the "Spectre BHB safe" list
are ARM Cortex A35, A53, A55, A510, and A520. This list was created by
looking for cores that weren't listed in ARM's list [1] as per review
feedback on v2 of this patch [2]. Additionally Brahma A53 is added as
per mailing list feedback [3].
NOTE: this patch will not actually _mitigate_ anyone, it will simply
cause them to report themselves as vulnerable. If any cores in the
system are reported as vulnerable but not mitigated then the whole
system will be reported as vulnerable though the system will attempt
to mitigate with the information it has about the known cores.
[1] https://developer.arm.com/Arm%20Security%20Center/Spectre-BHB
[2] https://lore.kernel.org/r/20241219175128.GA25477@willie-the-truck
[3] https://lore.kernel.org/r/18dbd7d1-a46c-4112-a425-320c99f67a8d@broadcom.com
Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels")
Cc: stable@vger.kernel.org
Reviewed-by: Julius Werner <jwerner@chromium.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://lore.kernel.org/r/20250107120555.v4.2.I2040fa004dafe196243f67ebcc647cbedbb516e6@changeid
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/spectre.h | 1
arch/arm64/kernel/proton-pack.c | 201 +++++++++++++++++++--------------------
2 files changed, 101 insertions(+), 101 deletions(-)
--- a/arch/arm64/include/asm/spectre.h
+++ b/arch/arm64/include/asm/spectre.h
@@ -97,7 +97,6 @@ enum mitigation_state arm64_get_meltdown
enum mitigation_state arm64_get_spectre_bhb_state(void);
bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, int scope);
-u8 spectre_bhb_loop_affected(int scope);
void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *__unused);
bool try_emulate_el1_ssbs(struct pt_regs *regs, u32 instr);
--- a/arch/arm64/kernel/proton-pack.c
+++ b/arch/arm64/kernel/proton-pack.c
@@ -845,53 +845,70 @@ static unsigned long system_bhb_mitigati
* This must be called with SCOPE_LOCAL_CPU for each type of CPU, before any
* SCOPE_SYSTEM call will give the right answer.
*/
-u8 spectre_bhb_loop_affected(int scope)
+static bool is_spectre_bhb_safe(int scope)
+{
+ static const struct midr_range spectre_bhb_safe_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A35),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A53),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A55),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A510),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A520),
+ MIDR_ALL_VERSIONS(MIDR_BRAHMA_B53),
+ {},
+ };
+ static bool all_safe = true;
+
+ if (scope != SCOPE_LOCAL_CPU)
+ return all_safe;
+
+ if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_safe_list))
+ return true;
+
+ all_safe = false;
+
+ return false;
+}
+
+static u8 spectre_bhb_loop_affected(void)
{
u8 k = 0;
- static u8 max_bhb_k;
- if (scope == SCOPE_LOCAL_CPU) {
- static const struct midr_range spectre_bhb_k32_list[] = {
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
- {},
- };
- static const struct midr_range spectre_bhb_k24_list[] = {
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
- MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD),
- {},
- };
- static const struct midr_range spectre_bhb_k11_list[] = {
- MIDR_ALL_VERSIONS(MIDR_AMPERE1),
- {},
- };
- static const struct midr_range spectre_bhb_k8_list[] = {
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A72),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A57),
- {},
- };
-
- if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list))
- k = 32;
- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list))
- k = 24;
- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k11_list))
- k = 11;
- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k8_list))
- k = 8;
-
- max_bhb_k = max(max_bhb_k, k);
- } else {
- k = max_bhb_k;
- }
+ static const struct midr_range spectre_bhb_k32_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
+ {},
+ };
+ static const struct midr_range spectre_bhb_k24_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
+ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD),
+ {},
+ };
+ static const struct midr_range spectre_bhb_k11_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_AMPERE1),
+ {},
+ };
+ static const struct midr_range spectre_bhb_k8_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A72),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A57),
+ {},
+ };
+
+ if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list))
+ k = 32;
+ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list))
+ k = 24;
+ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k11_list))
+ k = 11;
+ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k8_list))
+ k = 8;
return k;
}
@@ -917,29 +934,13 @@ static enum mitigation_state spectre_bhb
}
}
-static bool is_spectre_bhb_fw_affected(int scope)
+static bool has_spectre_bhb_fw_mitigation(void)
{
- static bool system_affected;
enum mitigation_state fw_state;
bool has_smccc = arm_smccc_1_1_get_conduit() != SMCCC_CONDUIT_NONE;
- static const struct midr_range spectre_bhb_firmware_mitigated_list[] = {
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A73),
- MIDR_ALL_VERSIONS(MIDR_CORTEX_A75),
- {},
- };
- bool cpu_in_list = is_midr_in_range_list(read_cpuid_id(),
- spectre_bhb_firmware_mitigated_list);
-
- if (scope != SCOPE_LOCAL_CPU)
- return system_affected;
fw_state = spectre_bhb_get_cpu_fw_mitigation_state();
- if (cpu_in_list || (has_smccc && fw_state == SPECTRE_MITIGATED)) {
- system_affected = true;
- return true;
- }
-
- return false;
+ return has_smccc && fw_state == SPECTRE_MITIGATED;
}
static bool supports_ecbhb(int scope)
@@ -955,6 +956,8 @@ static bool supports_ecbhb(int scope)
ID_AA64MMFR1_EL1_ECBHB_SHIFT);
}
+static u8 max_bhb_k;
+
bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry,
int scope)
{
@@ -963,16 +966,18 @@ bool is_spectre_bhb_affected(const struc
if (supports_csv2p3(scope))
return false;
- if (supports_clearbhb(scope))
- return true;
-
- if (spectre_bhb_loop_affected(scope))
- return true;
+ if (is_spectre_bhb_safe(scope))
+ return false;
- if (is_spectre_bhb_fw_affected(scope))
- return true;
+ /*
+ * At this point the core isn't known to be "safe" so we're going to
+ * assume it's vulnerable. We still need to update `max_bhb_k` though,
+ * but only if we aren't mitigating with clearbhb though.
+ */
+ if (scope == SCOPE_LOCAL_CPU && !supports_clearbhb(SCOPE_LOCAL_CPU))
+ max_bhb_k = max(max_bhb_k, spectre_bhb_loop_affected());
- return false;
+ return true;
}
static void this_cpu_set_vectors(enum arm64_bp_harden_el1_vectors slot)
@@ -1003,7 +1008,7 @@ early_param("nospectre_bhb", parse_spect
void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *entry)
{
bp_hardening_cb_t cpu_cb;
- enum mitigation_state fw_state, state = SPECTRE_VULNERABLE;
+ enum mitigation_state state = SPECTRE_VULNERABLE;
struct bp_hardening_data *data = this_cpu_ptr(&bp_hardening_data);
if (!is_spectre_bhb_affected(entry, SCOPE_LOCAL_CPU))
@@ -1029,7 +1034,7 @@ void spectre_bhb_enable_mitigation(const
this_cpu_set_vectors(EL1_VECTOR_BHB_CLEAR_INSN);
state = SPECTRE_MITIGATED;
set_bit(BHB_INSN, &system_bhb_mitigations);
- } else if (spectre_bhb_loop_affected(SCOPE_LOCAL_CPU)) {
+ } else if (spectre_bhb_loop_affected()) {
/*
* Ensure KVM uses the indirect vector which will have the
* branchy-loop added. A57/A72-r0 will already have selected
@@ -1042,32 +1047,29 @@ void spectre_bhb_enable_mitigation(const
this_cpu_set_vectors(EL1_VECTOR_BHB_LOOP);
state = SPECTRE_MITIGATED;
set_bit(BHB_LOOP, &system_bhb_mitigations);
- } else if (is_spectre_bhb_fw_affected(SCOPE_LOCAL_CPU)) {
- fw_state = spectre_bhb_get_cpu_fw_mitigation_state();
- if (fw_state == SPECTRE_MITIGATED) {
- /*
- * Ensure KVM uses one of the spectre bp_hardening
- * vectors. The indirect vector doesn't include the EL3
- * call, so needs upgrading to
- * HYP_VECTOR_SPECTRE_INDIRECT.
- */
- if (!data->slot || data->slot == HYP_VECTOR_INDIRECT)
- data->slot += 1;
-
- this_cpu_set_vectors(EL1_VECTOR_BHB_FW);
-
- /*
- * The WA3 call in the vectors supersedes the WA1 call
- * made during context-switch. Uninstall any firmware
- * bp_hardening callback.
- */
- cpu_cb = spectre_v2_get_sw_mitigation_cb();
- if (__this_cpu_read(bp_hardening_data.fn) != cpu_cb)
- __this_cpu_write(bp_hardening_data.fn, NULL);
-
- state = SPECTRE_MITIGATED;
- set_bit(BHB_FW, &system_bhb_mitigations);
- }
+ } else if (has_spectre_bhb_fw_mitigation()) {
+ /*
+ * Ensure KVM uses one of the spectre bp_hardening
+ * vectors. The indirect vector doesn't include the EL3
+ * call, so needs upgrading to
+ * HYP_VECTOR_SPECTRE_INDIRECT.
+ */
+ if (!data->slot || data->slot == HYP_VECTOR_INDIRECT)
+ data->slot += 1;
+
+ this_cpu_set_vectors(EL1_VECTOR_BHB_FW);
+
+ /*
+ * The WA3 call in the vectors supersedes the WA1 call
+ * made during context-switch. Uninstall any firmware
+ * bp_hardening callback.
+ */
+ cpu_cb = spectre_v2_get_sw_mitigation_cb();
+ if (__this_cpu_read(bp_hardening_data.fn) != cpu_cb)
+ __this_cpu_write(bp_hardening_data.fn, NULL);
+
+ state = SPECTRE_MITIGATED;
+ set_bit(BHB_FW, &system_bhb_mitigations);
}
update_mitigation_state(&spectre_bhb_state, state);
@@ -1101,7 +1103,6 @@ void noinstr spectre_bhb_patch_loop_iter
{
u8 rd;
u32 insn;
- u16 loop_count = spectre_bhb_loop_affected(SCOPE_SYSTEM);
BUG_ON(nr_inst != 1); /* MOV -> MOV */
@@ -1110,7 +1111,7 @@ void noinstr spectre_bhb_patch_loop_iter
insn = le32_to_cpu(*origptr);
rd = aarch64_insn_decode_register(AARCH64_INSN_REGTYPE_RD, insn);
- insn = aarch64_insn_gen_movewide(rd, loop_count, 0,
+ insn = aarch64_insn_gen_movewide(rd, max_bhb_k, 0,
AARCH64_INSN_VARIANT_64BIT,
AARCH64_INSN_MOVEWIDE_ZERO);
*updptr++ = cpu_to_le32(insn);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 236/449] arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 235/449] arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 237/449] KVM: arm64: Tear down vGIC on failed vCPU creation Greg Kroah-Hartman
` (219 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Scott Bauer, Douglas Anderson,
Trilok Soni, Catalin Marinas
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
commit 0c9fc6e652cd5aed48c5f700c32b7642bea7f453 upstream.
Qualcomm has confirmed that, much like Cortex A53 and A55, KRYO
2XX/3XX/4XX silver cores are unaffected by Spectre BHB. Add them to
the safe list.
Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels")
Cc: stable@vger.kernel.org
Cc: Scott Bauer <sbauer@quicinc.com>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Acked-by: Trilok Soni <quic_tsoni@quicinc.com>
Link: https://lore.kernel.org/r/20250107120555.v4.3.Iab8dbfb5c9b1e143e7a29f410bce5f9525a0ba32@changeid
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/proton-pack.c | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/arm64/kernel/proton-pack.c
+++ b/arch/arm64/kernel/proton-pack.c
@@ -854,6 +854,9 @@ static bool is_spectre_bhb_safe(int scop
MIDR_ALL_VERSIONS(MIDR_CORTEX_A510),
MIDR_ALL_VERSIONS(MIDR_CORTEX_A520),
MIDR_ALL_VERSIONS(MIDR_BRAHMA_B53),
+ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_2XX_SILVER),
+ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_3XX_SILVER),
+ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_SILVER),
{},
};
static bool all_safe = true;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 237/449] KVM: arm64: Tear down vGIC on failed vCPU creation
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 236/449] arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 238/449] KVM: arm64: Set HCR_EL2.TID1 unconditionally Greg Kroah-Hartman
` (218 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marc Zyngier, Oliver Upton,
Quentin Perret, Will Deacon
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Will Deacon <will@kernel.org>
commit 250f25367b58d8c65a1b060a2dda037eea09a672 upstream.
If kvm_arch_vcpu_create() fails to share the vCPU page with the
hypervisor, we propagate the error back to the ioctl but leave the
vGIC vCPU data initialised. Note only does this leak the corresponding
memory when the vCPU is destroyed but it can also lead to use-after-free
if the redistributor device handling tries to walk into the vCPU.
Add the missing cleanup to kvm_arch_vcpu_create(), ensuring that the
vGIC vCPU structures are destroyed on error.
Cc: <stable@vger.kernel.org>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Oliver Upton <oliver.upton@linux.dev>
Cc: Quentin Perret <qperret@google.com>
Signed-off-by: Will Deacon <will@kernel.org>
Reviewed-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20250314133409.9123-1-will@kernel.org
Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/arm.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/arch/arm64/kvm/arm.c
+++ b/arch/arm64/kvm/arm.c
@@ -466,7 +466,11 @@ int kvm_arch_vcpu_create(struct kvm_vcpu
if (err)
return err;
- return kvm_share_hyp(vcpu, vcpu + 1);
+ err = kvm_share_hyp(vcpu, vcpu + 1);
+ if (err)
+ kvm_vgic_vcpu_destroy(vcpu);
+
+ return err;
}
void kvm_arch_vcpu_postcreate(struct kvm_vcpu *vcpu)
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 238/449] KVM: arm64: Set HCR_EL2.TID1 unconditionally
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 237/449] KVM: arm64: Tear down vGIC on failed vCPU creation Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 239/449] spi: cadence-qspi: Fix probe on AM62A LP SK Greg Kroah-Hartman
` (217 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mark Brown, Marc Zyngier,
Oliver Upton
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Upton <oliver.upton@linux.dev>
commit 4cd48565b0e5df398e7253c0d2d8c0403d69e7bf upstream.
commit 90807748ca3a ("KVM: arm64: Hide SME system registers from
guests") added trap handling for SMIDR_EL1, treating it as UNDEFINED as
KVM does not support SME. This is right for the most part, however KVM
needs to set HCR_EL2.TID1 to _actually_ trap the register.
Unfortunately, this comes with some collateral damage as TID1 forces
REVIDR_EL1 and AIDR_EL1 to trap as well. KVM has long treated these
registers as "invariant" which is an awful term for the following:
- Userspace sees the boot CPU values on all vCPUs
- The guest sees the hardware values of the CPU on which a vCPU is
scheduled
Keep the plates spinning by adding trap handling for the affected
registers and repaint all of the "invariant" crud into terms of
identifying an implementation. Yes, at this point we only need to
set TID1 on SME hardware, but REVIDR_EL1 and AIDR_EL1 are about to
become mutable anyway.
Cc: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
Fixes: 90807748ca3a ("KVM: arm64: Hide SME system registers from guests")
[maz: handle traps from 32bit]
Co-developed-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20250225005401.679536-2-oliver.upton@linux.dev
Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/kvm_arm.h | 4
arch/arm64/kvm/sys_regs.c | 183 ++++++++++++++++++++-------------------
2 files changed, 100 insertions(+), 87 deletions(-)
--- a/arch/arm64/include/asm/kvm_arm.h
+++ b/arch/arm64/include/asm/kvm_arm.h
@@ -92,12 +92,12 @@
* SWIO: Turn set/way invalidates into set/way clean+invalidate
* PTW: Take a stage2 fault if a stage1 walk steps in device memory
* TID3: Trap EL1 reads of group 3 ID registers
- * TID2: Trap CTR_EL0, CCSIDR2_EL1, CLIDR_EL1, and CSSELR_EL1
+ * TID1: Trap REVIDR_EL1, AIDR_EL1, and SMIDR_EL1
*/
#define HCR_GUEST_FLAGS (HCR_TSC | HCR_TSW | HCR_TWE | HCR_TWI | HCR_VM | \
HCR_BSU_IS | HCR_FB | HCR_TACR | \
HCR_AMO | HCR_SWIO | HCR_TIDCP | HCR_RW | HCR_TLOR | \
- HCR_FMO | HCR_IMO | HCR_PTW | HCR_TID3)
+ HCR_FMO | HCR_IMO | HCR_PTW | HCR_TID3 | HCR_TID1)
#define HCR_HOST_NVHE_FLAGS (HCR_RW | HCR_API | HCR_APK | HCR_ATA)
#define HCR_HOST_NVHE_PROTECTED_FLAGS (HCR_HOST_NVHE_FLAGS | HCR_TSC)
#define HCR_HOST_VHE_FLAGS (HCR_RW | HCR_TGE | HCR_E2H)
--- a/arch/arm64/kvm/sys_regs.c
+++ b/arch/arm64/kvm/sys_regs.c
@@ -2476,6 +2476,93 @@ static bool access_mdcr(struct kvm_vcpu
return true;
}
+/*
+ * For historical (ahem ABI) reasons, KVM treated MIDR_EL1, REVIDR_EL1, and
+ * AIDR_EL1 as "invariant" registers, meaning userspace cannot change them.
+ * The values made visible to userspace were the register values of the boot
+ * CPU.
+ *
+ * At the same time, reads from these registers at EL1 previously were not
+ * trapped, allowing the guest to read the actual hardware value. On big-little
+ * machines, this means the VM can see different values depending on where a
+ * given vCPU got scheduled.
+ *
+ * These registers are now trapped as collateral damage from SME, and what
+ * follows attempts to give a user / guest view consistent with the existing
+ * ABI.
+ */
+static bool access_imp_id_reg(struct kvm_vcpu *vcpu,
+ struct sys_reg_params *p,
+ const struct sys_reg_desc *r)
+{
+ if (p->is_write)
+ return write_to_read_only(vcpu, p, r);
+
+ switch (reg_to_encoding(r)) {
+ case SYS_REVIDR_EL1:
+ p->regval = read_sysreg(revidr_el1);
+ break;
+ case SYS_AIDR_EL1:
+ p->regval = read_sysreg(aidr_el1);
+ break;
+ default:
+ WARN_ON_ONCE(1);
+ }
+
+ return true;
+}
+
+static u64 __ro_after_init boot_cpu_midr_val;
+static u64 __ro_after_init boot_cpu_revidr_val;
+static u64 __ro_after_init boot_cpu_aidr_val;
+
+static void init_imp_id_regs(void)
+{
+ boot_cpu_midr_val = read_sysreg(midr_el1);
+ boot_cpu_revidr_val = read_sysreg(revidr_el1);
+ boot_cpu_aidr_val = read_sysreg(aidr_el1);
+}
+
+static int get_imp_id_reg(struct kvm_vcpu *vcpu, const struct sys_reg_desc *r,
+ u64 *val)
+{
+ switch (reg_to_encoding(r)) {
+ case SYS_MIDR_EL1:
+ *val = boot_cpu_midr_val;
+ break;
+ case SYS_REVIDR_EL1:
+ *val = boot_cpu_revidr_val;
+ break;
+ case SYS_AIDR_EL1:
+ *val = boot_cpu_aidr_val;
+ break;
+ default:
+ WARN_ON_ONCE(1);
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+static int set_imp_id_reg(struct kvm_vcpu *vcpu, const struct sys_reg_desc *r,
+ u64 val)
+{
+ u64 expected;
+ int ret;
+
+ ret = get_imp_id_reg(vcpu, r, &expected);
+ if (ret)
+ return ret;
+
+ return (expected == val) ? 0 : -EINVAL;
+}
+
+#define IMPLEMENTATION_ID(reg) { \
+ SYS_DESC(SYS_##reg), \
+ .access = access_imp_id_reg, \
+ .get_user = get_imp_id_reg, \
+ .set_user = set_imp_id_reg, \
+}
/*
* Architected system registers.
@@ -2525,7 +2612,9 @@ static const struct sys_reg_desc sys_reg
{ SYS_DESC(SYS_DBGVCR32_EL2), undef_access, reset_val, DBGVCR32_EL2, 0 },
+ IMPLEMENTATION_ID(MIDR_EL1),
{ SYS_DESC(SYS_MPIDR_EL1), NULL, reset_mpidr, MPIDR_EL1 },
+ IMPLEMENTATION_ID(REVIDR_EL1),
/*
* ID regs: all ID_SANITISED() entries here must have corresponding
@@ -2797,6 +2886,7 @@ static const struct sys_reg_desc sys_reg
.set_user = set_clidr, .val = ~CLIDR_EL1_RES0 },
{ SYS_DESC(SYS_CCSIDR2_EL1), undef_access },
{ SYS_DESC(SYS_SMIDR_EL1), undef_access },
+ IMPLEMENTATION_ID(AIDR_EL1),
{ SYS_DESC(SYS_CSSELR_EL1), access_csselr, reset_unknown, CSSELR_EL1 },
ID_FILTERED(CTR_EL0, ctr_el0,
CTR_EL0_DIC_MASK |
@@ -4255,9 +4345,13 @@ int kvm_handle_cp15_32(struct kvm_vcpu *
* Certain AArch32 ID registers are handled by rerouting to the AArch64
* system register table. Registers in the ID range where CRm=0 are
* excluded from this scheme as they do not trivially map into AArch64
- * system register encodings.
+ * system register encodings, except for AIDR/REVIDR.
*/
- if (params.Op1 == 0 && params.CRn == 0 && params.CRm)
+ if (params.Op1 == 0 && params.CRn == 0 &&
+ (params.CRm || params.Op2 == 6 /* REVIDR */))
+ return kvm_emulate_cp15_id_reg(vcpu, ¶ms);
+ if (params.Op1 == 1 && params.CRn == 0 &&
+ params.CRm == 0 && params.Op2 == 7 /* AIDR */)
return kvm_emulate_cp15_id_reg(vcpu, ¶ms);
return kvm_handle_cp_32(vcpu, ¶ms, cp15_regs, ARRAY_SIZE(cp15_regs));
@@ -4561,65 +4655,6 @@ id_to_sys_reg_desc(struct kvm_vcpu *vcpu
return r;
}
-/*
- * These are the invariant sys_reg registers: we let the guest see the
- * host versions of these, so they're part of the guest state.
- *
- * A future CPU may provide a mechanism to present different values to
- * the guest, or a future kvm may trap them.
- */
-
-#define FUNCTION_INVARIANT(reg) \
- static u64 reset_##reg(struct kvm_vcpu *v, \
- const struct sys_reg_desc *r) \
- { \
- ((struct sys_reg_desc *)r)->val = read_sysreg(reg); \
- return ((struct sys_reg_desc *)r)->val; \
- }
-
-FUNCTION_INVARIANT(midr_el1)
-FUNCTION_INVARIANT(revidr_el1)
-FUNCTION_INVARIANT(aidr_el1)
-
-/* ->val is filled in by kvm_sys_reg_table_init() */
-static struct sys_reg_desc invariant_sys_regs[] __ro_after_init = {
- { SYS_DESC(SYS_MIDR_EL1), NULL, reset_midr_el1 },
- { SYS_DESC(SYS_REVIDR_EL1), NULL, reset_revidr_el1 },
- { SYS_DESC(SYS_AIDR_EL1), NULL, reset_aidr_el1 },
-};
-
-static int get_invariant_sys_reg(u64 id, u64 __user *uaddr)
-{
- const struct sys_reg_desc *r;
-
- r = get_reg_by_id(id, invariant_sys_regs,
- ARRAY_SIZE(invariant_sys_regs));
- if (!r)
- return -ENOENT;
-
- return put_user(r->val, uaddr);
-}
-
-static int set_invariant_sys_reg(u64 id, u64 __user *uaddr)
-{
- const struct sys_reg_desc *r;
- u64 val;
-
- r = get_reg_by_id(id, invariant_sys_regs,
- ARRAY_SIZE(invariant_sys_regs));
- if (!r)
- return -ENOENT;
-
- if (get_user(val, uaddr))
- return -EFAULT;
-
- /* This is what we mean by invariant: you can't change it. */
- if (r->val != val)
- return -EINVAL;
-
- return 0;
-}
-
static int demux_c15_get(struct kvm_vcpu *vcpu, u64 id, void __user *uaddr)
{
u32 val;
@@ -4701,15 +4736,10 @@ int kvm_sys_reg_get_user(struct kvm_vcpu
int kvm_arm_sys_reg_get_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
{
void __user *uaddr = (void __user *)(unsigned long)reg->addr;
- int err;
if ((reg->id & KVM_REG_ARM_COPROC_MASK) == KVM_REG_ARM_DEMUX)
return demux_c15_get(vcpu, reg->id, uaddr);
- err = get_invariant_sys_reg(reg->id, uaddr);
- if (err != -ENOENT)
- return err;
-
return kvm_sys_reg_get_user(vcpu, reg,
sys_reg_descs, ARRAY_SIZE(sys_reg_descs));
}
@@ -4745,15 +4775,10 @@ int kvm_sys_reg_set_user(struct kvm_vcpu
int kvm_arm_sys_reg_set_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
{
void __user *uaddr = (void __user *)(unsigned long)reg->addr;
- int err;
if ((reg->id & KVM_REG_ARM_COPROC_MASK) == KVM_REG_ARM_DEMUX)
return demux_c15_set(vcpu, reg->id, uaddr);
- err = set_invariant_sys_reg(reg->id, uaddr);
- if (err != -ENOENT)
- return err;
-
return kvm_sys_reg_set_user(vcpu, reg,
sys_reg_descs, ARRAY_SIZE(sys_reg_descs));
}
@@ -4842,23 +4867,14 @@ static int walk_sys_regs(struct kvm_vcpu
unsigned long kvm_arm_num_sys_reg_descs(struct kvm_vcpu *vcpu)
{
- return ARRAY_SIZE(invariant_sys_regs)
- + num_demux_regs()
+ return num_demux_regs()
+ walk_sys_regs(vcpu, (u64 __user *)NULL);
}
int kvm_arm_copy_sys_reg_indices(struct kvm_vcpu *vcpu, u64 __user *uindices)
{
- unsigned int i;
int err;
- /* Then give them all the invariant registers' indices. */
- for (i = 0; i < ARRAY_SIZE(invariant_sys_regs); i++) {
- if (put_user(sys_reg_to_index(&invariant_sys_regs[i]), uindices))
- return -EFAULT;
- uindices++;
- }
-
err = walk_sys_regs(vcpu, uindices);
if (err < 0)
return err;
@@ -5084,15 +5100,12 @@ int __init kvm_sys_reg_table_init(void)
valid &= check_sysreg_table(cp14_64_regs, ARRAY_SIZE(cp14_64_regs), true);
valid &= check_sysreg_table(cp15_regs, ARRAY_SIZE(cp15_regs), true);
valid &= check_sysreg_table(cp15_64_regs, ARRAY_SIZE(cp15_64_regs), true);
- valid &= check_sysreg_table(invariant_sys_regs, ARRAY_SIZE(invariant_sys_regs), false);
valid &= check_sysreg_table(sys_insn_descs, ARRAY_SIZE(sys_insn_descs), false);
if (!valid)
return -EINVAL;
- /* We abuse the reset function to overwrite the table itself. */
- for (i = 0; i < ARRAY_SIZE(invariant_sys_regs); i++)
- invariant_sys_regs[i].reset(NULL, &invariant_sys_regs[i]);
+ init_imp_id_regs();
ret = populate_nv_trap_config();
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 239/449] spi: cadence-qspi: Fix probe on AM62A LP SK
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 238/449] KVM: arm64: Set HCR_EL2.TID1 unconditionally Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 240/449] mtd: rawnand: brcmnand: fix PM resume warning Greg Kroah-Hartman
` (216 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miquel Raynal, Mark Brown
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
commit b8665a1b49f5498edb7b21d730030c06b7348a3c upstream.
In 2020, there's been an unnoticed change which rightfully attempted to
report probe deferrals upon DMA absence by checking the return value of
dma_request_chan_by_mask(). By doing so, it also reported errors which
were simply ignored otherwise, likely on purpose.
This change actually turned a void return into an error code. Hence, not
only the -EPROBE_DEFER error codes but all error codes got reported to
the callers, now failing to probe in the absence of Rx DMA channel,
despite the fact that DMA seems to not be supported natively by many
implementations.
Looking at the history, this change probably led to:
ad2775dc3fc5 ("spi: cadence-quadspi: Disable the DAC for Intel LGM SoC")
f724c296f2f2 ("spi: cadence-quadspi: fix Direct Access Mode disable for SoCFPGA")
In my case, the AM62A LP SK core octo-SPI node from TI does not
advertise any DMA channel, hinting that there is likely no support for
it, but yet when the support for the am654 compatible was added, DMA
seemed to be used, so just discarding its use with the
CQSPI_DISABLE_DAC_MODE quirk for this compatible does not seem the
correct approach.
Let's get change the return condition back to:
- return a probe deferral error if we get one
- ignore the return value otherwise
The "error" log level was however likely too high for something that is
expected to fail, so let's lower it arbitrarily to the info level.
Fixes: 935da5e5100f ("mtd: spi-nor: cadence-quadspi: Handle probe deferral while requesting DMA channel")
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://patch.msgid.link/20250305200933.2512925-2-miquel.raynal@bootlin.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-cadence-quadspi.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/spi/spi-cadence-quadspi.c
+++ b/drivers/spi/spi-cadence-quadspi.c
@@ -1658,6 +1658,12 @@ static int cqspi_request_mmap_dma(struct
int ret = PTR_ERR(cqspi->rx_chan);
cqspi->rx_chan = NULL;
+ if (ret == -ENODEV) {
+ /* DMA support is not mandatory */
+ dev_info(&cqspi->pdev->dev, "No Rx DMA available\n");
+ return 0;
+ }
+
return dev_err_probe(&cqspi->pdev->dev, ret, "No Rx DMA available\n");
}
init_completion(&cqspi->rx_dma_complete);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 240/449] mtd: rawnand: brcmnand: fix PM resume warning
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 239/449] spi: cadence-qspi: Fix probe on AM62A LP SK Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 241/449] tpm, tpm_tis: Fix timeout handling when waiting for TPM status Greg Kroah-Hartman
` (215 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kamal Dasu, Florian Fainelli,
Miquel Raynal
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kamal Dasu <kamal.dasu@broadcom.com>
commit ddc210cf8b8a8be68051ad958bf3e2cef6b681c2 upstream.
Fixed warning on PM resume as shown below caused due to uninitialized
struct nand_operation that checks chip select field :
WARN_ON(op->cs >= nanddev_ntargets(&chip->base)
[ 14.588522] ------------[ cut here ]------------
[ 14.588529] WARNING: CPU: 0 PID: 1392 at drivers/mtd/nand/raw/internals.h:139 nand_reset_op+0x1e0/0x1f8
[ 14.588553] Modules linked in: bdc udc_core
[ 14.588579] CPU: 0 UID: 0 PID: 1392 Comm: rtcwake Tainted: G W 6.14.0-rc4-g5394eea10651 #16
[ 14.588590] Tainted: [W]=WARN
[ 14.588593] Hardware name: Broadcom STB (Flattened Device Tree)
[ 14.588598] Call trace:
[ 14.588604] dump_backtrace from show_stack+0x18/0x1c
[ 14.588622] r7:00000009 r6:0000008b r5:60000153 r4:c0fa558c
[ 14.588625] show_stack from dump_stack_lvl+0x70/0x7c
[ 14.588639] dump_stack_lvl from dump_stack+0x18/0x1c
[ 14.588653] r5:c08d40b0 r4:c1003cb0
[ 14.588656] dump_stack from __warn+0x84/0xe4
[ 14.588668] __warn from warn_slowpath_fmt+0x18c/0x194
[ 14.588678] r7:c08d40b0 r6:c1003cb0 r5:00000000 r4:00000000
[ 14.588681] warn_slowpath_fmt from nand_reset_op+0x1e0/0x1f8
[ 14.588695] r8:70c40dff r7:89705f41 r6:36b4a597 r5:c26c9444 r4:c26b0048
[ 14.588697] nand_reset_op from brcmnand_resume+0x13c/0x150
[ 14.588714] r9:00000000 r8:00000000 r7:c24f8010 r6:c228a3f8 r5:c26c94bc r4:c26b0040
[ 14.588717] brcmnand_resume from platform_pm_resume+0x34/0x54
[ 14.588735] r5:00000010 r4:c0840a50
[ 14.588738] platform_pm_resume from dpm_run_callback+0x5c/0x14c
[ 14.588757] dpm_run_callback from device_resume+0xc0/0x324
[ 14.588776] r9:c24f8054 r8:c24f80a0 r7:00000000 r6:00000000 r5:00000010 r4:c24f8010
[ 14.588779] device_resume from dpm_resume+0x130/0x160
[ 14.588799] r9:c22539e4 r8:00000010 r7:c22bebb0 r6:c24f8010 r5:c22539dc r4:c22539b0
[ 14.588802] dpm_resume from dpm_resume_end+0x14/0x20
[ 14.588822] r10:c2204e40 r9:00000000 r8:c228a3fc r7:00000000 r6:00000003 r5:c228a414
[ 14.588826] r4:00000010
[ 14.588828] dpm_resume_end from suspend_devices_and_enter+0x274/0x6f8
[ 14.588848] r5:c228a414 r4:00000000
[ 14.588851] suspend_devices_and_enter from pm_suspend+0x228/0x2bc
[ 14.588868] r10:c3502910 r9:c3501f40 r8:00000004 r7:c228a438 r6:c0f95e18 r5:00000000
[ 14.588871] r4:00000003
[ 14.588874] pm_suspend from state_store+0x74/0xd0
[ 14.588889] r7:c228a438 r6:c0f934c8 r5:00000003 r4:00000003
[ 14.588892] state_store from kobj_attr_store+0x1c/0x28
[ 14.588913] r9:00000000 r8:00000000 r7:f09f9f08 r6:00000004 r5:c3502900 r4:c0283250
[ 14.588916] kobj_attr_store from sysfs_kf_write+0x40/0x4c
[ 14.588936] r5:c3502900 r4:c0d92a48
[ 14.588939] sysfs_kf_write from kernfs_fop_write_iter+0x104/0x1f0
[ 14.588956] r5:c3502900 r4:c3501f40
[ 14.588960] kernfs_fop_write_iter from vfs_write+0x250/0x420
[ 14.588980] r10:c0e14b48 r9:00000000 r8:c25f5780 r7:00443398 r6:f09f9f68 r5:c34f7f00
[ 14.588983] r4:c042a88c
[ 14.588987] vfs_write from ksys_write+0x74/0xe4
[ 14.589005] r10:00000004 r9:c25f5780 r8:c02002fA0 r7:00000000 r6:00000000 r5:c34f7f00
[ 14.589008] r4:c34f7f00
[ 14.589011] ksys_write from sys_write+0x10/0x14
[ 14.589029] r7:00000004 r6:004421c0 r5:00443398 r4:00000004
[ 14.589032] sys_write from ret_fast_syscall+0x0/0x5c
[ 14.589044] Exception stack(0xf09f9fa8 to 0xf09f9ff0)
[ 14.589050] 9fa0: 00000004 00443398 00000004 00443398 00000004 00000001
[ 14.589056] 9fc0: 00000004 00443398 004421c0 00000004 b6ecbd58 00000008 bebfbc38 0043eb78
[ 14.589062] 9fe0: 00440eb0 bebfbaf8 b6de18a0 b6e579e8
[ 14.589065] ---[ end trace 0000000000000000 ]---
The fix uses the higher level nand_reset(chip, chipnr); where chipnr = 0, when
doing PM resume operation in compliance with the controller support for single
die nand chip. Switching from nand_reset_op() to nand_reset() implies more
than just setting the cs field op->cs, it also reconfigures the data interface
(ie. the timings). Tested and confirmed the NAND chip is in sync timing wise
with host after the fix.
Fixes: 97d90da8a886 ("mtd: nand: provide several helpers to do common NAND operations")
Cc: stable@vger.kernel.org
Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
@@ -3008,7 +3008,7 @@ static int brcmnand_resume(struct device
brcmnand_save_restore_cs_config(host, 1);
/* Reset the chip, required by some chips after power-up */
- nand_reset_op(chip);
+ nand_reset(chip, 0);
}
return 0;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 241/449] tpm, tpm_tis: Fix timeout handling when waiting for TPM status
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 240/449] mtd: rawnand: brcmnand: fix PM resume warning Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 242/449] accel/ivpu: Fix PM related deadlocks in MS IOCTLs Greg Kroah-Hartman
` (214 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan McDowell,
Michal Suchánek, Lino Sanfilippo, Jarkko Sakkinen
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan McDowell <noodles@meta.com>
commit 7146dffa875cd00e7a7f918e1fce79c7593ac1fa upstream.
The change to only use interrupts to handle supported status changes
introduced an issue when it is necessary to poll for the status. Rather
than checking for the status after sleeping the code now sleeps after
the check. This means a correct, but slower, status change on the part
of the TPM can be missed, resulting in a spurious timeout error,
especially on a more loaded system. Switch back to sleeping *then*
checking. An up front check of the status has been done at the start of
the function, so this does not cause an additional delay when the status
is already what we're looking for.
Cc: stable@vger.kernel.org # v6.4+
Fixes: e87fcf0dc2b4 ("tpm, tpm_tis: Only handle supported interrupts")
Signed-off-by: Jonathan McDowell <noodles@meta.com>
Reviewed-by: Michal Suchánek <msuchanek@suse.de>
Reviewed-by: Lino Sanfilippo <l.sanfilippo@kunbus.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/tpm/tpm_tis_core.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/char/tpm/tpm_tis_core.c
+++ b/drivers/char/tpm/tpm_tis_core.c
@@ -114,11 +114,10 @@ again:
return 0;
/* process status changes without irq support */
do {
+ usleep_range(priv->timeout_min, priv->timeout_max);
status = chip->ops->status(chip);
if ((status & mask) == mask)
return 0;
- usleep_range(priv->timeout_min,
- priv->timeout_max);
} while (time_before(jiffies, stop));
return -ETIME;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 242/449] accel/ivpu: Fix PM related deadlocks in MS IOCTLs
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 241/449] tpm, tpm_tis: Fix timeout handling when waiting for TPM status Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 243/449] media: ov08x40: Properly turn sensor on/off when runtime-suspended Greg Kroah-Hartman
` (213 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maciej Falkowski, Lizhi Hou,
Jacek Lawrynowicz
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
commit d893da85e06edf54737bb80648bb58ba8fd56d9f upstream.
Prevent runtime resume/suspend while MS IOCTLs are in progress.
Failed suspend will call ivpu_ms_cleanup() that would try to acquire
file_priv->ms_lock, which is already held by the IOCTLs.
Fixes: cdfad4db7756 ("accel/ivpu: Add NPU profiling support")
Cc: stable@vger.kernel.org # v6.11+
Signed-off-by: Maciej Falkowski <maciej.falkowski@linux.intel.com>
Reviewed-by: Lizhi Hou <lizhi.hou@amd.com>
Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
Link: https://lore.kernel.org/r/20250325114306.3740022-3-maciej.falkowski@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/accel/ivpu/ivpu_debugfs.c | 4 ++--
drivers/accel/ivpu/ivpu_ms.c | 18 ++++++++++++++++++
2 files changed, 20 insertions(+), 2 deletions(-)
--- a/drivers/accel/ivpu/ivpu_debugfs.c
+++ b/drivers/accel/ivpu/ivpu_debugfs.c
@@ -331,7 +331,7 @@ ivpu_force_recovery_fn(struct file *file
return -EINVAL;
ret = ivpu_rpm_get(vdev);
- if (ret)
+ if (ret < 0)
return ret;
ivpu_pm_trigger_recovery(vdev, "debugfs");
@@ -382,7 +382,7 @@ static int dct_active_set(void *data, u6
return -EINVAL;
ret = ivpu_rpm_get(vdev);
- if (ret)
+ if (ret < 0)
return ret;
if (active_percent)
--- a/drivers/accel/ivpu/ivpu_ms.c
+++ b/drivers/accel/ivpu/ivpu_ms.c
@@ -44,6 +44,10 @@ int ivpu_ms_start_ioctl(struct drm_devic
args->sampling_period_ns < MS_MIN_SAMPLE_PERIOD_NS)
return -EINVAL;
+ ret = ivpu_rpm_get(vdev);
+ if (ret < 0)
+ return ret;
+
mutex_lock(&file_priv->ms_lock);
if (get_instance_by_mask(file_priv, args->metric_group_mask)) {
@@ -96,6 +100,8 @@ err_free_ms:
kfree(ms);
unlock:
mutex_unlock(&file_priv->ms_lock);
+
+ ivpu_rpm_put(vdev);
return ret;
}
@@ -160,6 +166,10 @@ int ivpu_ms_get_data_ioctl(struct drm_de
if (!args->metric_group_mask)
return -EINVAL;
+ ret = ivpu_rpm_get(vdev);
+ if (ret < 0)
+ return ret;
+
mutex_lock(&file_priv->ms_lock);
ms = get_instance_by_mask(file_priv, args->metric_group_mask);
@@ -187,6 +197,7 @@ int ivpu_ms_get_data_ioctl(struct drm_de
unlock:
mutex_unlock(&file_priv->ms_lock);
+ ivpu_rpm_put(vdev);
return ret;
}
@@ -204,11 +215,17 @@ int ivpu_ms_stop_ioctl(struct drm_device
{
struct ivpu_file_priv *file_priv = file->driver_priv;
struct drm_ivpu_metric_streamer_stop *args = data;
+ struct ivpu_device *vdev = file_priv->vdev;
struct ivpu_ms_instance *ms;
+ int ret;
if (!args->metric_group_mask)
return -EINVAL;
+ ret = ivpu_rpm_get(vdev);
+ if (ret < 0)
+ return ret;
+
mutex_lock(&file_priv->ms_lock);
ms = get_instance_by_mask(file_priv, args->metric_group_mask);
@@ -217,6 +234,7 @@ int ivpu_ms_stop_ioctl(struct drm_device
mutex_unlock(&file_priv->ms_lock);
+ ivpu_rpm_put(vdev);
return ms ? 0 : -EINVAL;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 243/449] media: ov08x40: Properly turn sensor on/off when runtime-suspended
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 242/449] accel/ivpu: Fix PM related deadlocks in MS IOCTLs Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 244/449] media: streamzap: prevent processing IR data on URB failure Greg Kroah-Hartman
` (212 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bryan ODonoghue, Hans de Goede,
Sakari Ailus, Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit 69dea0ed84611b2b83f4f5fb4f5a1ec4b6bc902d upstream.
Commit df1ae2251a50 ("media: ov08x40: Add OF probe support") added support
for a reset GPIO, regulators and a clk provider controlled through new
ov08x40_power_off() and ov08x40_power_on() functions.
But it missed adding a pm ops structure to call these functions on
runtime suspend/resume. Add the missing pm ops and only call
ov08x40_power_off() on remove() when not already runtime-suspended
to avoid unbalanced regulator / clock disable calls.
Fixes: df1ae2251a50 ("media: ov08x40: Add OF probe support")
Cc: stable@vger.kernel.org
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ov08x40.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/media/i2c/ov08x40.c
+++ b/drivers/media/i2c/ov08x40.c
@@ -2324,11 +2324,14 @@ static void ov08x40_remove(struct i2c_cl
ov08x40_free_controls(ov08x);
pm_runtime_disable(&client->dev);
+ if (!pm_runtime_status_suspended(&client->dev))
+ ov08x40_power_off(&client->dev);
pm_runtime_set_suspended(&client->dev);
-
- ov08x40_power_off(&client->dev);
}
+static DEFINE_RUNTIME_DEV_PM_OPS(ov08x40_pm_ops, ov08x40_power_off,
+ ov08x40_power_on, NULL);
+
#ifdef CONFIG_ACPI
static const struct acpi_device_id ov08x40_acpi_ids[] = {
{"OVTI08F4"},
@@ -2349,6 +2352,7 @@ static struct i2c_driver ov08x40_i2c_dri
.name = "ov08x40",
.acpi_match_table = ACPI_PTR(ov08x40_acpi_ids),
.of_match_table = ov08x40_of_match,
+ .pm = pm_sleep_ptr(&ov08x40_pm_ops),
},
.probe = ov08x40_probe,
.remove = ov08x40_remove,
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 244/449] media: streamzap: prevent processing IR data on URB failure
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 243/449] media: ov08x40: Properly turn sensor on/off when runtime-suspended Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 245/449] media: hi556: Fix memory leak (on error) in hi556_check_hwcfg() Greg Kroah-Hartman
` (211 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Murad Masimov, Sean Young,
Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Murad Masimov <m.masimov@mt-integration.ru>
commit 549f6d348167fb2f7800ed7c8d4bce9630c74498 upstream.
If streamzap_callback() receives an urb with any non-critical error
status, i.e. any error code other than -ECONNRESET, -ENOENT or -ESHUTDOWN,
it will try to process IR data, ignoring a possible transfer failure.
Make streamzap_callback() process IR data only when urb->status is 0.
Move processing logic to a separate function to make code cleaner and
more similar to the URB completion handlers in other RC drivers.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: 19770693c354 ("V4L/DVB: staging/lirc: add lirc_streamzap driver")
Cc: stable@vger.kernel.org
Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/rc/streamzap.c | 68 ++++++++++++++++++++++++-------------------
1 file changed, 38 insertions(+), 30 deletions(-)
--- a/drivers/media/rc/streamzap.c
+++ b/drivers/media/rc/streamzap.c
@@ -138,39 +138,10 @@ static void sz_push_half_space(struct st
sz_push_full_space(sz, value & SZ_SPACE_MASK);
}
-/*
- * streamzap_callback - usb IRQ handler callback
- *
- * This procedure is invoked on reception of data from
- * the usb remote.
- */
-static void streamzap_callback(struct urb *urb)
+static void sz_process_ir_data(struct streamzap_ir *sz, int len)
{
- struct streamzap_ir *sz;
unsigned int i;
- int len;
-
- if (!urb)
- return;
-
- sz = urb->context;
- len = urb->actual_length;
-
- switch (urb->status) {
- case -ECONNRESET:
- case -ENOENT:
- case -ESHUTDOWN:
- /*
- * this urb is terminated, clean up.
- * sz might already be invalid at this point
- */
- dev_err(sz->dev, "urb terminated, status: %d\n", urb->status);
- return;
- default:
- break;
- }
- dev_dbg(sz->dev, "%s: received urb, len %d\n", __func__, len);
for (i = 0; i < len; i++) {
dev_dbg(sz->dev, "sz->buf_in[%d]: %x\n",
i, (unsigned char)sz->buf_in[i]);
@@ -219,6 +190,43 @@ static void streamzap_callback(struct ur
}
ir_raw_event_handle(sz->rdev);
+}
+
+/*
+ * streamzap_callback - usb IRQ handler callback
+ *
+ * This procedure is invoked on reception of data from
+ * the usb remote.
+ */
+static void streamzap_callback(struct urb *urb)
+{
+ struct streamzap_ir *sz;
+ int len;
+
+ if (!urb)
+ return;
+
+ sz = urb->context;
+ len = urb->actual_length;
+
+ switch (urb->status) {
+ case 0:
+ dev_dbg(sz->dev, "%s: received urb, len %d\n", __func__, len);
+ sz_process_ir_data(sz, len);
+ break;
+ case -ECONNRESET:
+ case -ENOENT:
+ case -ESHUTDOWN:
+ /*
+ * this urb is terminated, clean up.
+ * sz might already be invalid at this point
+ */
+ dev_err(sz->dev, "urb terminated, status: %d\n", urb->status);
+ return;
+ default:
+ break;
+ }
+
usb_submit_urb(urb, GFP_ATOMIC);
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 245/449] media: hi556: Fix memory leak (on error) in hi556_check_hwcfg()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 244/449] media: streamzap: prevent processing IR data on URB failure Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 246/449] media: visl: Fix ERANGE error when setting enum controls Greg Kroah-Hartman
` (210 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans de Goede, Sakari Ailus,
Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit ed554da65abd0c561e40d35272d1a61d030fe977 upstream.
Commit 7d968b5badfc ("media: hi556: Return -EPROBE_DEFER if no endpoint is
found") moved the v4l2_fwnode_endpoint_alloc_parse() call in
hi556_check_hwcfg() up, but it did not make the error-exit paths between
the old and new call-site use "goto check_hwcfg_error;" to free the bus_cfg
on errors.
Add the missing "goto check_hwcfg_error;" statements to fix a memleak on
early error-exits from hi556_check_hwcfg().
Fixes: 7d968b5badfc ("media: hi556: Return -EPROBE_DEFER if no endpoint is found")
Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/hi556.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/media/i2c/hi556.c
+++ b/drivers/media/i2c/hi556.c
@@ -1230,12 +1230,13 @@ static int hi556_check_hwcfg(struct devi
ret = fwnode_property_read_u32(fwnode, "clock-frequency", &mclk);
if (ret) {
dev_err(dev, "can't get clock frequency");
- return ret;
+ goto check_hwcfg_error;
}
if (mclk != HI556_MCLK) {
dev_err(dev, "external clock %d is not supported", mclk);
- return -EINVAL;
+ ret = -EINVAL;
+ goto check_hwcfg_error;
}
if (bus_cfg.bus.mipi_csi2.num_data_lanes != 2) {
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 246/449] media: visl: Fix ERANGE error when setting enum controls
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 245/449] media: hi556: Fix memory leak (on error) in hi556_check_hwcfg() Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 247/449] media: platform: stm32: Add check for clk_enable() Greg Kroah-Hartman
` (209 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolas Dufresne, Sebastian Fricke,
Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
commit d98e9213a768a3cc3a99f5e1abe09ad3baff2104 upstream.
The visl driver supports both frame and slice mode, with and without a
start-code. But, the range and default for these enum controls was not
set, which currently limits the decoder to enums with a value of 0. Fix
this by setting the decoder mode and start code controls for both the
H.264 and HEVC codecs.
Fixes: 0c078e310b6d ("media: visl: add virtual stateless decoder driver")
Cc: stable@vger.kernel.org
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/test-drivers/visl/visl-core.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/drivers/media/test-drivers/visl/visl-core.c
+++ b/drivers/media/test-drivers/visl/visl-core.c
@@ -161,9 +161,15 @@ static const struct visl_ctrl_desc visl_
},
{
.cfg.id = V4L2_CID_STATELESS_H264_DECODE_MODE,
+ .cfg.min = V4L2_STATELESS_H264_DECODE_MODE_SLICE_BASED,
+ .cfg.max = V4L2_STATELESS_H264_DECODE_MODE_FRAME_BASED,
+ .cfg.def = V4L2_STATELESS_H264_DECODE_MODE_SLICE_BASED,
},
{
.cfg.id = V4L2_CID_STATELESS_H264_START_CODE,
+ .cfg.min = V4L2_STATELESS_H264_START_CODE_NONE,
+ .cfg.max = V4L2_STATELESS_H264_START_CODE_ANNEX_B,
+ .cfg.def = V4L2_STATELESS_H264_START_CODE_NONE,
},
{
.cfg.id = V4L2_CID_STATELESS_H264_SLICE_PARAMS,
@@ -198,9 +204,15 @@ static const struct visl_ctrl_desc visl_
},
{
.cfg.id = V4L2_CID_STATELESS_HEVC_DECODE_MODE,
+ .cfg.min = V4L2_STATELESS_HEVC_DECODE_MODE_SLICE_BASED,
+ .cfg.max = V4L2_STATELESS_HEVC_DECODE_MODE_FRAME_BASED,
+ .cfg.def = V4L2_STATELESS_HEVC_DECODE_MODE_SLICE_BASED,
},
{
.cfg.id = V4L2_CID_STATELESS_HEVC_START_CODE,
+ .cfg.min = V4L2_STATELESS_HEVC_START_CODE_NONE,
+ .cfg.max = V4L2_STATELESS_HEVC_START_CODE_ANNEX_B,
+ .cfg.def = V4L2_STATELESS_HEVC_START_CODE_NONE,
},
{
.cfg.id = V4L2_CID_STATELESS_HEVC_ENTRY_POINT_OFFSETS,
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 247/449] media: platform: stm32: Add check for clk_enable()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 246/449] media: visl: Fix ERANGE error when setting enum controls Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 248/449] media: xilinx-tpg: fix double put in xtpg_parse_of() Greg Kroah-Hartman
` (208 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
commit f883f34b6a46b1a09d44d7f94c3cd72fe0e8f93b upstream.
Add check for the return value of clk_enable() to gurantee the success.
Fixes: 002e8f0d5927 ("media: stm32-dma2d: STM32 DMA2D driver")
Cc: stable@vger.kernel.org
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/st/stm32/dma2d/dma2d.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/media/platform/st/stm32/dma2d/dma2d.c
+++ b/drivers/media/platform/st/stm32/dma2d/dma2d.c
@@ -490,7 +490,8 @@ static void device_run(void *prv)
dst->sequence = frm_cap->sequence++;
v4l2_m2m_buf_copy_metadata(src, dst, true);
- clk_enable(dev->gate);
+ if (clk_enable(dev->gate))
+ goto end;
dma2d_config_fg(dev, frm_out,
vb2_dma_contig_plane_dma_addr(&src->vb2_buf, 0));
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 248/449] media: xilinx-tpg: fix double put in xtpg_parse_of()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 247/449] media: platform: stm32: Add check for clk_enable() Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 249/449] media: imx219: Adjust PLL settings based on the number of MIPI lanes Greg Kroah-Hartman
` (207 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Laurent Pinchart,
Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
commit 347d84833faac79a105e438168cedf0b9658445b upstream.
This loop was recently converted to use for_each_of_graph_port() which
automatically does __cleanup__ on the "port" iterator variable. Delete
the calls to of_node_put(port) to avoid a double put bug.
Fixes: 393194cdf11e ("media: xilinx-tpg: use new of_graph functions")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/xilinx/xilinx-tpg.c | 2 --
1 file changed, 2 deletions(-)
--- a/drivers/media/platform/xilinx/xilinx-tpg.c
+++ b/drivers/media/platform/xilinx/xilinx-tpg.c
@@ -722,7 +722,6 @@ static int xtpg_parse_of(struct xtpg_dev
format = xvip_of_get_format(port);
if (IS_ERR(format)) {
dev_err(dev, "invalid format in DT");
- of_node_put(port);
return PTR_ERR(format);
}
@@ -731,7 +730,6 @@ static int xtpg_parse_of(struct xtpg_dev
xtpg->vip_format = format;
} else if (xtpg->vip_format != format) {
dev_err(dev, "in/out format mismatch in DT");
- of_node_put(port);
return -EINVAL;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 249/449] media: imx219: Adjust PLL settings based on the number of MIPI lanes
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 248/449] media: xilinx-tpg: fix double put in xtpg_parse_of() Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 250/449] media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() Greg Kroah-Hartman
` (206 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peyton Howe, Dave Stevenson,
Sakari Ailus, Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Stevenson <dave.stevenson@raspberrypi.com>
commit 591a07588c03437dbcc3addfff07675de95a461e upstream.
Commit ceddfd4493b3 ("media: i2c: imx219: Support four-lane operation")
added support for device tree to allow configuration of the sensor to
use 4 lanes with a link frequency of 363MHz, and amended the advertised
pixel rate to 280.8MPix/s.
However it didn't change any of the PLL settings, so actually it would
have been running overclocked in the MIPI block, and with the frame
rate and exposure calculations being wrong as the pixel rate was
unchanged.
The pixel rate and link frequency advertised were taken from the "Clock
Setting Example" section of the datasheet. However those are based on an
external clock of 12MHz, and are unachievable with a clock of 24MHz - it
seems PREPLLCLK_VT_DIV and PREPLLCK_OP_DIV can ONLY be set via the
automatic configuration documented in "9-1-2 EXCK_FREQ setting depend on
INCK frequency", not by writing the registers.
The closest we can get with a 24MHz clock is 281.6MPix/s and 364MHz.
Dropping all support for the 363MHz link frequency would cause problems
for existing users, so allow it, but log a warning that the requested
value is being changed to the supported one.
Fixes: ceddfd4493b3 ("media: i2c: imx219: Support four-lane operation")
Cc: stable@vger.kernel.org
Co-developed-by: Peyton Howe <peyton.howe@bellsouth.net>
Signed-off-by: Peyton Howe <peyton.howe@bellsouth.net>
Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/imx219.c | 93 +++++++++++++++++++++++++++++++++------------
1 file changed, 69 insertions(+), 24 deletions(-)
--- a/drivers/media/i2c/imx219.c
+++ b/drivers/media/i2c/imx219.c
@@ -133,10 +133,11 @@
/* Pixel rate is fixed for all the modes */
#define IMX219_PIXEL_RATE 182400000
-#define IMX219_PIXEL_RATE_4LANE 280800000
+#define IMX219_PIXEL_RATE_4LANE 281600000
#define IMX219_DEFAULT_LINK_FREQ 456000000
-#define IMX219_DEFAULT_LINK_FREQ_4LANE 363000000
+#define IMX219_DEFAULT_LINK_FREQ_4LANE_UNSUPPORTED 363000000
+#define IMX219_DEFAULT_LINK_FREQ_4LANE 364000000
/* IMX219 native and active pixel array size. */
#define IMX219_NATIVE_WIDTH 3296U
@@ -168,15 +169,6 @@ static const struct cci_reg_sequence imx
{ CCI_REG8(0x30eb), 0x05 },
{ CCI_REG8(0x30eb), 0x09 },
- /* PLL Clock Table */
- { IMX219_REG_VTPXCK_DIV, 5 },
- { IMX219_REG_VTSYCK_DIV, 1 },
- { IMX219_REG_PREPLLCK_VT_DIV, 3 }, /* 0x03 = AUTO set */
- { IMX219_REG_PREPLLCK_OP_DIV, 3 }, /* 0x03 = AUTO set */
- { IMX219_REG_PLL_VT_MPY, 57 },
- { IMX219_REG_OPSYCK_DIV, 1 },
- { IMX219_REG_PLL_OP_MPY, 114 },
-
/* Undocumented registers */
{ CCI_REG8(0x455e), 0x00 },
{ CCI_REG8(0x471e), 0x4b },
@@ -201,12 +193,45 @@ static const struct cci_reg_sequence imx
{ IMX219_REG_EXCK_FREQ, IMX219_EXCK_FREQ(IMX219_XCLK_FREQ / 1000000) },
};
+static const struct cci_reg_sequence imx219_2lane_regs[] = {
+ /* PLL Clock Table */
+ { IMX219_REG_VTPXCK_DIV, 5 },
+ { IMX219_REG_VTSYCK_DIV, 1 },
+ { IMX219_REG_PREPLLCK_VT_DIV, 3 }, /* 0x03 = AUTO set */
+ { IMX219_REG_PREPLLCK_OP_DIV, 3 }, /* 0x03 = AUTO set */
+ { IMX219_REG_PLL_VT_MPY, 57 },
+ { IMX219_REG_OPSYCK_DIV, 1 },
+ { IMX219_REG_PLL_OP_MPY, 114 },
+
+ /* 2-Lane CSI Mode */
+ { IMX219_REG_CSI_LANE_MODE, IMX219_CSI_2_LANE_MODE },
+};
+
+static const struct cci_reg_sequence imx219_4lane_regs[] = {
+ /* PLL Clock Table */
+ { IMX219_REG_VTPXCK_DIV, 5 },
+ { IMX219_REG_VTSYCK_DIV, 1 },
+ { IMX219_REG_PREPLLCK_VT_DIV, 3 }, /* 0x03 = AUTO set */
+ { IMX219_REG_PREPLLCK_OP_DIV, 3 }, /* 0x03 = AUTO set */
+ { IMX219_REG_PLL_VT_MPY, 88 },
+ { IMX219_REG_OPSYCK_DIV, 1 },
+ { IMX219_REG_PLL_OP_MPY, 91 },
+
+ /* 4-Lane CSI Mode */
+ { IMX219_REG_CSI_LANE_MODE, IMX219_CSI_4_LANE_MODE },
+};
+
static const s64 imx219_link_freq_menu[] = {
IMX219_DEFAULT_LINK_FREQ,
};
static const s64 imx219_link_freq_4lane_menu[] = {
IMX219_DEFAULT_LINK_FREQ_4LANE,
+ /*
+ * This will never be advertised to userspace, but will be used for
+ * v4l2_link_freq_to_bitmap
+ */
+ IMX219_DEFAULT_LINK_FREQ_4LANE_UNSUPPORTED,
};
static const char * const imx219_test_pattern_menu[] = {
@@ -662,9 +687,11 @@ static int imx219_set_framefmt(struct im
static int imx219_configure_lanes(struct imx219 *imx219)
{
- return cci_write(imx219->regmap, IMX219_REG_CSI_LANE_MODE,
- imx219->lanes == 2 ? IMX219_CSI_2_LANE_MODE :
- IMX219_CSI_4_LANE_MODE, NULL);
+ /* Write the appropriate PLL settings for the number of MIPI lanes */
+ return cci_multi_reg_write(imx219->regmap,
+ imx219->lanes == 2 ? imx219_2lane_regs : imx219_4lane_regs,
+ imx219->lanes == 2 ? ARRAY_SIZE(imx219_2lane_regs) :
+ ARRAY_SIZE(imx219_4lane_regs), NULL);
};
static int imx219_start_streaming(struct imx219 *imx219,
@@ -1035,6 +1062,7 @@ static int imx219_check_hwcfg(struct dev
struct v4l2_fwnode_endpoint ep_cfg = {
.bus_type = V4L2_MBUS_CSI2_DPHY
};
+ unsigned long link_freq_bitmap;
int ret = -EINVAL;
endpoint = fwnode_graph_get_next_endpoint(dev_fwnode(dev), NULL);
@@ -1056,23 +1084,40 @@ static int imx219_check_hwcfg(struct dev
imx219->lanes = ep_cfg.bus.mipi_csi2.num_data_lanes;
/* Check the link frequency set in device tree */
- if (!ep_cfg.nr_of_link_frequencies) {
- dev_err_probe(dev, -EINVAL,
- "link-frequency property not found in DT\n");
- goto error_out;
+ switch (imx219->lanes) {
+ case 2:
+ ret = v4l2_link_freq_to_bitmap(dev,
+ ep_cfg.link_frequencies,
+ ep_cfg.nr_of_link_frequencies,
+ imx219_link_freq_menu,
+ ARRAY_SIZE(imx219_link_freq_menu),
+ &link_freq_bitmap);
+ break;
+ case 4:
+ ret = v4l2_link_freq_to_bitmap(dev,
+ ep_cfg.link_frequencies,
+ ep_cfg.nr_of_link_frequencies,
+ imx219_link_freq_4lane_menu,
+ ARRAY_SIZE(imx219_link_freq_4lane_menu),
+ &link_freq_bitmap);
+
+ if (!ret && (link_freq_bitmap & BIT(1))) {
+ dev_warn(dev, "Link frequency of %d not supported, but has been incorrectly advertised previously\n",
+ IMX219_DEFAULT_LINK_FREQ_4LANE_UNSUPPORTED);
+ dev_warn(dev, "Using link frequency of %d\n",
+ IMX219_DEFAULT_LINK_FREQ_4LANE);
+ link_freq_bitmap |= BIT(0);
+ }
+ break;
}
- if (ep_cfg.nr_of_link_frequencies != 1 ||
- (ep_cfg.link_frequencies[0] != ((imx219->lanes == 2) ?
- IMX219_DEFAULT_LINK_FREQ : IMX219_DEFAULT_LINK_FREQ_4LANE))) {
+ if (ret || !(link_freq_bitmap & BIT(0))) {
+ ret = -EINVAL;
dev_err_probe(dev, -EINVAL,
"Link frequency not supported: %lld\n",
ep_cfg.link_frequencies[0]);
- goto error_out;
}
- ret = 0;
-
error_out:
v4l2_fwnode_endpoint_free(&ep_cfg);
fwnode_handle_put(endpoint);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 250/449] media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 249/449] media: imx219: Adjust PLL settings based on the number of MIPI lanes Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 251/449] Revert "media: imx214: Fix the error handling in imx214_probe()" Greg Kroah-Hartman
` (205 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Karina Yankevich, Sergey Shtylyov,
Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Karina Yankevich <k.yankevich@omp.ru>
commit 3edd1fc48d2c045e8259561797c89fe78f01717e upstream.
In v4l2_detect_gtf(), it seems safer to cast the 32-bit image_width
variable to the 64-bit type u64 before multiplying to avoid
a possible overflow. The resulting object code even seems to
look better, at least on x86_64.
Found by Linux Verification Center (linuxtesting.org) with Svace.
[Sergey: rewrote the patch subject/descripition]
Fixes: c9bc9f50753d ("[media] v4l2-dv-timings: fix overflow in gtf timings calculation")
Cc: stable@vger.kernel.org
Signed-off-by: Karina Yankevich <k.yankevich@omp.ru>
Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/v4l2-core/v4l2-dv-timings.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/media/v4l2-core/v4l2-dv-timings.c
+++ b/drivers/media/v4l2-core/v4l2-dv-timings.c
@@ -764,7 +764,7 @@ bool v4l2_detect_gtf(unsigned int frame_
u64 num;
u32 den;
- num = ((image_width * GTF_D_C_PRIME * (u64)hfreq) -
+ num = (((u64)image_width * GTF_D_C_PRIME * hfreq) -
((u64)image_width * GTF_D_M_PRIME * 1000));
den = (hfreq * (100 - GTF_D_C_PRIME) + GTF_D_M_PRIME * 1000) *
(2 * GTF_CELL_GRAN);
@@ -774,7 +774,7 @@ bool v4l2_detect_gtf(unsigned int frame_
u64 num;
u32 den;
- num = ((image_width * GTF_S_C_PRIME * (u64)hfreq) -
+ num = (((u64)image_width * GTF_S_C_PRIME * hfreq) -
((u64)image_width * GTF_S_M_PRIME * 1000));
den = (hfreq * (100 - GTF_S_C_PRIME) + GTF_S_M_PRIME * 1000) *
(2 * GTF_CELL_GRAN);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 251/449] Revert "media: imx214: Fix the error handling in imx214_probe()"
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 250/449] media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() Greg Kroah-Hartman
@ 2025-04-17 17:48 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 252/449] media: i2c: ccs: Set the devices runtime PM status correctly in remove Greg Kroah-Hartman
` (204 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit abd88757252c2a2cea7909f3922de1f0e9e04002 upstream.
This reverts commit 9bc92332cc3f06fda3c6e2423995ca2da0a7ec9a.
Revert this "fix" as it's not really helpful but makes backporting a
proper fix harder.
Fixes: 9bc92332cc3f ("media: imx214: Fix the error handling in imx214_probe()")
Cc: stable@vger.kernel.org # for >= v6.12
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/imx214.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/media/i2c/imx214.c
+++ b/drivers/media/i2c/imx214.c
@@ -1114,7 +1114,6 @@ free_ctrl:
v4l2_ctrl_handler_free(&imx214->ctrls);
error_power_off:
pm_runtime_disable(imx214->dev);
- regulator_bulk_disable(IMX214_NUM_SUPPLIES, imx214->supplies);
return ret;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 252/449] media: i2c: ccs: Set the devices runtime PM status correctly in remove
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2025-04-17 17:48 ` [PATCH 6.14 251/449] Revert "media: imx214: Fix the error handling in imx214_probe()" Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 253/449] media: i2c: ccs: Set the devices runtime PM status correctly in probe Greg Kroah-Hartman
` (203 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit e04604583095faf455b3490b004254a225fd60d4 upstream.
Set the device's runtime PM status to suspended in device removal only if
it wasn't suspended already.
Fixes: 9447082ae666 ("[media] smiapp: Implement power-on and power-off sequences without runtime PM")
Cc: stable@vger.kernel.org # for >= v5.15
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ccs/ccs-core.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/media/i2c/ccs/ccs-core.c
+++ b/drivers/media/i2c/ccs/ccs-core.c
@@ -3595,9 +3595,10 @@ static void ccs_remove(struct i2c_client
v4l2_async_unregister_subdev(subdev);
pm_runtime_disable(&client->dev);
- if (!pm_runtime_status_suspended(&client->dev))
+ if (!pm_runtime_status_suspended(&client->dev)) {
ccs_power_off(&client->dev);
- pm_runtime_set_suspended(&client->dev);
+ pm_runtime_set_suspended(&client->dev);
+ }
for (i = 0; i < sensor->ssds_used; i++)
v4l2_device_unregister_subdev(&sensor->ssds[i].sd);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 253/449] media: i2c: ccs: Set the devices runtime PM status correctly in probe
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 252/449] media: i2c: ccs: Set the devices runtime PM status correctly in remove Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 254/449] media: i2c: ov7251: Set enable GPIO low " Greg Kroah-Hartman
` (202 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit 80704d14f1bd3628f578510e0a88b66824990ef6 upstream.
Set the device's runtime PM status to suspended in probe error paths where
it was previously set to active.
Fixes: 9447082ae666 ("[media] smiapp: Implement power-on and power-off sequences without runtime PM")
Cc: stable@vger.kernel.org # for >= v5.15
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ccs/ccs-core.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/i2c/ccs/ccs-core.c
+++ b/drivers/media/i2c/ccs/ccs-core.c
@@ -3566,6 +3566,7 @@ static int ccs_probe(struct i2c_client *
out_disable_runtime_pm:
pm_runtime_put_noidle(&client->dev);
pm_runtime_disable(&client->dev);
+ pm_runtime_set_suspended(&client->dev);
out_cleanup:
ccs_cleanup(sensor);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 254/449] media: i2c: ov7251: Set enable GPIO low in probe
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 253/449] media: i2c: ccs: Set the devices runtime PM status correctly in probe Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 255/449] media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO Greg Kroah-Hartman
` (201 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Dave Stevenson,
Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit a1963698d59cec83df640ded343af08b76c8e9c5 upstream.
Set the enable GPIO low when acquiring it.
Fixes: d30bb512da3d ("media: Add a driver for the ov7251 camera sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ov7251.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/i2c/ov7251.c
+++ b/drivers/media/i2c/ov7251.c
@@ -1696,7 +1696,7 @@ static int ov7251_probe(struct i2c_clien
return PTR_ERR(ov7251->analog_regulator);
}
- ov7251->enable_gpio = devm_gpiod_get(dev, "enable", GPIOD_OUT_HIGH);
+ ov7251->enable_gpio = devm_gpiod_get(dev, "enable", GPIOD_OUT_LOW);
if (IS_ERR(ov7251->enable_gpio)) {
dev_err(dev, "cannot get enable gpio\n");
return PTR_ERR(ov7251->enable_gpio);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 255/449] media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 254/449] media: i2c: ov7251: Set enable GPIO low " Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 256/449] media: nuvoton: Fix reference handling of ece_node Greg Kroah-Hartman
` (200 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Dave Stevenson,
Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit 3d391292cdd53984ec1b9a1f6182a62a62751e03 upstream.
Lift the xshutdown (enable) GPIO 1 ms after enabling the regulators, as
required by the sensor's power-up sequence.
Fixes: d30bb512da3d ("media: Add a driver for the ov7251 camera sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ov7251.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/media/i2c/ov7251.c
+++ b/drivers/media/i2c/ov7251.c
@@ -922,6 +922,8 @@ static int ov7251_set_power_on(struct de
return ret;
}
+ usleep_range(1000, 1100);
+
gpiod_set_value_cansleep(ov7251->enable_gpio, 1);
/* wait at least 65536 external clock cycles */
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 256/449] media: nuvoton: Fix reference handling of ece_node
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 255/449] media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 257/449] media: nuvoton: Fix reference handling of ece_pdev Greg Kroah-Hartman
` (199 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ricardo Ribalda, Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Ribalda <ribalda@chromium.org>
commit 8ba4ef40ad6ca62368292a69855324213181abfb upstream.
Make sure all the code paths call of_node_put().
Instead of manually calling of_node_put, use the __free macros/helpers.
Cc: stable@vger.kernel.org
Fixes: 46c15a4ff1f4 ("media: nuvoton: Add driver for NPCM video capture and encoding engine")
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/nuvoton/npcm-video.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/media/platform/nuvoton/npcm-video.c
+++ b/drivers/media/platform/nuvoton/npcm-video.c
@@ -1648,8 +1648,8 @@ rel_ctrl_handler:
static int npcm_video_ece_init(struct npcm_video *video)
{
+ struct device_node *ece_node __free(device_node) = NULL;
struct device *dev = video->dev;
- struct device_node *ece_node;
struct platform_device *ece_pdev;
void __iomem *regs;
@@ -1669,7 +1669,6 @@ static int npcm_video_ece_init(struct np
dev_err(dev, "Failed to find ECE device\n");
return -ENODEV;
}
- of_node_put(ece_node);
regs = devm_platform_ioremap_resource(ece_pdev, 0);
if (IS_ERR(regs)) {
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 257/449] media: nuvoton: Fix reference handling of ece_pdev
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 256/449] media: nuvoton: Fix reference handling of ece_node Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 258/449] media: venus: hfi_parser: add check to avoid out of bound access Greg Kroah-Hartman
` (198 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ricardo Ribalda, Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Ribalda <ribalda@chromium.org>
commit 453d5cadab1bde8e6fdd5bd05f4200338cb21e72 upstream.
When we obtain a reference to of a platform_device, we need to release
it via put_device.
Found by cocci:
./platform/nuvoton/npcm-video.c:1677:3-9: ERROR: missing put_device; call of_find_device_by_node on line 1667, but without a corresponding object release within this function.
./platform/nuvoton/npcm-video.c:1684:3-9: ERROR: missing put_device; call of_find_device_by_node on line 1667, but without a corresponding object release within this function.
./platform/nuvoton/npcm-video.c:1690:3-9: ERROR: missing put_device; call of_find_device_by_node on line 1667, but without a corresponding object release within this function.
./platform/nuvoton/npcm-video.c:1694:1-7: ERROR: missing put_device; call of_find_device_by_node on line 1667, but without a corresponding object release within this function.
Instead of manually calling put_device, use the __free macros.
Cc: stable@vger.kernel.org
Fixes: 46c15a4ff1f4 ("media: nuvoton: Add driver for NPCM video capture and encoding engine")
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/nuvoton/npcm-video.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/media/platform/nuvoton/npcm-video.c
+++ b/drivers/media/platform/nuvoton/npcm-video.c
@@ -1669,6 +1669,7 @@ static int npcm_video_ece_init(struct np
dev_err(dev, "Failed to find ECE device\n");
return -ENODEV;
}
+ struct device *ece_dev __free(put_device) = &ece_pdev->dev;
regs = devm_platform_ioremap_resource(ece_pdev, 0);
if (IS_ERR(regs)) {
@@ -1683,7 +1684,7 @@ static int npcm_video_ece_init(struct np
return PTR_ERR(video->ece.regmap);
}
- video->ece.reset = devm_reset_control_get(&ece_pdev->dev, NULL);
+ video->ece.reset = devm_reset_control_get(ece_dev, NULL);
if (IS_ERR(video->ece.reset)) {
dev_err(dev, "Failed to get ECE reset control in DTS\n");
return PTR_ERR(video->ece.reset);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 258/449] media: venus: hfi_parser: add check to avoid out of bound access
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 257/449] media: nuvoton: Fix reference handling of ece_pdev Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 259/449] media: venus: hfi_parser: refactor hfi packet parsing logic Greg Kroah-Hartman
` (197 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bryan ODonoghue, Vikash Garodia,
Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vikash Garodia <quic_vgarodia@quicinc.com>
commit 172bf5a9ef70a399bb227809db78442dc01d9e48 upstream.
There is a possibility that init_codecs is invoked multiple times during
manipulated payload from video firmware. In such case, if codecs_count
can get incremented to value more than MAX_CODEC_NUM, there can be OOB
access. Reset the count so that it always starts from beginning.
Cc: stable@vger.kernel.org
Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser")
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/hfi_parser.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/media/platform/qcom/venus/hfi_parser.c
+++ b/drivers/media/platform/qcom/venus/hfi_parser.c
@@ -19,6 +19,8 @@ static void init_codecs(struct venus_cor
struct hfi_plat_caps *caps = core->caps, *cap;
unsigned long bit;
+ core->codecs_count = 0;
+
if (hweight_long(core->dec_codecs) + hweight_long(core->enc_codecs) > MAX_CODEC_NUM)
return;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 259/449] media: venus: hfi_parser: refactor hfi packet parsing logic
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 258/449] media: venus: hfi_parser: add check to avoid out of bound access Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 260/449] media: i2c: imx319: Rectify runtime PM handling probe and remove Greg Kroah-Hartman
` (196 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vikash Garodia, Bryan ODonoghue,
Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vikash Garodia <quic_vgarodia@quicinc.com>
commit 9edaaa8e3e15aab1ca413ab50556de1975bcb329 upstream.
words_count denotes the number of words in total payload, while data
points to payload of various property within it. When words_count
reaches last word, data can access memory beyond the total payload. This
can lead to OOB access. With this patch, the utility api for handling
individual properties now returns the size of data consumed. Accordingly
remaining bytes are calculated before parsing the payload, thereby
eliminates the OOB access possibilities.
Cc: stable@vger.kernel.org
Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser")
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/hfi_parser.c | 98 ++++++++++++++++++-------
1 file changed, 72 insertions(+), 26 deletions(-)
--- a/drivers/media/platform/qcom/venus/hfi_parser.c
+++ b/drivers/media/platform/qcom/venus/hfi_parser.c
@@ -64,7 +64,7 @@ fill_buf_mode(struct hfi_plat_caps *cap,
cap->cap_bufs_mode_dynamic = true;
}
-static void
+static int
parse_alloc_mode(struct venus_core *core, u32 codecs, u32 domain, void *data)
{
struct hfi_buffer_alloc_mode_supported *mode = data;
@@ -72,7 +72,7 @@ parse_alloc_mode(struct venus_core *core
u32 *type;
if (num_entries > MAX_ALLOC_MODE_ENTRIES)
- return;
+ return -EINVAL;
type = mode->data;
@@ -84,6 +84,8 @@ parse_alloc_mode(struct venus_core *core
type++;
}
+
+ return sizeof(*mode);
}
static void fill_profile_level(struct hfi_plat_caps *cap, const void *data,
@@ -98,7 +100,7 @@ static void fill_profile_level(struct hf
cap->num_pl += num;
}
-static void
+static int
parse_profile_level(struct venus_core *core, u32 codecs, u32 domain, void *data)
{
struct hfi_profile_level_supported *pl = data;
@@ -106,12 +108,14 @@ parse_profile_level(struct venus_core *c
struct hfi_profile_level pl_arr[HFI_MAX_PROFILE_COUNT] = {};
if (pl->profile_count > HFI_MAX_PROFILE_COUNT)
- return;
+ return -EINVAL;
memcpy(pl_arr, proflevel, pl->profile_count * sizeof(*proflevel));
for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain,
fill_profile_level, pl_arr, pl->profile_count);
+
+ return pl->profile_count * sizeof(*proflevel) + sizeof(u32);
}
static void
@@ -126,7 +130,7 @@ fill_caps(struct hfi_plat_caps *cap, con
cap->num_caps += num;
}
-static void
+static int
parse_caps(struct venus_core *core, u32 codecs, u32 domain, void *data)
{
struct hfi_capabilities *caps = data;
@@ -135,12 +139,14 @@ parse_caps(struct venus_core *core, u32
struct hfi_capability caps_arr[MAX_CAP_ENTRIES] = {};
if (num_caps > MAX_CAP_ENTRIES)
- return;
+ return -EINVAL;
memcpy(caps_arr, cap, num_caps * sizeof(*cap));
for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain,
fill_caps, caps_arr, num_caps);
+
+ return sizeof(*caps);
}
static void fill_raw_fmts(struct hfi_plat_caps *cap, const void *fmts,
@@ -155,7 +161,7 @@ static void fill_raw_fmts(struct hfi_pla
cap->num_fmts += num_fmts;
}
-static void
+static int
parse_raw_formats(struct venus_core *core, u32 codecs, u32 domain, void *data)
{
struct hfi_uncompressed_format_supported *fmt = data;
@@ -164,7 +170,8 @@ parse_raw_formats(struct venus_core *cor
struct raw_formats rawfmts[MAX_FMT_ENTRIES] = {};
u32 entries = fmt->format_entries;
unsigned int i = 0;
- u32 num_planes;
+ u32 num_planes = 0;
+ u32 size;
while (entries) {
num_planes = pinfo->num_planes;
@@ -174,7 +181,7 @@ parse_raw_formats(struct venus_core *cor
i++;
if (i >= MAX_FMT_ENTRIES)
- return;
+ return -EINVAL;
if (pinfo->num_planes > MAX_PLANES)
break;
@@ -186,9 +193,13 @@ parse_raw_formats(struct venus_core *cor
for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain,
fill_raw_fmts, rawfmts, i);
+ size = fmt->format_entries * (sizeof(*constr) * num_planes + 2 * sizeof(u32))
+ + 2 * sizeof(u32);
+
+ return size;
}
-static void parse_codecs(struct venus_core *core, void *data)
+static int parse_codecs(struct venus_core *core, void *data)
{
struct hfi_codec_supported *codecs = data;
@@ -200,21 +211,27 @@ static void parse_codecs(struct venus_co
core->dec_codecs &= ~HFI_VIDEO_CODEC_SPARK;
core->enc_codecs &= ~HFI_VIDEO_CODEC_HEVC;
}
+
+ return sizeof(*codecs);
}
-static void parse_max_sessions(struct venus_core *core, const void *data)
+static int parse_max_sessions(struct venus_core *core, const void *data)
{
const struct hfi_max_sessions_supported *sessions = data;
core->max_sessions_supported = sessions->max_sessions;
+
+ return sizeof(*sessions);
}
-static void parse_codecs_mask(u32 *codecs, u32 *domain, void *data)
+static int parse_codecs_mask(u32 *codecs, u32 *domain, void *data)
{
struct hfi_codec_mask_supported *mask = data;
*codecs = mask->codecs;
*domain = mask->video_domains;
+
+ return sizeof(*mask);
}
static void parser_init(struct venus_inst *inst, u32 *codecs, u32 *domain)
@@ -283,8 +300,9 @@ static int hfi_platform_parser(struct ve
u32 hfi_parser(struct venus_core *core, struct venus_inst *inst, void *buf,
u32 size)
{
- unsigned int words_count = size >> 2;
- u32 *word = buf, *data, codecs = 0, domain = 0;
+ u32 *words = buf, *payload, codecs = 0, domain = 0;
+ u32 *frame_size = buf + size;
+ u32 rem_bytes = size;
int ret;
ret = hfi_platform_parser(core, inst);
@@ -301,38 +319,66 @@ u32 hfi_parser(struct venus_core *core,
memset(core->caps, 0, sizeof(core->caps));
}
- while (words_count) {
- data = word + 1;
+ while (words < frame_size) {
+ payload = words + 1;
- switch (*word) {
+ switch (*words) {
case HFI_PROPERTY_PARAM_CODEC_SUPPORTED:
- parse_codecs(core, data);
+ if (rem_bytes <= sizeof(struct hfi_codec_supported))
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ ret = parse_codecs(core, payload);
+ if (ret < 0)
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
init_codecs(core);
break;
case HFI_PROPERTY_PARAM_MAX_SESSIONS_SUPPORTED:
- parse_max_sessions(core, data);
+ if (rem_bytes <= sizeof(struct hfi_max_sessions_supported))
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ ret = parse_max_sessions(core, payload);
break;
case HFI_PROPERTY_PARAM_CODEC_MASK_SUPPORTED:
- parse_codecs_mask(&codecs, &domain, data);
+ if (rem_bytes <= sizeof(struct hfi_codec_mask_supported))
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ ret = parse_codecs_mask(&codecs, &domain, payload);
break;
case HFI_PROPERTY_PARAM_UNCOMPRESSED_FORMAT_SUPPORTED:
- parse_raw_formats(core, codecs, domain, data);
+ if (rem_bytes <= sizeof(struct hfi_uncompressed_format_supported))
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ ret = parse_raw_formats(core, codecs, domain, payload);
break;
case HFI_PROPERTY_PARAM_CAPABILITY_SUPPORTED:
- parse_caps(core, codecs, domain, data);
+ if (rem_bytes <= sizeof(struct hfi_capabilities))
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ ret = parse_caps(core, codecs, domain, payload);
break;
case HFI_PROPERTY_PARAM_PROFILE_LEVEL_SUPPORTED:
- parse_profile_level(core, codecs, domain, data);
+ if (rem_bytes <= sizeof(struct hfi_profile_level_supported))
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ ret = parse_profile_level(core, codecs, domain, payload);
break;
case HFI_PROPERTY_PARAM_BUFFER_ALLOC_MODE_SUPPORTED:
- parse_alloc_mode(core, codecs, domain, data);
+ if (rem_bytes <= sizeof(struct hfi_buffer_alloc_mode_supported))
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ ret = parse_alloc_mode(core, codecs, domain, payload);
break;
default:
+ ret = sizeof(u32);
break;
}
- word++;
- words_count--;
+ if (ret < 0)
+ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
+
+ words += ret / sizeof(u32);
+ rem_bytes -= ret;
}
if (!core->max_sessions_supported)
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 260/449] media: i2c: imx319: Rectify runtime PM handling probe and remove
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 259/449] media: venus: hfi_parser: refactor hfi packet parsing logic Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 261/449] media: i2c: imx219: Rectify runtime PM handling in " Greg Kroah-Hartman
` (195 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit 5f5ffd3bc62b2e6c478061918b10473d8b90ac2d upstream.
Idle the device only after the async sub-device has been successfully
registered. In error handling, set the device's runtime PM status to
suspended only if it has been set to active previously in probe.
Also set the device's runtime PM status to suspended in remove only if it
wasn't so already.
Fixes: 8a89dc62f28c ("media: add imx319 camera sensor driver")
Cc: stable@vger.kernel.org # for >= v6.12
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/imx319.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/media/i2c/imx319.c
+++ b/drivers/media/i2c/imx319.c
@@ -2442,17 +2442,19 @@ static int imx319_probe(struct i2c_clien
if (full_power)
pm_runtime_set_active(&client->dev);
pm_runtime_enable(&client->dev);
- pm_runtime_idle(&client->dev);
ret = v4l2_async_register_subdev_sensor(&imx319->sd);
if (ret < 0)
goto error_media_entity_pm;
+ pm_runtime_idle(&client->dev);
+
return 0;
error_media_entity_pm:
pm_runtime_disable(&client->dev);
- pm_runtime_set_suspended(&client->dev);
+ if (full_power)
+ pm_runtime_set_suspended(&client->dev);
media_entity_cleanup(&imx319->sd.entity);
error_handler_free:
@@ -2474,7 +2476,8 @@ static void imx319_remove(struct i2c_cli
v4l2_ctrl_handler_free(sd->ctrl_handler);
pm_runtime_disable(&client->dev);
- pm_runtime_set_suspended(&client->dev);
+ if (!pm_runtime_status_suspended(&client->dev))
+ pm_runtime_set_suspended(&client->dev);
mutex_destroy(&imx319->mutex);
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 261/449] media: i2c: imx219: Rectify runtime PM handling in probe and remove
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 260/449] media: i2c: imx319: Rectify runtime PM handling probe and remove Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 262/449] media: i2c: imx214: Rectify probe error handling related to runtime PM Greg Kroah-Hartman
` (194 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bingbu Cao, Sakari Ailus,
Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit 42eceae9793566d0df53d509be3e416465c347f5 upstream.
Set the device's runtime PM status and enable runtime PM before
registering the async sub-device. This is needed to avoid the case where
the device is runtime PM resumed while runtime PM has not been enabled
yet.
Also set the device's runtime PM status to suspended in remove only if it
wasn't so already.
Fixes: 1283b3b8f82b ("media: i2c: Add driver for Sony IMX219 sensor")
Cc: stable@vger.kernel.org # for >= v6.6
Reviewed-by: Bingbu Cao <bingbu.cao@intel.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/imx219.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
--- a/drivers/media/i2c/imx219.c
+++ b/drivers/media/i2c/imx219.c
@@ -1223,6 +1223,9 @@ static int imx219_probe(struct i2c_clien
goto error_media_entity;
}
+ pm_runtime_set_active(dev);
+ pm_runtime_enable(dev);
+
ret = v4l2_async_register_subdev_sensor(&imx219->sd);
if (ret < 0) {
dev_err_probe(dev, ret,
@@ -1230,15 +1233,14 @@ static int imx219_probe(struct i2c_clien
goto error_subdev_cleanup;
}
- /* Enable runtime PM and turn off the device */
- pm_runtime_set_active(dev);
- pm_runtime_enable(dev);
pm_runtime_idle(dev);
return 0;
error_subdev_cleanup:
v4l2_subdev_cleanup(&imx219->sd);
+ pm_runtime_disable(dev);
+ pm_runtime_set_suspended(dev);
error_media_entity:
media_entity_cleanup(&imx219->sd.entity);
@@ -1263,9 +1265,10 @@ static void imx219_remove(struct i2c_cli
imx219_free_controls(imx219);
pm_runtime_disable(&client->dev);
- if (!pm_runtime_status_suspended(&client->dev))
+ if (!pm_runtime_status_suspended(&client->dev)) {
imx219_power_off(&client->dev);
- pm_runtime_set_suspended(&client->dev);
+ pm_runtime_set_suspended(&client->dev);
+ }
}
static const struct of_device_id imx219_dt_ids[] = {
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 262/449] media: i2c: imx214: Rectify probe error handling related to runtime PM
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 261/449] media: i2c: imx219: Rectify runtime PM handling in " Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 263/449] media: chips-media: wave5: Fix gray color on screen Greg Kroah-Hartman
` (193 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sakari Ailus, André Apitzsch,
Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit ccc888d1698b6f42d52ddf5cecfe50fe925c95e5 upstream.
There were multiple issues in the driver's probe function related to
error handling:
- Device's PM runtime status wasn't reverted to suspended on some errors
in probe.
- Runtime PM was left enabled for the device on some probe errors.
- Device was left powered on if a probe failure happened or when it
was removed when it was powered on.
- An extra pm_runtime_set_suspended() was issued in driver's remove
function when the device was suspended.
Fix these bugs.
Fixes: 436190596241 ("media: imx214: Add imx214 camera sensor driver")
Cc: stable@vger.kernel.org # for >= v6.12
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Acked-by: André Apitzsch <git@apitzsch.eu>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/imx214.c | 24 +++++++++++++++---------
1 file changed, 15 insertions(+), 9 deletions(-)
--- a/drivers/media/i2c/imx214.c
+++ b/drivers/media/i2c/imx214.c
@@ -1075,10 +1075,6 @@ static int imx214_probe(struct i2c_clien
*/
imx214_power_on(imx214->dev);
- pm_runtime_set_active(imx214->dev);
- pm_runtime_enable(imx214->dev);
- pm_runtime_idle(imx214->dev);
-
ret = imx214_ctrls_init(imx214);
if (ret < 0)
goto error_power_off;
@@ -1099,21 +1095,30 @@ static int imx214_probe(struct i2c_clien
imx214_entity_init_state(&imx214->sd, NULL);
+ pm_runtime_set_active(imx214->dev);
+ pm_runtime_enable(imx214->dev);
+
ret = v4l2_async_register_subdev_sensor(&imx214->sd);
if (ret < 0) {
dev_err(dev, "could not register v4l2 device\n");
goto free_entity;
}
+ pm_runtime_idle(imx214->dev);
+
return 0;
free_entity:
+ pm_runtime_disable(imx214->dev);
+ pm_runtime_set_suspended(&client->dev);
media_entity_cleanup(&imx214->sd.entity);
+
free_ctrl:
mutex_destroy(&imx214->mutex);
v4l2_ctrl_handler_free(&imx214->ctrls);
+
error_power_off:
- pm_runtime_disable(imx214->dev);
+ imx214_power_off(imx214->dev);
return ret;
}
@@ -1126,11 +1131,12 @@ static void imx214_remove(struct i2c_cli
v4l2_async_unregister_subdev(&imx214->sd);
media_entity_cleanup(&imx214->sd.entity);
v4l2_ctrl_handler_free(&imx214->ctrls);
-
- pm_runtime_disable(&client->dev);
- pm_runtime_set_suspended(&client->dev);
-
mutex_destroy(&imx214->mutex);
+ pm_runtime_disable(&client->dev);
+ if (!pm_runtime_status_suspended(&client->dev)) {
+ imx214_power_off(imx214->dev);
+ pm_runtime_set_suspended(&client->dev);
+ }
}
static const struct of_device_id imx214_of_match[] = {
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 263/449] media: chips-media: wave5: Fix gray color on screen
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 262/449] media: i2c: imx214: Rectify probe error handling related to runtime PM Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 264/449] media: chips-media: wave5: Avoid race condition in the interrupt handler Greg Kroah-Hartman
` (192 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jackson.lee, Nas Chung,
Nicolas Dufresne, Sebastian Fricke, Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jackson.lee <jackson.lee@chipsnmedia.com>
commit 6bae4d5053da634eecb611118e7cd91a677a4bbf upstream.
When a decoder instance is created, the W5_CMD_ERR_CONCEAL register
should be initialized to 0. Otherwise, gray color is occasionally
displayed on the screen while decoding.
Fixes: 45d1a2b93277 ("media: chips-media: wave5: Add vpuapi layer")
Cc: stable@vger.kernel.org
Signed-off-by: Jackson.lee <jackson.lee@chipsnmedia.com>
Signed-off-by: Nas Chung <nas.chung@chipsnmedia.com>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/chips-media/wave5/wave5-hw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/platform/chips-media/wave5/wave5-hw.c
+++ b/drivers/media/platform/chips-media/wave5/wave5-hw.c
@@ -585,7 +585,7 @@ int wave5_vpu_build_up_dec_param(struct
vpu_write_reg(inst->dev, W5_CMD_NUM_CQ_DEPTH_M1,
WAVE521_COMMAND_QUEUE_DEPTH - 1);
}
-
+ vpu_write_reg(inst->dev, W5_CMD_ERR_CONCEAL, 0);
ret = send_firmware_command(inst, W5_CREATE_INSTANCE, true, NULL, NULL);
if (ret) {
wave5_vdi_free_dma_memory(vpu_dev, &p_dec_info->vb_work);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 264/449] media: chips-media: wave5: Avoid race condition in the interrupt handler
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 263/449] media: chips-media: wave5: Fix gray color on screen Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 265/449] media: chips-media: wave5: Fix a hang after seeking Greg Kroah-Hartman
` (191 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jackson.lee, Nas Chung,
Nicolas Dufresne, Sebastian Fricke, Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jackson.lee <jackson.lee@chipsnmedia.com>
commit ac35f768986610480a1c01323d9cf9f5eaf3ee9b upstream.
In case of multiple active instances, new interrupts can occur as soon
as the current interrupt is cleared. If the driver reads the
instance_info after clearing the interrupt, then there is no guarantee,
that the instance_info is still valid for the current interrupt.
Read the instance_info register for each interrupt before clearing the
interrupt.
Fixes: ed7276ed2fd0 ("media: chips-media: wave5: Add hrtimer based polling support")
Cc: stable@vger.kernel.org
Signed-off-by: Jackson.lee <jackson.lee@chipsnmedia.com>
Signed-off-by: Nas Chung <nas.chung@chipsnmedia.com>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/chips-media/wave5/wave5-vpu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/media/platform/chips-media/wave5/wave5-vpu.c
+++ b/drivers/media/platform/chips-media/wave5/wave5-vpu.c
@@ -55,12 +55,12 @@ static void wave5_vpu_handle_irq(void *d
struct vpu_device *dev = dev_id;
irq_reason = wave5_vdi_read_register(dev, W5_VPU_VINT_REASON);
+ seq_done = wave5_vdi_read_register(dev, W5_RET_SEQ_DONE_INSTANCE_INFO);
+ cmd_done = wave5_vdi_read_register(dev, W5_RET_QUEUE_CMD_DONE_INST);
wave5_vdi_write_register(dev, W5_VPU_VINT_REASON_CLR, irq_reason);
wave5_vdi_write_register(dev, W5_VPU_VINT_CLEAR, 0x1);
list_for_each_entry(inst, &dev->instances, list) {
- seq_done = wave5_vdi_read_register(dev, W5_RET_SEQ_DONE_INSTANCE_INFO);
- cmd_done = wave5_vdi_read_register(dev, W5_RET_QUEUE_CMD_DONE_INST);
if (irq_reason & BIT(INT_WAVE5_INIT_SEQ) ||
irq_reason & BIT(INT_WAVE5_ENC_SET_PARAM)) {
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 265/449] media: chips-media: wave5: Fix a hang after seeking
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 264/449] media: chips-media: wave5: Avoid race condition in the interrupt handler Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 266/449] media: chips-media: wave5: Fix timeout while testing 10bit hevc fluster Greg Kroah-Hartman
` (190 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jackson.lee, Nas Chung,
Nicolas Dufresne, Sebastian Fricke, Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jackson.lee <jackson.lee@chipsnmedia.com>
commit a2c75e964e51b096e9fe6adfa3eaed53594a668b upstream.
While seeking, the driver calls the flush command. Before the flush
command is sent to the VPU, the driver should handle the display buffer
flags and should get all decoded information from the VPU if the VCORE
is running.
Fixes: 9707a6254a8a ("media: chips-media: wave5: Add the v4l2 layer")
Cc: stable@vger.kernel.org
Signed-off-by: Jackson.lee <jackson.lee@chipsnmedia.com>
Signed-off-by: Nas Chung <nas.chung@chipsnmedia.com>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c | 17 ++++++++++++++-
drivers/media/platform/chips-media/wave5/wave5-vpuapi.c | 10 ++++++++
2 files changed, 26 insertions(+), 1 deletion(-)
--- a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c
+++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c
@@ -1369,6 +1369,16 @@ static int streamoff_output(struct vb2_q
struct vb2_v4l2_buffer *buf;
int ret;
dma_addr_t new_rd_ptr;
+ struct dec_output_info dec_info;
+ unsigned int i;
+
+ for (i = 0; i < v4l2_m2m_num_dst_bufs_ready(m2m_ctx); i++) {
+ ret = wave5_vpu_dec_set_disp_flag(inst, i);
+ if (ret)
+ dev_dbg(inst->dev->dev,
+ "%s: Setting display flag of buf index: %u, fail: %d\n",
+ __func__, i, ret);
+ }
while ((buf = v4l2_m2m_src_buf_remove(m2m_ctx))) {
dev_dbg(inst->dev->dev, "%s: (Multiplanar) buf type %4u | index %4u\n",
@@ -1376,6 +1386,11 @@ static int streamoff_output(struct vb2_q
v4l2_m2m_buf_done(buf, VB2_BUF_STATE_ERROR);
}
+ while (wave5_vpu_dec_get_output_info(inst, &dec_info) == 0) {
+ if (dec_info.index_frame_display >= 0)
+ wave5_vpu_dec_set_disp_flag(inst, dec_info.index_frame_display);
+ }
+
ret = wave5_vpu_flush_instance(inst);
if (ret)
return ret;
@@ -1459,7 +1474,7 @@ static void wave5_vpu_dec_stop_streaming
break;
if (wave5_vpu_dec_get_output_info(inst, &dec_output_info))
- dev_dbg(inst->dev->dev, "Getting decoding results from fw, fail\n");
+ dev_dbg(inst->dev->dev, "there is no output info\n");
}
v4l2_m2m_update_stop_streaming_state(m2m_ctx, q);
--- a/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c
+++ b/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c
@@ -75,6 +75,16 @@ int wave5_vpu_flush_instance(struct vpu_
inst->type == VPU_INST_TYPE_DEC ? "DECODER" : "ENCODER", inst->id);
mutex_unlock(&inst->dev->hw_lock);
return -ETIMEDOUT;
+ } else if (ret == -EBUSY) {
+ struct dec_output_info dec_info;
+
+ mutex_unlock(&inst->dev->hw_lock);
+ wave5_vpu_dec_get_output_info(inst, &dec_info);
+ ret = mutex_lock_interruptible(&inst->dev->hw_lock);
+ if (ret)
+ return ret;
+ if (dec_info.index_frame_display > 0)
+ wave5_vpu_dec_set_disp_flag(inst, dec_info.index_frame_display);
}
} while (ret != 0);
mutex_unlock(&inst->dev->hw_lock);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 266/449] media: chips-media: wave5: Fix timeout while testing 10bit hevc fluster
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 265/449] media: chips-media: wave5: Fix a hang after seeking Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 267/449] irqchip/renesas-rzv2h: Fix wrong variable usage in rzv2h_tint_set_type() Greg Kroah-Hartman
` (189 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jackson.lee, Nas Chung,
Nicolas Dufresne, Sebastian Fricke, Hans Verkuil
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jackson.lee <jackson.lee@chipsnmedia.com>
commit 035371c9e5098018b8512efc6a8812912469480c upstream.
The Wave5 521C variant does not support 10 bit decoding. When 10 bit
decoding support was added for the 515 variant, a section of the code
was removed which returned an error. This removal causes a timeout for
the 521 variant, which was discovered during HEVC 10-bit decoding tests.
Fixes: 143e7ab4d9a0 ("media: chips-media: wave5: support decoding HEVC Main10 profile")
Cc: stable@vger.kernel.org
Signed-off-by: Jackson.lee <jackson.lee@chipsnmedia.com>
Signed-off-by: Nas Chung <nas.chung@chipsnmedia.com>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c
+++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c
@@ -1345,10 +1345,24 @@ static int wave5_vpu_dec_start_streaming
if (ret)
goto free_bitstream_vbuf;
} else if (q->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) {
+ struct dec_initial_info *initial_info =
+ &inst->codec_info->dec_info.initial_info;
+
if (inst->state == VPU_INST_STATE_STOP)
ret = switch_state(inst, VPU_INST_STATE_INIT_SEQ);
if (ret)
goto return_buffers;
+
+ if (inst->state == VPU_INST_STATE_INIT_SEQ &&
+ inst->dev->product_code == WAVE521C_CODE) {
+ if (initial_info->luma_bitdepth != 8) {
+ dev_info(inst->dev->dev, "%s: no support for %d bit depth",
+ __func__, initial_info->luma_bitdepth);
+ ret = -EINVAL;
+ goto return_buffers;
+ }
+ }
+
}
pm_runtime_mark_last_busy(inst->dev->dev);
pm_runtime_put_autosuspend(inst->dev->dev);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 267/449] irqchip/renesas-rzv2h: Fix wrong variable usage in rzv2h_tint_set_type()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 266/449] media: chips-media: wave5: Fix timeout while testing 10bit hevc fluster Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 268/449] gve: unlink old napi only if page pool exists Greg Kroah-Hartman
` (188 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Biju Das,
Thomas Gleixner
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Biju Das <biju.das.jz@bp.renesas.com>
commit 72310650788ad3d3afe3810735656dd291fea885 upstream.
The variable tssel_n is used for selecting TINT source and titsel_n for
setting the interrupt type. The variable titsel_n is wrongly used for
enabling the TINT interrupt in rzv2h_tint_set_type(). Fix this issue by
using the correct variable tssel_n.
While at it, move the tien variable assignment near to tssr.
Fixes: 0d7605e75ac2 ("irqchip: Add RZ/V2H(P) Interrupt Control Unit (ICU) driver")
Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/20250224131253.134199-3-biju.das.jz@bp.renesas.com
Closes: https://lore.kernel.org/CAMuHMdU3xJpz-jh=j7t4JreBat2of2ksP_OR3+nKAoZBr4pSxg@mail.gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/irqchip/irq-renesas-rzv2h.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/irqchip/irq-renesas-rzv2h.c
+++ b/drivers/irqchip/irq-renesas-rzv2h.c
@@ -301,10 +301,10 @@ static int rzv2h_tint_set_type(struct ir
tssr_k = ICU_TSSR_K(tint_nr);
tssel_n = ICU_TSSR_TSSEL_N(tint_nr);
+ tien = ICU_TSSR_TIEN(tssel_n);
titsr_k = ICU_TITSR_K(tint_nr);
titsel_n = ICU_TITSR_TITSEL_N(tint_nr);
- tien = ICU_TSSR_TIEN(titsel_n);
guard(raw_spinlock)(&priv->lock);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 268/449] gve: unlink old napi only if page pool exists
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 267/449] irqchip/renesas-rzv2h: Fix wrong variable usage in rzv2h_tint_set_type() Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 269/449] mptcp: sockopt: fix getting IPV6_V6ONLY Greg Kroah-Hartman
` (187 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joshua Washington,
Harshitha Ramamurthy, Simon Horman, Jakub Kicinski
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harshitha Ramamurthy <hramamurthy@google.com>
commit 81273eb87af86d4a43244b553762348e364b2df7 upstream.
Commit de70981f295e ("gve: unlink old napi when stopping a queue using
queue API") unlinks the old napi when stopping a queue. But this breaks
QPL mode of the driver which does not use page pool. Fix this by checking
that there's a page pool associated with the ring.
Cc: stable@vger.kernel.org
Fixes: de70981f295e ("gve: unlink old napi when stopping a queue using queue API")
Reviewed-by: Joshua Washington <joshwash@google.com>
Signed-off-by: Harshitha Ramamurthy <hramamurthy@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250317214141.286854-1-hramamurthy@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/google/gve/gve_rx_dqo.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/google/gve/gve_rx_dqo.c
+++ b/drivers/net/ethernet/google/gve/gve_rx_dqo.c
@@ -114,7 +114,8 @@ void gve_rx_stop_ring_dqo(struct gve_pri
if (!gve_rx_was_added_to_block(priv, idx))
return;
- page_pool_disable_direct_recycling(rx->dqo.page_pool);
+ if (rx->dqo.page_pool)
+ page_pool_disable_direct_recycling(rx->dqo.page_pool);
gve_remove_napi(priv, ntfy_idx);
gve_rx_remove_from_block(priv, idx);
gve_rx_reset_ring_dqo(priv, idx);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 269/449] mptcp: sockopt: fix getting IPV6_V6ONLY
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 268/449] gve: unlink old napi only if page pool exists Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 270/449] mptcp: sockopt: fix getting freebind & transparent Greg Kroah-Hartman
` (186 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Simon Horman, Paolo Abeni
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 8c39633759885b6ff85f6d96cf445560e74df5e8 upstream.
When adding a socket option support in MPTCP, both the get and set parts
are supposed to be implemented.
IPV6_V6ONLY support for the setsockopt part has been added a while ago,
but it looks like the get part got forgotten. It should have been
present as a way to verify a setting has been set as expected, and not
to act differently from TCP or any other socket types.
Not supporting this getsockopt(IPV6_V6ONLY) blocks some apps which want
to check the default value, before doing extra actions. On Linux, the
default value is 0, but this can be changed with the net.ipv6.bindv6only
sysctl knob. On Windows, it is set to 1 by default. So supporting the
get part, like for all other socket options, is important.
Everything was in place to expose it, just the last step was missing.
Only new code is added to cover this specific getsockopt(), that seems
safe.
Fixes: c9b95a135987 ("mptcp: support IPV6_V6ONLY setsockopt")
Cc: stable@vger.kernel.org
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/550
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250314-net-mptcp-fix-data-stream-corr-sockopt-v1-2-122dbb249db3@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/sockopt.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/net/mptcp/sockopt.c
+++ b/net/mptcp/sockopt.c
@@ -1430,6 +1430,20 @@ static int mptcp_getsockopt_v4(struct mp
return -EOPNOTSUPP;
}
+static int mptcp_getsockopt_v6(struct mptcp_sock *msk, int optname,
+ char __user *optval, int __user *optlen)
+{
+ struct sock *sk = (void *)msk;
+
+ switch (optname) {
+ case IPV6_V6ONLY:
+ return mptcp_put_int_option(msk, optval, optlen,
+ sk->sk_ipv6only);
+ }
+
+ return -EOPNOTSUPP;
+}
+
static int mptcp_getsockopt_sol_mptcp(struct mptcp_sock *msk, int optname,
char __user *optval, int __user *optlen)
{
@@ -1469,6 +1483,8 @@ int mptcp_getsockopt(struct sock *sk, in
if (level == SOL_IP)
return mptcp_getsockopt_v4(msk, optname, optval, option);
+ if (level == SOL_IPV6)
+ return mptcp_getsockopt_v6(msk, optname, optval, option);
if (level == SOL_TCP)
return mptcp_getsockopt_sol_tcp(msk, optname, optval, option);
if (level == SOL_MPTCP)
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 270/449] mptcp: sockopt: fix getting freebind & transparent
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 269/449] mptcp: sockopt: fix getting IPV6_V6ONLY Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 271/449] block: make sure ->nr_integrity_segments is cloned in blk_rq_prep_clone Greg Kroah-Hartman
` (185 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Simon Horman, Paolo Abeni
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit e2f4ac7bab2205d3c4dd9464e6ffd82502177c51 upstream.
When adding a socket option support in MPTCP, both the get and set parts
are supposed to be implemented.
IP(V6)_FREEBIND and IP(V6)_TRANSPARENT support for the setsockopt part
has been added a while ago, but it looks like the get part got
forgotten. It should have been present as a way to verify a setting has
been set as expected, and not to act differently from TCP or any other
socket types.
Everything was in place to expose it, just the last step was missing.
Only new code is added to cover these specific getsockopt(), that seems
safe.
Fixes: c9406a23c116 ("mptcp: sockopt: add SOL_IP freebind & transparent options")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250314-net-mptcp-fix-data-stream-corr-sockopt-v1-3-122dbb249db3@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/sockopt.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/net/mptcp/sockopt.c
+++ b/net/mptcp/sockopt.c
@@ -1419,6 +1419,12 @@ static int mptcp_getsockopt_v4(struct mp
switch (optname) {
case IP_TOS:
return mptcp_put_int_option(msk, optval, optlen, READ_ONCE(inet_sk(sk)->tos));
+ case IP_FREEBIND:
+ return mptcp_put_int_option(msk, optval, optlen,
+ inet_test_bit(FREEBIND, sk));
+ case IP_TRANSPARENT:
+ return mptcp_put_int_option(msk, optval, optlen,
+ inet_test_bit(TRANSPARENT, sk));
case IP_BIND_ADDRESS_NO_PORT:
return mptcp_put_int_option(msk, optval, optlen,
inet_test_bit(BIND_ADDRESS_NO_PORT, sk));
@@ -1439,6 +1445,12 @@ static int mptcp_getsockopt_v6(struct mp
case IPV6_V6ONLY:
return mptcp_put_int_option(msk, optval, optlen,
sk->sk_ipv6only);
+ case IPV6_TRANSPARENT:
+ return mptcp_put_int_option(msk, optval, optlen,
+ inet_test_bit(TRANSPARENT, sk));
+ case IPV6_FREEBIND:
+ return mptcp_put_int_option(msk, optval, optlen,
+ inet_test_bit(FREEBIND, sk));
}
return -EOPNOTSUPP;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 271/449] block: make sure ->nr_integrity_segments is cloned in blk_rq_prep_clone
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 270/449] mptcp: sockopt: fix getting freebind & transparent Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 272/449] mtd: Add check for devm_kcalloc() Greg Kroah-Hartman
` (184 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Ming Lei,
Christoph Hellwig, Jens Axboe
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Lei <ming.lei@redhat.com>
commit fc0e982b8a3a169b1c654d9a1aa45bf292943ef2 upstream.
Make sure ->nr_integrity_segments is cloned in blk_rq_prep_clone(),
otherwise requests cloned by device-mapper multipath will not have the
proper nr_integrity_segments values set, then BUG() is hit from
sg_alloc_table_chained().
Fixes: b0fd271d5fba ("block: add request clone interface (v2)")
Cc: stable@vger.kernel.org
Cc: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20250310115453.2271109-1-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-mq.c | 1 +
1 file changed, 1 insertion(+)
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -3314,6 +3314,7 @@ int blk_rq_prep_clone(struct request *rq
rq->special_vec = rq_src->special_vec;
}
rq->nr_phys_segments = rq_src->nr_phys_segments;
+ rq->nr_integrity_segments = rq_src->nr_integrity_segments;
if (rq->bio && blk_crypto_rq_bio_prep(rq, rq->bio, gfp_mask) < 0)
goto free_and_out;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 272/449] mtd: Add check for devm_kcalloc()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 271/449] block: make sure ->nr_integrity_segments is cloned in blk_rq_prep_clone Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 273/449] net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family Greg Kroah-Hartman
` (183 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Miquel Raynal
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
commit 2aee30bb10d7bad0a60255059c9ce1b84cf0130e upstream.
Add a check for devm_kcalloc() to ensure successful allocation.
Fixes: 78c08247b9d3 ("mtd: Support kmsg dumper based on pstore/blk")
Cc: stable@vger.kernel.org # v5.10+
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/mtdpstore.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/mtd/mtdpstore.c
+++ b/drivers/mtd/mtdpstore.c
@@ -423,6 +423,9 @@ static void mtdpstore_notify_add(struct
longcnt = BITS_TO_LONGS(div_u64(mtd->size, mtd->erasesize));
cxt->badmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
+ if (!cxt->rmmap || !cxt->usedmap || !cxt->badmap)
+ return;
+
/* just support dmesg right now */
cxt->dev.flags = PSTORE_FLAGS_DMESG;
cxt->dev.zone.read = mtdpstore_read;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 273/449] net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 272/449] mtd: Add check for devm_kcalloc() Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 274/449] net: dsa: mv88e6xxx: fix internal PHYs " Greg Kroah-Hartman
` (182 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Behún, Andrew Lunn,
Jakub Kicinski
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Behún <kabel@kernel.org>
commit 1ebc8e1ef906db9c08e9abe9776d85ddec837725 upstream.
Implement the workaround for erratum
3.3 RGMII timing may be out of spec when transmit delay is enabled
for the 6320 family, which says:
When transmit delay is enabled via Port register 1 bit 14 = 1, duty
cycle may be out of spec. Under very rare conditions this may cause
the attached device receive CRC errors.
Signed-off-by: Marek Behún <kabel@kernel.org>
Cc: <stable@vger.kernel.org> # 5.4.x
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20250317173250.28780-8-kabel@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/dsa/mv88e6xxx/chip.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
--- a/drivers/net/dsa/mv88e6xxx/chip.c
+++ b/drivers/net/dsa/mv88e6xxx/chip.c
@@ -3674,6 +3674,21 @@ static int mv88e6xxx_stats_setup(struct
return mv88e6xxx_g1_stats_clear(chip);
}
+static int mv88e6320_setup_errata(struct mv88e6xxx_chip *chip)
+{
+ u16 dummy;
+ int err;
+
+ /* Workaround for erratum
+ * 3.3 RGMII timing may be out of spec when transmit delay is enabled
+ */
+ err = mv88e6xxx_port_hidden_write(chip, 0, 0xf, 0x7, 0xe000);
+ if (err)
+ return err;
+
+ return mv88e6xxx_port_hidden_read(chip, 0, 0xf, 0x7, &dummy);
+}
+
/* Check if the errata has already been applied. */
static bool mv88e6390_setup_errata_applied(struct mv88e6xxx_chip *chip)
{
@@ -5130,6 +5145,7 @@ static const struct mv88e6xxx_ops mv88e6
static const struct mv88e6xxx_ops mv88e6320_ops = {
/* MV88E6XXX_FAMILY_6320 */
+ .setup_errata = mv88e6320_setup_errata,
.ieee_pri_map = mv88e6085_g1_ieee_pri_map,
.ip_pri_map = mv88e6085_g1_ip_pri_map,
.irl_init_all = mv88e6352_g2_irl_init_all,
@@ -5182,6 +5198,7 @@ static const struct mv88e6xxx_ops mv88e6
static const struct mv88e6xxx_ops mv88e6321_ops = {
/* MV88E6XXX_FAMILY_6320 */
+ .setup_errata = mv88e6320_setup_errata,
.ieee_pri_map = mv88e6085_g1_ieee_pri_map,
.ip_pri_map = mv88e6085_g1_ip_pri_map,
.irl_init_all = mv88e6352_g2_irl_init_all,
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 274/449] net: dsa: mv88e6xxx: fix internal PHYs for 6320 family
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 273/449] net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 275/449] mtd: Replace kcalloc() with devm_kcalloc() Greg Kroah-Hartman
` (181 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Behún, Andrew Lunn,
Jakub Kicinski
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Behún <kabel@kernel.org>
commit 52fdc41c3278c981066a461d03d5477ebfcf270c upstream.
Fix internal PHYs definition for the 6320 family, which has only 2
internal PHYs (on ports 3 and 4).
Fixes: bc3931557d1d ("net: dsa: mv88e6xxx: Add number of internal PHYs")
Signed-off-by: Marek Behún <kabel@kernel.org>
Cc: <stable@vger.kernel.org> # 6.6.x
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20250317173250.28780-7-kabel@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/dsa/mv88e6xxx/chip.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/net/dsa/mv88e6xxx/chip.c
+++ b/drivers/net/dsa/mv88e6xxx/chip.c
@@ -6259,7 +6259,8 @@ static const struct mv88e6xxx_info mv88e
.num_databases = 4096,
.num_macs = 8192,
.num_ports = 7,
- .num_internal_phys = 5,
+ .num_internal_phys = 2,
+ .internal_phys_offset = 3,
.num_gpio = 15,
.max_vid = 4095,
.max_sid = 63,
@@ -6286,7 +6287,8 @@ static const struct mv88e6xxx_info mv88e
.num_databases = 4096,
.num_macs = 8192,
.num_ports = 7,
- .num_internal_phys = 5,
+ .num_internal_phys = 2,
+ .internal_phys_offset = 3,
.num_gpio = 15,
.max_vid = 4095,
.max_sid = 63,
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 275/449] mtd: Replace kcalloc() with devm_kcalloc()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 274/449] net: dsa: mv88e6xxx: fix internal PHYs " Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 276/449] clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup Greg Kroah-Hartman
` (180 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Miquel Raynal
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
commit 1b61a59876f0eafc19b23007c522ee407f55dbec upstream.
Replace kcalloc() with devm_kcalloc() to prevent memory leaks in case of
errors.
Fixes: 78c08247b9d3 ("mtd: Support kmsg dumper based on pstore/blk")
Cc: stable@vger.kernel.org # v5.10+
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/mtdpstore.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
--- a/drivers/mtd/mtdpstore.c
+++ b/drivers/mtd/mtdpstore.c
@@ -417,11 +417,11 @@ static void mtdpstore_notify_add(struct
}
longcnt = BITS_TO_LONGS(div_u64(mtd->size, info->kmsg_size));
- cxt->rmmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
- cxt->usedmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
+ cxt->rmmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL);
+ cxt->usedmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL);
longcnt = BITS_TO_LONGS(div_u64(mtd->size, mtd->erasesize));
- cxt->badmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
+ cxt->badmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL);
if (!cxt->rmmap || !cxt->usedmap || !cxt->badmap)
return;
@@ -530,9 +530,6 @@ static void mtdpstore_notify_remove(stru
mtdpstore_flush_removed(cxt);
unregister_pstore_device(&cxt->dev);
- kfree(cxt->badmap);
- kfree(cxt->usedmap);
- kfree(cxt->rmmap);
cxt->mtd = NULL;
cxt->index = -1;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 276/449] clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 275/449] mtd: Replace kcalloc() with devm_kcalloc() Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 277/449] Revert "wifi: mt76: mt7925: Update mt7925_mcu_uni_[tx,rx]_ba for MLO" Greg Kroah-Hartman
` (179 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandre Torgue, Fabrice Gasnier,
Daniel Lezcano
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Torgue <alexandre.torgue@foss.st.com>
commit 96bf4b89a6ab22426ad83ef76e66c72a5a8daca0 upstream.
"wakeup-source" property describes a device which has wakeup capability
but should not force this device as a wakeup source.
Fixes: 48b41c5e2de6 ("clocksource: Add Low Power STM32 timers driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
Signed-off-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
Rule: add
Link: https://lore.kernel.org/stable/20250306083407.2374894-1-fabrice.gasnier%40foss.st.com
Link: https://lore.kernel.org/r/20250306102501.2980153-1-fabrice.gasnier@foss.st.com
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clocksource/timer-stm32-lp.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/clocksource/timer-stm32-lp.c
+++ b/drivers/clocksource/timer-stm32-lp.c
@@ -168,9 +168,7 @@ static int stm32_clkevent_lp_probe(struc
}
if (of_property_read_bool(pdev->dev.parent->of_node, "wakeup-source")) {
- ret = device_init_wakeup(&pdev->dev, true);
- if (ret)
- goto out_clk_disable;
+ device_set_wakeup_capable(&pdev->dev, true);
ret = dev_pm_set_wake_irq(&pdev->dev, irq);
if (ret)
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 277/449] Revert "wifi: mt76: mt7925: Update mt7925_mcu_uni_[tx,rx]_ba for MLO"
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 276/449] clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 278/449] wifi: mt76: Add check for devm_kstrdup() Greg Kroah-Hartman
` (178 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming Yen Hsieh, Caleb Jorden,
Sean Wang, Felix Fietkau
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Wang <sean.wang@mediatek.com>
commit 766ea2cf5a398c7eed519b12c6c6cf1631143ea2 upstream.
For MLO, mac80211 will send the BA action for each link to
the driver, so the driver does not need to handle it itself.
Therefore, revert this patch.
Fixes: eb2a9a12c609 ("wifi: mt76: mt7925: Update mt7925_mcu_uni_[tx,rx]_ba for MLO")
Cc: stable@vger.kernel.org
Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Tested-by: Caleb Jorden <cjorden@gmail.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Link: https://patch.msgid.link/20250305000851.493671-1-sean.wang@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/mt7925/main.c | 10 ++--
drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 52 ++++-----------------
drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h | 2
3 files changed, 15 insertions(+), 49 deletions(-)
--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -1289,22 +1289,22 @@ mt7925_ampdu_action(struct ieee80211_hw
case IEEE80211_AMPDU_RX_START:
mt76_rx_aggr_start(&dev->mt76, &msta->deflink.wcid, tid, ssn,
params->buf_size);
- mt7925_mcu_uni_rx_ba(dev, vif, params, true);
+ mt7925_mcu_uni_rx_ba(dev, params, true);
break;
case IEEE80211_AMPDU_RX_STOP:
mt76_rx_aggr_stop(&dev->mt76, &msta->deflink.wcid, tid);
- mt7925_mcu_uni_rx_ba(dev, vif, params, false);
+ mt7925_mcu_uni_rx_ba(dev, params, false);
break;
case IEEE80211_AMPDU_TX_OPERATIONAL:
mtxq->aggr = true;
mtxq->send_bar = false;
- mt7925_mcu_uni_tx_ba(dev, vif, params, true);
+ mt7925_mcu_uni_tx_ba(dev, params, true);
break;
case IEEE80211_AMPDU_TX_STOP_FLUSH:
case IEEE80211_AMPDU_TX_STOP_FLUSH_CONT:
mtxq->aggr = false;
clear_bit(tid, &msta->deflink.wcid.ampdu_state);
- mt7925_mcu_uni_tx_ba(dev, vif, params, false);
+ mt7925_mcu_uni_tx_ba(dev, params, false);
break;
case IEEE80211_AMPDU_TX_START:
set_bit(tid, &msta->deflink.wcid.ampdu_state);
@@ -1313,7 +1313,7 @@ mt7925_ampdu_action(struct ieee80211_hw
case IEEE80211_AMPDU_TX_STOP_CONT:
mtxq->aggr = false;
clear_bit(tid, &msta->deflink.wcid.ampdu_state);
- mt7925_mcu_uni_tx_ba(dev, vif, params, false);
+ mt7925_mcu_uni_tx_ba(dev, params, false);
ieee80211_stop_tx_ba_cb_irqsafe(vif, sta->addr, tid);
break;
}
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
@@ -576,10 +576,10 @@ void mt7925_mcu_rx_event(struct mt792x_d
static int
mt7925_mcu_sta_ba(struct mt76_dev *dev, struct mt76_vif_link *mvif,
- struct mt76_wcid *wcid,
struct ieee80211_ampdu_params *params,
bool enable, bool tx)
{
+ struct mt76_wcid *wcid = (struct mt76_wcid *)params->sta->drv_priv;
struct sta_rec_ba_uni *ba;
struct sk_buff *skb;
struct tlv *tlv;
@@ -607,60 +607,28 @@ mt7925_mcu_sta_ba(struct mt76_dev *dev,
/** starec & wtbl **/
int mt7925_mcu_uni_tx_ba(struct mt792x_dev *dev,
- struct ieee80211_vif *vif,
struct ieee80211_ampdu_params *params,
bool enable)
{
struct mt792x_sta *msta = (struct mt792x_sta *)params->sta->drv_priv;
- struct mt792x_vif *mvif = (struct mt792x_vif *)vif->drv_priv;
- struct mt792x_link_sta *mlink;
- struct mt792x_bss_conf *mconf;
- unsigned long usable_links = ieee80211_vif_usable_links(vif);
- struct mt76_wcid *wcid;
- u8 link_id, ret;
-
- for_each_set_bit(link_id, &usable_links, IEEE80211_MLD_MAX_NUM_LINKS) {
- mconf = mt792x_vif_to_link(mvif, link_id);
- mlink = mt792x_sta_to_link(msta, link_id);
- wcid = &mlink->wcid;
-
- if (enable && !params->amsdu)
- mlink->wcid.amsdu = false;
-
- ret = mt7925_mcu_sta_ba(&dev->mt76, &mconf->mt76, wcid, params,
- enable, true);
- if (ret < 0)
- break;
- }
+ struct mt792x_vif *mvif = msta->vif;
- return ret;
+ if (enable && !params->amsdu)
+ msta->deflink.wcid.amsdu = false;
+
+ return mt7925_mcu_sta_ba(&dev->mt76, &mvif->bss_conf.mt76, params,
+ enable, true);
}
int mt7925_mcu_uni_rx_ba(struct mt792x_dev *dev,
- struct ieee80211_vif *vif,
struct ieee80211_ampdu_params *params,
bool enable)
{
struct mt792x_sta *msta = (struct mt792x_sta *)params->sta->drv_priv;
- struct mt792x_vif *mvif = (struct mt792x_vif *)vif->drv_priv;
- struct mt792x_link_sta *mlink;
- struct mt792x_bss_conf *mconf;
- unsigned long usable_links = ieee80211_vif_usable_links(vif);
- struct mt76_wcid *wcid;
- u8 link_id, ret;
-
- for_each_set_bit(link_id, &usable_links, IEEE80211_MLD_MAX_NUM_LINKS) {
- mconf = mt792x_vif_to_link(mvif, link_id);
- mlink = mt792x_sta_to_link(msta, link_id);
- wcid = &mlink->wcid;
-
- ret = mt7925_mcu_sta_ba(&dev->mt76, &mconf->mt76, wcid, params,
- enable, false);
- if (ret < 0)
- break;
- }
+ struct mt792x_vif *mvif = msta->vif;
- return ret;
+ return mt7925_mcu_sta_ba(&dev->mt76, &mvif->bss_conf.mt76, params,
+ enable, false);
}
static int mt7925_load_clc(struct mt792x_dev *dev, const char *fw_name)
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h
@@ -263,11 +263,9 @@ int mt7925_mcu_set_beacon_filter(struct
struct ieee80211_vif *vif,
bool enable);
int mt7925_mcu_uni_tx_ba(struct mt792x_dev *dev,
- struct ieee80211_vif *vif,
struct ieee80211_ampdu_params *params,
bool enable);
int mt7925_mcu_uni_rx_ba(struct mt792x_dev *dev,
- struct ieee80211_vif *vif,
struct ieee80211_ampdu_params *params,
bool enable);
void mt7925_scan_work(struct work_struct *work);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 278/449] wifi: mt76: Add check for devm_kstrdup()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 277/449] Revert "wifi: mt76: mt7925: Update mt7925_mcu_uni_[tx,rx]_ba for MLO" Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 279/449] wifi: mt76: mt792x: re-register CHANCTX_STA_CSA only for the mt7921 series Greg Kroah-Hartman
` (177 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Felix Fietkau
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
commit 4bc1da524b502999da28d287de4286c986a1af57 upstream.
Add check for the return value of devm_kstrdup() in
mt76_get_of_data_from_mtd() to catch potential exception.
Fixes: e7a6a044f9b9 ("mt76: testmode: move mtd part to mt76_dev")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Link: https://patch.msgid.link/20250219033645.2594753-1-haoxiang_li2024@163.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/eeprom.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/net/wireless/mediatek/mt76/eeprom.c
+++ b/drivers/net/wireless/mediatek/mt76/eeprom.c
@@ -95,6 +95,10 @@ int mt76_get_of_data_from_mtd(struct mt7
#ifdef CONFIG_NL80211_TESTMODE
dev->test_mtd.name = devm_kstrdup(dev->dev, part, GFP_KERNEL);
+ if (!dev->test_mtd.name) {
+ ret = -ENOMEM;
+ goto out_put_node;
+ }
dev->test_mtd.offset = offset;
#endif
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 279/449] wifi: mt76: mt792x: re-register CHANCTX_STA_CSA only for the mt7921 series
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 278/449] wifi: mt76: Add check for devm_kstrdup() Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 280/449] wifi: mac80211: fix integer overflow in hwmp_route_info_get() Greg Kroah-Hartman
` (176 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ming Yen Hsieh, Felix Fietkau
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
commit 06e70003d88218675c566584dd76867fcb39706d upstream.
CSA is currently not supported on mt7925, so CSA is only registered for
the mt7921 series
Cc: stable@vger.kernel.org
Fixes: 8aa2f59260eb ("wifi: mt76: mt7921: introduce CSA support")
Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Link: https://patch.msgid.link/20250313054044.2638837-1-mingyen.hsieh@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/mt792x_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/mediatek/mt76/mt792x_core.c
+++ b/drivers/net/wireless/mediatek/mt76/mt792x_core.c
@@ -665,7 +665,8 @@ int mt792x_init_wiphy(struct ieee80211_h
ieee80211_hw_set(hw, SUPPORTS_DYNAMIC_PS);
ieee80211_hw_set(hw, SUPPORTS_VHT_EXT_NSS_BW);
ieee80211_hw_set(hw, CONNECTION_MONITOR);
- ieee80211_hw_set(hw, CHANCTX_STA_CSA);
+ if (is_mt7921(&dev->mt76))
+ ieee80211_hw_set(hw, CHANCTX_STA_CSA);
if (dev->pm.enable)
ieee80211_hw_set(hw, CONNECTION_MONITOR);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 280/449] wifi: mac80211: fix integer overflow in hwmp_route_info_get()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 279/449] wifi: mt76: mt792x: re-register CHANCTX_STA_CSA only for the mt7921 series Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 281/449] wifi: mt76: mt7925: ensure wow pattern command align fw format Greg Kroah-Hartman
` (175 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ilia Gavrilov, Johannes Berg
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
commit d00c0c4105e5ab8a6a13ed23d701cceb285761fa upstream.
Since the new_metric and last_hop_metric variables can reach
the MAX_METRIC(0xffffffff) value, an integer overflow may occur
when multiplying them by 10/9. It can lead to incorrect behavior.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
Fixes: a8d418d9ac25 ("mac80211: mesh: only switch path when new metric is at least 10% better")
Cc: stable@vger.kernel.org
Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru>
Link: https://patch.msgid.link/20250212082124.4078236-1-Ilia.Gavrilov@infotecs.ru
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/mesh_hwmp.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -367,6 +367,12 @@ u32 airtime_link_metric_get(struct ieee8
return (u32)result;
}
+/* Check that the first metric is at least 10% better than the second one */
+static bool is_metric_better(u32 x, u32 y)
+{
+ return (x < y) && (x < (y - x / 10));
+}
+
/**
* hwmp_route_info_get - Update routing info to originator and transmitter
*
@@ -458,8 +464,8 @@ static u32 hwmp_route_info_get(struct ie
(mpath->sn == orig_sn &&
(rcu_access_pointer(mpath->next_hop) !=
sta ?
- mult_frac(new_metric, 10, 9) :
- new_metric) >= mpath->metric)) {
+ !is_metric_better(new_metric, mpath->metric) :
+ new_metric >= mpath->metric))) {
process = false;
fresh_info = false;
}
@@ -533,8 +539,8 @@ static u32 hwmp_route_info_get(struct ie
if ((mpath->flags & MESH_PATH_FIXED) ||
((mpath->flags & MESH_PATH_ACTIVE) &&
((rcu_access_pointer(mpath->next_hop) != sta ?
- mult_frac(last_hop_metric, 10, 9) :
- last_hop_metric) > mpath->metric)))
+ !is_metric_better(last_hop_metric, mpath->metric) :
+ last_hop_metric > mpath->metric))))
fresh_info = false;
} else {
mpath = mesh_path_add(sdata, ta);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 281/449] wifi: mt76: mt7925: ensure wow pattern command align fw format
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 280/449] wifi: mac80211: fix integer overflow in hwmp_route_info_get() Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 282/449] wifi: mt76: mt7925: fix country count limitation for CLC Greg Kroah-Hartman
` (174 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ming Yen Hsieh, Felix Fietkau
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
commit 8ae45b1f699bbc27ea8647093f794f671e77410b upstream.
Align the format of "struct mt7925_wow_pattern_tlv" with
firmware to ensure proper functionality.
Cc: stable@vger.kernel.org
Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Link: https://patch.msgid.link/20250116055925.3856856-1-mingyen.hsieh@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/mt7925/mcu.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h
@@ -566,8 +566,8 @@ struct mt7925_wow_pattern_tlv {
u8 offset;
u8 mask[MT76_CONNAC_WOW_MASK_MAX_LEN];
u8 pattern[MT76_CONNAC_WOW_PATTEN_MAX_LEN];
- u8 rsv[7];
-} __packed;
+ u8 rsv[4];
+};
struct roc_acquire_tlv {
__le16 tag;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 282/449] wifi: mt76: mt7925: fix country count limitation for CLC
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 281/449] wifi: mt76: mt7925: ensure wow pattern command align fw format Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 283/449] wifi: mt76: mt7925: fix the wrong link_idx when a p2p_device is present Greg Kroah-Hartman
` (173 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ming Yen Hsieh, Felix Fietkau
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
commit 6458d760a0c0afd2fda11e83ed3e1125a252432f upstream.
Due to the increase in the number of power tables for 6Ghz on CLC,
the variable nr_country is no longer sufficient to represent the
total quantity. Therefore, we have switched to calculating the
length of clc buf to obtain the correct power table.
Cc: stable@vger.kernel.org
Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Link: https://patch.msgid.link/20250116062131.3860198-1-mingyen.hsieh@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
@@ -3125,13 +3125,14 @@ __mt7925_mcu_set_clc(struct mt792x_dev *
.env = env_cap,
};
int ret, valid_cnt = 0;
- u8 i, *pos;
+ u8 *pos, *last_pos;
if (!clc)
return 0;
pos = clc->data + sizeof(*seg) * clc->nr_seg;
- for (i = 0; i < clc->nr_country; i++) {
+ last_pos = clc->data + le32_to_cpu(*(__le32 *)(clc->data + 4));
+ while (pos < last_pos) {
struct mt7925_clc_rule *rule = (struct mt7925_clc_rule *)pos;
pos += sizeof(*rule);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 283/449] wifi: mt76: mt7925: fix the wrong link_idx when a p2p_device is present
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 282/449] wifi: mt76: mt7925: fix country count limitation for CLC Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 284/449] wifi: mt76: mt7925: fix the wrong simultaneous cap for MLO Greg Kroah-Hartman
` (172 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Wang, Caleb Jorden,
Ming Yen Hsieh, Felix Fietkau
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
commit 4bada9b0a29c185d45cc9512509edd6069fbfa79 upstream.
When the p2p device and MLO station are running concurrently, the p2p device
will occupy the wrong link_idx when the MLO secondary link is added.
Fixes: 9e4c3a007f01 ("wifi: mt76: connac: Extend mt76_connac_mcu_uni_add_dev for MLO")
Cc: stable@vger.kernel.org
Co-developed-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Tested-by: Caleb Jorden <cjorden@gmail.com>
Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Link: https://patch.msgid.link/20250305000851.493671-2-sean.wang@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/mt76.h | 1 +
drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 4 ++--
drivers/net/wireless/mediatek/mt76/mt7925/main.c | 14 ++++++++++----
3 files changed, 13 insertions(+), 6 deletions(-)
--- a/drivers/net/wireless/mediatek/mt76/mt76.h
+++ b/drivers/net/wireless/mediatek/mt76/mt76.h
@@ -769,6 +769,7 @@ struct mt76_testmode_data {
struct mt76_vif_link {
u8 idx;
+ u8 link_idx;
u8 omac_idx;
u8 band_idx;
u8 wmm_idx;
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
@@ -1168,7 +1168,7 @@ int mt76_connac_mcu_uni_add_dev(struct m
.tag = cpu_to_le16(DEV_INFO_ACTIVE),
.len = cpu_to_le16(sizeof(struct req_tlv)),
.active = enable,
- .link_idx = mvif->idx,
+ .link_idx = mvif->link_idx,
},
};
struct {
@@ -1191,7 +1191,7 @@ int mt76_connac_mcu_uni_add_dev(struct m
.bmc_tx_wlan_idx = cpu_to_le16(wcid->idx),
.sta_idx = cpu_to_le16(wcid->idx),
.conn_state = 1,
- .link_idx = mvif->idx,
+ .link_idx = mvif->link_idx,
},
};
int err, idx, cmd, len;
--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -360,10 +360,15 @@ static int mt7925_mac_link_bss_add(struc
struct mt76_txq *mtxq;
int idx, ret = 0;
- mconf->mt76.idx = __ffs64(~dev->mt76.vif_mask);
- if (mconf->mt76.idx >= MT792x_MAX_INTERFACES) {
- ret = -ENOSPC;
- goto out;
+ if (vif->type == NL80211_IFTYPE_P2P_DEVICE) {
+ mconf->mt76.idx = MT792x_MAX_INTERFACES;
+ } else {
+ mconf->mt76.idx = __ffs64(~dev->mt76.vif_mask);
+
+ if (mconf->mt76.idx >= MT792x_MAX_INTERFACES) {
+ ret = -ENOSPC;
+ goto out;
+ }
}
mconf->mt76.omac_idx = ieee80211_vif_is_mld(vif) ?
@@ -371,6 +376,7 @@ static int mt7925_mac_link_bss_add(struc
mconf->mt76.band_idx = 0xff;
mconf->mt76.wmm_idx = ieee80211_vif_is_mld(vif) ?
0 : mconf->mt76.idx % MT76_CONNAC_MAX_WMM_SETS;
+ mconf->mt76.link_idx = hweight16(mvif->valid_links);
if (mvif->phy->mt76->chandef.chan->band != NL80211_BAND_2GHZ)
mconf->mt76.basic_rates_idx = MT792x_BASIC_RATES_TBL + 4;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 284/449] wifi: mt76: mt7925: fix the wrong simultaneous cap for MLO
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 283/449] wifi: mt76: mt7925: fix the wrong link_idx when a p2p_device is present Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 285/449] wifi: mt76: mt7925: adjust rm BSS flow to prevent next connection failure Greg Kroah-Hartman
` (171 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Wang, Caleb Jorden,
Ming Yen Hsieh, Felix Fietkau
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
commit 7dcea6fe33ee3d7cbb65baee0dd7adc76d1c9ddc upstream.
The mt7925 chip is only support a single radio, so the maximum
number of simultaneous should be 0.
Fixes: 86c051f2c418 ("wifi: mt76: mt7925: enabling MLO when the firmware supports it")
Cc: stable@vger.kernel.org
Co-developed-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Tested-by: Caleb Jorden <cjorden@gmail.com>
Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Link: https://patch.msgid.link/20250305000851.493671-3-sean.wang@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/mt7925/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -256,7 +256,7 @@ int mt7925_init_mlo_caps(struct mt792x_p
ext_capab[0].eml_capabilities = phy->eml_cap;
ext_capab[0].mld_capa_and_ops =
- u16_encode_bits(1, IEEE80211_MLD_CAP_OP_MAX_SIMUL_LINKS);
+ u16_encode_bits(0, IEEE80211_MLD_CAP_OP_MAX_SIMUL_LINKS);
wiphy->flags |= WIPHY_FLAG_SUPPORTS_MLO;
wiphy->iftype_ext_capab = ext_capab;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 285/449] wifi: mt76: mt7925: adjust rm BSS flow to prevent next connection failure
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 284/449] wifi: mt76: mt7925: fix the wrong simultaneous cap for MLO Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 286/449] wifi: mt76: mt7925: integrate *mlo_sta_cmd and *sta_cmd Greg Kroah-Hartman
` (170 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Wang, Caleb Jorden,
Ming Yen Hsieh, Felix Fietkau
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
commit 0ebb60da8416c1d8e84c7e511a5687ce76a9467a upstream.
Removing BSS without removing STAREC first will cause firmware
abnormal and next connection fail.
Fixes: 816161051a03 ("wifi: mt76: mt7925: Cleanup MLO settings post-disconnection")
Cc: stable@vger.kernel.org
Co-developed-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Tested-by: Caleb Jorden <cjorden@gmail.com>
Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Link: https://patch.msgid.link/20250305000851.493671-4-sean.wang@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/mt7925/main.c | 66 +++++++++++------------
drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 56 +++++++++++++++++++
drivers/net/wireless/mediatek/mt76/mt7925/mcu.h | 2
3 files changed, 91 insertions(+), 33 deletions(-)
--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -1155,7 +1155,12 @@ static void mt7925_mac_link_sta_remove(s
struct mt792x_bss_conf *mconf;
mconf = mt792x_link_conf_to_mconf(link_conf);
- mt792x_mac_link_bss_remove(dev, mconf, mlink);
+
+ if (ieee80211_vif_is_mld(vif))
+ mt792x_mac_link_bss_remove(dev, mconf, mlink);
+ else
+ mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, link_conf,
+ link_sta, false);
}
spin_lock_bh(&mdev->sta_poll_lock);
@@ -1175,6 +1180,31 @@ mt7925_mac_sta_remove_links(struct mt792
struct mt76_wcid *wcid;
unsigned int link_id;
+ /* clean up bss before starec */
+ for_each_set_bit(link_id, &old_links, IEEE80211_MLD_MAX_NUM_LINKS) {
+ struct ieee80211_link_sta *link_sta;
+ struct ieee80211_bss_conf *link_conf;
+ struct mt792x_bss_conf *mconf;
+ struct mt792x_link_sta *mlink;
+
+ link_sta = mt792x_sta_to_link_sta(vif, sta, link_id);
+ if (!link_sta)
+ continue;
+
+ mlink = mt792x_sta_to_link(msta, link_id);
+ if (!mlink)
+ continue;
+
+ link_conf = mt792x_vif_to_bss_conf(vif, link_id);
+ if (!link_conf)
+ continue;
+
+ mconf = mt792x_link_conf_to_mconf(link_conf);
+
+ mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, link_conf,
+ link_sta, false);
+ }
+
for_each_set_bit(link_id, &old_links, IEEE80211_MLD_MAX_NUM_LINKS) {
struct ieee80211_link_sta *link_sta;
struct mt792x_link_sta *mlink;
@@ -1212,44 +1242,14 @@ void mt7925_mac_sta_remove(struct mt76_d
{
struct mt792x_dev *dev = container_of(mdev, struct mt792x_dev, mt76);
struct mt792x_sta *msta = (struct mt792x_sta *)sta->drv_priv;
- struct {
- struct {
- u8 omac_idx;
- u8 band_idx;
- __le16 pad;
- } __packed hdr;
- struct req_tlv {
- __le16 tag;
- __le16 len;
- u8 active;
- u8 link_idx; /* hw link idx */
- u8 omac_addr[ETH_ALEN];
- } __packed tlv;
- } dev_req = {
- .hdr = {
- .omac_idx = 0,
- .band_idx = 0,
- },
- .tlv = {
- .tag = cpu_to_le16(DEV_INFO_ACTIVE),
- .len = cpu_to_le16(sizeof(struct req_tlv)),
- .active = true,
- },
- };
unsigned long rem;
rem = ieee80211_vif_is_mld(vif) ? msta->valid_links : BIT(0);
mt7925_mac_sta_remove_links(dev, vif, sta, rem);
- if (ieee80211_vif_is_mld(vif)) {
- mt7925_mcu_set_dbdc(&dev->mphy, false);
-
- /* recovery omac address for the legacy interface */
- memcpy(dev_req.tlv.omac_addr, vif->addr, ETH_ALEN);
- mt76_mcu_send_msg(mdev, MCU_UNI_CMD(DEV_INFO_UPDATE),
- &dev_req, sizeof(dev_req), true);
- }
+ if (ieee80211_vif_is_mld(vif))
+ mt7925_mcu_del_dev(mdev, vif);
if (vif->type == NL80211_IFTYPE_STATION) {
struct mt792x_vif *mvif = (struct mt792x_vif *)vif->drv_priv;
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
@@ -2636,6 +2636,62 @@ int mt7925_mcu_set_timing(struct mt792x_
MCU_UNI_CMD(BSS_INFO_UPDATE), true);
}
+void mt7925_mcu_del_dev(struct mt76_dev *mdev,
+ struct ieee80211_vif *vif)
+{
+ struct mt76_vif_link *mvif = (struct mt76_vif_link *)vif->drv_priv;
+ struct {
+ struct {
+ u8 omac_idx;
+ u8 band_idx;
+ __le16 pad;
+ } __packed hdr;
+ struct req_tlv {
+ __le16 tag;
+ __le16 len;
+ u8 active;
+ u8 link_idx; /* hw link idx */
+ u8 omac_addr[ETH_ALEN];
+ } __packed tlv;
+ } dev_req = {
+ .tlv = {
+ .tag = cpu_to_le16(DEV_INFO_ACTIVE),
+ .len = cpu_to_le16(sizeof(struct req_tlv)),
+ .active = true,
+ },
+ };
+ struct {
+ struct {
+ u8 bss_idx;
+ u8 pad[3];
+ } __packed hdr;
+ struct mt76_connac_bss_basic_tlv basic;
+ } basic_req = {
+ .basic = {
+ .tag = cpu_to_le16(UNI_BSS_INFO_BASIC),
+ .len = cpu_to_le16(sizeof(struct mt76_connac_bss_basic_tlv)),
+ .active = true,
+ .conn_state = 1,
+ },
+ };
+
+ dev_req.hdr.omac_idx = mvif->omac_idx;
+ dev_req.hdr.band_idx = mvif->band_idx;
+
+ basic_req.hdr.bss_idx = mvif->idx;
+ basic_req.basic.omac_idx = mvif->omac_idx;
+ basic_req.basic.band_idx = mvif->band_idx;
+ basic_req.basic.link_idx = mvif->link_idx;
+
+ mt76_mcu_send_msg(mdev, MCU_UNI_CMD(BSS_INFO_UPDATE),
+ &basic_req, sizeof(basic_req), true);
+
+ /* recovery omac address for the legacy interface */
+ memcpy(dev_req.tlv.omac_addr, vif->addr, ETH_ALEN);
+ mt76_mcu_send_msg(mdev, MCU_UNI_CMD(DEV_INFO_UPDATE),
+ &dev_req, sizeof(dev_req), true);
+}
+
int mt7925_mcu_add_bss_info(struct mt792x_phy *phy,
struct ieee80211_chanctx_conf *ctx,
struct ieee80211_bss_conf *link_conf,
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h
@@ -627,6 +627,8 @@ int mt7925_mcu_sched_scan_req(struct mt7
int mt7925_mcu_sched_scan_enable(struct mt76_phy *phy,
struct ieee80211_vif *vif,
bool enable);
+void mt7925_mcu_del_dev(struct mt76_dev *mdev,
+ struct ieee80211_vif *vif);
int mt7925_mcu_add_bss_info(struct mt792x_phy *phy,
struct ieee80211_chanctx_conf *ctx,
struct ieee80211_bss_conf *link_conf,
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 286/449] wifi: mt76: mt7925: integrate *mlo_sta_cmd and *sta_cmd
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 285/449] wifi: mt76: mt7925: adjust rm BSS flow to prevent next connection failure Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 287/449] wifi: mt76: mt7925: update the power-saving flow Greg Kroah-Hartman
` (169 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Wang, Caleb Jorden,
Ming Yen Hsieh, Felix Fietkau
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
commit cb1353ef34735ec1e5d9efa1fe966f05ff1dc1e1 upstream.
Integrate *mlo_sta_cmd and *sta_cmd for the MLO firmware.
Fixes: 86c051f2c418 ("wifi: mt76: mt7925: enabling MLO when the firmware supports it")
Cc: stable@vger.kernel.org
Co-developed-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Tested-by: Caleb Jorden <cjorden@gmail.com>
Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Link: https://patch.msgid.link/20250305000851.493671-5-sean.wang@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 59 +-----------------------
1 file changed, 4 insertions(+), 55 deletions(-)
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
@@ -1818,49 +1818,6 @@ mt7925_mcu_sta_mld_tlv(struct sk_buff *s
}
}
-static int
-mt7925_mcu_sta_cmd(struct mt76_phy *phy,
- struct mt76_sta_cmd_info *info)
-{
- struct mt76_vif_link *mvif = (struct mt76_vif_link *)info->vif->drv_priv;
- struct mt76_dev *dev = phy->dev;
- struct sk_buff *skb;
- int conn_state;
-
- skb = __mt76_connac_mcu_alloc_sta_req(dev, mvif, info->wcid,
- MT7925_STA_UPDATE_MAX_SIZE);
- if (IS_ERR(skb))
- return PTR_ERR(skb);
-
- conn_state = info->enable ? CONN_STATE_PORT_SECURE :
- CONN_STATE_DISCONNECT;
- if (info->link_sta)
- mt76_connac_mcu_sta_basic_tlv(dev, skb, info->link_conf,
- info->link_sta,
- conn_state, info->newly);
- if (info->link_sta && info->enable) {
- mt7925_mcu_sta_phy_tlv(skb, info->vif, info->link_sta);
- mt7925_mcu_sta_ht_tlv(skb, info->link_sta);
- mt7925_mcu_sta_vht_tlv(skb, info->link_sta);
- mt76_connac_mcu_sta_uapsd(skb, info->vif, info->link_sta->sta);
- mt7925_mcu_sta_amsdu_tlv(skb, info->vif, info->link_sta);
- mt7925_mcu_sta_he_tlv(skb, info->link_sta);
- mt7925_mcu_sta_he_6g_tlv(skb, info->link_sta);
- mt7925_mcu_sta_eht_tlv(skb, info->link_sta);
- mt7925_mcu_sta_rate_ctrl_tlv(skb, info->vif,
- info->link_sta);
- mt7925_mcu_sta_state_v2_tlv(phy, skb, info->link_sta,
- info->vif, info->rcpi,
- info->state);
- mt7925_mcu_sta_mld_tlv(skb, info->vif, info->link_sta->sta);
- }
-
- if (info->enable)
- mt7925_mcu_sta_hdr_trans_tlv(skb, info->vif, info->link_sta);
-
- return mt76_mcu_skb_send_msg(dev, skb, info->cmd, true);
-}
-
static void
mt7925_mcu_sta_remove_tlv(struct sk_buff *skb)
{
@@ -1873,8 +1830,8 @@ mt7925_mcu_sta_remove_tlv(struct sk_buff
}
static int
-mt7925_mcu_mlo_sta_cmd(struct mt76_phy *phy,
- struct mt76_sta_cmd_info *info)
+mt7925_mcu_sta_cmd(struct mt76_phy *phy,
+ struct mt76_sta_cmd_info *info)
{
struct mt792x_vif *mvif = (struct mt792x_vif *)info->vif->drv_priv;
struct mt76_dev *dev = phy->dev;
@@ -1888,12 +1845,10 @@ mt7925_mcu_mlo_sta_cmd(struct mt76_phy *
if (IS_ERR(skb))
return PTR_ERR(skb);
- if (info->enable)
+ if (info->enable && info->link_sta) {
mt76_connac_mcu_sta_basic_tlv(dev, skb, info->link_conf,
info->link_sta,
info->enable, info->newly);
-
- if (info->enable && info->link_sta) {
mt7925_mcu_sta_phy_tlv(skb, info->vif, info->link_sta);
mt7925_mcu_sta_ht_tlv(skb, info->link_sta);
mt7925_mcu_sta_vht_tlv(skb, info->link_sta);
@@ -1944,7 +1899,6 @@ int mt7925_mcu_sta_update(struct mt792x_
};
struct mt792x_sta *msta;
struct mt792x_link_sta *mlink;
- int err;
if (link_sta) {
msta = (struct mt792x_sta *)link_sta->sta->drv_priv;
@@ -1957,12 +1911,7 @@ int mt7925_mcu_sta_update(struct mt792x_
else
info.newly = state == MT76_STA_INFO_STATE_ASSOC ? false : true;
- if (ieee80211_vif_is_mld(vif))
- err = mt7925_mcu_mlo_sta_cmd(&dev->mphy, &info);
- else
- err = mt7925_mcu_sta_cmd(&dev->mphy, &info);
-
- return err;
+ return mt7925_mcu_sta_cmd(&dev->mphy, &info);
}
int mt7925_mcu_set_beacon_filter(struct mt792x_dev *dev,
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 287/449] wifi: mt76: mt7925: update the power-saving flow
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 286/449] wifi: mt76: mt7925: integrate *mlo_sta_cmd and *sta_cmd Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 288/449] scsi: lpfc: Restore clearing of NLP_UNREG_INP in ndlp->nlp_flag Greg Kroah-Hartman
` (168 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Wang, Caleb Jorden,
Ming Yen Hsieh, Felix Fietkau
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
commit 276a568832577c81ec90b62dc506bbdc3781ca46 upstream.
After joining MLO, ensure that all links are setup before
enabling power-saving.
Fixes: 86c051f2c418 ("wifi: mt76: mt7925: enabling MLO when the firmware supports it")
Cc: stable@vger.kernel.org
Co-developed-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Tested-by: Caleb Jorden <cjorden@gmail.com>
Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Link: https://patch.msgid.link/20250305000851.493671-6-sean.wang@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/mt7925/init.c | 1
drivers/net/wireless/mediatek/mt76/mt7925/main.c | 68 +++++++++++++++++----
drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h | 1
drivers/net/wireless/mediatek/mt76/mt792x.h | 9 ++
4 files changed, 68 insertions(+), 11 deletions(-)
--- a/drivers/net/wireless/mediatek/mt76/mt7925/init.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/init.c
@@ -244,6 +244,7 @@ int mt7925_register_device(struct mt792x
dev->mt76.tx_worker.fn = mt792x_tx_worker;
INIT_DELAYED_WORK(&dev->pm.ps_work, mt792x_pm_power_save_work);
+ INIT_DELAYED_WORK(&dev->mlo_pm_work, mt7925_mlo_pm_work);
INIT_WORK(&dev->pm.wake_work, mt792x_pm_wake_work);
spin_lock_init(&dev->pm.wake.lock);
mutex_init(&dev->pm.mutex);
--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -427,6 +427,7 @@ mt7925_add_interface(struct ieee80211_hw
mvif->bss_conf.vif = mvif;
mvif->sta.vif = mvif;
mvif->deflink_id = IEEE80211_LINK_UNSPECIFIED;
+ mvif->mlo_pm_state = MT792x_MLO_LINK_DISASSOC;
ret = mt7925_mac_link_bss_add(dev, &vif->bss_conf, &mvif->sta.deflink);
if (ret < 0)
@@ -1242,6 +1243,7 @@ void mt7925_mac_sta_remove(struct mt76_d
{
struct mt792x_dev *dev = container_of(mdev, struct mt792x_dev, mt76);
struct mt792x_sta *msta = (struct mt792x_sta *)sta->drv_priv;
+ struct mt792x_vif *mvif = (struct mt792x_vif *)vif->drv_priv;
unsigned long rem;
rem = ieee80211_vif_is_mld(vif) ? msta->valid_links : BIT(0);
@@ -1252,11 +1254,11 @@ void mt7925_mac_sta_remove(struct mt76_d
mt7925_mcu_del_dev(mdev, vif);
if (vif->type == NL80211_IFTYPE_STATION) {
- struct mt792x_vif *mvif = (struct mt792x_vif *)vif->drv_priv;
-
mvif->wep_sta = NULL;
ewma_rssi_init(&mvif->bss_conf.rssi);
}
+
+ mvif->mlo_pm_state = MT792x_MLO_LINK_DISASSOC;
}
EXPORT_SYMBOL_GPL(mt7925_mac_sta_remove);
@@ -1328,6 +1330,38 @@ mt7925_ampdu_action(struct ieee80211_hw
return ret;
}
+static void
+mt7925_mlo_pm_iter(void *priv, u8 *mac, struct ieee80211_vif *vif)
+{
+ struct mt792x_dev *dev = priv;
+ struct mt792x_vif *mvif = (struct mt792x_vif *)vif->drv_priv;
+ unsigned long valid = ieee80211_vif_is_mld(vif) ?
+ mvif->valid_links : BIT(0);
+ struct ieee80211_bss_conf *bss_conf;
+ int i;
+
+ if (mvif->mlo_pm_state != MT792x_MLO_CHANGED_PS)
+ return;
+
+ mt792x_mutex_acquire(dev);
+ for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) {
+ bss_conf = mt792x_vif_to_bss_conf(vif, i);
+ mt7925_mcu_uni_bss_ps(dev, bss_conf);
+ }
+ mt792x_mutex_release(dev);
+}
+
+void mt7925_mlo_pm_work(struct work_struct *work)
+{
+ struct mt792x_dev *dev = container_of(work, struct mt792x_dev,
+ mlo_pm_work.work);
+ struct ieee80211_hw *hw = mt76_hw(dev);
+
+ ieee80211_iterate_active_interfaces(hw,
+ IEEE80211_IFACE_ITER_RESUME_ALL,
+ mt7925_mlo_pm_iter, dev);
+}
+
static bool is_valid_alpha2(const char *alpha2)
{
if (!alpha2)
@@ -1877,6 +1911,9 @@ static void mt7925_vif_cfg_changed(struc
mt7925_mcu_sta_update(dev, NULL, vif, true,
MT76_STA_INFO_STATE_ASSOC);
mt7925_mcu_set_beacon_filter(dev, vif, vif->cfg.assoc);
+
+ if (ieee80211_vif_is_mld(vif))
+ mvif->mlo_pm_state = MT792x_MLO_LINK_ASSOC;
}
if (changed & BSS_CHANGED_ARP_FILTER) {
@@ -1887,9 +1924,19 @@ static void mt7925_vif_cfg_changed(struc
}
if (changed & BSS_CHANGED_PS) {
- for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) {
- bss_conf = mt792x_vif_to_bss_conf(vif, i);
+ if (hweight16(mvif->valid_links) < 2) {
+ /* legacy */
+ bss_conf = &vif->bss_conf;
mt7925_mcu_uni_bss_ps(dev, bss_conf);
+ } else {
+ if (mvif->mlo_pm_state == MT792x_MLO_LINK_ASSOC) {
+ mvif->mlo_pm_state = MT792x_MLO_CHANGED_PS_PENDING;
+ } else if (mvif->mlo_pm_state == MT792x_MLO_CHANGED_PS) {
+ for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) {
+ bss_conf = mt792x_vif_to_bss_conf(vif, i);
+ mt7925_mcu_uni_bss_ps(dev, bss_conf);
+ }
+ }
}
}
@@ -1940,11 +1987,12 @@ static void mt7925_link_info_changed(str
if (changed & (BSS_CHANGED_QOS | BSS_CHANGED_BEACON_ENABLED))
mt7925_mcu_set_tx(dev, info);
- if (changed & BSS_CHANGED_BSSID) {
- if (ieee80211_vif_is_mld(vif) &&
- hweight16(mvif->valid_links) == 2)
- /* Indicate the secondary setup done */
- mt7925_mcu_uni_bss_bcnft(dev, info, true);
+ if (mvif->mlo_pm_state == MT792x_MLO_CHANGED_PS_PENDING) {
+ /* Indicate the secondary setup done */
+ mt7925_mcu_uni_bss_bcnft(dev, info, true);
+
+ ieee80211_queue_delayed_work(hw, &dev->mlo_pm_work, 5 * HZ);
+ mvif->mlo_pm_state = MT792x_MLO_CHANGED_PS;
}
mt792x_mutex_release(dev);
@@ -2028,8 +2076,6 @@ mt7925_change_vif_links(struct ieee80211
goto free;
if (mconf != &mvif->bss_conf) {
- mt7925_mcu_set_bss_pm(dev, link_conf, true);
-
err = mt7925_set_mlo_roc(phy, &mvif->bss_conf,
vif->active_links);
if (err < 0)
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h
@@ -268,6 +268,7 @@ int mt7925_mcu_uni_tx_ba(struct mt792x_d
int mt7925_mcu_uni_rx_ba(struct mt792x_dev *dev,
struct ieee80211_ampdu_params *params,
bool enable);
+void mt7925_mlo_pm_work(struct work_struct *work);
void mt7925_scan_work(struct work_struct *work);
void mt7925_roc_work(struct work_struct *work);
int mt7925_mcu_uni_bss_ps(struct mt792x_dev *dev,
--- a/drivers/net/wireless/mediatek/mt76/mt792x.h
+++ b/drivers/net/wireless/mediatek/mt76/mt792x.h
@@ -81,6 +81,13 @@ enum mt792x_reg_power_type {
MT_AP_VLP,
};
+enum mt792x_mlo_pm_state {
+ MT792x_MLO_LINK_DISASSOC,
+ MT792x_MLO_LINK_ASSOC,
+ MT792x_MLO_CHANGED_PS_PENDING,
+ MT792x_MLO_CHANGED_PS,
+};
+
DECLARE_EWMA(avg_signal, 10, 8)
struct mt792x_link_sta {
@@ -134,6 +141,7 @@ struct mt792x_vif {
struct mt792x_phy *phy;
u16 valid_links;
u8 deflink_id;
+ enum mt792x_mlo_pm_state mlo_pm_state;
struct work_struct csa_work;
struct timer_list csa_timer;
@@ -239,6 +247,7 @@ struct mt792x_dev {
const struct mt792x_irq_map *irq_map;
struct work_struct ipv6_ns_work;
+ struct delayed_work mlo_pm_work;
/* IPv6 addresses for WoWLAN */
struct sk_buff_head ipv6_ns_list;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 288/449] scsi: lpfc: Restore clearing of NLP_UNREG_INP in ndlp->nlp_flag
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 287/449] wifi: mt76: mt7925: update the power-saving flow Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 289/449] net: stmmac: Fix accessing freed irq affinity_hint Greg Kroah-Hartman
` (167 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marco Patalano, Ewan D. Milne,
Justin Tee, Martin K. Petersen
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ewan D. Milne <emilne@redhat.com>
commit 040492ac2578b66d3ff4dcefb4f56811634de53d upstream.
Commit 32566a6f1ae5 ("scsi: lpfc: Remove NLP_RELEASE_RPI flag from nodelist
structure") introduced a regression with SLI-3 adapters (e.g. LPe12000 8Gb)
where a Link Down / Link Up such as caused by disabling an host FC switch
port would result in the devices remaining in the transport-offline state
and multipath reporting them as failed. This problem was not seen with
newer SLI-4 adapters.
The problem was caused by portions of the patch which removed the functions
__lpfc_sli_rpi_release() and lpfc_sli_rpi_release() and all their callers.
This was presumably because with the removal of the NLP_RELEASE_RPI flag
there was no need to free the rpi.
However, __lpfc_sli_rpi_release() and lpfc_sli_rpi_release() which calls it
reset the NLP_UNREG_INP flag. And, lpfc_sli_def_mbox_cmpl() has a path
where __lpfc_sli_rpi_release() was called in a particular case where
NLP_UNREG_INP was not otherwise cleared because of other conditions.
Restoring the else clause of this conditional and simply clearing the
NLP_UNREG_INP flag appears to resolve the problem with SLI-3 adapters. It
should be noted that the code path in question is not specific to SLI-3,
but there are other SLI-4 code paths which may have masked the issue.
Fixes: 32566a6f1ae5 ("scsi: lpfc: Remove NLP_RELEASE_RPI flag from nodelist structure")
Cc: stable@vger.kernel.org
Tested-by: Marco Patalano <mpatalan@redhat.com>
Signed-off-by: Ewan D. Milne <emilne@redhat.com>
Link: https://lore.kernel.org/r/20250317163731.356873-1-emilne@redhat.com
Reviewed-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/lpfc/lpfc_sli.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -2923,6 +2923,8 @@ lpfc_sli_def_mbox_cmpl(struct lpfc_hba *
clear_bit(NLP_UNREG_INP, &ndlp->nlp_flag);
ndlp->nlp_defer_did = NLP_EVT_NOTHING_PENDING;
lpfc_issue_els_plogi(vport, ndlp->nlp_DID, 0);
+ } else {
+ clear_bit(NLP_UNREG_INP, &ndlp->nlp_flag);
}
/* The unreg_login mailbox is complete and had a
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 289/449] net: stmmac: Fix accessing freed irq affinity_hint
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 288/449] scsi: lpfc: Restore clearing of NLP_UNREG_INP in ndlp->nlp_flag Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 290/449] io_uring/net: fix accept multishot handling Greg Kroah-Hartman
` (166 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qingfang Deng, Jacob Keller,
Jakub Kicinski
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qingfang Deng <dqfext@gmail.com>
commit c60d101a226f18e9a8f01bb4c6ca2b47dfcb15ef upstream.
The cpumask should not be a local variable, since its pointer is saved
to irq_desc and may be accessed from procfs.
To fix it, use the persistent mask cpumask_of(cpu#).
Cc: stable@vger.kernel.org
Fixes: 8deec94c6040 ("net: stmmac: set IRQ affinity hint for multi MSI vectors")
Signed-off-by: Qingfang Deng <dqfext@gmail.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20250318032424.112067-1-dqfext@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -3640,7 +3640,6 @@ static int stmmac_request_irq_multi_msi(
{
struct stmmac_priv *priv = netdev_priv(dev);
enum request_irq_err irq_err;
- cpumask_t cpu_mask;
int irq_idx = 0;
char *int_name;
int ret;
@@ -3769,9 +3768,8 @@ static int stmmac_request_irq_multi_msi(
irq_idx = i;
goto irq_error;
}
- cpumask_clear(&cpu_mask);
- cpumask_set_cpu(i % num_online_cpus(), &cpu_mask);
- irq_set_affinity_hint(priv->rx_irq[i], &cpu_mask);
+ irq_set_affinity_hint(priv->rx_irq[i],
+ cpumask_of(i % num_online_cpus()));
}
/* Request Tx MSI irq */
@@ -3794,9 +3792,8 @@ static int stmmac_request_irq_multi_msi(
irq_idx = i;
goto irq_error;
}
- cpumask_clear(&cpu_mask);
- cpumask_set_cpu(i % num_online_cpus(), &cpu_mask);
- irq_set_affinity_hint(priv->tx_irq[i], &cpu_mask);
+ irq_set_affinity_hint(priv->tx_irq[i],
+ cpumask_of(i % num_online_cpus()));
}
return 0;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 290/449] io_uring/net: fix accept multishot handling
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 289/449] net: stmmac: Fix accessing freed irq affinity_hint Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 291/449] io_uring/net: fix io_req_post_cqe abuse by send bundle Greg Kroah-Hartman
` (165 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pavel Begunkov, Jens Axboe
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pavel Begunkov <asml.silence@gmail.com>
commit f6a89bf5278d6e15016a736db67043560d1b50d5 upstream.
REQ_F_APOLL_MULTISHOT doesn't guarantee it's executed from the multishot
context, so a multishot accept may get executed inline, fail
io_req_post_cqe(), and ask the core code to kill the request with
-ECANCELED by returning IOU_STOP_MULTISHOT even when a socket has been
accepted and installed.
Cc: stable@vger.kernel.org
Fixes: 390ed29b5e425 ("io_uring: add IORING_ACCEPT_MULTISHOT for accept")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/51c6deb01feaa78b08565ca8f24843c017f5bc80.1740331076.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/net.c | 2 ++
1 file changed, 2 insertions(+)
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -1650,6 +1650,8 @@ retry:
}
io_req_set_res(req, ret, cflags);
+ if (!(issue_flags & IO_URING_F_MULTISHOT))
+ return IOU_OK;
return IOU_STOP_MULTISHOT;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 291/449] io_uring/net: fix io_req_post_cqe abuse by send bundle
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 290/449] io_uring/net: fix accept multishot handling Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 292/449] io_uring/kbuf: reject zero sized provided buffers Greg Kroah-Hartman
` (164 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pavel Begunkov, Jens Axboe
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pavel Begunkov <asml.silence@gmail.com>
commit 6889ae1b4df1579bcdffef023e2ea9a982565dff upstream.
[ 114.987980][ T5313] WARNING: CPU: 6 PID: 5313 at io_uring/io_uring.c:872 io_req_post_cqe+0x12e/0x4f0
[ 114.991597][ T5313] RIP: 0010:io_req_post_cqe+0x12e/0x4f0
[ 115.001880][ T5313] Call Trace:
[ 115.002222][ T5313] <TASK>
[ 115.007813][ T5313] io_send+0x4fe/0x10f0
[ 115.009317][ T5313] io_issue_sqe+0x1a6/0x1740
[ 115.012094][ T5313] io_wq_submit_work+0x38b/0xed0
[ 115.013223][ T5313] io_worker_handle_work+0x62a/0x1600
[ 115.013876][ T5313] io_wq_worker+0x34f/0xdf0
As the comment states, io_req_post_cqe() should only be used by
multishot requests, i.e. REQ_F_APOLL_MULTISHOT, which bundled sends are
not. Add a flag signifying whether a request wants to post multiple
CQEs. Eventually REQ_F_APOLL_MULTISHOT should imply the new flag, but
that's left out for simplicity.
Cc: stable@vger.kernel.org
Fixes: a05d1f625c7aa ("io_uring/net: support bundles for send")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/8b611dbb54d1cd47a88681f5d38c84d0c02bc563.1743067183.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/io_uring_types.h | 3 +++
io_uring/io_uring.c | 4 ++--
io_uring/net.c | 1 +
3 files changed, 6 insertions(+), 2 deletions(-)
--- a/include/linux/io_uring_types.h
+++ b/include/linux/io_uring_types.h
@@ -470,6 +470,7 @@ enum {
REQ_F_SKIP_LINK_CQES_BIT,
REQ_F_SINGLE_POLL_BIT,
REQ_F_DOUBLE_POLL_BIT,
+ REQ_F_MULTISHOT_BIT,
REQ_F_APOLL_MULTISHOT_BIT,
REQ_F_CLEAR_POLLIN_BIT,
/* keep async read/write and isreg together and in order */
@@ -546,6 +547,8 @@ enum {
REQ_F_SINGLE_POLL = IO_REQ_FLAG(REQ_F_SINGLE_POLL_BIT),
/* double poll may active */
REQ_F_DOUBLE_POLL = IO_REQ_FLAG(REQ_F_DOUBLE_POLL_BIT),
+ /* request posts multiple completions, should be set at prep time */
+ REQ_F_MULTISHOT = IO_REQ_FLAG(REQ_F_MULTISHOT_BIT),
/* fast poll multishot mode */
REQ_F_APOLL_MULTISHOT = IO_REQ_FLAG(REQ_F_APOLL_MULTISHOT_BIT),
/* recvmsg special flag, clear EPOLLIN */
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -1818,7 +1818,7 @@ fail:
* Don't allow any multishot execution from io-wq. It's more restrictive
* than necessary and also cleaner.
*/
- if (req->flags & REQ_F_APOLL_MULTISHOT) {
+ if (req->flags & (REQ_F_MULTISHOT|REQ_F_APOLL_MULTISHOT)) {
err = -EBADFD;
if (!io_file_can_poll(req))
goto fail;
@@ -1829,7 +1829,7 @@ fail:
goto fail;
return;
} else {
- req->flags &= ~REQ_F_APOLL_MULTISHOT;
+ req->flags &= ~(REQ_F_APOLL_MULTISHOT|REQ_F_MULTISHOT);
}
}
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -429,6 +429,7 @@ int io_sendmsg_prep(struct io_kiocb *req
sr->msg_flags |= MSG_WAITALL;
sr->buf_group = req->buf_index;
req->buf_list = NULL;
+ req->flags |= REQ_F_MULTISHOT;
}
#ifdef CONFIG_COMPAT
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 292/449] io_uring/kbuf: reject zero sized provided buffers
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 291/449] io_uring/net: fix io_req_post_cqe abuse by send bundle Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 293/449] ASoC: codecs: wcd937x: fix a potential memory leak in wcd937x_soc_codec_probe() Greg Kroah-Hartman
` (163 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, syzbot+58928048fd1416f1457c,
Jens Axboe
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
commit cf960726eb65e8d0bfecbcce6cf95f47b1ffa6cc upstream.
This isn't fixing a real issue, but there's also zero point in going
through group and buffer setup, when the buffers are going to be
rejected once attempted to get used.
Cc: stable@vger.kernel.org
Reported-by: syzbot+58928048fd1416f1457c@syzkaller.appspotmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/kbuf.c | 2 ++
1 file changed, 2 insertions(+)
--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -480,6 +480,8 @@ int io_provide_buffers_prep(struct io_ki
p->nbufs = tmp;
p->addr = READ_ONCE(sqe->addr);
p->len = READ_ONCE(sqe->len);
+ if (!p->len)
+ return -EINVAL;
if (check_mul_overflow((unsigned long)p->len, (unsigned long)p->nbufs,
&size))
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 293/449] ASoC: codecs: wcd937x: fix a potential memory leak in wcd937x_soc_codec_probe()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 292/449] io_uring/kbuf: reject zero sized provided buffers Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 294/449] ASoC: q6apm: add q6apm_get_hw_pointer helper Greg Kroah-Hartman
` (162 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Mark Brown
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
commit 3e330acf4efd63876d673c046cd073a1d4ed57a8 upstream.
When snd_soc_dapm_new_controls() or snd_soc_dapm_add_routes() fails,
wcd937x_soc_codec_probe() returns without releasing 'wcd937x->clsh_info',
which is allocated by wcd_clsh_ctrl_alloc. Add wcd_clsh_ctrl_free()
to prevent potential memory leak.
Fixes: 313e978df7fc ("ASoC: codecs: wcd937x: add audio routing and Kconfig")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Link: https://patch.msgid.link/20250226085050.3584898-1-haoxiang_li2024@163.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/wcd937x.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/soc/codecs/wcd937x.c
+++ b/sound/soc/codecs/wcd937x.c
@@ -2563,6 +2563,7 @@ static int wcd937x_soc_codec_probe(struc
ARRAY_SIZE(wcd9375_dapm_widgets));
if (ret < 0) {
dev_err(component->dev, "Failed to add snd_ctls\n");
+ wcd_clsh_ctrl_free(wcd937x->clsh_info);
return ret;
}
@@ -2570,6 +2571,7 @@ static int wcd937x_soc_codec_probe(struc
ARRAY_SIZE(wcd9375_audio_map));
if (ret < 0) {
dev_err(component->dev, "Failed to add routes\n");
+ wcd_clsh_ctrl_free(wcd937x->clsh_info);
return ret;
}
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 294/449] ASoC: q6apm: add q6apm_get_hw_pointer helper
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 293/449] ASoC: codecs: wcd937x: fix a potential memory leak in wcd937x_soc_codec_probe() Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 295/449] ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs Greg Kroah-Hartman
` (161 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla,
Krzysztof Kozlowski, Johan Hovold, Mark Brown
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
commit 0badb5432fd525a00db5630c459b635e9d47f445 upstream.
Implement an helper function in q6apm to be able to read the current
hardware pointer for both read and write buffers.
This should help q6apm-dai to get the hardware pointer consistently
without it doing manual calculation, which could go wrong in some race
conditions.
Fixes: 9b4fe0f1cd79 ("ASoC: qdsp6: audioreach: add q6apm-dai support")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Tested-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Tested-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://patch.msgid.link/20250314174800.10142-3-srinivas.kandagatla@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6apm.c | 18 +++++++++++++++++-
sound/soc/qcom/qdsp6/q6apm.h | 3 +++
2 files changed, 20 insertions(+), 1 deletion(-)
--- a/sound/soc/qcom/qdsp6/q6apm.c
+++ b/sound/soc/qcom/qdsp6/q6apm.c
@@ -494,6 +494,19 @@ int q6apm_read(struct q6apm_graph *graph
}
EXPORT_SYMBOL_GPL(q6apm_read);
+int q6apm_get_hw_pointer(struct q6apm_graph *graph, int dir)
+{
+ struct audioreach_graph_data *data;
+
+ if (dir == SNDRV_PCM_STREAM_PLAYBACK)
+ data = &graph->rx_data;
+ else
+ data = &graph->tx_data;
+
+ return (int)atomic_read(&data->hw_ptr);
+}
+EXPORT_SYMBOL_GPL(q6apm_get_hw_pointer);
+
static int graph_callback(struct gpr_resp_pkt *data, void *priv, int op)
{
struct data_cmd_rsp_rd_sh_mem_ep_data_buffer_done_v2 *rd_done;
@@ -520,7 +533,8 @@ static int graph_callback(struct gpr_res
done = data->payload;
phys = graph->rx_data.buf[token].phys;
mutex_unlock(&graph->lock);
-
+ /* token numbering starts at 0 */
+ atomic_set(&graph->rx_data.hw_ptr, token + 1);
if (lower_32_bits(phys) == done->buf_addr_lsw &&
upper_32_bits(phys) == done->buf_addr_msw) {
graph->result.opcode = hdr->opcode;
@@ -553,6 +567,8 @@ static int graph_callback(struct gpr_res
rd_done = data->payload;
phys = graph->tx_data.buf[hdr->token].phys;
mutex_unlock(&graph->lock);
+ /* token numbering starts at 0 */
+ atomic_set(&graph->tx_data.hw_ptr, hdr->token + 1);
if (upper_32_bits(phys) == rd_done->buf_addr_msw &&
lower_32_bits(phys) == rd_done->buf_addr_lsw) {
--- a/sound/soc/qcom/qdsp6/q6apm.h
+++ b/sound/soc/qcom/qdsp6/q6apm.h
@@ -2,6 +2,7 @@
#ifndef __Q6APM_H__
#define __Q6APM_H__
#include <linux/types.h>
+#include <linux/atomic.h>
#include <linux/slab.h>
#include <linux/wait.h>
#include <linux/kernel.h>
@@ -77,6 +78,7 @@ struct audioreach_graph_data {
uint32_t num_periods;
uint32_t dsp_buf;
uint32_t mem_map_handle;
+ atomic_t hw_ptr;
};
struct audioreach_graph {
@@ -150,4 +152,5 @@ int q6apm_enable_compress_module(struct
int q6apm_remove_initial_silence(struct device *dev, struct q6apm_graph *graph, uint32_t samples);
int q6apm_remove_trailing_silence(struct device *dev, struct q6apm_graph *graph, uint32_t samples);
int q6apm_set_real_module_id(struct device *dev, struct q6apm_graph *graph, uint32_t codec_id);
+int q6apm_get_hw_pointer(struct q6apm_graph *graph, int dir);
#endif /* __APM_GRAPH_ */
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 295/449] ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 294/449] ASoC: q6apm: add q6apm_get_hw_pointer helper Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 296/449] ASoC: q6apm-dai: make use of q6apm_get_hw_pointer Greg Kroah-Hartman
` (160 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Srinivas Kandagatla, Johan Hovold, Mark Brown
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
commit 3d4a4411aa8bbc3653ff22a1ff0432eb93d22ae0 upstream.
With the existing code, we are only setting up one period at a time, in a
ping-pong buffer style. This triggers lot of underruns in the dsp
leading to jitter noise during audio playback.
Fix this by scheduling all available periods, this will ensure that the dsp
has enough buffer feed and ultimatley fixing the underruns and audio
distortion.
Fixes: 9b4fe0f1cd79 ("ASoC: qdsp6: audioreach: add q6apm-dai support")
Cc: stable@vger.kernel.org
Reported-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Tested-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Tested-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://patch.msgid.link/20250314174800.10142-2-srinivas.kandagatla@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6apm-dai.c | 28 +++++++++++++++++++++++-----
1 file changed, 23 insertions(+), 5 deletions(-)
--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
@@ -70,6 +70,7 @@ struct q6apm_dai_rtd {
unsigned int bytes_received;
unsigned int copied_total;
uint16_t bits_per_sample;
+ snd_pcm_uframes_t queue_ptr;
bool next_track;
enum stream_state state;
struct q6apm_graph *graph;
@@ -134,8 +135,6 @@ static void event_handler(uint32_t opcod
prtd->pos += prtd->pcm_count;
spin_unlock_irqrestore(&prtd->lock, flags);
snd_pcm_period_elapsed(substream);
- if (prtd->state == Q6APM_STREAM_RUNNING)
- q6apm_write_async(prtd->graph, prtd->pcm_count, 0, 0, 0);
break;
case APM_CLIENT_EVENT_DATA_READ_DONE:
@@ -294,6 +293,27 @@ static int q6apm_dai_prepare(struct snd_
return 0;
}
+static int q6apm_dai_ack(struct snd_soc_component *component, struct snd_pcm_substream *substream)
+{
+ struct snd_pcm_runtime *runtime = substream->runtime;
+ struct q6apm_dai_rtd *prtd = runtime->private_data;
+ int i, ret = 0, avail_periods;
+
+ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
+ avail_periods = (runtime->control->appl_ptr - prtd->queue_ptr)/runtime->period_size;
+ for (i = 0; i < avail_periods; i++) {
+ ret = q6apm_write_async(prtd->graph, prtd->pcm_count, 0, 0, NO_TIMESTAMP);
+ if (ret < 0) {
+ dev_err(component->dev, "Error queuing playback buffer %d\n", ret);
+ return ret;
+ }
+ prtd->queue_ptr += runtime->period_size;
+ }
+ }
+
+ return ret;
+}
+
static int q6apm_dai_trigger(struct snd_soc_component *component,
struct snd_pcm_substream *substream, int cmd)
{
@@ -305,9 +325,6 @@ static int q6apm_dai_trigger(struct snd_
case SNDRV_PCM_TRIGGER_START:
case SNDRV_PCM_TRIGGER_RESUME:
case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
- /* start writing buffers for playback only as we already queued capture buffers */
- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
- ret = q6apm_write_async(prtd->graph, prtd->pcm_count, 0, 0, 0);
break;
case SNDRV_PCM_TRIGGER_STOP:
/* TODO support be handled via SoftPause Module */
@@ -836,6 +853,7 @@ static const struct snd_soc_component_dr
.hw_params = q6apm_dai_hw_params,
.pointer = q6apm_dai_pointer,
.trigger = q6apm_dai_trigger,
+ .ack = q6apm_dai_ack,
.compress_ops = &q6apm_dai_compress_ops,
.use_dai_pcm_id = true,
};
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 296/449] ASoC: q6apm-dai: make use of q6apm_get_hw_pointer
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 295/449] ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 297/449] ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment Greg Kroah-Hartman
` (159 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla,
Krzysztof Kozlowski, Johan Hovold, Mark Brown
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
commit a93dad6f4e6a04a5943f6ee5686585f24abf7063 upstream.
With the existing code, the buffer position is only reset in pointer
callback, which leaves the possiblity of it going over the size of
buffer size and reporting incorrect position to userspace.
Without this patch, its possible to see errors like:
snd-x1e80100 sound: invalid position: pcmC0D0p:0, pos = 12288, buffer size = 12288, period size = 1536
snd-x1e80100 sound: invalid position: pcmC0D0p:0, pos = 12288, buffer size = 12288, period size = 1536
Fixes: 9b4fe0f1cd791 ("ASoC: qdsp6: audioreach: add q6apm-dai support")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Tested-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Tested-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://patch.msgid.link/20250314174800.10142-4-srinivas.kandagatla@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6apm-dai.c | 23 ++++-------------------
1 file changed, 4 insertions(+), 19 deletions(-)
--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
@@ -64,7 +64,6 @@ struct q6apm_dai_rtd {
phys_addr_t phys;
unsigned int pcm_size;
unsigned int pcm_count;
- unsigned int pos; /* Buffer position */
unsigned int periods;
unsigned int bytes_sent;
unsigned int bytes_received;
@@ -124,23 +123,16 @@ static void event_handler(uint32_t opcod
{
struct q6apm_dai_rtd *prtd = priv;
struct snd_pcm_substream *substream = prtd->substream;
- unsigned long flags;
switch (opcode) {
case APM_CLIENT_EVENT_CMD_EOS_DONE:
prtd->state = Q6APM_STREAM_STOPPED;
break;
case APM_CLIENT_EVENT_DATA_WRITE_DONE:
- spin_lock_irqsave(&prtd->lock, flags);
- prtd->pos += prtd->pcm_count;
- spin_unlock_irqrestore(&prtd->lock, flags);
snd_pcm_period_elapsed(substream);
break;
case APM_CLIENT_EVENT_DATA_READ_DONE:
- spin_lock_irqsave(&prtd->lock, flags);
- prtd->pos += prtd->pcm_count;
- spin_unlock_irqrestore(&prtd->lock, flags);
snd_pcm_period_elapsed(substream);
if (prtd->state == Q6APM_STREAM_RUNNING)
q6apm_read(prtd->graph);
@@ -247,7 +239,6 @@ static int q6apm_dai_prepare(struct snd_
}
prtd->pcm_count = snd_pcm_lib_period_bytes(substream);
- prtd->pos = 0;
/* rate and channels are sent to audio driver */
ret = q6apm_graph_media_format_shmem(prtd->graph, &cfg);
if (ret < 0) {
@@ -445,16 +436,12 @@ static snd_pcm_uframes_t q6apm_dai_point
struct snd_pcm_runtime *runtime = substream->runtime;
struct q6apm_dai_rtd *prtd = runtime->private_data;
snd_pcm_uframes_t ptr;
- unsigned long flags;
- spin_lock_irqsave(&prtd->lock, flags);
- if (prtd->pos == prtd->pcm_size)
- prtd->pos = 0;
-
- ptr = bytes_to_frames(runtime, prtd->pos);
- spin_unlock_irqrestore(&prtd->lock, flags);
+ ptr = q6apm_get_hw_pointer(prtd->graph, substream->stream) * runtime->period_size;
+ if (ptr)
+ return ptr - 1;
- return ptr;
+ return 0;
}
static int q6apm_dai_hw_params(struct snd_soc_component *component,
@@ -669,8 +656,6 @@ static int q6apm_dai_compr_set_params(st
prtd->pcm_size = runtime->fragments * runtime->fragment_size;
prtd->bits_per_sample = 16;
- prtd->pos = 0;
-
if (prtd->next_track != true) {
memcpy(&prtd->codec, codec, sizeof(*codec));
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 297/449] ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment.
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 296/449] ASoC: q6apm-dai: make use of q6apm_get_hw_pointer Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 298/449] ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns Greg Kroah-Hartman
` (158 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla, Johan Hovold,
Mark Brown
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
commit 3107019501842c27334554ba9d6583b1f200f61f upstream.
DSP expects the periods to be aligned to fragment sizes, currently
setting up to hw constriants on periods bytes is not going to work
correctly as we can endup with periods sizes aligned to 32 bytes however
not aligned to fragment size.
Update the constriants to use fragment size, and also set at step of
10ms for period size to accommodate DSP requirements of 10ms latency.
Fixes: 9b4fe0f1cd79 ("ASoC: qdsp6: audioreach: add q6apm-dai support")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Tested-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://patch.msgid.link/20250314174800.10142-5-srinivas.kandagatla@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6apm-dai.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
@@ -385,13 +385,14 @@ static int q6apm_dai_open(struct snd_soc
}
}
- ret = snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_PERIOD_BYTES, 32);
+ /* setup 10ms latency to accommodate DSP restrictions */
+ ret = snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, 480);
if (ret < 0) {
dev_err(dev, "constraint for period bytes step ret = %d\n", ret);
goto err;
}
- ret = snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_BUFFER_BYTES, 32);
+ ret = snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_BUFFER_SIZE, 480);
if (ret < 0) {
dev_err(dev, "constraint for buffer bytes step ret = %d\n", ret);
goto err;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 298/449] ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns.
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 297/449] ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 299/449] ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path Greg Kroah-Hartman
` (157 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla,
Krzysztof Kozlowski, Johan Hovold, Mark Brown
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
commit 5d01ed9b9939b4c726be74db291a982bc984c584 upstream.
Period sizes less than 6k for capture path triggers overruns in the
dsp capture pipeline.
Change the period size and number of periods to value which DSP is happy with.
Fixes: 9b4fe0f1cd79 ("ASoC: qdsp6: audioreach: add q6apm-dai support")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Tested-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Tested-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://patch.msgid.link/20250314174800.10142-6-srinivas.kandagatla@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6apm-dai.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
@@ -24,8 +24,8 @@
#define PLAYBACK_MIN_PERIOD_SIZE 128
#define CAPTURE_MIN_NUM_PERIODS 2
#define CAPTURE_MAX_NUM_PERIODS 8
-#define CAPTURE_MAX_PERIOD_SIZE 4096
-#define CAPTURE_MIN_PERIOD_SIZE 320
+#define CAPTURE_MAX_PERIOD_SIZE 65536
+#define CAPTURE_MIN_PERIOD_SIZE 6144
#define BUFFER_BYTES_MAX (PLAYBACK_MAX_NUM_PERIODS * PLAYBACK_MAX_PERIOD_SIZE)
#define BUFFER_BYTES_MIN (PLAYBACK_MIN_NUM_PERIODS * PLAYBACK_MIN_PERIOD_SIZE)
#define COMPR_PLAYBACK_MAX_FRAGMENT_SIZE (128 * 1024)
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 299/449] ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 298/449] ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 300/449] ALSA: hda/realtek: Enable Mute LED on HP OMEN 16 Laptop xd000xx Greg Kroah-Hartman
` (156 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla, Vinod Koul,
Pierre-Louis Bossart, Alexey Klimov, Mark Brown
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Klimov <alexey.klimov@linaro.org>
commit 7eccc86e90f04a0d758d16c08627a620ac59604d upstream.
In case of attempts to compress playback something, for instance,
when audio routing is not set up correctly, the audio DSP is left in
inconsistent state because we are not doing the correct things in
the error path of q6asm_dai_compr_set_params().
So, when routing is not set up and compress playback is attempted
the following errors are present (simplified log):
q6routing routing: Routing not setup for MultiMedia-1 Session
q6asm-dai dais: Stream reg failed ret:-22
q6asm-dai dais: ASoC error (-22): at snd_soc_component_compr_set_params()
on 17300000.remoteproc:glink-edge:apr:service@7:dais
After setting the correct routing the compress playback will always fail:
q6asm-dai dais: cmd = 0x10db3 returned error = 0x9
q6asm-dai dais: DSP returned error[9]
q6asm-dai dais: q6asm_open_write failed
q6asm-dai dais: ASoC error (-22): at snd_soc_component_compr_set_params()
on 17300000.remoteproc:glink-edge:apr:service@7:dais
0x9 here means "Operation is already processed". The CMD_OPEN here was
sent the second time hence DSP responds that it was already done.
Turns out the CMD_CLOSE should be sent after the q6asm_open_write()
succeeded but something failed after that, for instance, routing
setup.
Fix this by slightly reworking the error path in
q6asm_dai_compr_set_params().
Tested on QRB5165 RB5 and SDM845 RB3 boards.
Cc: stable@vger.kernel.org
Fixes: 5b39363e54cc ("ASoC: q6asm-dai: prepare set params to accept profile change")
Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Cc: Vinod Koul <vkoul@kernel.org>
Cc: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Signed-off-by: Alexey Klimov <alexey.klimov@linaro.org>
Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://patch.msgid.link/20250327154650.337404-1-alexey.klimov@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6asm-dai.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
@@ -892,9 +892,7 @@ static int q6asm_dai_compr_set_params(st
if (ret < 0) {
dev_err(dev, "q6asm_open_write failed\n");
- q6asm_audio_client_free(prtd->audio_client);
- prtd->audio_client = NULL;
- return ret;
+ goto open_err;
}
}
@@ -903,7 +901,7 @@ static int q6asm_dai_compr_set_params(st
prtd->session_id, dir);
if (ret) {
dev_err(dev, "Stream reg failed ret:%d\n", ret);
- return ret;
+ goto q6_err;
}
ret = __q6asm_dai_compr_set_codec_params(component, stream,
@@ -911,7 +909,7 @@ static int q6asm_dai_compr_set_params(st
prtd->stream_id);
if (ret) {
dev_err(dev, "codec param setup failed ret:%d\n", ret);
- return ret;
+ goto q6_err;
}
ret = q6asm_map_memory_regions(dir, prtd->audio_client, prtd->phys,
@@ -920,12 +918,21 @@ static int q6asm_dai_compr_set_params(st
if (ret < 0) {
dev_err(dev, "Buffer Mapping failed ret:%d\n", ret);
- return -ENOMEM;
+ ret = -ENOMEM;
+ goto q6_err;
}
prtd->state = Q6ASM_STREAM_RUNNING;
return 0;
+
+q6_err:
+ q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
+
+open_err:
+ q6asm_audio_client_free(prtd->audio_client);
+ prtd->audio_client = NULL;
+ return ret;
}
static int q6asm_dai_compr_set_metadata(struct snd_soc_component *component,
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 300/449] ALSA: hda/realtek: Enable Mute LED on HP OMEN 16 Laptop xd000xx
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 299/449] ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 301/449] accel/ivpu: Fix warning in ivpu_ipc_send_receive_internal() Greg Kroah-Hartman
` (155 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sharan Kumar M, Takashi Iwai
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sharan Kumar M <sharweshraajan@gmail.com>
commit e5182305a5199246dbcb4053299dcb1c8867b6ff upstream.
This patch adds the HP OMEN 16 Laptop xd000xx to enable mute led.
it uses ALC245_FIXUP_HP_MUTE_LED_COEFBIT with a slight modification
setting mute_led_coef.off to 0(it was set to 4 i guess
in that function) which i referred to your previous patch disscusion
https://bugzilla.kernel.org/show_bug.cgi?id=214735 .
i am not sure whether i can modify the current working function so i
added another version calling
ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT. and both works for me.
Tested on 6.13.4-arch1-1 to 6.14.0-arch1-1
Signed-off-by: Sharan Kumar M <sharweshraajan@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20250329154105.7618-2-sharweshraajan@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -4742,6 +4742,22 @@ static void alc245_fixup_hp_mute_led_coe
}
}
+static void alc245_fixup_hp_mute_led_v1_coefbit(struct hda_codec *codec,
+ const struct hda_fixup *fix,
+ int action)
+{
+ struct alc_spec *spec = codec->spec;
+
+ if (action == HDA_FIXUP_ACT_PRE_PROBE) {
+ spec->mute_led_polarity = 0;
+ spec->mute_led_coef.idx = 0x0b;
+ spec->mute_led_coef.mask = 1 << 3;
+ spec->mute_led_coef.on = 1 << 3;
+ spec->mute_led_coef.off = 0;
+ snd_hda_gen_add_mute_led_cdev(codec, coef_mute_led_set);
+ }
+}
+
/* turn on/off mic-mute LED per capture hook by coef bit */
static int coef_micmute_led_set(struct led_classdev *led_cdev,
enum led_brightness brightness)
@@ -7885,6 +7901,7 @@ enum {
ALC245_FIXUP_TAS2781_SPI_2,
ALC287_FIXUP_YOGA7_14ARB7_I2C,
ALC245_FIXUP_HP_MUTE_LED_COEFBIT,
+ ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT,
ALC245_FIXUP_HP_X360_MUTE_LEDS,
ALC287_FIXUP_THINKPAD_I2S_SPK,
ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD,
@@ -10132,6 +10149,10 @@ static const struct hda_fixup alc269_fix
.type = HDA_FIXUP_FUNC,
.v.func = alc245_fixup_hp_mute_led_coefbit,
},
+ [ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc245_fixup_hp_mute_led_v1_coefbit,
+ },
[ALC245_FIXUP_HP_X360_MUTE_LEDS] = {
.type = HDA_FIXUP_FUNC,
.v.func = alc245_fixup_hp_mute_led_coefbit,
@@ -10626,6 +10647,7 @@ static const struct hda_quirk alc269_fix
SND_PCI_QUIRK(0x103c, 0x8b97, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
SND_PCI_QUIRK(0x103c, 0x8bb3, "HP Slim OMEN", ALC287_FIXUP_CS35L41_I2C_2),
SND_PCI_QUIRK(0x103c, 0x8bb4, "HP Slim OMEN", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8bcd, "HP Omen 16-xd0xxx", ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT),
SND_PCI_QUIRK(0x103c, 0x8bdd, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2),
SND_PCI_QUIRK(0x103c, 0x8bde, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2),
SND_PCI_QUIRK(0x103c, 0x8bdf, "HP Envy 15", ALC287_FIXUP_CS35L41_I2C_2),
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 301/449] accel/ivpu: Fix warning in ivpu_ipc_send_receive_internal()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 300/449] ALSA: hda/realtek: Enable Mute LED on HP OMEN 16 Laptop xd000xx Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 302/449] accel/ivpu: Fix deadlock in ivpu_ms_cleanup() Greg Kroah-Hartman
` (154 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maciej Falkowski, Lizhi Hou,
Jacek Lawrynowicz
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
commit 6b4568b675b14cf890c0c21779773c3e08e80ce5 upstream.
Warn if device is suspended only when runtime PM is enabled.
Runtime PM is disabled during reset/recovery and it is not an error
to use ivpu_ipc_send_receive_internal() in such cases.
Fixes: 5eaa49741119 ("accel/ivpu: Prevent recovery invocation during probe and resume")
Cc: stable@vger.kernel.org # v6.13+
Signed-off-by: Maciej Falkowski <maciej.falkowski@linux.intel.com>
Reviewed-by: Lizhi Hou <lizhi.hou@amd.com>
Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
Link: https://lore.kernel.org/r/20250325114219.3739951-1-maciej.falkowski@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/accel/ivpu/ivpu_ipc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/accel/ivpu/ivpu_ipc.c
+++ b/drivers/accel/ivpu/ivpu_ipc.c
@@ -302,7 +302,8 @@ ivpu_ipc_send_receive_internal(struct iv
struct ivpu_ipc_consumer cons;
int ret;
- drm_WARN_ON(&vdev->drm, pm_runtime_status_suspended(vdev->drm.dev));
+ drm_WARN_ON(&vdev->drm, pm_runtime_status_suspended(vdev->drm.dev) &&
+ pm_runtime_enabled(vdev->drm.dev));
ivpu_ipc_consumer_add(vdev, &cons, channel, NULL);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 302/449] accel/ivpu: Fix deadlock in ivpu_ms_cleanup()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 301/449] accel/ivpu: Fix warning in ivpu_ipc_send_receive_internal() Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 303/449] arm/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch() Greg Kroah-Hartman
` (153 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maciej Falkowski, Lizhi Hou,
Jacek Lawrynowicz
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
commit 9a6f56762d23a1f3af15e67901493c927caaf882 upstream.
Fix deadlock in ivpu_ms_cleanup() by preventing runtime resume after
file_priv->ms_lock is acquired.
During a failure in runtime resume, a cold boot is executed, which
calls ivpu_ms_cleanup_all(). This function calls ivpu_ms_cleanup()
that acquires file_priv->ms_lock and causes the deadlock.
Fixes: cdfad4db7756 ("accel/ivpu: Add NPU profiling support")
Cc: stable@vger.kernel.org # v6.11+
Signed-off-by: Maciej Falkowski <maciej.falkowski@linux.intel.com>
Reviewed-by: Lizhi Hou <lizhi.hou@amd.com>
Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
Link: https://lore.kernel.org/r/20250325114306.3740022-2-maciej.falkowski@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/accel/ivpu/ivpu_ms.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/accel/ivpu/ivpu_ms.c
+++ b/drivers/accel/ivpu/ivpu_ms.c
@@ -4,6 +4,7 @@
*/
#include <drm/drm_file.h>
+#include <linux/pm_runtime.h>
#include "ivpu_drv.h"
#include "ivpu_gem.h"
@@ -299,6 +300,9 @@ unlock:
void ivpu_ms_cleanup(struct ivpu_file_priv *file_priv)
{
struct ivpu_ms_instance *ms, *tmp;
+ struct ivpu_device *vdev = file_priv->vdev;
+
+ pm_runtime_get_sync(vdev->drm.dev);
mutex_lock(&file_priv->ms_lock);
@@ -311,6 +315,8 @@ void ivpu_ms_cleanup(struct ivpu_file_pr
free_instance(file_priv, ms);
mutex_unlock(&file_priv->ms_lock);
+
+ pm_runtime_put_autosuspend(vdev->drm.dev);
}
void ivpu_ms_cleanup_all(struct ivpu_device *vdev)
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 303/449] arm/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 302/449] accel/ivpu: Fix deadlock in ivpu_ms_cleanup() Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 304/449] arm64/crc-t10dif: " Greg Kroah-Hartman
` (152 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Binderman, Eric Biggers
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 3371f569223c4e8d36edbb0ba789ee5f5cb7316f upstream.
Fix a silly bug where an array was used outside of its scope.
Fixes: 1684e8293605 ("arm/crc-t10dif: expose CRC-T10DIF function through lib")
Cc: stable@vger.kernel.org
Reported-by: David Binderman <dcb314@hotmail.com>
Closes: https://lore.kernel.org/r/AS8PR02MB102170568EAE7FFDF93C8D1ED9CA62@AS8PR02MB10217.eurprd02.prod.outlook.com
Link: https://lore.kernel.org/r/20250326200812.125574-1-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/lib/crc-t10dif-glue.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/arch/arm/lib/crc-t10dif-glue.c b/arch/arm/lib/crc-t10dif-glue.c
index f3584ba70e57..6efad3d78284 100644
--- a/arch/arm/lib/crc-t10dif-glue.c
+++ b/arch/arm/lib/crc-t10dif-glue.c
@@ -44,9 +44,7 @@ u16 crc_t10dif_arch(u16 crc, const u8 *data, size_t length)
crc_t10dif_pmull8(crc, data, length, buf);
kernel_neon_end();
- crc = 0;
- data = buf;
- length = sizeof(buf);
+ return crc_t10dif_generic(0, buf, sizeof(buf));
}
}
return crc_t10dif_generic(crc, data, length);
--
2.49.0
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 304/449] arm64/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 303/449] arm/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch() Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 305/449] bus: mhi: host: Fix race between unprepare and queue_buf Greg Kroah-Hartman
` (151 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Binderman, Eric Biggers
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit d48b663f410f8b35b8ba9bd597bafaa00f53293b upstream.
Fix a silly bug where an array was used outside of its scope.
Fixes: 2051da858534 ("arm64/crc-t10dif: expose CRC-T10DIF function through lib")
Cc: stable@vger.kernel.org
Reported-by: David Binderman <dcb314@hotmail.com>
Closes: https://lore.kernel.org/r/AS8PR02MB102170568EAE7FFDF93C8D1ED9CA62@AS8PR02MB10217.eurprd02.prod.outlook.com
Link: https://lore.kernel.org/r/20250326200918.125743-1-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/lib/crc-t10dif-glue.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/arch/arm64/lib/crc-t10dif-glue.c b/arch/arm64/lib/crc-t10dif-glue.c
index a007d0c5f3fe..bacd18f23168 100644
--- a/arch/arm64/lib/crc-t10dif-glue.c
+++ b/arch/arm64/lib/crc-t10dif-glue.c
@@ -45,9 +45,7 @@ u16 crc_t10dif_arch(u16 crc, const u8 *data, size_t length)
crc_t10dif_pmull_p8(crc, data, length, buf);
kernel_neon_end();
- crc = 0;
- data = buf;
- length = sizeof(buf);
+ return crc_t10dif_generic(0, buf, sizeof(buf));
}
}
return crc_t10dif_generic(crc, data, length);
--
2.49.0
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 305/449] bus: mhi: host: Fix race between unprepare and queue_buf
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 304/449] arm64/crc-t10dif: " Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 306/449] ext4: fix off-by-one error in do_split Greg Kroah-Hartman
` (150 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeffrey Hugo, Jeff Hugo,
Krishna Chaitanya Chundru, Youssef Samir, Manivannan Sadhasivam,
Troy Hanson
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Hugo <quic_jhugo@quicinc.com>
commit 0686a818d77a431fc3ba2fab4b46bbb04e8c9380 upstream.
A client driver may use mhi_unprepare_from_transfer() to quiesce
incoming data during the client driver's tear down. The client driver
might also be processing data at the same time, resulting in a call to
mhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runs
after mhi_unprepare_from_transfer() has torn down the channel, a panic
will occur due to an invalid dereference leading to a page fault.
This occurs because mhi_gen_tre() does not verify the channel state
after locking it. Fix this by having mhi_gen_tre() confirm the channel
state is valid, or return error to avoid accessing deinitialized data.
Cc: stable@vger.kernel.org # 6.8
Fixes: b89b6a863dd5 ("bus: mhi: host: Add spinlock to protect WP access when queueing TREs")
Signed-off-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Signed-off-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
Reviewed-by: Krishna Chaitanya Chundru <krishna.chundru@oss.qualcomm.com>
Reviewed-by: Youssef Samir <quic_yabdulra@quicinc.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Reviewed-by: Troy Hanson <quic_thanson@quicinc.com>
Link: https://lore.kernel.org/r/20250306172913.856982-1-jeff.hugo@oss.qualcomm.com
[mani: added stable tag]
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bus/mhi/host/main.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
--- a/drivers/bus/mhi/host/main.c
+++ b/drivers/bus/mhi/host/main.c
@@ -1207,11 +1207,16 @@ int mhi_gen_tre(struct mhi_controller *m
struct mhi_ring_element *mhi_tre;
struct mhi_buf_info *buf_info;
int eot, eob, chain, bei;
- int ret;
+ int ret = 0;
/* Protect accesses for reading and incrementing WP */
write_lock_bh(&mhi_chan->lock);
+ if (mhi_chan->ch_state != MHI_CH_STATE_ENABLED) {
+ ret = -ENODEV;
+ goto out;
+ }
+
buf_ring = &mhi_chan->buf_ring;
tre_ring = &mhi_chan->tre_ring;
@@ -1229,10 +1234,8 @@ int mhi_gen_tre(struct mhi_controller *m
if (!info->pre_mapped) {
ret = mhi_cntrl->map_single(mhi_cntrl, buf_info);
- if (ret) {
- write_unlock_bh(&mhi_chan->lock);
- return ret;
- }
+ if (ret)
+ goto out;
}
eob = !!(flags & MHI_EOB);
@@ -1250,9 +1253,10 @@ int mhi_gen_tre(struct mhi_controller *m
mhi_add_ring_element(mhi_cntrl, tre_ring);
mhi_add_ring_element(mhi_cntrl, buf_ring);
+out:
write_unlock_bh(&mhi_chan->lock);
- return 0;
+ return ret;
}
int mhi_queue_buf(struct mhi_device *mhi_dev, enum dma_data_direction dir,
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 306/449] ext4: fix off-by-one error in do_split
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 305/449] bus: mhi: host: Fix race between unprepare and queue_buf Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 307/449] f2fs: fix the missing write pointer correction Greg Kroah-Hartman
` (149 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Artem Sadovnikov, Jan Kara,
Theodore Tso
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Artem Sadovnikov <a.sadovnikov@ispras.ru>
commit 94824ac9a8aaf2fb3c54b4bdde842db80ffa555d upstream.
Syzkaller detected a use-after-free issue in ext4_insert_dentry that was
caused by out-of-bounds access due to incorrect splitting in do_split.
BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847
CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154
make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351
ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455
ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796
ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431
vfs_symlink+0x137/0x2e0 fs/namei.c:4615
do_symlinkat+0x222/0x3a0 fs/namei.c:4641
__do_sys_symlink fs/namei.c:4662 [inline]
__se_sys_symlink fs/namei.c:4660 [inline]
__x64_sys_symlink+0x7a/0x90 fs/namei.c:4660
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
The following loop is located right above 'if' statement.
for (i = count-1; i >= 0; i--) {
/* is more than half of this entry in 2nd half of the block? */
if (size + map[i].size/2 > blocksize/2)
break;
size += map[i].size;
move++;
}
'i' in this case could go down to -1, in which case sum of active entries
wouldn't exceed half the block size, but previous behaviour would also do
split in half if sum would exceed at the very last block, which in case of
having too many long name files in a single block could lead to
out-of-bounds access and following use-after-free.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Cc: stable@vger.kernel.org
Fixes: 5872331b3d91 ("ext4: fix potential negative array index in do_split()")
Signed-off-by: Artem Sadovnikov <a.sadovnikov@ispras.ru>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20250404082804.2567-3-a.sadovnikov@ispras.ru
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/namei.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -1995,7 +1995,7 @@ static struct ext4_dir_entry_2 *do_split
* split it in half by count; each resulting block will have at least
* half the space free.
*/
- if (i > 0)
+ if (i >= 0)
split = count - move;
else
split = count/2;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 307/449] f2fs: fix the missing write pointer correction
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 306/449] ext4: fix off-by-one error in do_split Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 308/449] f2fs: fix to avoid atomicity corruption of atomic file Greg Kroah-Hartman
` (148 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jaegeuk Kim <jaegeuk@kernel.org>
commit 201e07aec617b10360df09090651dea9d0d4f7d3 upstream.
If checkpoint was disabled, we missed to fix the write pointers.
Cc: <stable@vger.kernel.org>
Fixes: 1015035609e4 ("f2fs: fix changing cursegs if recovery fails on zoned device")
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/super.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -4749,8 +4749,10 @@ try_onemore:
if (err)
goto free_meta;
- if (unlikely(is_set_ckpt_flags(sbi, CP_DISABLED_FLAG)))
+ if (unlikely(is_set_ckpt_flags(sbi, CP_DISABLED_FLAG))) {
+ skip_recovery = true;
goto reset_checkpoint;
+ }
/* recover fsynced data */
if (!test_opt(sbi, DISABLE_ROLL_FORWARD) &&
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 308/449] f2fs: fix to avoid atomicity corruption of atomic file
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 307/449] f2fs: fix the missing write pointer correction Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 309/449] vdpa/mlx5: Fix oversized null mkey longer than 32bit Greg Kroah-Hartman
` (147 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sungjong Seo, Sunmin Jeong,
Yeongjin Gil, Daeho Jeong, Chao Yu, Jaegeuk Kim
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yeongjin Gil <youngjin.gil@samsung.com>
commit f098aeba04c9328571567dca45159358a250240c upstream.
In the case of the following call stack for an atomic file,
FI_DIRTY_INODE is set, but FI_ATOMIC_DIRTIED is not subsequently set.
f2fs_file_write_iter
f2fs_map_blocks
f2fs_reserve_new_blocks
inc_valid_block_count
__mark_inode_dirty(dquot)
f2fs_dirty_inode
If FI_ATOMIC_DIRTIED is not set, atomic file can encounter corruption
due to a mismatch between old file size and new data.
To resolve this issue, I changed to set FI_ATOMIC_DIRTIED when
FI_DIRTY_INODE is set. This ensures that FI_DIRTY_INODE, which was
previously cleared by the Writeback thread during the commit atomic, is
set and i_size is updated.
Cc: <stable@vger.kernel.org>
Fixes: fccaa81de87e ("f2fs: prevent atomic file from being dirtied before commit")
Reviewed-by: Sungjong Seo <sj1557.seo@samsung.com>
Reviewed-by: Sunmin Jeong <s_min.jeong@samsung.com>
Signed-off-by: Yeongjin Gil <youngjin.gil@samsung.com>
Reviewed-by: Daeho Jeong <daehojeong@google.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/inode.c | 4 +---
fs/f2fs/super.c | 4 ++++
2 files changed, 5 insertions(+), 3 deletions(-)
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -34,10 +34,8 @@ void f2fs_mark_inode_dirty_sync(struct i
if (f2fs_inode_dirtied(inode, sync))
return;
- if (f2fs_is_atomic_file(inode)) {
- set_inode_flag(inode, FI_ATOMIC_DIRTIED);
+ if (f2fs_is_atomic_file(inode))
return;
- }
mark_inode_dirty_sync(inode);
}
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1527,6 +1527,10 @@ int f2fs_inode_dirtied(struct inode *ino
inc_page_count(sbi, F2FS_DIRTY_IMETA);
}
spin_unlock(&sbi->inode_lock[DIRTY_META]);
+
+ if (!ret && f2fs_is_atomic_file(inode))
+ set_inode_flag(inode, FI_ATOMIC_DIRTIED);
+
return ret;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 309/449] vdpa/mlx5: Fix oversized null mkey longer than 32bit
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 308/449] f2fs: fix to avoid atomicity corruption of atomic file Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 310/449] udf: Fix inode_getblk() return value Greg Kroah-Hartman
` (146 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cong Meng, Si-Wei Liu,
Dragos Tatulea, Eugenio Pérez, Michael S. Tsirkin,
Jason Wang
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Si-Wei Liu <si-wei.liu@oracle.com>
commit a6097e0a54a5c24f8d577ffecbc35289ae281c2e upstream.
create_user_mr() has correct code to count the number of null keys
used to fill in a hole for the memory map. However, fill_indir()
does not follow the same to cap the range up to the 1GB limit
correspondingly. Fill in more null keys for the gaps in between,
so that null keys are correctly populated.
Fixes: 94abbccdf291 ("vdpa/mlx5: Add shared memory registration code")
Cc: stable@vger.kernel.org
Reported-by: Cong Meng <cong.meng@oracle.com>
Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
Acked-by: Eugenio Pérez <eperezma@redhat.com>
Message-Id: <20250220193732.521462-2-dtatulea@nvidia.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vdpa/mlx5/core/mr.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/vdpa/mlx5/core/mr.c
+++ b/drivers/vdpa/mlx5/core/mr.c
@@ -190,9 +190,12 @@ again:
klm->bcount = cpu_to_be32(klm_bcount(dmr->end - dmr->start));
preve = dmr->end;
} else {
+ u64 bcount = min_t(u64, dmr->start - preve, MAX_KLM_SIZE);
+
klm->key = cpu_to_be32(mvdev->res.null_mkey);
- klm->bcount = cpu_to_be32(klm_bcount(dmr->start - preve));
- preve = dmr->start;
+ klm->bcount = cpu_to_be32(klm_bcount(bcount));
+ preve += bcount;
+
goto again;
}
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 310/449] udf: Fix inode_getblk() return value
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 309/449] vdpa/mlx5: Fix oversized null mkey longer than 32bit Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 311/449] tpm: do not start chip while suspended Greg Kroah-Hartman
` (145 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Carlos Maiolino,
Jan Kara
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit 6afdc60ec30b0a9390d11b7cebed79c857ce82aa upstream.
Smatch noticed that inode_getblk() can return 1 on successful mapping of
a block instead of expected 0 after commit b405c1e58b73 ("udf: refactor
udf_next_aext() to handle error"). This could confuse some of the
callers and lead to strange failures (although the one reported by
Smatch in udf_mkdir() is impossible to trigger in practice). Fix the
return value of inode_getblk().
Link: https://lore.kernel.org/all/cb514af7-bbe0-435b-934f-dd1d7a16d2cd@stanley.mountain
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
Fixes: b405c1e58b73 ("udf: refactor udf_next_aext() to handle error")
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/udf/inode.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -810,6 +810,7 @@ static int inode_getblk(struct inode *in
}
map->oflags = UDF_BLK_MAPPED;
map->pblk = udf_get_lb_pblock(inode->i_sb, &eloc, offset);
+ ret = 0;
goto out_free;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 311/449] tpm: do not start chip while suspended
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 310/449] udf: Fix inode_getblk() return value Greg Kroah-Hartman
@ 2025-04-17 17:49 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 312/449] svcrdma: do not unregister device for listeners Greg Kroah-Hartman
` (144 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thadeu Lima de Souza Cascardo,
Jerry Snitselaar, Mike Seo, Jarkko Sakkinen
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
commit 17d253af4c2c8a2acf84bb55a0c2045f150b7dfd upstream.
Checking TPM_CHIP_FLAG_SUSPENDED after the call to tpm_find_get_ops() can
lead to a spurious tpm_chip_start() call:
[35985.503771] i2c i2c-1: Transfer while suspended
[35985.503796] WARNING: CPU: 0 PID: 74 at drivers/i2c/i2c-core.h:56 __i2c_transfer+0xbe/0x810
[35985.503802] Modules linked in:
[35985.503808] CPU: 0 UID: 0 PID: 74 Comm: hwrng Tainted: G W 6.13.0-next-20250203-00005-gfa0cb5642941 #19 9c3d7f78192f2d38e32010ac9c90fdc71109ef6f
[35985.503814] Tainted: [W]=WARN
[35985.503817] Hardware name: Google Morphius/Morphius, BIOS Google_Morphius.13434.858.0 10/26/2023
[35985.503819] RIP: 0010:__i2c_transfer+0xbe/0x810
[35985.503825] Code: 30 01 00 00 4c 89 f7 e8 40 fe d8 ff 48 8b 93 80 01 00 00 48 85 d2 75 03 49 8b 16 48 c7 c7 0a fb 7c a7 48 89 c6 e8 32 ad b0 fe <0f> 0b b8 94 ff ff ff e9 33 04 00 00 be 02 00 00 00 83 fd 02 0f 5
[35985.503828] RSP: 0018:ffffa106c0333d30 EFLAGS: 00010246
[35985.503833] RAX: 074ba64aa20f7000 RBX: ffff8aa4c1167120 RCX: 0000000000000000
[35985.503836] RDX: 0000000000000000 RSI: ffffffffa77ab0e4 RDI: 0000000000000001
[35985.503838] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
[35985.503841] R10: 0000000000000004 R11: 00000001000313d5 R12: ffff8aa4c10f1820
[35985.503843] R13: ffff8aa4c0e243c0 R14: ffff8aa4c1167250 R15: ffff8aa4c1167120
[35985.503846] FS: 0000000000000000(0000) GS:ffff8aa4eae00000(0000) knlGS:0000000000000000
[35985.503849] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[35985.503852] CR2: 00007fab0aaf1000 CR3: 0000000105328000 CR4: 00000000003506f0
[35985.503855] Call Trace:
[35985.503859] <TASK>
[35985.503863] ? __warn+0xd4/0x260
[35985.503868] ? __i2c_transfer+0xbe/0x810
[35985.503874] ? report_bug+0xf3/0x210
[35985.503882] ? handle_bug+0x63/0xb0
[35985.503887] ? exc_invalid_op+0x16/0x50
[35985.503892] ? asm_exc_invalid_op+0x16/0x20
[35985.503904] ? __i2c_transfer+0xbe/0x810
[35985.503913] tpm_cr50_i2c_transfer_message+0x24/0xf0
[35985.503920] tpm_cr50_i2c_read+0x8e/0x120
[35985.503928] tpm_cr50_request_locality+0x75/0x170
[35985.503935] tpm_chip_start+0x116/0x160
[35985.503942] tpm_try_get_ops+0x57/0x90
[35985.503948] tpm_find_get_ops+0x26/0xd0
[35985.503955] tpm_get_random+0x2d/0x80
Don't move forward with tpm_chip_start() inside tpm_try_get_ops(), unless
TPM_CHIP_FLAG_SUSPENDED is not set. tpm_find_get_ops() will return NULL in
such a failure case.
Fixes: 9265fed6db60 ("tpm: Lock TPM chip in tpm_pm_suspend() first")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Cc: stable@vger.kernel.org
Cc: Jerry Snitselaar <jsnitsel@redhat.com>
Cc: Mike Seo <mikeseohyungjin@gmail.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/tpm/tpm-chip.c | 5 +++++
drivers/char/tpm/tpm-interface.c | 7 -------
2 files changed, 5 insertions(+), 7 deletions(-)
--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -168,6 +168,11 @@ int tpm_try_get_ops(struct tpm_chip *chi
goto out_ops;
mutex_lock(&chip->tpm_mutex);
+
+ /* tmp_chip_start may issue IO that is denied while suspended */
+ if (chip->flags & TPM_CHIP_FLAG_SUSPENDED)
+ goto out_lock;
+
rc = tpm_chip_start(chip);
if (rc)
goto out_lock;
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -445,18 +445,11 @@ int tpm_get_random(struct tpm_chip *chip
if (!chip)
return -ENODEV;
- /* Give back zero bytes, as TPM chip has not yet fully resumed: */
- if (chip->flags & TPM_CHIP_FLAG_SUSPENDED) {
- rc = 0;
- goto out;
- }
-
if (chip->flags & TPM_CHIP_FLAG_TPM2)
rc = tpm2_get_random(chip, out, max);
else
rc = tpm1_get_random(chip, out, max);
-out:
tpm_put_ops(chip);
return rc;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 312/449] svcrdma: do not unregister device for listeners
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2025-04-17 17:49 ` [PATCH 6.14 311/449] tpm: do not start chip while suspended Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 313/449] soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() Greg Kroah-Hartman
` (143 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chuck Lever, Olga Kornievskaia
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Olga Kornievskaia <okorniev@redhat.com>
commit 750037aa0a9f28d84df3dcf319a28423d69092fd upstream.
On an rdma-capable machine, a start/stop/start and then on a stop of
a knfsd server would lead kref underflow warning because svc_rdma_free
would indiscriminately unregister the rdma device but a listening
transport never calls the rdma_rn_register() thus leading to kref
going down to 0 on the 1st stop of the server and on the 2nd stop
it leads to a problem.
Suggested-by: Chuck Lever <chuck.lever@oracle.com>
Fixes: c4de97f7c454 ("svcrdma: Handle device removal outside of the CM event handler")
Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sunrpc/xprtrdma/svc_rdma_transport.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c
@@ -621,7 +621,8 @@ static void __svc_rdma_free(struct work_
/* Destroy the CM ID */
rdma_destroy_id(rdma->sc_cm_id);
- rpcrdma_rn_unregister(device, &rdma->sc_rn);
+ if (!test_bit(XPT_LISTENER, &rdma->sc_xprt.xpt_flags))
+ rpcrdma_rn_unregister(device, &rdma->sc_rn);
kfree(rdma);
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 313/449] soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 312/449] svcrdma: do not unregister device for listeners Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 314/449] smb311 client: fix missing tcon check when mounting with linux/posix extensions Greg Kroah-Hartman
` (142 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chenyuan Yang, Krzysztof Kozlowski
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenyuan Yang <chenyuan0y@gmail.com>
commit c8222ef6cf29dd7cad21643228f96535cc02b327 upstream.
soc_dev_attr->revision could be NULL, thus,
a pointer check is added to prevent potential NULL pointer dereference.
This is similar to the fix in commit 3027e7b15b02
("ice: Fix some null pointer dereference issues in ice_ptp.c").
This issue is found by our static analysis tool.
Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
Link: https://lore.kernel.org/r/20250212213518.69432-1-chenyuan0y@gmail.com
Fixes: 3253b7b7cd44 ("soc: samsung: Add exynos chipid driver support")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/samsung/exynos-chipid.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/soc/samsung/exynos-chipid.c
+++ b/drivers/soc/samsung/exynos-chipid.c
@@ -134,6 +134,8 @@ static int exynos_chipid_probe(struct pl
soc_dev_attr->revision = devm_kasprintf(&pdev->dev, GFP_KERNEL,
"%x", soc_info.revision);
+ if (!soc_dev_attr->revision)
+ return -ENOMEM;
soc_dev_attr->soc_id = product_id_to_soc_id(soc_info.product_id);
if (!soc_dev_attr->soc_id) {
pr_err("Unknown SoC\n");
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 314/449] smb311 client: fix missing tcon check when mounting with linux/posix extensions
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (312 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 313/449] soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 315/449] ima: limit the number of open-writers integrity violations Greg Kroah-Hartman
` (141 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Steve French
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steve French <stfrench@microsoft.com>
commit b365b9d404b7376c60c91cd079218bfef11b7822 upstream.
When mounting the same share twice, once with the "linux" mount parameter
(or equivalently "posix") and then once without (or e.g. with "nolinux"),
we were incorrectly reusing the same tree connection for both mounts.
This meant that the first mount of the share on the client, would
cause subsequent mounts of that same share on the same client to
ignore that mount parm ("linux" vs. "nolinux") and incorrectly reuse
the same tcon.
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/connect.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/smb/client/connect.c
+++ b/fs/smb/client/connect.c
@@ -2455,6 +2455,8 @@ static int match_tcon(struct cifs_tcon *
return 0;
if (tcon->nodelete != ctx->nodelete)
return 0;
+ if (tcon->posix_extensions != ctx->linux_ext)
+ return 0;
return 1;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 315/449] ima: limit the number of open-writers integrity violations
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (313 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 314/449] smb311 client: fix missing tcon check when mounting with linux/posix extensions Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 316/449] ima: limit the number of ToMToU " Greg Kroah-Hartman
` (140 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefan Berger, Petr Vorel,
Roberto Sassu, Mimi Zohar
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mimi Zohar <zohar@linux.ibm.com>
commit 5b3cd801155f0b34b0b95942a5b057c9b8cad33e upstream.
Each time a file in policy, that is already opened for write, is opened
for read, an open-writers integrity violation audit message is emitted
and a violation record is added to the IMA measurement list. This
occurs even if an open-writers violation has already been recorded.
Limit the number of open-writers integrity violations for an existing
file open for write to one. After the existing file open for write
closes (__fput), subsequent open-writers integrity violations may be
emitted.
Cc: stable@vger.kernel.org # applies cleanly up to linux-6.6
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Tested-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_main.c | 11 +++++++++--
2 files changed, 10 insertions(+), 2 deletions(-)
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -182,6 +182,7 @@ struct ima_kexec_hdr {
#define IMA_CHANGE_ATTR 2
#define IMA_DIGSIG 3
#define IMA_MUST_MEASURE 4
+#define IMA_EMITTED_OPENWRITERS 5
/* IMA integrity metadata associated with an inode */
struct ima_iint_cache {
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -137,8 +137,13 @@ static void ima_rdwr_violation_check(str
} else {
if (must_measure)
set_bit(IMA_MUST_MEASURE, &iint->atomic_flags);
- if (inode_is_open_for_write(inode) && must_measure)
- send_writers = true;
+
+ /* Limit number of open_writers violations */
+ if (inode_is_open_for_write(inode) && must_measure) {
+ if (!test_and_set_bit(IMA_EMITTED_OPENWRITERS,
+ &iint->atomic_flags))
+ send_writers = true;
+ }
}
if (!send_tomtou && !send_writers)
@@ -167,6 +172,8 @@ static void ima_check_last_writer(struct
if (atomic_read(&inode->i_writecount) == 1) {
struct kstat stat;
+ clear_bit(IMA_EMITTED_OPENWRITERS, &iint->atomic_flags);
+
update = test_and_clear_bit(IMA_UPDATE_XATTR,
&iint->atomic_flags);
if ((iint->flags & IMA_NEW_FILE) ||
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 316/449] ima: limit the number of ToMToU integrity violations
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (314 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 315/449] ima: limit the number of open-writers integrity violations Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 317/449] igc: Fix XSK queue NAPI ID mapping Greg Kroah-Hartman
` (139 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefan Berger, Petr Vorel,
Roberto Sassu, Mimi Zohar
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mimi Zohar <zohar@linux.ibm.com>
commit a414016218ca97140171aa3bb926b02e1f68c2cc upstream.
Each time a file in policy, that is already opened for read, is opened
for write, a Time-of-Measure-Time-of-Use (ToMToU) integrity violation
audit message is emitted and a violation record is added to the IMA
measurement list. This occurs even if a ToMToU violation has already
been recorded.
Limit the number of ToMToU integrity violations per file open for read.
Note: The IMA_MAY_EMIT_TOMTOU atomic flag must be set from the reader
side based on policy. This may result in a per file open for read
ToMToU violation.
Since IMA_MUST_MEASURE is only used for violations, rename the atomic
IMA_MUST_MEASURE flag to IMA_MAY_EMIT_TOMTOU.
Cc: stable@vger.kernel.org # applies cleanly up to linux-6.6
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Tested-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/integrity/ima/ima.h | 2 +-
security/integrity/ima/ima_main.c | 7 ++++---
2 files changed, 5 insertions(+), 4 deletions(-)
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -181,7 +181,7 @@ struct ima_kexec_hdr {
#define IMA_UPDATE_XATTR 1
#define IMA_CHANGE_ATTR 2
#define IMA_DIGSIG 3
-#define IMA_MUST_MEASURE 4
+#define IMA_MAY_EMIT_TOMTOU 4
#define IMA_EMITTED_OPENWRITERS 5
/* IMA integrity metadata associated with an inode */
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -129,14 +129,15 @@ static void ima_rdwr_violation_check(str
if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) {
if (!iint)
iint = ima_iint_find(inode);
+
/* IMA_MEASURE is set from reader side */
- if (iint && test_bit(IMA_MUST_MEASURE,
- &iint->atomic_flags))
+ if (iint && test_and_clear_bit(IMA_MAY_EMIT_TOMTOU,
+ &iint->atomic_flags))
send_tomtou = true;
}
} else {
if (must_measure)
- set_bit(IMA_MUST_MEASURE, &iint->atomic_flags);
+ set_bit(IMA_MAY_EMIT_TOMTOU, &iint->atomic_flags);
/* Limit number of open_writers violations */
if (inode_is_open_for_write(inode) && must_measure) {
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 317/449] igc: Fix XSK queue NAPI ID mapping
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (315 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 316/449] ima: limit the number of ToMToU " Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 318/449] i3c: master: svc: Use readsb helper for reading MDB Greg Kroah-Hartman
` (138 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joe Damato, Gerhard Engleder,
Mor Bar-Gabay, Tony Nguyen
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joe Damato <jdamato@fastly.com>
commit dddeeaa16ce9d163ccf3b681715512d338afa541 upstream.
In commit b65969856d4f ("igc: Link queues to NAPI instances"), the XSK
queues were incorrectly unmapped from their NAPI instances. After
discussion on the mailing list and the introduction of a test to codify
the expected behavior, we can see that the unmapping causes the
check_xsk test to fail:
NETIF=enp86s0 ./tools/testing/selftests/drivers/net/queues.py
[...]
# Check| ksft_eq(q.get('xsk', None), {},
# Check failed None != {} xsk attr on queue we configured
not ok 4 queues.check_xsk
After this commit, the test passes:
ok 4 queues.check_xsk
Note that the test itself is only in net-next, so I tested this change
by applying it to my local net-next tree, booting, and running the test.
Cc: stable@vger.kernel.org
Fixes: b65969856d4f ("igc: Link queues to NAPI instances")
Signed-off-by: Joe Damato <jdamato@fastly.com>
Reviewed-by: Gerhard Engleder <gerhard@engleder-embedded.com>
Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/igc/igc.h | 2 --
drivers/net/ethernet/intel/igc/igc_main.c | 4 ++--
drivers/net/ethernet/intel/igc/igc_xdp.c | 2 --
3 files changed, 2 insertions(+), 6 deletions(-)
--- a/drivers/net/ethernet/intel/igc/igc.h
+++ b/drivers/net/ethernet/intel/igc/igc.h
@@ -337,8 +337,6 @@ struct igc_adapter {
struct igc_led_classdev *leds;
};
-void igc_set_queue_napi(struct igc_adapter *adapter, int q_idx,
- struct napi_struct *napi);
void igc_up(struct igc_adapter *adapter);
void igc_down(struct igc_adapter *adapter);
int igc_open(struct net_device *netdev);
--- a/drivers/net/ethernet/intel/igc/igc_main.c
+++ b/drivers/net/ethernet/intel/igc/igc_main.c
@@ -5021,8 +5021,8 @@ static int igc_sw_init(struct igc_adapte
return 0;
}
-void igc_set_queue_napi(struct igc_adapter *adapter, int vector,
- struct napi_struct *napi)
+static void igc_set_queue_napi(struct igc_adapter *adapter, int vector,
+ struct napi_struct *napi)
{
struct igc_q_vector *q_vector = adapter->q_vector[vector];
--- a/drivers/net/ethernet/intel/igc/igc_xdp.c
+++ b/drivers/net/ethernet/intel/igc/igc_xdp.c
@@ -86,7 +86,6 @@ static int igc_xdp_enable_pool(struct ig
napi_disable(napi);
}
- igc_set_queue_napi(adapter, queue_id, NULL);
set_bit(IGC_RING_FLAG_AF_XDP_ZC, &rx_ring->flags);
set_bit(IGC_RING_FLAG_AF_XDP_ZC, &tx_ring->flags);
@@ -136,7 +135,6 @@ static int igc_xdp_disable_pool(struct i
xsk_pool_dma_unmap(pool, IGC_RX_DMA_ATTR);
clear_bit(IGC_RING_FLAG_AF_XDP_ZC, &rx_ring->flags);
clear_bit(IGC_RING_FLAG_AF_XDP_ZC, &tx_ring->flags);
- igc_set_queue_napi(adapter, queue_id, napi);
if (needs_reset) {
napi_enable(napi);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 318/449] i3c: master: svc: Use readsb helper for reading MDB
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (316 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 317/449] igc: Fix XSK queue NAPI ID mapping Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 319/449] i3c: Add NULL pointer check in i3c_master_queue_ibi() Greg Kroah-Hartman
` (137 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Stanley Chu, Frank Li,
Alexandre Belloni
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanley Chu <yschu@nuvoton.com>
commit c06acf7143bddaa3c0f7bedd8b99e48f6acb85c3 upstream.
The target can send the MDB byte followed by additional data bytes.
The readl on MRDATAB reads one actual byte, but the readsl advances
the destination pointer by 4 bytes. This causes the subsequent payload
to be copied to wrong position in the destination buffer.
Cc: stable@kernel.org
Fixes: dd3c52846d59 ("i3c: master: svc: Add Silvaco I3C master driver")
Signed-off-by: Stanley Chu <yschu@nuvoton.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://lore.kernel.org/r/20250318053606.3087121-3-yschu@nuvoton.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master/svc-i3c-master.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/i3c/master/svc-i3c-master.c
+++ b/drivers/i3c/master/svc-i3c-master.c
@@ -378,7 +378,7 @@ static int svc_i3c_master_handle_ibi(str
slot->len < SVC_I3C_FIFO_SIZE) {
mdatactrl = readl(master->regs + SVC_I3C_MDATACTRL);
count = SVC_I3C_MDATACTRL_RXCOUNT(mdatactrl);
- readsl(master->regs + SVC_I3C_MRDATAB, buf, count);
+ readsb(master->regs + SVC_I3C_MRDATAB, buf, count);
slot->len += count;
buf += count;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 319/449] i3c: Add NULL pointer check in i3c_master_queue_ibi()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (317 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 318/449] i3c: master: svc: Use readsb helper for reading MDB Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 320/449] jbd2: remove wrong sb->s_sequence check Greg Kroah-Hartman
` (136 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manjunatha Venkatesh, Frank Li,
Alexandre Belloni
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manjunatha Venkatesh <manjunatha.venkatesh@nxp.com>
commit bd496a44f041da9ef3afe14d1d6193d460424e91 upstream.
The I3C master driver may receive an IBI from a target device that has not
been probed yet. In such cases, the master calls `i3c_master_queue_ibi()`
to queue an IBI work task, leading to "Unable to handle kernel read from
unreadable memory" and resulting in a kernel panic.
Typical IBI handling flow:
1. The I3C master scans target devices and probes their respective drivers.
2. The target device driver calls `i3c_device_request_ibi()` to enable IBI
and assigns `dev->ibi = ibi`.
3. The I3C master receives an IBI from the target device and calls
`i3c_master_queue_ibi()` to queue the target device driver’s IBI
handler task.
However, since target device events are asynchronous to the I3C probe
sequence, step 3 may occur before step 2, causing `dev->ibi` to be `NULL`,
leading to a kernel panic.
Add a NULL pointer check in `i3c_master_queue_ibi()` to prevent accessing
an uninitialized `dev->ibi`, ensuring stability.
Fixes: 3a379bbcea0af ("i3c: Add core I3C infrastructure")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/lkml/Z9gjGYudiYyl3bSe@lizhi-Precision-Tower-5810/
Signed-off-by: Manjunatha Venkatesh <manjunatha.venkatesh@nxp.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://lore.kernel.org/r/20250326123047.2797946-1-manjunatha.venkatesh@nxp.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/i3c/master.c
+++ b/drivers/i3c/master.c
@@ -2561,6 +2561,9 @@ static void i3c_master_unregister_i3c_de
*/
void i3c_master_queue_ibi(struct i3c_dev_desc *dev, struct i3c_ibi_slot *slot)
{
+ if (!dev->ibi || !slot)
+ return;
+
atomic_inc(&dev->ibi->pending_ibis);
queue_work(dev->ibi->wq, &slot->work);
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 320/449] jbd2: remove wrong sb->s_sequence check
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (318 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 319/449] i3c: Add NULL pointer check in i3c_master_queue_ibi() Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 321/449] kbuild: exclude .rodata.(cst|str)* when building ranges Greg Kroah-Hartman
` (135 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Kara, Zhang Yi, Theodore Tso
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit e6eff39dd0fe4190c6146069cc16d160e71d1148 upstream.
Journal emptiness is not determined by sb->s_sequence == 0 but rather by
sb->s_start == 0 (which is set a few lines above). Furthermore 0 is a
valid transaction ID so the check can spuriously trigger. Remove the
invalid WARN_ON.
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Link: https://patch.msgid.link/20250206094657.20865-3-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/journal.c | 1 -
1 file changed, 1 deletion(-)
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -1879,7 +1879,6 @@ int jbd2_journal_update_sb_log_tail(jour
/* Log is no longer empty */
write_lock(&journal->j_state_lock);
- WARN_ON(!sb->s_sequence);
journal->j_flags &= ~JBD2_FLUSHED;
write_unlock(&journal->j_state_lock);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 321/449] kbuild: exclude .rodata.(cst|str)* when building ranges
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (319 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 320/449] jbd2: remove wrong sb->s_sequence check Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 322/449] kbuild: Add -fno-builtin-wcslen Greg Kroah-Hartman
` (134 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kris Van Hees, Jack Vogel,
Masahiro Yamada
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kris Van Hees <kris.van.hees@oracle.com>
commit 87bb368d0637c466a8a77433837056f981d01991 upstream.
The .rodata.(cst|str)* sections are often resized during the final
linking and since these sections do not cover actual symbols there is
no need to include them in the modules.builtin.ranges data.
When these sections were included in processing and resizing occurred,
modules were reported with ranges that extended beyond their true end,
causing subsequent symbols (in address order) to be associated with
the wrong module.
Fixes: 5f5e7344322f ("kbuild: generate offset range data for builtin modules")
Cc: stable@vger.kernel.org
Signed-off-by: Kris Van Hees <kris.van.hees@oracle.com>
Reviewed-by: Jack Vogel <jack.vogel@oracle.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
scripts/generate_builtin_ranges.awk | 5 +++++
1 file changed, 5 insertions(+)
--- a/scripts/generate_builtin_ranges.awk
+++ b/scripts/generate_builtin_ranges.awk
@@ -282,6 +282,11 @@ ARGIND == 2 && !anchor && NF == 2 && $1
# section.
#
ARGIND == 2 && sect && NF == 4 && /^ [^ \*]/ && !($1 in sect_addend) {
+ # There are a few sections with constant data (without symbols) that
+ # can get resized during linking, so it is best to ignore them.
+ if ($1 ~ /^\.rodata\.(cst|str)[0-9]/)
+ next;
+
if (!($1 in sect_base)) {
sect_base[$1] = base;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 322/449] kbuild: Add -fno-builtin-wcslen
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (320 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 321/449] kbuild: exclude .rodata.(cst|str)* when building ranges Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 323/449] leds: rgb: leds-qcom-lpg: Fix pwm resolution max for Hi-Res PWMs Greg Kroah-Hartman
` (133 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Linus Torvalds
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit 84ffc79bfbf70c779e60218563f2f3ad45288671 upstream.
A recent optimization change in LLVM [1] aims to transform certain loop
idioms into calls to strlen() or wcslen(). This change transforms the
first while loop in UniStrcat() into a call to wcslen(), breaking the
build when UniStrcat() gets inlined into alloc_path_with_tree_prefix():
ld.lld: error: undefined symbol: wcslen
>>> referenced by nls_ucs2_utils.h:54 (fs/smb/client/../../nls/nls_ucs2_utils.h:54)
>>> vmlinux.o:(alloc_path_with_tree_prefix)
>>> referenced by nls_ucs2_utils.h:54 (fs/smb/client/../../nls/nls_ucs2_utils.h:54)
>>> vmlinux.o:(alloc_path_with_tree_prefix)
Disable this optimization with '-fno-builtin-wcslen', which prevents the
compiler from assuming that wcslen() is available in the kernel's C
library.
[ More to the point - it's not that we couldn't implement wcslen(), it's
that this isn't an optimization at all in the context of the kernel.
Replacing a simple inlined loop with a function call to the same loop
is just stupid and pointless if you don't have long strings and fancy
libraries with vectorization support etc.
For the regular 'strlen()' cases, we want the compiler to do this in
order to handle the trivial case of constant strings. And we do have
optimized versions of 'strlen()' on some architectures. But for
wcslen? Just no. - Linus ]
Cc: stable@vger.kernel.org
Link: https://github.com/llvm/llvm-project/commit/9694844d7e36fd5e01011ab56b64f27b867aa72d [1]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Makefile | 3 +++
1 file changed, 3 insertions(+)
--- a/Makefile
+++ b/Makefile
@@ -1065,6 +1065,9 @@ ifdef CONFIG_CC_IS_GCC
KBUILD_CFLAGS += -fconserve-stack
endif
+# Ensure compilers do not transform certain loops into calls to wcslen()
+KBUILD_CFLAGS += -fno-builtin-wcslen
+
# change __FILE__ to the relative path to the source directory
ifdef building_out_of_srctree
KBUILD_CPPFLAGS += $(call cc-option,-fmacro-prefix-map=$(srcroot)/=)
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 323/449] leds: rgb: leds-qcom-lpg: Fix pwm resolution max for Hi-Res PWMs
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (321 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 322/449] kbuild: Add -fno-builtin-wcslen Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 324/449] leds: rgb: leds-qcom-lpg: Fix calculation of best period " Greg Kroah-Hartman
` (132 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abel Vesa, Bjorn Andersson,
Sebastian Reichel, Lee Jones
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abel Vesa <abel.vesa@linaro.org>
commit b7881eacc07fdf50be3f33c662997541bb59366d upstream.
Ideally, the requested duty cycle should never translate to a PWM
value higher than the selected resolution (PWM size), but currently the
best matched period is never reported back to the PWM consumer, so the
consumer will still be using the requested period which is higher than
the best matched one. This will result in PWM consumer requesting
duty cycle values higher than the allowed PWM value.
For example, a consumer might request a period of 5ms while the best
(closest) period the PWM hardware will do is 4.26ms. For this best
matched resolution, if the selected resolution is 8-bit wide, when
the consumer asks for a duty cycle of 5ms, the PWM value will be 300,
which is outside of what the resolution allows. This will happen with
all possible resolutions when selected.
Since for these Hi-Res PWMs, the current implementation is capping the PWM
value at a 15-bit resolution, even when lower resolutions are selected,
the value will be wrapped around by the HW internal logic to the selected
resolution.
Fix the issue by capping the PWM value to the maximum value allowed by
the selected resolution.
Cc: stable@vger.kernel.org # 6.4
Fixes: b00d2ed37617 ("leds: rgb: leds-qcom-lpg: Add support for high resolution PWM")
Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Reviewed-by: Sebastian Reichel <sre@kernel.org>
Link: https://lore.kernel.org/r/20250305-leds-qcom-lpg-fix-max-pwm-on-hi-res-v4-2-bfe124a53a9f@linaro.org
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/leds/rgb/leds-qcom-lpg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/leds/rgb/leds-qcom-lpg.c
+++ b/drivers/leds/rgb/leds-qcom-lpg.c
@@ -529,7 +529,7 @@ static void lpg_calc_duty(struct lpg_cha
unsigned int clk_rate;
if (chan->subtype == LPG_SUBTYPE_HI_RES_PWM) {
- max = LPG_RESOLUTION_15BIT - 1;
+ max = BIT(lpg_pwm_resolution_hi_res[chan->pwm_resolution_sel]) - 1;
clk_rate = lpg_clk_rates_hi_res[chan->clk_sel];
} else {
max = LPG_RESOLUTION_9BIT - 1;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 324/449] leds: rgb: leds-qcom-lpg: Fix calculation of best period Hi-Res PWMs
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (322 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 323/449] leds: rgb: leds-qcom-lpg: Fix pwm resolution max for Hi-Res PWMs Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 325/449] mfd: ene-kb3930: Fix a potential NULL pointer dereference Greg Kroah-Hartman
` (131 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abel Vesa, Sebastian Reichel,
Lee Jones
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abel Vesa <abel.vesa@linaro.org>
commit 2528eec7da0ec58fcae6d12cfa79a622c933d86b upstream.
When determining the actual best period by looping through all
possible PWM configs, the resolution currently used is based on
bit shift value which is off-by-one above the possible maximum
PWM value allowed.
So subtract one from the resolution before determining the best
period so that the maximum duty cycle requested by the PWM user
won't result in a value above the maximum allowed by the selected
resolution.
Cc: stable@vger.kernel.org # 6.4
Fixes: b00d2ed37617 ("leds: rgb: leds-qcom-lpg: Add support for high resolution PWM")
Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
Reviewed-by: Sebastian Reichel <sre@kernel.org>
Link: https://lore.kernel.org/r/20250305-leds-qcom-lpg-fix-max-pwm-on-hi-res-v4-3-bfe124a53a9f@linaro.org
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/leds/rgb/leds-qcom-lpg.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/leds/rgb/leds-qcom-lpg.c
+++ b/drivers/leds/rgb/leds-qcom-lpg.c
@@ -461,7 +461,7 @@ static int lpg_calc_freq(struct lpg_chan
max_res = LPG_RESOLUTION_9BIT;
}
- min_period = div64_u64((u64)NSEC_PER_SEC * (1 << pwm_resolution_arr[0]),
+ min_period = div64_u64((u64)NSEC_PER_SEC * ((1 << pwm_resolution_arr[0]) - 1),
clk_rate_arr[clk_len - 1]);
if (period <= min_period)
return -EINVAL;
@@ -482,7 +482,7 @@ static int lpg_calc_freq(struct lpg_chan
*/
for (i = 0; i < pwm_resolution_count; i++) {
- resolution = 1 << pwm_resolution_arr[i];
+ resolution = (1 << pwm_resolution_arr[i]) - 1;
for (clk_sel = 1; clk_sel < clk_len; clk_sel++) {
u64 numerator = period * clk_rate_arr[clk_sel];
@@ -1291,7 +1291,7 @@ static int lpg_pwm_get_state(struct pwm_
if (ret)
return ret;
- state->period = DIV_ROUND_UP_ULL((u64)NSEC_PER_SEC * (1 << resolution) *
+ state->period = DIV_ROUND_UP_ULL((u64)NSEC_PER_SEC * ((1 << resolution) - 1) *
pre_div * (1 << m), refclk);
state->duty_cycle = DIV_ROUND_UP_ULL((u64)NSEC_PER_SEC * pwm_value * pre_div * (1 << m), refclk);
} else {
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 325/449] mfd: ene-kb3930: Fix a potential NULL pointer dereference
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (323 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 324/449] leds: rgb: leds-qcom-lpg: Fix calculation of best period " Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 326/449] mailbox: tegra-hsp: Define dimensioning masks in SoC data Greg Kroah-Hartman
` (130 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lee Jones, Chenyuan Yang
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenyuan Yang <chenyuan0y@gmail.com>
commit 4cdf1d2a816a93fa02f7b6b5492dc7f55af2a199 upstream.
The off_gpios could be NULL. Add missing check in the kb3930_probe().
This is similar to the issue fixed in commit b1ba8bcb2d1f
("backlight: hx8357: Fix potential NULL pointer dereference").
This was detected by our static analysis tool.
Cc: stable@vger.kernel.org
Fixes: ede6b2d1dfc0 ("mfd: ene-kb3930: Add driver for ENE KB3930 Embedded Controller")
Suggested-by: Lee Jones <lee@kernel.org>
Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
Link: https://lore.kernel.org/r/20250224233736.1919739-1-chenyuan0y@gmail.com
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mfd/ene-kb3930.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mfd/ene-kb3930.c
+++ b/drivers/mfd/ene-kb3930.c
@@ -162,7 +162,7 @@ static int kb3930_probe(struct i2c_clien
devm_gpiod_get_array_optional(dev, "off", GPIOD_IN);
if (IS_ERR(ddata->off_gpios))
return PTR_ERR(ddata->off_gpios);
- if (ddata->off_gpios->ndescs < 2) {
+ if (ddata->off_gpios && ddata->off_gpios->ndescs < 2) {
dev_err(dev, "invalid off-gpios property\n");
return -EINVAL;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 326/449] mailbox: tegra-hsp: Define dimensioning masks in SoC data
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (324 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 325/449] mfd: ene-kb3930: Fix a potential NULL pointer dereference Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 327/449] locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class() Greg Kroah-Hartman
` (129 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kartik Rajput, Thierry Reding,
Jon Hunter, Jassi Brar
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kartik Rajput <kkartik@nvidia.com>
commit bf0c9fb462038815f5f502653fb6dba06e6af415 upstream.
Tegra264 has updated HSP_INT_DIMENSIONING register as follows:
* nSI is now BIT17:BIT21.
* nDB is now BIT12:BIT16.
Currently, we are using a static macro HSP_nINT_MASK to get the values
from HSP_INT_DIMENSIONING register. This results in wrong values for nSI
for HSP instances that supports 16 shared interrupts.
Define dimensioning masks in soc data and use them to parse nSI, nDB,
nAS, nSS & nSM values.
Fixes: 602dbbacc3ef ("mailbox: tegra: add support for Tegra264")
Cc: stable@vger.kernel.org
Signed-off-by: Kartik Rajput <kkartik@nvidia.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Acked-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mailbox/tegra-hsp.c | 72 ++++++++++++++++++++++++++++++++++++--------
1 file changed, 60 insertions(+), 12 deletions(-)
--- a/drivers/mailbox/tegra-hsp.c
+++ b/drivers/mailbox/tegra-hsp.c
@@ -1,6 +1,6 @@
// SPDX-License-Identifier: GPL-2.0-only
/*
- * Copyright (c) 2016-2023, NVIDIA CORPORATION. All rights reserved.
+ * Copyright (c) 2016-2025, NVIDIA CORPORATION. All rights reserved.
*/
#include <linux/delay.h>
@@ -28,12 +28,6 @@
#define HSP_INT_FULL_MASK 0xff
#define HSP_INT_DIMENSIONING 0x380
-#define HSP_nSM_SHIFT 0
-#define HSP_nSS_SHIFT 4
-#define HSP_nAS_SHIFT 8
-#define HSP_nDB_SHIFT 12
-#define HSP_nSI_SHIFT 16
-#define HSP_nINT_MASK 0xf
#define HSP_DB_TRIGGER 0x0
#define HSP_DB_ENABLE 0x4
@@ -97,6 +91,20 @@ struct tegra_hsp_soc {
bool has_per_mb_ie;
bool has_128_bit_mb;
unsigned int reg_stride;
+
+ /* Shifts for dimensioning register. */
+ unsigned int si_shift;
+ unsigned int db_shift;
+ unsigned int as_shift;
+ unsigned int ss_shift;
+ unsigned int sm_shift;
+
+ /* Masks for dimensioning register. */
+ unsigned int si_mask;
+ unsigned int db_mask;
+ unsigned int as_mask;
+ unsigned int ss_mask;
+ unsigned int sm_mask;
};
struct tegra_hsp {
@@ -747,11 +755,11 @@ static int tegra_hsp_probe(struct platfo
return PTR_ERR(hsp->regs);
value = tegra_hsp_readl(hsp, HSP_INT_DIMENSIONING);
- hsp->num_sm = (value >> HSP_nSM_SHIFT) & HSP_nINT_MASK;
- hsp->num_ss = (value >> HSP_nSS_SHIFT) & HSP_nINT_MASK;
- hsp->num_as = (value >> HSP_nAS_SHIFT) & HSP_nINT_MASK;
- hsp->num_db = (value >> HSP_nDB_SHIFT) & HSP_nINT_MASK;
- hsp->num_si = (value >> HSP_nSI_SHIFT) & HSP_nINT_MASK;
+ hsp->num_sm = (value >> hsp->soc->sm_shift) & hsp->soc->sm_mask;
+ hsp->num_ss = (value >> hsp->soc->ss_shift) & hsp->soc->ss_mask;
+ hsp->num_as = (value >> hsp->soc->as_shift) & hsp->soc->as_mask;
+ hsp->num_db = (value >> hsp->soc->db_shift) & hsp->soc->db_mask;
+ hsp->num_si = (value >> hsp->soc->si_shift) & hsp->soc->si_mask;
err = platform_get_irq_byname_optional(pdev, "doorbell");
if (err >= 0)
@@ -915,6 +923,16 @@ static const struct tegra_hsp_soc tegra1
.has_per_mb_ie = false,
.has_128_bit_mb = false,
.reg_stride = 0x100,
+ .si_shift = 16,
+ .db_shift = 12,
+ .as_shift = 8,
+ .ss_shift = 4,
+ .sm_shift = 0,
+ .si_mask = 0xf,
+ .db_mask = 0xf,
+ .as_mask = 0xf,
+ .ss_mask = 0xf,
+ .sm_mask = 0xf,
};
static const struct tegra_hsp_soc tegra194_hsp_soc = {
@@ -922,6 +940,16 @@ static const struct tegra_hsp_soc tegra1
.has_per_mb_ie = true,
.has_128_bit_mb = false,
.reg_stride = 0x100,
+ .si_shift = 16,
+ .db_shift = 12,
+ .as_shift = 8,
+ .ss_shift = 4,
+ .sm_shift = 0,
+ .si_mask = 0xf,
+ .db_mask = 0xf,
+ .as_mask = 0xf,
+ .ss_mask = 0xf,
+ .sm_mask = 0xf,
};
static const struct tegra_hsp_soc tegra234_hsp_soc = {
@@ -929,6 +957,16 @@ static const struct tegra_hsp_soc tegra2
.has_per_mb_ie = false,
.has_128_bit_mb = true,
.reg_stride = 0x100,
+ .si_shift = 16,
+ .db_shift = 12,
+ .as_shift = 8,
+ .ss_shift = 4,
+ .sm_shift = 0,
+ .si_mask = 0xf,
+ .db_mask = 0xf,
+ .as_mask = 0xf,
+ .ss_mask = 0xf,
+ .sm_mask = 0xf,
};
static const struct tegra_hsp_soc tegra264_hsp_soc = {
@@ -936,6 +974,16 @@ static const struct tegra_hsp_soc tegra2
.has_per_mb_ie = false,
.has_128_bit_mb = true,
.reg_stride = 0x1000,
+ .si_shift = 17,
+ .db_shift = 12,
+ .as_shift = 8,
+ .ss_shift = 4,
+ .sm_shift = 0,
+ .si_mask = 0x1f,
+ .db_mask = 0x1f,
+ .as_mask = 0xf,
+ .ss_mask = 0xf,
+ .sm_mask = 0xf,
};
static const struct of_device_id tegra_hsp_match[] = {
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 327/449] locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (325 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 326/449] mailbox: tegra-hsp: Define dimensioning masks in SoC data Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 328/449] lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets Greg Kroah-Hartman
` (128 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Boqun Feng, Ingo Molnar, Waiman Long
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boqun Feng <boqun.feng@gmail.com>
commit 495f53d5cca0f939eaed9dca90b67e7e6fb0e30c upstream.
Currently, when a lock class is allocated, nr_unused_locks will be
increased by 1, until it gets used: nr_unused_locks will be decreased by
1 in mark_lock(). However, one scenario is missed: a lock class may be
zapped without even being used once. This could result into a situation
that nr_unused_locks != 0 but no unused lock class is active in the
system, and when `cat /proc/lockdep_stats`, a WARN_ON() will
be triggered in a CONFIG_DEBUG_LOCKDEP=y kernel:
[...] DEBUG_LOCKS_WARN_ON(debug_atomic_read(nr_unused_locks) != nr_unused)
[...] WARNING: CPU: 41 PID: 1121 at kernel/locking/lockdep_proc.c:283 lockdep_stats_show+0xba9/0xbd0
And as a result, lockdep will be disabled after this.
Therefore, nr_unused_locks needs to be accounted correctly at
zap_class() time.
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Reviewed-by: Waiman Long <longman@redhat.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250326180831.510348-1-boqun.feng@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/locking/lockdep.c | 3 +++
1 file changed, 3 insertions(+)
--- a/kernel/locking/lockdep.c
+++ b/kernel/locking/lockdep.c
@@ -6249,6 +6249,9 @@ static void zap_class(struct pending_fre
hlist_del_rcu(&class->hash_entry);
WRITE_ONCE(class->key, NULL);
WRITE_ONCE(class->name, NULL);
+ /* Class allocated but not used, -1 in nr_unused_locks */
+ if (class->usage_mask == 0)
+ debug_atomic_dec(nr_unused_locks);
nr_lock_classes--;
__clear_bit(class - lock_classes, lock_classes_in_use);
if (class - lock_classes == max_lock_class_idx)
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 328/449] lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (326 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 327/449] locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class() Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 329/449] mptcp: fix NULL pointer in can_accept_new_subflow Greg Kroah-Hartman
` (127 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, T Pratham, Robert Jarzmik,
Jens Axboe, Kamlesh Gurudasani, Praneeth Bajjuri,
Vignesh Raghavendra, Andrew Morton
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: T Pratham <t-pratham@ti.com>
commit 8b46fdaea819a679da176b879e7b0674a1161a5e upstream.
The split_sg_phys function was incorrectly setting the offsets of all
scatterlist entries (except the first) to 0. Only the first scatterlist
entry's offset and length needs to be modified to account for the skip.
Setting the rest entries' offsets to 0 could lead to incorrect data
access.
I am using this function in a crypto driver that I'm currently developing
(not yet sent to mailing list). During testing, it was observed that the
output scatterlists (except the first one) contained incorrect garbage
data.
I narrowed this issue down to the call of sg_split(). Upon debugging
inside this function, I found that this resetting of offset is the cause
of the problem, causing the subsequent scatterlists to point to incorrect
memory locations in a page. By removing this code, I am obtaining
expected data in all the split output scatterlists. Thus, this was indeed
causing observable runtime effects!
This patch removes the offending code, ensuring that the page offsets in
the input scatterlist are preserved in the output scatterlist.
Link: https://lkml.kernel.org/r/20250319111437.1969903-1-t-pratham@ti.com
Fixes: f8bcbe62acd0 ("lib: scatterlist: add sg splitting function")
Signed-off-by: T Pratham <t-pratham@ti.com>
Cc: Robert Jarzmik <robert.jarzmik@free.fr>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Kamlesh Gurudasani <kamlesh@ti.com>
Cc: Praneeth Bajjuri <praneeth@ti.com>
Cc: Vignesh Raghavendra <vigneshr@ti.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/sg_split.c | 2 --
1 file changed, 2 deletions(-)
--- a/lib/sg_split.c
+++ b/lib/sg_split.c
@@ -88,8 +88,6 @@ static void sg_split_phys(struct sg_spli
if (!j) {
out_sg->offset += split->skip_sg0;
out_sg->length -= split->skip_sg0;
- } else {
- out_sg->offset = 0;
}
sg_dma_address(out_sg) = 0;
sg_dma_len(out_sg) = 0;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 329/449] mptcp: fix NULL pointer in can_accept_new_subflow
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (327 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 328/449] lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 330/449] mptcp: only inc MPJoinAckHMacFailure for HMAC failures Greg Kroah-Hartman
` (126 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Gang Yan,
Matthieu Baerts (NGI0), Jakub Kicinski
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gang Yan <yangang@kylinos.cn>
commit 443041deb5ef6a1289a99ed95015ec7442f141dc upstream.
When testing valkey benchmark tool with MPTCP, the kernel panics in
'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL.
Call trace:
mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P)
subflow_syn_recv_sock (./net/mptcp/subflow.c:854)
tcp_check_req (./net/ipv4/tcp_minisocks.c:863)
tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268)
ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207)
ip_local_deliver_finish (./net/ipv4/ip_input.c:234)
ip_local_deliver (./net/ipv4/ip_input.c:254)
ip_rcv_finish (./net/ipv4/ip_input.c:449)
...
According to the debug log, the same req received two SYN-ACK in a very
short time, very likely because the client retransmits the syn ack due
to multiple reasons.
Even if the packets are transmitted with a relevant time interval, they
can be processed by the server on different CPUs concurrently). The
'subflow_req->msk' ownership is transferred to the subflow the first,
and there will be a risk of a null pointer dereference here.
This patch fixes this issue by moving the 'subflow_req->msk' under the
`own_req == true` conditional.
Note that the !msk check in subflow_hmac_valid() can be dropped, because
the same check already exists under the own_req mpj branch where the
code has been moved to.
Fixes: 9466a1ccebbe ("mptcp: enable JOIN requests even if cookies are in use")
Cc: stable@vger.kernel.org
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Gang Yan <yangang@kylinos.cn>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250328-net-mptcp-misc-fixes-6-15-v1-1-34161a482a7f@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/subflow.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -754,8 +754,6 @@ static bool subflow_hmac_valid(const str
subflow_req = mptcp_subflow_rsk(req);
msk = subflow_req->msk;
- if (!msk)
- return false;
subflow_generate_hmac(READ_ONCE(msk->remote_key),
READ_ONCE(msk->local_key),
@@ -853,12 +851,8 @@ static struct sock *subflow_syn_recv_soc
} else if (subflow_req->mp_join) {
mptcp_get_options(skb, &mp_opt);
- if (!(mp_opt.suboptions & OPTION_MPTCP_MPJ_ACK) ||
- !subflow_hmac_valid(req, &mp_opt) ||
- !mptcp_can_accept_new_subflow(subflow_req->msk)) {
- SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC);
+ if (!(mp_opt.suboptions & OPTION_MPTCP_MPJ_ACK))
fallback = true;
- }
}
create_child:
@@ -907,6 +901,13 @@ create_child:
subflow_add_reset_reason(skb, MPTCP_RST_EPROHIBIT);
goto dispose_child;
}
+
+ if (!subflow_hmac_valid(req, &mp_opt) ||
+ !mptcp_can_accept_new_subflow(subflow_req->msk)) {
+ SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC);
+ subflow_add_reset_reason(skb, MPTCP_RST_EPROHIBIT);
+ goto dispose_child;
+ }
/* move the msk reference ownership to the subflow */
subflow_req->msk = NULL;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 330/449] mptcp: only inc MPJoinAckHMacFailure for HMAC failures
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (328 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 329/449] mptcp: fix NULL pointer in can_accept_new_subflow Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 331/449] mtd: inftlcore: Add error check for inftl_read_oob() Greg Kroah-Hartman
` (125 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geliang Tang, Matthieu Baerts (NGI0),
Simon Horman, Jakub Kicinski
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 21c02e8272bc95ba0dd44943665c669029b42760 upstream.
Recently, during a debugging session using local MPTCP connections, I
noticed MPJoinAckHMacFailure was not zero on the server side. The
counter was in fact incremented when the PM rejected new subflows,
because the 'subflow' limit was reached.
The fix is easy, simply dissociating the two cases: only the HMAC
validation check should increase MPTCP_MIB_JOINACKMAC counter.
Fixes: 4cf8b7e48a09 ("subflow: introduce and use mptcp_can_accept_new_subflow()")
Cc: stable@vger.kernel.org
Reviewed-by: Geliang Tang <geliang@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250407-net-mptcp-hmac-failure-mib-v1-1-3c9ecd0a3a50@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/subflow.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -902,12 +902,16 @@ create_child:
goto dispose_child;
}
- if (!subflow_hmac_valid(req, &mp_opt) ||
- !mptcp_can_accept_new_subflow(subflow_req->msk)) {
+ if (!subflow_hmac_valid(req, &mp_opt)) {
SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC);
subflow_add_reset_reason(skb, MPTCP_RST_EPROHIBIT);
goto dispose_child;
}
+
+ if (!mptcp_can_accept_new_subflow(owner)) {
+ subflow_add_reset_reason(skb, MPTCP_RST_EPROHIBIT);
+ goto dispose_child;
+ }
/* move the msk reference ownership to the subflow */
subflow_req->msk = NULL;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 331/449] mtd: inftlcore: Add error check for inftl_read_oob()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (329 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 330/449] mptcp: only inc MPJoinAckHMacFailure for HMAC failures Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 332/449] mtd: rawnand: Add status chack in r852_ready() Greg Kroah-Hartman
` (124 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Miquel Raynal
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit d027951dc85cb2e15924c980dc22a6754d100c7c upstream.
In INFTL_findwriteunit(), the return value of inftl_read_oob()
need to be checked. A proper implementation can be
found in INFTL_deleteblock(). The status will be set as
SECTOR_IGNORE to break from the while-loop correctly
if the inftl_read_oob() fails.
Fixes: 8593fbc68b0d ("[MTD] Rework the out of band handling completely")
Cc: stable@vger.kernel.org # v2.6+
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/inftlcore.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/mtd/inftlcore.c
+++ b/drivers/mtd/inftlcore.c
@@ -482,10 +482,11 @@ static inline u16 INFTL_findwriteunit(st
silly = MAX_LOOPS;
while (thisEUN <= inftl->lastEUN) {
- inftl_read_oob(mtd, (thisEUN * inftl->EraseSize) +
- blockofs, 8, &retlen, (char *)&bci);
-
- status = bci.Status | bci.Status1;
+ if (inftl_read_oob(mtd, (thisEUN * inftl->EraseSize) +
+ blockofs, 8, &retlen, (char *)&bci) < 0)
+ status = SECTOR_IGNORE;
+ else
+ status = bci.Status | bci.Status1;
pr_debug("INFTL: status of block %d in EUN %d is %x\n",
block , writeEUN, status);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 332/449] mtd: rawnand: Add status chack in r852_ready()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (330 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 331/449] mtd: inftlcore: Add error check for inftl_read_oob() Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 333/449] mtd: spinand: Fix build with gcc < 7.5 Greg Kroah-Hartman
` (123 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Miquel Raynal
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit b79fe1829975556854665258cf4d2476784a89db upstream.
In r852_ready(), the dev get from r852_get_dev() need to be checked.
An unstable device should not be ready. A proper implementation can
be found in r852_read_byte(). Add a status check and return 0 when it is
unstable.
Fixes: 50a487e7719c ("mtd: rawnand: Pass a nand_chip object to chip->dev_ready()")
Cc: stable@vger.kernel.org # v4.20+
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/r852.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/mtd/nand/raw/r852.c
+++ b/drivers/mtd/nand/raw/r852.c
@@ -387,6 +387,9 @@ static int r852_wait(struct nand_chip *c
static int r852_ready(struct nand_chip *chip)
{
struct r852_device *dev = r852_get_dev(nand_to_mtd(chip));
+ if (dev->card_unstable)
+ return 0;
+
return !(r852_read_reg(dev, R852_CARD_STA) & R852_CARD_STA_BUSY);
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 333/449] mtd: spinand: Fix build with gcc < 7.5
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (331 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 332/449] mtd: rawnand: Add status chack in r852_ready() Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 334/449] arm64: mops: Do not dereference src reg for a set operation Greg Kroah-Hartman
` (122 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Jean Delvare,
Miquel Raynal
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
commit 1c1fd374a2fe72b8a6dde62d3c3a9fd153e7581c upstream.
__VA_OPT__ is a macro that is useful when some arguments can be present
or not to entirely skip some part of a definition. Unfortunately, it
is a too recent addition that some of the still supported old GCC
versions do not know about, and is anyway not part of C11 that is the
version used in the kernel.
Find a trick to remove this macro, typically '__VA_ARGS__ + 0' is a
workaround used in netlink.h which works very well here, as we either
expect:
- 0
- A positive value
- No value, which means the field should be 0.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202503181330.YcDXGy7F-lkp@intel.com/
Fixes: 7ce0d16d5802 ("mtd: spinand: Add an optional frequency to read from cache macros")
Cc: stable@vger.kernel.org
Tested-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/mtd/spinand.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/include/linux/mtd/spinand.h
+++ b/include/linux/mtd/spinand.h
@@ -67,7 +67,7 @@
SPI_MEM_OP_ADDR(2, addr, 1), \
SPI_MEM_OP_DUMMY(ndummy, 1), \
SPI_MEM_OP_DATA_IN(len, buf, 1), \
- __VA_OPT__(SPI_MEM_OP_MAX_FREQ(__VA_ARGS__)))
+ SPI_MEM_OP_MAX_FREQ(__VA_ARGS__ + 0))
#define SPINAND_PAGE_READ_FROM_CACHE_FAST_OP(addr, ndummy, buf, len) \
SPI_MEM_OP(SPI_MEM_OP_CMD(0x0b, 1), \
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 334/449] arm64: mops: Do not dereference src reg for a set operation
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (332 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 333/449] mtd: spinand: Fix build with gcc < 7.5 Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 335/449] arm64: tegra: Remove the Orin NX/Nano suspend key Greg Kroah-Hartman
` (121 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kristina Martsenko, Will Deacon,
Marc Zyngier, Keir Fraser, Mark Rutland, Catalin Marinas
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keir Fraser <keirf@google.com>
commit a13bfa4fe0d6949cea14718df2d1fe84c38cd113 upstream.
The source register is not used for SET* and reading it can result in
a UBSAN out-of-bounds array access error, specifically when the MOPS
exception is taken from a SET* sequence with XZR (reg 31) as the
source. Architecturally this is the only case where a src/dst/size
field in the ESR can be reported as 31.
Prior to 2de451a329cf662b the code in do_el0_mops() was benign as the
use of pt_regs_read_reg() prevented the out-of-bounds access.
Fixes: 2de451a329cf ("KVM: arm64: Add handler for MOPS exceptions")
Cc: <stable@vger.kernel.org> # 6.12.x
Cc: Kristina Martsenko <kristina.martsenko@arm.com>
Cc: Will Deacon <will@kernel.org>
Cc: stable@vger.kernel.org
Reviewed-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Keir Fraser <keirf@google.com>
Reviewed-by: Kristina Martšenko <kristina.martsenko@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20250326110448.3792396-1-keirf@google.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/traps.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/arm64/include/asm/traps.h
+++ b/arch/arm64/include/asm/traps.h
@@ -109,10 +109,9 @@ static inline void arm64_mops_reset_regs
int dstreg = ESR_ELx_MOPS_ISS_DESTREG(esr);
int srcreg = ESR_ELx_MOPS_ISS_SRCREG(esr);
int sizereg = ESR_ELx_MOPS_ISS_SIZEREG(esr);
- unsigned long dst, src, size;
+ unsigned long dst, size;
dst = regs->regs[dstreg];
- src = regs->regs[srcreg];
size = regs->regs[sizereg];
/*
@@ -129,6 +128,7 @@ static inline void arm64_mops_reset_regs
}
} else {
/* CPY* instruction */
+ unsigned long src = regs->regs[srcreg];
if (!(option_a ^ wrong_option)) {
/* Format is from Option B */
if (regs->pstate & PSR_N_BIT) {
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 335/449] arm64: tegra: Remove the Orin NX/Nano suspend key
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (333 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 334/449] arm64: mops: Do not dereference src reg for a set operation Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 336/449] arm64: mm: Correct the update of max_pfn Greg Kroah-Hartman
` (120 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ninad Malwade, Ivy Huang,
Thierry Reding
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ninad Malwade <nmalwade@nvidia.com>
commit bb8a3ad25f098b6ea9b1d0f522427b4ad53a7bba upstream.
As per the Orin Nano Dev Kit schematic, GPIO_G.02 is not available
on this device family. It should not be used at all on Orin NX/Nano.
Having this unused pin mapped as the suspend key can lead to
unpredictable behavior for low power modes.
Orin NX/Nano uses GPIO_EE.04 as both a "power" button and a "suspend"
button. However, we cannot have two gpio-keys mapped to the same
GPIO. Therefore remove the "suspend" key.
Cc: stable@vger.kernel.org
Fixes: e63472eda5ea ("arm64: tegra: Support Jetson Orin NX reference platform")
Signed-off-by: Ninad Malwade <nmalwade@nvidia.com>
Signed-off-by: Ivy Huang <yijuh@nvidia.com>
Link: https://lore.kernel.org/r/20250206224034.3691397-1-yijuh@nvidia.com
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/nvidia/tegra234-p3768-0000+p3767.dtsi | 7 -------
1 file changed, 7 deletions(-)
--- a/arch/arm64/boot/dts/nvidia/tegra234-p3768-0000+p3767.dtsi
+++ b/arch/arm64/boot/dts/nvidia/tegra234-p3768-0000+p3767.dtsi
@@ -227,13 +227,6 @@
wakeup-event-action = <EV_ACT_ASSERTED>;
wakeup-source;
};
-
- key-suspend {
- label = "Suspend";
- gpios = <&gpio TEGRA234_MAIN_GPIO(G, 2) GPIO_ACTIVE_LOW>;
- linux,input-type = <EV_KEY>;
- linux,code = <KEY_SLEEP>;
- };
};
fan: pwm-fan {
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 336/449] arm64: mm: Correct the update of max_pfn
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (334 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 335/449] arm64: tegra: Remove the Orin NX/Nano suspend key Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 337/449] arm64: dts: ti: k3-j784s4-j742s2-main-common: Correct the GICD size Greg Kroah-Hartman
` (119 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhenhua Huang, David Hildenbrand,
Anshuman Khandual, Catalin Marinas
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhenhua Huang <quic_zhenhuah@quicinc.com>
commit 89f43e1ce6f60d4f44399059595ac47f7a90a393 upstream.
Hotplugged memory can be smaller than the original memory. For example,
on my target:
root@genericarmv8:~# cat /sys/kernel/debug/memblock/memory
0: 0x0000000064005000..0x0000000064023fff 0 NOMAP
1: 0x0000000064400000..0x00000000647fffff 0 NOMAP
2: 0x0000000068000000..0x000000006fffffff 0 DRV_MNG
3: 0x0000000088800000..0x0000000094ffefff 0 NONE
4: 0x0000000094fff000..0x0000000094ffffff 0 NOMAP
max_pfn will affect read_page_owner. Therefore, it should first compare and
then select the larger value for max_pfn.
Fixes: 8fac67ca236b ("arm64: mm: update max_pfn after memory hotplug")
Cc: <stable@vger.kernel.org> # 6.1.x
Signed-off-by: Zhenhua Huang <quic_zhenhuah@quicinc.com>
Acked-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Link: https://lore.kernel.org/r/20250321070019.1271859-1-quic_zhenhuah@quicinc.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/mm/mmu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -1361,7 +1361,8 @@ int arch_add_memory(int nid, u64 start,
__remove_pgd_mapping(swapper_pg_dir,
__phys_to_virt(start), size);
else {
- max_pfn = PFN_UP(start + size);
+ /* Address of hotplugged memory can be smaller */
+ max_pfn = max(max_pfn, PFN_UP(start + size));
max_low_pfn = max_pfn;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 337/449] arm64: dts: ti: k3-j784s4-j742s2-main-common: Correct the GICD size
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (335 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 336/449] arm64: mm: Correct the update of max_pfn Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 338/449] arm64: dts: ti: k3-j784s4-j742s2-main-common: Fix serdes_ln_ctrl reg-masks Greg Kroah-Hartman
` (118 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Keerthy, Vignesh Raghavendra
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keerthy <j-keerthy@ti.com>
commit 398898f9cca1a19a83184430c675562680e57c7b upstream.
Currently we get the warning:
"GICv3: [Firmware Bug]: GICR region 0x0000000001900000 has
overlapping address"
As per TRM GICD is 64 KB. Fix it by correcting the size of GICD.
Cc: stable@vger.kernel.org
Fixes: 9cc161a4509c ("arm64: dts: ti: Refactor J784s4 SoC files to a common file")
Link: https://lore.kernel.org/r/20250218052248.4734-1-j-keerthy@ti.com
Signed-off-by: Keerthy <j-keerthy@ti.com>
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/ti/k3-j784s4-j742s2-main-common.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/boot/dts/ti/k3-j784s4-j742s2-main-common.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-j784s4-j742s2-main-common.dtsi
@@ -193,7 +193,7 @@
ranges;
#interrupt-cells = <3>;
interrupt-controller;
- reg = <0x00 0x01800000 0x00 0x200000>, /* GICD */
+ reg = <0x00 0x01800000 0x00 0x10000>, /* GICD */
<0x00 0x01900000 0x00 0x100000>, /* GICR */
<0x00 0x6f000000 0x00 0x2000>, /* GICC */
<0x00 0x6f010000 0x00 0x1000>, /* GICH */
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 338/449] arm64: dts: ti: k3-j784s4-j742s2-main-common: Fix serdes_ln_ctrl reg-masks
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (336 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 337/449] arm64: dts: ti: k3-j784s4-j742s2-main-common: Correct the GICD size Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 339/449] arm64: dts: mediatek: mt8188: Assign apll1 clock as parent to avoid hang Greg Kroah-Hartman
` (117 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Siddharth Vadapalli,
Vignesh Raghavendra
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Siddharth Vadapalli <s-vadapalli@ti.com>
commit 38e7f9092efbbf2a4a67e4410b55b797f8d1e184 upstream.
Commit under Fixes added the 'idle-states' property for SERDES4 lane muxes
without defining the corresponding register offsets and masks for it in the
'mux-reg-masks' property within the 'serdes_ln_ctrl' node.
Fix this.
Fixes: 7287d423f138 ("arm64: dts: ti: k3-j784s4-main: Add system controller and SERDES lane mux")
Cc: stable@vger.kernel.org
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
Link: https://lore.kernel.org/r/20250228053850.506028-1-s-vadapalli@ti.com
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/ti/k3-j784s4-j742s2-main-common.dtsi | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/arch/arm64/boot/dts/ti/k3-j784s4-j742s2-main-common.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-j784s4-j742s2-main-common.dtsi
@@ -84,7 +84,9 @@
<0x10 0x3>, <0x14 0x3>, /* SERDES1 lane0/1 select */
<0x18 0x3>, <0x1c 0x3>, /* SERDES1 lane2/3 select */
<0x20 0x3>, <0x24 0x3>, /* SERDES2 lane0/1 select */
- <0x28 0x3>, <0x2c 0x3>; /* SERDES2 lane2/3 select */
+ <0x28 0x3>, <0x2c 0x3>, /* SERDES2 lane2/3 select */
+ <0x40 0x3>, <0x44 0x3>, /* SERDES4 lane0/1 select */
+ <0x48 0x3>, <0x4c 0x3>; /* SERDES4 lane2/3 select */
idle-states = <J784S4_SERDES0_LANE0_PCIE1_LANE0>,
<J784S4_SERDES0_LANE1_PCIE1_LANE1>,
<J784S4_SERDES0_LANE2_IP3_UNUSED>,
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 339/449] arm64: dts: mediatek: mt8188: Assign apll1 clock as parent to avoid hang
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (337 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 338/449] arm64: dts: ti: k3-j784s4-j742s2-main-common: Fix serdes_ln_ctrl reg-masks Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 340/449] arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string Greg Kroah-Hartman
` (116 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, AngeloGioacchino Del Regno,
Nícolas F . R . A . Prado
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nícolas F. R. A. Prado <nfraprado@collabora.com>
commit a69d5795f12b06d07b6437cafdd08f929fff2706 upstream.
Certain registers in the AFE IO space require the apll1 clock to be
enabled in order to be read, otherwise the machine hangs (registers like
0x280, 0x410 (AFE_GAIN1_CON0) and 0x830 (AFE_CONN0_5)). During AFE
driver probe, when initializing the regmap for the AFE IO space those
registers are read, resulting in a hang during boot.
This has been observed on the Genio 700 EVK, Genio 510 EVK and
MT8188-Geralt-Ciri Chromebook, all of which are based on the MT8188 SoC.
Assign CLK_TOP_APLL1_D4 as the parent for CLK_TOP_A1SYS_HP, which is
enabled during register read and write, to make sure the apll1 is
enabled during register operations and prevent the MT8188 machines from
hanging during boot.
Cc: stable@vger.kernel.org
Fixes: bd568ce198b8 ("arm64: dts: mediatek: mt8188: Add audio support")
Suggested-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
Link: https://lore.kernel.org/r/20250207-mt8188-afe-fix-hang-disabled-apll1-clk-v2-1-a636d844c272@collabora.com
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/mediatek/mt8188.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/boot/dts/mediatek/mt8188.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt8188.dtsi
@@ -1392,7 +1392,7 @@
compatible = "mediatek,mt8188-afe";
reg = <0 0x10b10000 0 0x10000>;
assigned-clocks = <&topckgen CLK_TOP_A1SYS_HP>;
- assigned-clock-parents = <&clk26m>;
+ assigned-clock-parents = <&topckgen CLK_TOP_APLL1_D4>;
clocks = <&clk26m>,
<&apmixedsys CLK_APMIXED_APLL1>,
<&apmixedsys CLK_APMIXED_APLL2>,
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 340/449] arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (338 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 339/449] arm64: dts: mediatek: mt8188: Assign apll1 clock as parent to avoid hang Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 341/449] arm64: dts: exynos: gs101: disable pinctrl_gsacore node Greg Kroah-Hartman
` (115 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, YH Huang, Chen-Yu Tsai,
AngeloGioacchino Del Regno
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen-Yu Tsai <wenst@chromium.org>
commit 46ad36002088eff8fc5cae200aa42ae9f9310ddd upstream.
The MT8173 disp-pwm device should have only one compatible string, based
on the following DT validation error:
arch/arm64/boot/dts/mediatek/mt8173-elm.dtb: pwm@1401e000: compatible: 'oneOf' conditional failed, one must be fixed:
['mediatek,mt8173-disp-pwm', 'mediatek,mt6595-disp-pwm'] is too long
'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt6795-disp-pwm', 'mediatek,mt8167-disp-pwm']
'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt8186-disp-pwm', 'mediatek,mt8188-disp-pwm', 'mediatek,mt8192-disp-pwm', 'mediatek,mt8195-disp-pwm', 'mediatek,mt8365-disp-pwm']
'mediatek,mt8173-disp-pwm' was expected
'mediatek,mt8183-disp-pwm' was expected
from schema $id: http://devicetree.org/schemas/pwm/mediatek,pwm-disp.yaml#
arch/arm64/boot/dts/mediatek/mt8173-elm.dtb: pwm@1401f000: compatible: 'oneOf' conditional failed, one must be fixed:
['mediatek,mt8173-disp-pwm', 'mediatek,mt6595-disp-pwm'] is too long
'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt6795-disp-pwm', 'mediatek,mt8167-disp-pwm']
'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt8186-disp-pwm', 'mediatek,mt8188-disp-pwm', 'mediatek,mt8192-disp-pwm', 'mediatek,mt8195-disp-pwm', 'mediatek,mt8365-disp-pwm']
'mediatek,mt8173-disp-pwm' was expected
'mediatek,mt8183-disp-pwm' was expected
from schema $id: http://devicetree.org/schemas/pwm/mediatek,pwm-disp.yaml#
Drop the extra "mediatek,mt6595-disp-pwm" compatible string.
Fixes: 61aee9342514 ("arm64: dts: mt8173: add MT8173 display PWM driver support node")
Cc: YH Huang <yh.huang@mediatek.com>
Cc: stable@vger.kernel.org # v4.5+
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/20250108083424.2732375-2-wenst@chromium.org
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/mediatek/mt8173.dtsi | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/arch/arm64/boot/dts/mediatek/mt8173.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt8173.dtsi
@@ -1255,8 +1255,7 @@
};
pwm0: pwm@1401e000 {
- compatible = "mediatek,mt8173-disp-pwm",
- "mediatek,mt6595-disp-pwm";
+ compatible = "mediatek,mt8173-disp-pwm";
reg = <0 0x1401e000 0 0x1000>;
#pwm-cells = <2>;
clocks = <&mmsys CLK_MM_DISP_PWM026M>,
@@ -1266,8 +1265,7 @@
};
pwm1: pwm@1401f000 {
- compatible = "mediatek,mt8173-disp-pwm",
- "mediatek,mt6595-disp-pwm";
+ compatible = "mediatek,mt8173-disp-pwm";
reg = <0 0x1401f000 0 0x1000>;
#pwm-cells = <2>;
clocks = <&mmsys CLK_MM_DISP_PWM126M>,
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 341/449] arm64: dts: exynos: gs101: disable pinctrl_gsacore node
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (339 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 340/449] arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 342/449] backlight: led_bl: Hold led_access lock when calling led_sysfs_disable() Greg Kroah-Hartman
` (114 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Alim Akhtar
Cc: Greg Kroah-Hartman, patches, Peter Griffin, linux-arm-kernel,
linux-samsung-soc, devicetree, linux-kernel, tudor.ambarus,
andre.draszik, kernel-team, willmcvicker, Krzysztof Kozlowski
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Griffin <peter.griffin@linaro.org>
commit 168e24966f10ff635b0ec9728aa71833bf850ee5 upstream.
gsacore registers are not accessible from normal world.
Disable this node, so that the suspend/resume callbacks
in the pinctrl driver don't cause a Serror attempting to
access the registers.
Fixes: ea89fdf24fd9 ("arm64: dts: exynos: google: Add initial Google gs101 SoC support")
Signed-off-by: Peter Griffin <peter.griffin@linaro.org>
To: Rob Herring <robh@kernel.org>
To: Krzysztof Kozlowski <krzk+dt@kernel.org>
To: Conor Dooley <conor+dt@kernel.org>
To: Alim Akhtar <alim.akhtar@samsung.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-samsung-soc@vger.kernel.org
Cc: devicetree@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: tudor.ambarus@linaro.org
Cc: andre.draszik@linaro.org
Cc: kernel-team@android.com
Cc: willmcvicker@google.com
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250106-contrib-pg-pinctrl_gsacore_disable-v1-1-d3fc88a48aed@linaro.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/exynos/google/gs101.dtsi | 1 +
1 file changed, 1 insertion(+)
--- a/arch/arm64/boot/dts/exynos/google/gs101.dtsi
+++ b/arch/arm64/boot/dts/exynos/google/gs101.dtsi
@@ -1454,6 +1454,7 @@
/* TODO: update once support for this CMU exists */
clocks = <0>;
clock-names = "pclk";
+ status = "disabled";
};
cmu_top: clock-controller@1e080000 {
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 342/449] backlight: led_bl: Hold led_access lock when calling led_sysfs_disable()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (340 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 341/449] arm64: dts: exynos: gs101: disable pinctrl_gsacore node Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 343/449] btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers Greg Kroah-Hartman
` (113 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Herve Codina, Lee Jones
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herve Codina <herve.codina@bootlin.com>
commit 276822a00db3c1061382b41e72cafc09d6a0ec30 upstream.
Lockdep detects the following issue on led-backlight removal:
[ 142.315935] ------------[ cut here ]------------
[ 142.315954] WARNING: CPU: 2 PID: 292 at drivers/leds/led-core.c:455 led_sysfs_enable+0x54/0x80
...
[ 142.500725] Call trace:
[ 142.503176] led_sysfs_enable+0x54/0x80 (P)
[ 142.507370] led_bl_remove+0x80/0xa8 [led_bl]
[ 142.511742] platform_remove+0x30/0x58
[ 142.515501] device_remove+0x54/0x90
...
Indeed, led_sysfs_enable() has to be called with the led_access
lock held.
Hold the lock when calling led_sysfs_disable().
Fixes: ae232e45acf9 ("backlight: add led-backlight driver")
Cc: stable@vger.kernel.org
Signed-off-by: Herve Codina <herve.codina@bootlin.com>
Link: https://lore.kernel.org/r/20250122091914.309533-1-herve.codina@bootlin.com
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/backlight/led_bl.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/video/backlight/led_bl.c
+++ b/drivers/video/backlight/led_bl.c
@@ -229,8 +229,11 @@ static void led_bl_remove(struct platfor
backlight_device_unregister(bl);
led_bl_power_off(priv);
- for (i = 0; i < priv->nb_leds; i++)
+ for (i = 0; i < priv->nb_leds; i++) {
+ mutex_lock(&priv->leds[i]->led_access);
led_sysfs_enable(priv->leds[i]);
+ mutex_unlock(&priv->leds[i]->led_access);
+ }
}
static const struct of_device_id led_bl_of_match[] = {
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 343/449] btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (341 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 342/449] backlight: led_bl: Hold led_access lock when calling led_sysfs_disable() Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 344/449] btrfs: tests: fix chunk map leak after failure to add it to the tree Greg Kroah-Hartman
` (112 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Filipe Manana,
David Sterba
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 4c782247b89376a83fa132f7d45d6977edae0629 upstream.
At close_ctree() after we have ran delayed iputs either through explicitly
calling btrfs_run_delayed_iputs() or later during the call to
btrfs_commit_super() or btrfs_error_commit_super(), we assert that the
delayed iputs list is empty.
When we have compressed writes this assertion may fail because delayed
iputs may have been added to the list after we last ran delayed iputs.
This happens like this:
1) We have a compressed write bio executing;
2) We enter close_ctree() and flush the fs_info->endio_write_workers
queue which is the queue used for running ordered extent completion;
3) The compressed write bio finishes and enters
btrfs_finish_compressed_write_work(), where it calls
btrfs_finish_ordered_extent() which in turn calls
btrfs_queue_ordered_fn(), which queues a work item in the
fs_info->endio_write_workers queue that we have flushed before;
4) At close_ctree() we proceed, run all existing delayed iputs and
call btrfs_commit_super() (which also runs delayed iputs), but before
we run the following assertion below:
ASSERT(list_empty(&fs_info->delayed_iputs))
A delayed iput is added by the step below...
5) The ordered extent completion job queued in step 3 runs and results in
creating a delayed iput when dropping the last reference of the ordered
extent (a call to btrfs_put_ordered_extent() made from
btrfs_finish_one_ordered());
6) At this point the delayed iputs list is not empty, so the assertion at
close_ctree() fails.
Fix this by flushing the fs_info->compressed_write_workers queue at
close_ctree() before flushing the fs_info->endio_write_workers queue,
respecting the queue dependency as the later is responsible for the
execution of ordered extent completion.
CC: stable@vger.kernel.org # 5.15+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/disk-io.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -4349,6 +4349,18 @@ void __cold close_ctree(struct btrfs_fs_
btrfs_flush_workqueue(fs_info->delalloc_workers);
/*
+ * When finishing a compressed write bio we schedule a work queue item
+ * to finish an ordered extent - btrfs_finish_compressed_write_work()
+ * calls btrfs_finish_ordered_extent() which in turns does a call to
+ * btrfs_queue_ordered_fn(), and that queues the ordered extent
+ * completion either in the endio_write_workers work queue or in the
+ * fs_info->endio_freespace_worker work queue. We flush those queues
+ * below, so before we flush them we must flush this queue for the
+ * workers of compressed writes.
+ */
+ flush_workqueue(fs_info->compressed_write_workers);
+
+ /*
* After we parked the cleaner kthread, ordered extents may have
* completed and created new delayed iputs. If one of the async reclaim
* tasks is running and in the RUN_DELAYED_IPUTS flush state, then we
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 344/449] btrfs: tests: fix chunk map leak after failure to add it to the tree
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (342 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 343/449] btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 345/449] btrfs: zoned: fix zone activation with missing devices Greg Kroah-Hartman
` (111 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Boris Burkov, Filipe Manana,
David Sterba
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 009ca358486ded9b4822eddb924009b6848d7271 upstream.
If we fail to add the chunk map to the fs mapping tree we exit
test_rmap_block() without freeing the chunk map. Fix this by adding a
call to btrfs_free_chunk_map() before exiting the test function if the
call to btrfs_add_chunk_map() failed.
Fixes: 7dc66abb5a47 ("btrfs: use a dedicated data structure for chunk maps")
CC: stable@vger.kernel.org # 6.12+
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/tests/extent-map-tests.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/btrfs/tests/extent-map-tests.c
+++ b/fs/btrfs/tests/extent-map-tests.c
@@ -1045,6 +1045,7 @@ static int test_rmap_block(struct btrfs_
ret = btrfs_add_chunk_map(fs_info, map);
if (ret) {
test_err("error adding chunk map to mapping tree");
+ btrfs_free_chunk_map(map);
goto out_free;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 345/449] btrfs: zoned: fix zone activation with missing devices
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (343 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 344/449] btrfs: tests: fix chunk map leak after failure to add it to the tree Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 346/449] btrfs: zoned: fix zone finishing " Greg Kroah-Hartman
` (110 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Naohiro Aota, Anand Jain,
Johannes Thumshirn, David Sterba
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
commit 2bbc4a45e5eb6b868357c1045bf6f38f6ba576e0 upstream.
If btrfs_zone_activate() is called with a filesystem that has missing
devices (e.g. a RAID file system mounted in degraded mode) it is accessing
the btrfs_device::zone_info pointer, which will not be set if the device in
question is missing.
Check if the device is present (by checking if it has a valid block
device pointer associated) and if not, skip zone activation for it.
Fixes: f9a912a3c45f ("btrfs: zoned: make zone activation multi stripe capable")
CC: stable@vger.kernel.org # 6.1+
Reviewed-by: Naohiro Aota <naohiro.aota@wdc.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/zoned.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/btrfs/zoned.c
+++ b/fs/btrfs/zoned.c
@@ -2111,6 +2111,9 @@ bool btrfs_zone_activate(struct btrfs_bl
physical = map->stripes[i].physical;
zinfo = device->zone_info;
+ if (!device->bdev)
+ continue;
+
if (zinfo->max_active_zones == 0)
continue;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 346/449] btrfs: zoned: fix zone finishing with missing devices
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (344 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 345/449] btrfs: zoned: fix zone activation with missing devices Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 347/449] iommufd: Fix uninitialized rc in iommufd_access_rw() Greg Kroah-Hartman
` (109 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Naohiro Aota, Anand Jain,
Johannes Thumshirn, David Sterba
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
commit 35fec1089ebb5617f85884d3fa6a699ce6337a75 upstream.
If do_zone_finish() is called with a filesystem that has missing devices
(e.g. a RAID file system mounted in degraded mode) it is accessing the
btrfs_device::zone_info pointer, which will not be set if the device
in question is missing.
Check if the device is present (by checking if it has a valid block device
pointer associated) and if not, skip zone finishing for it.
Fixes: 4dcbb8ab31c1 ("btrfs: zoned: make zone finishing multi stripe capable")
CC: stable@vger.kernel.org # 6.1+
Reviewed-by: Naohiro Aota <naohiro.aota@wdc.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/zoned.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/btrfs/zoned.c
+++ b/fs/btrfs/zoned.c
@@ -2275,6 +2275,9 @@ static int do_zone_finish(struct btrfs_b
struct btrfs_zoned_device_info *zinfo = device->zone_info;
unsigned int nofs_flags;
+ if (!device->bdev)
+ continue;
+
if (zinfo->max_active_zones == 0)
continue;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 347/449] iommufd: Fix uninitialized rc in iommufd_access_rw()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (345 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 346/449] btrfs: zoned: fix zone finishing " Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 348/449] iommu/tegra241-cmdqv: Fix warnings due to dmam_free_coherent() Greg Kroah-Hartman
` (108 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Dan Carpenter,
Nicolin Chen, Jason Gunthorpe
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolin Chen <nicolinc@nvidia.com>
commit a05df03a88bc1088be8e9d958f208d6484691e43 upstream.
Reported by smatch:
drivers/iommu/iommufd/device.c:1392 iommufd_access_rw() error: uninitialized symbol 'rc'.
Fixes: 8d40205f6093 ("iommufd: Add kAPI toward external drivers for kernel access")
Link: https://patch.msgid.link/r/20250227200729.85030-1-nicolinc@nvidia.com
Cc: stable@vger.kernel.org
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202502271339.a2nWr9UA-lkp@intel.com/
[nicolinc: can't find an original report but only in "old smatch warnings"]
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iommufd/device.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iommu/iommufd/device.c
+++ b/drivers/iommu/iommufd/device.c
@@ -1127,7 +1127,7 @@ int iommufd_access_rw(struct iommufd_acc
struct io_pagetable *iopt;
struct iopt_area *area;
unsigned long last_iova;
- int rc;
+ int rc = -EINVAL;
if (!length)
return -EINVAL;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 348/449] iommu/tegra241-cmdqv: Fix warnings due to dmam_free_coherent()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (346 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 347/449] iommufd: Fix uninitialized rc in iommufd_access_rw() Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 349/449] iommu/vt-d: Put IRTE back into posted MSI mode if vCPU posting is disabled Greg Kroah-Hartman
` (107 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe, Nicolin Chen,
Joerg Roedel
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolin Chen <nicolinc@nvidia.com>
commit 767e22001dfce64cc03b7def1562338591ab6031 upstream.
Two WARNINGs are observed when SMMU driver rolls back upon failure:
arm-smmu-v3.9.auto: Failed to register iommu
arm-smmu-v3.9.auto: probe with driver arm-smmu-v3 failed with error -22
------------[ cut here ]------------
WARNING: CPU: 5 PID: 1 at kernel/dma/mapping.c:74 dmam_free_coherent+0xc0/0xd8
Call trace:
dmam_free_coherent+0xc0/0xd8 (P)
tegra241_vintf_free_lvcmdq+0x74/0x188
tegra241_cmdqv_remove_vintf+0x60/0x148
tegra241_cmdqv_remove+0x48/0xc8
arm_smmu_impl_remove+0x28/0x60
devm_action_release+0x1c/0x40
------------[ cut here ]------------
128 pages are still in use!
WARNING: CPU: 16 PID: 1 at mm/page_alloc.c:6902 free_contig_range+0x18c/0x1c8
Call trace:
free_contig_range+0x18c/0x1c8 (P)
cma_release+0x154/0x2f0
dma_free_contiguous+0x38/0xa0
dma_direct_free+0x10c/0x248
dma_free_attrs+0x100/0x290
dmam_free_coherent+0x78/0xd8
tegra241_vintf_free_lvcmdq+0x74/0x160
tegra241_cmdqv_remove+0x98/0x198
arm_smmu_impl_remove+0x28/0x60
devm_action_release+0x1c/0x40
This is because the LVCMDQ queue memory are managed by devres, while that
dmam_free_coherent() is called in the context of devm_action_release().
Jason pointed out that "arm_smmu_impl_probe() has mis-ordered the devres
callbacks if ops->device_remove() is going to be manually freeing things
that probe allocated":
https://lore.kernel.org/linux-iommu/20250407174408.GB1722458@nvidia.com/
In fact, tegra241_cmdqv_init_structures() only allocates memory resources
which means any failure that it generates would be similar to -ENOMEM, so
there is no point in having that "falling back to standard SMMU" routine,
as the standard SMMU would likely fail to allocate memory too.
Remove the unwind part in tegra241_cmdqv_init_structures(), and return a
proper error code to ask SMMU driver to call tegra241_cmdqv_remove() via
impl_ops->device_remove(). Then, drop tegra241_vintf_free_lvcmdq() since
devres will take care of that.
Fixes: 483e0bd8883a ("iommu/tegra241-cmdqv: Do not allocate vcmdq until dma_set_mask_and_coherent")
Cc: stable@vger.kernel.org
Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Link: https://lore.kernel.org/r/20250407201908.172225-1-nicolinc@nvidia.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c | 32 +++----------------------
1 file changed, 5 insertions(+), 27 deletions(-)
--- a/drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c
+++ b/drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c
@@ -487,17 +487,6 @@ static int tegra241_cmdqv_hw_reset(struc
/* VCMDQ Resource Helpers */
-static void tegra241_vcmdq_free_smmu_cmdq(struct tegra241_vcmdq *vcmdq)
-{
- struct arm_smmu_queue *q = &vcmdq->cmdq.q;
- size_t nents = 1 << q->llq.max_n_shift;
- size_t qsz = nents << CMDQ_ENT_SZ_SHIFT;
-
- if (!q->base)
- return;
- dmam_free_coherent(vcmdq->cmdqv->smmu.dev, qsz, q->base, q->base_dma);
-}
-
static int tegra241_vcmdq_alloc_smmu_cmdq(struct tegra241_vcmdq *vcmdq)
{
struct arm_smmu_device *smmu = &vcmdq->cmdqv->smmu;
@@ -560,7 +549,8 @@ static void tegra241_vintf_free_lvcmdq(s
struct tegra241_vcmdq *vcmdq = vintf->lvcmdqs[lidx];
char header[64];
- tegra241_vcmdq_free_smmu_cmdq(vcmdq);
+ /* Note that the lvcmdq queue memory space is managed by devres */
+
tegra241_vintf_deinit_lvcmdq(vintf, lidx);
dev_dbg(vintf->cmdqv->dev,
@@ -768,13 +758,13 @@ static int tegra241_cmdqv_init_structure
vintf = kzalloc(sizeof(*vintf), GFP_KERNEL);
if (!vintf)
- goto out_fallback;
+ return -ENOMEM;
/* Init VINTF0 for in-kernel use */
ret = tegra241_cmdqv_init_vintf(cmdqv, 0, vintf);
if (ret) {
dev_err(cmdqv->dev, "failed to init vintf0: %d\n", ret);
- goto free_vintf;
+ return ret;
}
/* Preallocate logical VCMDQs to VINTF0 */
@@ -783,24 +773,12 @@ static int tegra241_cmdqv_init_structure
vcmdq = tegra241_vintf_alloc_lvcmdq(vintf, lidx);
if (IS_ERR(vcmdq))
- goto free_lvcmdq;
+ return PTR_ERR(vcmdq);
}
/* Now, we are ready to run all the impl ops */
smmu->impl_ops = &tegra241_cmdqv_impl_ops;
return 0;
-
-free_lvcmdq:
- for (lidx--; lidx >= 0; lidx--)
- tegra241_vintf_free_lvcmdq(vintf, lidx);
- tegra241_cmdqv_deinit_vintf(cmdqv, vintf->idx);
-free_vintf:
- kfree(vintf);
-out_fallback:
- dev_info(smmu->impl_dev, "Falling back to standard SMMU CMDQ\n");
- smmu->options &= ~ARM_SMMU_OPT_TEGRA241_CMDQV;
- tegra241_cmdqv_remove(smmu);
- return 0;
}
#ifdef CONFIG_IOMMU_DEBUGFS
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 349/449] iommu/vt-d: Put IRTE back into posted MSI mode if vCPU posting is disabled
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (347 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 348/449] iommu/tegra241-cmdqv: Fix warnings due to dmam_free_coherent() Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 350/449] iommu/vt-d: Dont clobber posted vCPU IRTE when host IRQ affinity changes Greg Kroah-Hartman
` (106 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Gleixner, Jacob Pan,
Sean Christopherson, Lu Baolu, Joerg Roedel
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 2454823e97a63d85a6b215905f71e5a06324eab7 upstream.
Add a helper to take care of reconfiguring an IRTE to deliver IRQs to the
host, i.e. not to a vCPU, and use the helper when an IRTE's vCPU affinity
is nullified, i.e. when KVM puts an IRTE back into "host" mode. Because
posted MSIs use an ephemeral IRTE, using modify_irte() puts the IRTE into
full remapped mode, i.e. unintentionally disables posted MSIs on the IRQ.
Fixes: ed1e48ea4370 ("iommu/vt-d: Enable posted mode for device MSIs")
Cc: stable@vger.kernel.org
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Link: https://lore.kernel.org/r/20250315025135.2365846-2-seanjc@google.com
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/intel/irq_remapping.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
--- a/drivers/iommu/intel/irq_remapping.c
+++ b/drivers/iommu/intel/irq_remapping.c
@@ -1169,7 +1169,17 @@ static void intel_ir_reconfigure_irte_po
static inline void intel_ir_reconfigure_irte_posted(struct irq_data *irqd) {}
#endif
-static void intel_ir_reconfigure_irte(struct irq_data *irqd, bool force)
+static void __intel_ir_reconfigure_irte(struct irq_data *irqd, bool force_host)
+{
+ struct intel_ir_data *ir_data = irqd->chip_data;
+
+ if (ir_data->irq_2_iommu.posted_msi)
+ intel_ir_reconfigure_irte_posted(irqd);
+ else if (force_host || ir_data->irq_2_iommu.mode == IRQ_REMAPPING)
+ modify_irte(&ir_data->irq_2_iommu, &ir_data->irte_entry);
+}
+
+static void intel_ir_reconfigure_irte(struct irq_data *irqd, bool force_host)
{
struct intel_ir_data *ir_data = irqd->chip_data;
struct irte *irte = &ir_data->irte_entry;
@@ -1182,10 +1192,7 @@ static void intel_ir_reconfigure_irte(st
irte->vector = cfg->vector;
irte->dest_id = IRTE_DEST(cfg->dest_apicid);
- if (ir_data->irq_2_iommu.posted_msi)
- intel_ir_reconfigure_irte_posted(irqd);
- else if (force || ir_data->irq_2_iommu.mode == IRQ_REMAPPING)
- modify_irte(&ir_data->irq_2_iommu, irte);
+ __intel_ir_reconfigure_irte(irqd, force_host);
}
/*
@@ -1240,7 +1247,7 @@ static int intel_ir_set_vcpu_affinity(st
/* stop posting interrupts, back to the default mode */
if (!vcpu_pi_info) {
- modify_irte(&ir_data->irq_2_iommu, &ir_data->irte_entry);
+ __intel_ir_reconfigure_irte(data, true);
} else {
struct irte irte_pi;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 350/449] iommu/vt-d: Dont clobber posted vCPU IRTE when host IRQ affinity changes
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (348 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 349/449] iommu/vt-d: Put IRTE back into posted MSI mode if vCPU posting is disabled Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 351/449] iommu/vt-d: Fix possible circular locking dependency Greg Kroah-Hartman
` (105 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Gleixner, Jacob Pan,
Sean Christopherson, Lu Baolu, Joerg Roedel
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 688124cc541f60d26a7547f45637b23dada4e527 upstream.
Don't overwrite an IRTE that is posting IRQs to a vCPU with a posted MSI
entry if the host IRQ affinity happens to change. If/when the IRTE is
reverted back to "host mode", it will be reconfigured as a posted MSI or
remapped entry as appropriate.
Drop the "mode" field, which doesn't differentiate between posted MSIs and
posted vCPUs, in favor of a dedicated posted_vcpu flag. Note! The two
posted_{msi,vcpu} flags are intentionally not mutually exclusive; an IRTE
can transition between posted MSI and posted vCPU.
Fixes: ed1e48ea4370 ("iommu/vt-d: Enable posted mode for device MSIs")
Cc: stable@vger.kernel.org
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Link: https://lore.kernel.org/r/20250315025135.2365846-3-seanjc@google.com
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/intel/irq_remapping.c | 25 +++++++++++++++----------
1 file changed, 15 insertions(+), 10 deletions(-)
--- a/drivers/iommu/intel/irq_remapping.c
+++ b/drivers/iommu/intel/irq_remapping.c
@@ -25,11 +25,6 @@
#include "../irq_remapping.h"
#include "../iommu-pages.h"
-enum irq_mode {
- IRQ_REMAPPING,
- IRQ_POSTING,
-};
-
struct ioapic_scope {
struct intel_iommu *iommu;
unsigned int id;
@@ -49,8 +44,8 @@ struct irq_2_iommu {
u16 irte_index;
u16 sub_handle;
u8 irte_mask;
- enum irq_mode mode;
bool posted_msi;
+ bool posted_vcpu;
};
struct intel_ir_data {
@@ -138,7 +133,6 @@ static int alloc_irte(struct intel_iommu
irq_iommu->irte_index = index;
irq_iommu->sub_handle = 0;
irq_iommu->irte_mask = mask;
- irq_iommu->mode = IRQ_REMAPPING;
}
raw_spin_unlock_irqrestore(&irq_2_ir_lock, flags);
@@ -193,8 +187,6 @@ static int modify_irte(struct irq_2_iomm
rc = qi_flush_iec(iommu, index, 0);
- /* Update iommu mode according to the IRTE mode */
- irq_iommu->mode = irte->pst ? IRQ_POSTING : IRQ_REMAPPING;
raw_spin_unlock_irqrestore(&irq_2_ir_lock, flags);
return rc;
@@ -1173,9 +1165,18 @@ static void __intel_ir_reconfigure_irte(
{
struct intel_ir_data *ir_data = irqd->chip_data;
+ /*
+ * Don't modify IRTEs for IRQs that are being posted to vCPUs if the
+ * host CPU affinity changes.
+ */
+ if (ir_data->irq_2_iommu.posted_vcpu && !force_host)
+ return;
+
+ ir_data->irq_2_iommu.posted_vcpu = false;
+
if (ir_data->irq_2_iommu.posted_msi)
intel_ir_reconfigure_irte_posted(irqd);
- else if (force_host || ir_data->irq_2_iommu.mode == IRQ_REMAPPING)
+ else
modify_irte(&ir_data->irq_2_iommu, &ir_data->irte_entry);
}
@@ -1270,6 +1271,7 @@ static int intel_ir_set_vcpu_affinity(st
irte_pi.pda_h = (vcpu_pi_info->pi_desc_addr >> 32) &
~(-1UL << PDA_HIGH_BIT);
+ ir_data->irq_2_iommu.posted_vcpu = true;
modify_irte(&ir_data->irq_2_iommu, &irte_pi);
}
@@ -1496,6 +1498,9 @@ static void intel_irq_remapping_deactiva
struct intel_ir_data *data = irq_data->chip_data;
struct irte entry;
+ WARN_ON_ONCE(data->irq_2_iommu.posted_vcpu);
+ data->irq_2_iommu.posted_vcpu = false;
+
memset(&entry, 0, sizeof(entry));
modify_irte(&data->irq_2_iommu, &entry);
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 351/449] iommu/vt-d: Fix possible circular locking dependency
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (349 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 350/449] iommu/vt-d: Dont clobber posted vCPU IRTE when host IRQ affinity changes Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 352/449] iommu/vt-d: Wire up irq_ack() to irq_move_irq() for posted MSIs Greg Kroah-Hartman
` (104 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chaitanya Kumar Borah, Lu Baolu,
Joerg Roedel
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lu Baolu <baolu.lu@linux.intel.com>
commit 93ae6e68b6d6b62d92b3a89d1c253d4a1721a1d3 upstream.
We have recently seen report of lockdep circular lock dependency warnings
on platforms like Skylake and Kabylake:
======================================================
WARNING: possible circular locking dependency detected
6.14.0-rc6-CI_DRM_16276-gca2c04fe76e8+ #1 Not tainted
------------------------------------------------------
swapper/0/1 is trying to acquire lock:
ffffffff8360ee48 (iommu_probe_device_lock){+.+.}-{3:3},
at: iommu_probe_device+0x1d/0x70
but task is already holding lock:
ffff888102c7efa8 (&device->physical_node_lock){+.+.}-{3:3},
at: intel_iommu_init+0xe75/0x11f0
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #6 (&device->physical_node_lock){+.+.}-{3:3}:
__mutex_lock+0xb4/0xe40
mutex_lock_nested+0x1b/0x30
intel_iommu_init+0xe75/0x11f0
pci_iommu_init+0x13/0x70
do_one_initcall+0x62/0x3f0
kernel_init_freeable+0x3da/0x6a0
kernel_init+0x1b/0x200
ret_from_fork+0x44/0x70
ret_from_fork_asm+0x1a/0x30
-> #5 (dmar_global_lock){++++}-{3:3}:
down_read+0x43/0x1d0
enable_drhd_fault_handling+0x21/0x110
cpuhp_invoke_callback+0x4c6/0x870
cpuhp_issue_call+0xbf/0x1f0
__cpuhp_setup_state_cpuslocked+0x111/0x320
__cpuhp_setup_state+0xb0/0x220
irq_remap_enable_fault_handling+0x3f/0xa0
apic_intr_mode_init+0x5c/0x110
x86_late_time_init+0x24/0x40
start_kernel+0x895/0xbd0
x86_64_start_reservations+0x18/0x30
x86_64_start_kernel+0xbf/0x110
common_startup_64+0x13e/0x141
-> #4 (cpuhp_state_mutex){+.+.}-{3:3}:
__mutex_lock+0xb4/0xe40
mutex_lock_nested+0x1b/0x30
__cpuhp_setup_state_cpuslocked+0x67/0x320
__cpuhp_setup_state+0xb0/0x220
page_alloc_init_cpuhp+0x2d/0x60
mm_core_init+0x18/0x2c0
start_kernel+0x576/0xbd0
x86_64_start_reservations+0x18/0x30
x86_64_start_kernel+0xbf/0x110
common_startup_64+0x13e/0x141
-> #3 (cpu_hotplug_lock){++++}-{0:0}:
__cpuhp_state_add_instance+0x4f/0x220
iova_domain_init_rcaches+0x214/0x280
iommu_setup_dma_ops+0x1a4/0x710
iommu_device_register+0x17d/0x260
intel_iommu_init+0xda4/0x11f0
pci_iommu_init+0x13/0x70
do_one_initcall+0x62/0x3f0
kernel_init_freeable+0x3da/0x6a0
kernel_init+0x1b/0x200
ret_from_fork+0x44/0x70
ret_from_fork_asm+0x1a/0x30
-> #2 (&domain->iova_cookie->mutex){+.+.}-{3:3}:
__mutex_lock+0xb4/0xe40
mutex_lock_nested+0x1b/0x30
iommu_setup_dma_ops+0x16b/0x710
iommu_device_register+0x17d/0x260
intel_iommu_init+0xda4/0x11f0
pci_iommu_init+0x13/0x70
do_one_initcall+0x62/0x3f0
kernel_init_freeable+0x3da/0x6a0
kernel_init+0x1b/0x200
ret_from_fork+0x44/0x70
ret_from_fork_asm+0x1a/0x30
-> #1 (&group->mutex){+.+.}-{3:3}:
__mutex_lock+0xb4/0xe40
mutex_lock_nested+0x1b/0x30
__iommu_probe_device+0x24c/0x4e0
probe_iommu_group+0x2b/0x50
bus_for_each_dev+0x7d/0xe0
iommu_device_register+0xe1/0x260
intel_iommu_init+0xda4/0x11f0
pci_iommu_init+0x13/0x70
do_one_initcall+0x62/0x3f0
kernel_init_freeable+0x3da/0x6a0
kernel_init+0x1b/0x200
ret_from_fork+0x44/0x70
ret_from_fork_asm+0x1a/0x30
-> #0 (iommu_probe_device_lock){+.+.}-{3:3}:
__lock_acquire+0x1637/0x2810
lock_acquire+0xc9/0x300
__mutex_lock+0xb4/0xe40
mutex_lock_nested+0x1b/0x30
iommu_probe_device+0x1d/0x70
intel_iommu_init+0xe90/0x11f0
pci_iommu_init+0x13/0x70
do_one_initcall+0x62/0x3f0
kernel_init_freeable+0x3da/0x6a0
kernel_init+0x1b/0x200
ret_from_fork+0x44/0x70
ret_from_fork_asm+0x1a/0x30
other info that might help us debug this:
Chain exists of:
iommu_probe_device_lock --> dmar_global_lock -->
&device->physical_node_lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&device->physical_node_lock);
lock(dmar_global_lock);
lock(&device->physical_node_lock);
lock(iommu_probe_device_lock);
*** DEADLOCK ***
This driver uses a global lock to protect the list of enumerated DMA
remapping units. It is necessary due to the driver's support for dynamic
addition and removal of remapping units at runtime.
Two distinct code paths require iteration over this remapping unit list:
- Device registration and probing: the driver iterates the list to
register each remapping unit with the upper layer IOMMU framework
and subsequently probe the devices managed by that unit.
- Global configuration: Upper layer components may also iterate the list
to apply configuration changes.
The lock acquisition order between these two code paths was reversed. This
caused lockdep warnings, indicating a risk of deadlock. Fix this warning
by releasing the global lock before invoking upper layer interfaces for
device registration.
Fixes: b150654f74bf ("iommu/vt-d: Fix suspicious RCU usage")
Closes: https://lore.kernel.org/linux-iommu/SJ1PR11MB612953431F94F18C954C4A9CB9D32@SJ1PR11MB6129.namprd11.prod.outlook.com/
Tested-by: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Link: https://lore.kernel.org/r/20250317035714.1041549-1-baolu.lu@linux.intel.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/intel/iommu.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -3016,6 +3016,7 @@ static int __init probe_acpi_namespace_d
if (dev->bus != &acpi_bus_type)
continue;
+ up_read(&dmar_global_lock);
adev = to_acpi_device(dev);
mutex_lock(&adev->physical_node_lock);
list_for_each_entry(pn,
@@ -3025,6 +3026,7 @@ static int __init probe_acpi_namespace_d
break;
}
mutex_unlock(&adev->physical_node_lock);
+ down_read(&dmar_global_lock);
if (ret)
return ret;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 352/449] iommu/vt-d: Wire up irq_ack() to irq_move_irq() for posted MSIs
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (350 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 351/449] iommu/vt-d: Fix possible circular locking dependency Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 353/449] sparc/mm: disable preemption in lazy mmu mode Greg Kroah-Hartman
` (103 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Robert Lippert, Thomas Gleixner,
Wentao Yang, Sean Christopherson, Lu Baolu, Joerg Roedel
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 548183ea388c12b6d76d6982f3d72df3887af0da upstream.
Set the posted MSI irq_chip's irq_ack() hook to irq_move_irq() instead of
a dummy/empty callback so that posted MSIs process pending changes to the
IRQ's SMP affinity. Failure to honor a pending set-affinity results in
userspace being unable to change the effective affinity of the IRQ, as
IRQD_SETAFFINITY_PENDING is never cleared and so irq_set_affinity_locked()
always defers moving the IRQ.
The issue is most easily reproducible by setting /proc/irq/xx/smp_affinity
multiple times in quick succession, as only the first update is likely to
be handled in process context.
Fixes: ed1e48ea4370 ("iommu/vt-d: Enable posted mode for device MSIs")
Cc: Robert Lippert <rlippert@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Reported-by: Wentao Yang <wentaoyang@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20250321194249.1217961-1-seanjc@google.com
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/intel/irq_remapping.c | 29 +++++++++++++++--------------
1 file changed, 15 insertions(+), 14 deletions(-)
--- a/drivers/iommu/intel/irq_remapping.c
+++ b/drivers/iommu/intel/irq_remapping.c
@@ -1287,43 +1287,44 @@ static struct irq_chip intel_ir_chip = {
};
/*
- * With posted MSIs, all vectors are multiplexed into a single notification
- * vector. Devices MSIs are then dispatched in a demux loop where
- * EOIs can be coalesced as well.
+ * With posted MSIs, the MSI vectors are multiplexed into a single notification
+ * vector, and only the notification vector is sent to the APIC IRR. Device
+ * MSIs are then dispatched in a demux loop that harvests the MSIs from the
+ * CPU's Posted Interrupt Request bitmap. I.e. Posted MSIs never get sent to
+ * the APIC IRR, and thus do not need an EOI. The notification handler instead
+ * performs a single EOI after processing the PIR.
*
- * "INTEL-IR-POST" IRQ chip does not do EOI on ACK, thus the dummy irq_ack()
- * function. Instead EOI is performed by the posted interrupt notification
- * handler.
+ * Note! Pending SMP/CPU affinity changes, which are per MSI, must still be
+ * honored, only the APIC EOI is omitted.
*
* For the example below, 3 MSIs are coalesced into one CPU notification. Only
- * one apic_eoi() is needed.
+ * one apic_eoi() is needed, but each MSI needs to process pending changes to
+ * its CPU affinity.
*
* __sysvec_posted_msi_notification()
* irq_enter();
* handle_edge_irq()
* irq_chip_ack_parent()
- * dummy(); // No EOI
+ * irq_move_irq(); // No EOI
* handle_irq_event()
* driver_handler()
* handle_edge_irq()
* irq_chip_ack_parent()
- * dummy(); // No EOI
+ * irq_move_irq(); // No EOI
* handle_irq_event()
* driver_handler()
* handle_edge_irq()
* irq_chip_ack_parent()
- * dummy(); // No EOI
+ * irq_move_irq(); // No EOI
* handle_irq_event()
* driver_handler()
* apic_eoi()
* irq_exit()
+ *
*/
-
-static void dummy_ack(struct irq_data *d) { }
-
static struct irq_chip intel_ir_chip_post_msi = {
.name = "INTEL-IR-POST",
- .irq_ack = dummy_ack,
+ .irq_ack = irq_move_irq,
.irq_set_affinity = intel_ir_set_affinity,
.irq_compose_msi_msg = intel_ir_compose_msi_msg,
.irq_set_vcpu_affinity = intel_ir_set_vcpu_affinity,
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 353/449] sparc/mm: disable preemption in lazy mmu mode
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (351 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 352/449] iommu/vt-d: Wire up irq_ack() to irq_move_irq() for posted MSIs Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 354/449] sparc/mm: avoid calling arch_enter/leave_lazy_mmu() in set_ptes Greg Kroah-Hartman
` (102 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryan Roberts, David Hildenbrand,
Andreas Larsson, Juergen Gross, Borislav Betkov, Boris Ostrovsky,
Catalin Marinas, Dave Hansen, David S. Miller, H. Peter Anvin,
Ingo Molnar, Matthew Wilcow (Oracle), Thomas Gleinxer,
Andrew Morton
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryan Roberts <ryan.roberts@arm.com>
commit a1d416bf9faf4f4871cb5a943614a07f80a7d70f upstream.
Since commit 38e0edb15bd0 ("mm/apply_to_range: call pte function with lazy
updates") it's been possible for arch_[enter|leave]_lazy_mmu_mode() to be
called without holding a page table lock (for the kernel mappings case),
and therefore it is possible that preemption may occur while in the lazy
mmu mode. The Sparc lazy mmu implementation is not robust to preemption
since it stores the lazy mode state in a per-cpu structure and does not
attempt to manage that state on task switch.
Powerpc had the same issue and fixed it by explicitly disabling preemption
in arch_enter_lazy_mmu_mode() and re-enabling in
arch_leave_lazy_mmu_mode(). See commit b9ef323ea168 ("powerpc/64s:
Disable preemption in hash lazy mmu mode").
Given Sparc's lazy mmu mode is based on powerpc's, let's fix it in the
same way here.
Link: https://lkml.kernel.org/r/20250303141542.3371656-4-ryan.roberts@arm.com
Fixes: 38e0edb15bd0 ("mm/apply_to_range: call pte function with lazy updates")
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Andreas Larsson <andreas@gaisler.com>
Acked-by: Juergen Gross <jgross@suse.com>
Cc: Borislav Betkov <bp@alien8.de>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Juegren Gross <jgross@suse.com>
Cc: Matthew Wilcow (Oracle) <willy@infradead.org>
Cc: Thomas Gleinxer <tglx@linutronix.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/sparc/mm/tlb.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/arch/sparc/mm/tlb.c
+++ b/arch/sparc/mm/tlb.c
@@ -52,8 +52,10 @@ out:
void arch_enter_lazy_mmu_mode(void)
{
- struct tlb_batch *tb = this_cpu_ptr(&tlb_batch);
+ struct tlb_batch *tb;
+ preempt_disable();
+ tb = this_cpu_ptr(&tlb_batch);
tb->active = 1;
}
@@ -64,6 +66,7 @@ void arch_leave_lazy_mmu_mode(void)
if (tb->tlb_nr)
flush_tlb_pending();
tb->active = 0;
+ preempt_enable();
}
static void tlb_batch_add_one(struct mm_struct *mm, unsigned long vaddr,
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 354/449] sparc/mm: avoid calling arch_enter/leave_lazy_mmu() in set_ptes
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (352 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 353/449] sparc/mm: disable preemption in lazy mmu mode Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 355/449] net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod Greg Kroah-Hartman
` (101 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryan Roberts, David Hildenbrand,
Andreas Larsson, Juergen Gross, Borislav Betkov, Boris Ostrovsky,
Catalin Marinas, Dave Hansen, David S. Miller, H. Peter Anvin,
Ingo Molnar, Matthew Wilcow (Oracle), Thomas Gleinxer,
Andrew Morton
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryan Roberts <ryan.roberts@arm.com>
commit eb61ad14c459b54f71f76331ca35d12fa3eb8f98 upstream.
With commit 1a10a44dfc1d ("sparc64: implement the new page table range
API") set_ptes was added to the sparc architecture. The implementation
included calling arch_enter/leave_lazy_mmu() calls.
The patch removes the usage of arch_enter/leave_lazy_mmu() since this
implies nesting of lazy mmu regions which is not supported. Without this
fix, lazy mmu mode is effectively disabled because we exit the mode after
the first set_ptes:
remap_pte_range()
-> arch_enter_lazy_mmu()
-> set_ptes()
-> arch_enter_lazy_mmu()
-> arch_leave_lazy_mmu()
-> arch_leave_lazy_mmu()
Powerpc suffered the same problem and fixed it in a corresponding way with
commit 47b8def9358c ("powerpc/mm: Avoid calling
arch_enter/leave_lazy_mmu() in set_ptes").
Link: https://lkml.kernel.org/r/20250303141542.3371656-5-ryan.roberts@arm.com
Fixes: 1a10a44dfc1d ("sparc64: implement the new page table range API")
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Andreas Larsson <andreas@gaisler.com>
Acked-by: Juergen Gross <jgross@suse.com>
Cc: Borislav Betkov <bp@alien8.de>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Juegren Gross <jgross@suse.com>
Cc: Matthew Wilcow (Oracle) <willy@infradead.org>
Cc: Thomas Gleinxer <tglx@linutronix.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/sparc/include/asm/pgtable_64.h | 2 --
1 file changed, 2 deletions(-)
--- a/arch/sparc/include/asm/pgtable_64.h
+++ b/arch/sparc/include/asm/pgtable_64.h
@@ -936,7 +936,6 @@ static inline void __set_pte_at(struct m
static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
pte_t *ptep, pte_t pte, unsigned int nr)
{
- arch_enter_lazy_mmu_mode();
for (;;) {
__set_pte_at(mm, addr, ptep, pte, 0);
if (--nr == 0)
@@ -945,7 +944,6 @@ static inline void set_ptes(struct mm_st
pte_val(pte) += PAGE_SIZE;
addr += PAGE_SIZE;
}
- arch_leave_lazy_mmu_mode();
}
#define set_ptes set_ptes
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 355/449] net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (353 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 354/449] sparc/mm: avoid calling arch_enter/leave_lazy_mmu() in set_ptes Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 356/449] mm/damon/ops: have damon_get_folio return folio even for tail pages Greg Kroah-Hartman
` (100 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Jakub Kicinski
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
commit 0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569 upstream.
When I ran the repro [0] and waited a few seconds, I observed two
LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1]
Reproduction Steps:
1) Mount CIFS
2) Add an iptables rule to drop incoming FIN packets for CIFS
3) Unmount CIFS
4) Unload the CIFS module
5) Remove the iptables rule
At step 3), the CIFS module calls sock_release() for the underlying
TCP socket, and it returns quickly. However, the socket remains in
FIN_WAIT_1 because incoming FIN packets are dropped.
At this point, the module's refcnt is 0 while the socket is still
alive, so the following rmmod command succeeds.
# ss -tan
State Recv-Q Send-Q Local Address:Port Peer Address:Port
FIN-WAIT-1 0 477 10.0.2.15:51062 10.0.0.137:445
# lsmod | grep cifs
cifs 1159168 0
This highlights a discrepancy between the lifetime of the CIFS module
and the underlying TCP socket. Even after CIFS calls sock_release()
and it returns, the TCP socket does not die immediately in order to
close the connection gracefully.
While this is generally fine, it causes an issue with LOCKDEP because
CIFS assigns a different lock class to the TCP socket's sk->sk_lock
using sock_lock_init_class_and_name().
Once an incoming packet is processed for the socket or a timer fires,
sk->sk_lock is acquired.
Then, LOCKDEP checks the lock context in check_wait_context(), where
hlock_class() is called to retrieve the lock class. However, since
the module has already been unloaded, hlock_class() logs a warning
and returns NULL, triggering the null-ptr-deref.
If LOCKDEP is enabled, we must ensure that a module calling
sock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded
while such a socket is still alive to prevent this issue.
Let's hold the module reference in sock_lock_init_class_and_name()
and release it when the socket is freed in sk_prot_free().
Note that sock_lock_init() clears sk->sk_owner for svc_create_socket()
that calls sock_lock_init_class_and_name() for a listening socket,
which clones a socket by sk_clone_lock() without GFP_ZERO.
[0]:
CIFS_SERVER="10.0.0.137"
CIFS_PATH="//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST"
DEV="enp0s3"
CRED="/root/WindowsCredential.txt"
MNT=$(mktemp -d /tmp/XXXXXX)
mount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1
iptables -A INPUT -s ${CIFS_SERVER} -j DROP
for i in $(seq 10);
do
umount ${MNT}
rmmod cifs
sleep 1
done
rm -r ${MNT}
iptables -D INPUT -s ${CIFS_SERVER} -j DROP
[1]:
DEBUG_LOCKS_WARN_ON(1)
WARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)
Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs]
CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)
...
Call Trace:
<IRQ>
__lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178)
lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816)
_raw_spin_lock_nested (kernel/locking/spinlock.c:379)
tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350)
...
BUG: kernel NULL pointer dereference, address: 00000000000000c4
PF: supervisor read access in kernel mode
PF: error_code(0x0000) - not-present page
PGD 0
Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G W 6.14.0 #36
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:__lock_acquire (kernel/locking/lockdep.c:4852 kernel/locking/lockdep.c:5178)
Code: 15 41 09 c7 41 8b 44 24 20 25 ff 1f 00 00 41 09 c7 8b 84 24 a0 00 00 00 45 89 7c 24 20 41 89 44 24 24 e8 e1 bc ff ff 4c 89 e7 <44> 0f b6 b8 c4 00 00 00 e8 d1 bc ff ff 0f b6 80 c5 00 00 00 88 44
RSP: 0018:ffa0000000468a10 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ff1100010091cc38 RCX: 0000000000000027
RDX: ff1100081f09ca48 RSI: 0000000000000001 RDI: ff1100010091cc88
RBP: ff1100010091c200 R08: ff1100083fe6e228 R09: 00000000ffffbfff
R10: ff1100081eca0000 R11: ff1100083fe10dc0 R12: ff1100010091cc88
R13: 0000000000000001 R14: 0000000000000000 R15: 00000000000424b1
FS: 0000000000000000(0000) GS:ff1100081f080000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000c4 CR3: 0000000002c4a003 CR4: 0000000000771ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<IRQ>
lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816)
_raw_spin_lock_nested (kernel/locking/spinlock.c:379)
tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350)
ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1))
ip_local_deliver_finish (./include/linux/rcupdate.h:878 net/ipv4/ip_input.c:234)
ip_sublist_rcv_finish (net/ipv4/ip_input.c:576)
ip_list_rcv_finish (net/ipv4/ip_input.c:628)
ip_list_rcv (net/ipv4/ip_input.c:670)
__netif_receive_skb_list_core (net/core/dev.c:5939 net/core/dev.c:5986)
netif_receive_skb_list_internal (net/core/dev.c:6040 net/core/dev.c:6129)
napi_complete_done (./include/linux/list.h:37 ./include/net/gro.h:519 ./include/net/gro.h:514 net/core/dev.c:6496)
e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3815)
__napi_poll.constprop.0 (net/core/dev.c:7191)
net_rx_action (net/core/dev.c:7262 net/core/dev.c:7382)
handle_softirqs (kernel/softirq.c:561)
__irq_exit_rcu (kernel/softirq.c:596 kernel/softirq.c:435 kernel/softirq.c:662)
irq_exit_rcu (kernel/softirq.c:680)
common_interrupt (arch/x86/kernel/irq.c:280 (discriminator 14))
</IRQ>
<TASK>
asm_common_interrupt (./arch/x86/include/asm/idtentry.h:693)
RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:744)
Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d c3 2b 15 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
RSP: 0018:ffa00000000ffee8 EFLAGS: 00000202
RAX: 000000000000640b RBX: ff1100010091c200 RCX: 0000000000061aa4
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff812f30c5
RBP: 000000000000000a R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
? do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325)
default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118)
do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325)
cpu_startup_entry (kernel/sched/idle.c:422 (discriminator 1))
start_secondary (arch/x86/kernel/smpboot.c:315)
common_startup_64 (arch/x86/kernel/head_64.S:421)
</TASK>
Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs]
CR2: 00000000000000c4
Fixes: ed07536ed673 ("[PATCH] lockdep: annotate nfs/nfsd in-kernel sockets")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250407163313.22682-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/sock.h | 40 ++++++++++++++++++++++++++++++++++++++--
net/core/sock.c | 5 +++++
2 files changed, 43 insertions(+), 2 deletions(-)
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -338,6 +338,8 @@ struct sk_filter;
* @sk_txtime_unused: unused txtime flags
* @ns_tracker: tracker for netns reference
* @sk_user_frags: xarray of pages the user is holding a reference on.
+ * @sk_owner: reference to the real owner of the socket that calls
+ * sock_lock_init_class_and_name().
*/
struct sock {
/*
@@ -544,6 +546,10 @@ struct sock {
struct rcu_head sk_rcu;
netns_tracker ns_tracker;
struct xarray sk_user_frags;
+
+#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES)
+ struct module *sk_owner;
+#endif
};
struct sock_bh_locked {
@@ -1592,6 +1598,35 @@ static inline void sk_mem_uncharge(struc
sk_mem_reclaim(sk);
}
+#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES)
+static inline void sk_owner_set(struct sock *sk, struct module *owner)
+{
+ __module_get(owner);
+ sk->sk_owner = owner;
+}
+
+static inline void sk_owner_clear(struct sock *sk)
+{
+ sk->sk_owner = NULL;
+}
+
+static inline void sk_owner_put(struct sock *sk)
+{
+ module_put(sk->sk_owner);
+}
+#else
+static inline void sk_owner_set(struct sock *sk, struct module *owner)
+{
+}
+
+static inline void sk_owner_clear(struct sock *sk)
+{
+}
+
+static inline void sk_owner_put(struct sock *sk)
+{
+}
+#endif
/*
* Macro so as to not evaluate some arguments when
* lockdep is not enabled.
@@ -1601,13 +1636,14 @@ static inline void sk_mem_uncharge(struc
*/
#define sock_lock_init_class_and_name(sk, sname, skey, name, key) \
do { \
+ sk_owner_set(sk, THIS_MODULE); \
sk->sk_lock.owned = 0; \
init_waitqueue_head(&sk->sk_lock.wq); \
spin_lock_init(&(sk)->sk_lock.slock); \
debug_check_no_locks_freed((void *)&(sk)->sk_lock, \
- sizeof((sk)->sk_lock)); \
+ sizeof((sk)->sk_lock)); \
lockdep_set_class_and_name(&(sk)->sk_lock.slock, \
- (skey), (sname)); \
+ (skey), (sname)); \
lockdep_init_map(&(sk)->sk_lock.dep_map, (name), (key), 0); \
} while (0)
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2115,6 +2115,8 @@ lenout:
*/
static inline void sock_lock_init(struct sock *sk)
{
+ sk_owner_clear(sk);
+
if (sk->sk_kern_sock)
sock_lock_init_class_and_name(
sk,
@@ -2211,6 +2213,9 @@ static void sk_prot_free(struct proto *p
cgroup_sk_free(&sk->sk_cgrp_data);
mem_cgroup_sk_free(sk);
security_sk_free(sk);
+
+ sk_owner_put(sk);
+
if (slab != NULL)
kmem_cache_free(slab, sk);
else
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 356/449] mm/damon/ops: have damon_get_folio return folio even for tail pages
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (354 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 355/449] net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 357/449] mm/damon: avoid applying DAMOS action to same entity multiple times Greg Kroah-Hartman
` (99 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Usama Arif, SeongJae Park,
Andrew Morton
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Usama Arif <usamaarif642@gmail.com>
commit 3a06696305e757f652dd0dcf4dfa2272eda39434 upstream.
Patch series "mm/damon/paddr: fix large folios access and schemes handling".
DAMON operations set for physical address space, namely 'paddr', treats
tail pages as unaccessed always. It can also apply DAMOS action to a
large folio multiple times within single DAMOS' regions walking. As a
result, the monitoring output has poor quality and DAMOS works in
unexpected ways when large folios are being used. Fix those.
The patches were parts of Usama's hugepage_size DAMOS filter patch
series[1]. The first fix has collected from there with a slight commit
message change for the subject prefix. The second fix is re-written by SJ
and posted as an RFC before this series. The second one also got a slight
commit message change for the subject prefix.
[1] https://lore.kernel.org/20250203225604.44742-1-usamaarif642@gmail.com
[2] https://lore.kernel.org/20250206231103.38298-1-sj@kernel.org
This patch (of 2):
This effectively adds support for large folios in damon for paddr, as
damon_pa_mkold/young won't get a null folio from this function and won't
ignore it, hence access will be checked and reported. This also means
that larger folios will be considered for different DAMOS actions like
pageout, prioritization and migration. As these DAMOS actions will
consider larger folios, iterate through the region at folio_size and not
PAGE_SIZE intervals. This should not have an affect on vaddr, as
damon_young_pmd_entry considers pmd entries.
Link: https://lkml.kernel.org/r/20250207212033.45269-1-sj@kernel.org
Link: https://lkml.kernel.org/r/20250207212033.45269-2-sj@kernel.org
Fixes: a28397beb55b ("mm/damon: implement primitives for physical address space monitoring")
Signed-off-by: Usama Arif <usamaarif642@gmail.com>
Signed-off-by: SeongJae Park <sj@kernel.org>
Reviewed-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/ops-common.c | 2 +-
mm/damon/paddr.c | 24 ++++++++++++++++++------
2 files changed, 19 insertions(+), 7 deletions(-)
--- a/mm/damon/ops-common.c
+++ b/mm/damon/ops-common.c
@@ -24,7 +24,7 @@ struct folio *damon_get_folio(unsigned l
struct page *page = pfn_to_online_page(pfn);
struct folio *folio;
- if (!page || PageTail(page))
+ if (!page)
return NULL;
folio = page_folio(page);
--- a/mm/damon/paddr.c
+++ b/mm/damon/paddr.c
@@ -269,11 +269,14 @@ static unsigned long damon_pa_pageout(st
damos_add_filter(s, filter);
}
- for (addr = r->ar.start; addr < r->ar.end; addr += PAGE_SIZE) {
+ addr = r->ar.start;
+ while (addr < r->ar.end) {
struct folio *folio = damon_get_folio(PHYS_PFN(addr));
- if (!folio)
+ if (!folio) {
+ addr += PAGE_SIZE;
continue;
+ }
if (damos_pa_filter_out(s, folio))
goto put_folio;
@@ -289,6 +292,7 @@ static unsigned long damon_pa_pageout(st
else
list_add(&folio->lru, &folio_list);
put_folio:
+ addr += folio_size(folio);
folio_put(folio);
}
if (install_young_filter)
@@ -304,11 +308,14 @@ static inline unsigned long damon_pa_mar
{
unsigned long addr, applied = 0;
- for (addr = r->ar.start; addr < r->ar.end; addr += PAGE_SIZE) {
+ addr = r->ar.start;
+ while (addr < r->ar.end) {
struct folio *folio = damon_get_folio(PHYS_PFN(addr));
- if (!folio)
+ if (!folio) {
+ addr += PAGE_SIZE;
continue;
+ }
if (damos_pa_filter_out(s, folio))
goto put_folio;
@@ -321,6 +328,7 @@ static inline unsigned long damon_pa_mar
folio_deactivate(folio);
applied += folio_nr_pages(folio);
put_folio:
+ addr += folio_size(folio);
folio_put(folio);
}
return applied * PAGE_SIZE;
@@ -467,11 +475,14 @@ static unsigned long damon_pa_migrate(st
unsigned long addr, applied;
LIST_HEAD(folio_list);
- for (addr = r->ar.start; addr < r->ar.end; addr += PAGE_SIZE) {
+ addr = r->ar.start;
+ while (addr < r->ar.end) {
struct folio *folio = damon_get_folio(PHYS_PFN(addr));
- if (!folio)
+ if (!folio) {
+ addr += PAGE_SIZE;
continue;
+ }
if (damos_pa_filter_out(s, folio))
goto put_folio;
@@ -482,6 +493,7 @@ static unsigned long damon_pa_migrate(st
goto put_folio;
list_add(&folio->lru, &folio_list);
put_folio:
+ addr += folio_size(folio);
folio_put(folio);
}
applied = damon_pa_migrate_pages(&folio_list, s->target_nid);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 357/449] mm/damon: avoid applying DAMOS action to same entity multiple times
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (355 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 356/449] mm/damon/ops: have damon_get_folio return folio even for tail pages Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 358/449] mm/rmap: reject hugetlb folios in folio_make_device_exclusive() Greg Kroah-Hartman
` (98 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Usama Arif,
Andrew Morton
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 94ba17adaba0f651fdcf745c8891a88e2e028cfa upstream.
'paddr' DAMON operations set can apply a DAMOS scheme's action to a large
folio multiple times in single DAMOS-regions-walk if the folio is laid on
multiple DAMON regions. Add a field for DAMOS scheme object that can be
used by the underlying ops to know what was the last entity that the
scheme's action has applied. The core layer unsets the field when each
DAMOS-regions-walk is done for the given scheme. And update 'paddr' ops
to use the infrastructure to avoid the problem.
Link: https://lkml.kernel.org/r/20250207212033.45269-3-sj@kernel.org
Fixes: 57223ac29584 ("mm/damon/paddr: support the pageout scheme")
Signed-off-by: SeongJae Park <sj@kernel.org>
Reported-by: Usama Arif <usamaarif642@gmail.com>
Closes: https://lore.kernel.org/20250203225604.44742-3-usamaarif642@gmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/damon.h | 11 +++++++++++
mm/damon/core.c | 1 +
mm/damon/paddr.c | 39 +++++++++++++++++++++++++++------------
3 files changed, 39 insertions(+), 12 deletions(-)
--- a/include/linux/damon.h
+++ b/include/linux/damon.h
@@ -432,6 +432,7 @@ struct damos_access_pattern {
* @wmarks: Watermarks for automated (in)activation of this scheme.
* @target_nid: Destination node if @action is "migrate_{hot,cold}".
* @filters: Additional set of &struct damos_filter for &action.
+ * @last_applied: Last @action applied ops-managing entity.
* @stat: Statistics of this scheme.
* @list: List head for siblings.
*
@@ -454,6 +455,15 @@ struct damos_access_pattern {
* implementation could check pages of the region and skip &action to respect
* &filters
*
+ * The minimum entity that @action can be applied depends on the underlying
+ * &struct damon_operations. Since it may not be aligned with the core layer
+ * abstract, namely &struct damon_region, &struct damon_operations could apply
+ * @action to same entity multiple times. Large folios that underlying on
+ * multiple &struct damon region objects could be such examples. The &struct
+ * damon_operations can use @last_applied to avoid that. DAMOS core logic
+ * unsets @last_applied when each regions walking for applying the scheme is
+ * finished.
+ *
* After applying the &action to each region, &stat_count and &stat_sz is
* updated to reflect the number of regions and total size of regions that the
* &action is applied.
@@ -482,6 +492,7 @@ struct damos {
int target_nid;
};
struct list_head filters;
+ void *last_applied;
struct damos_stat stat;
struct list_head list;
};
--- a/mm/damon/core.c
+++ b/mm/damon/core.c
@@ -1856,6 +1856,7 @@ static void kdamond_apply_schemes(struct
s->next_apply_sis = c->passed_sample_intervals +
(s->apply_interval_us ? s->apply_interval_us :
c->attrs.aggr_interval) / sample_interval;
+ s->last_applied = NULL;
}
}
--- a/mm/damon/paddr.c
+++ b/mm/damon/paddr.c
@@ -246,6 +246,17 @@ static bool damos_pa_filter_out(struct d
return false;
}
+static bool damon_pa_invalid_damos_folio(struct folio *folio, struct damos *s)
+{
+ if (!folio)
+ return true;
+ if (folio == s->last_applied) {
+ folio_put(folio);
+ return true;
+ }
+ return false;
+}
+
static unsigned long damon_pa_pageout(struct damon_region *r, struct damos *s,
unsigned long *sz_filter_passed)
{
@@ -253,6 +264,7 @@ static unsigned long damon_pa_pageout(st
LIST_HEAD(folio_list);
bool install_young_filter = true;
struct damos_filter *filter;
+ struct folio *folio;
/* check access in page level again by default */
damos_for_each_filter(filter, s) {
@@ -271,9 +283,8 @@ static unsigned long damon_pa_pageout(st
addr = r->ar.start;
while (addr < r->ar.end) {
- struct folio *folio = damon_get_folio(PHYS_PFN(addr));
-
- if (!folio) {
+ folio = damon_get_folio(PHYS_PFN(addr));
+ if (damon_pa_invalid_damos_folio(folio, s)) {
addr += PAGE_SIZE;
continue;
}
@@ -299,6 +310,7 @@ put_folio:
damos_destroy_filter(filter);
applied = reclaim_pages(&folio_list);
cond_resched();
+ s->last_applied = folio;
return applied * PAGE_SIZE;
}
@@ -307,12 +319,12 @@ static inline unsigned long damon_pa_mar
unsigned long *sz_filter_passed)
{
unsigned long addr, applied = 0;
+ struct folio *folio;
addr = r->ar.start;
while (addr < r->ar.end) {
- struct folio *folio = damon_get_folio(PHYS_PFN(addr));
-
- if (!folio) {
+ folio = damon_get_folio(PHYS_PFN(addr));
+ if (damon_pa_invalid_damos_folio(folio, s)) {
addr += PAGE_SIZE;
continue;
}
@@ -331,6 +343,7 @@ put_folio:
addr += folio_size(folio);
folio_put(folio);
}
+ s->last_applied = folio;
return applied * PAGE_SIZE;
}
@@ -474,12 +487,12 @@ static unsigned long damon_pa_migrate(st
{
unsigned long addr, applied;
LIST_HEAD(folio_list);
+ struct folio *folio;
addr = r->ar.start;
while (addr < r->ar.end) {
- struct folio *folio = damon_get_folio(PHYS_PFN(addr));
-
- if (!folio) {
+ folio = damon_get_folio(PHYS_PFN(addr));
+ if (damon_pa_invalid_damos_folio(folio, s)) {
addr += PAGE_SIZE;
continue;
}
@@ -498,6 +511,7 @@ put_folio:
}
applied = damon_pa_migrate_pages(&folio_list, s->target_nid);
cond_resched();
+ s->last_applied = folio;
return applied * PAGE_SIZE;
}
@@ -515,15 +529,15 @@ static unsigned long damon_pa_stat(struc
{
unsigned long addr;
LIST_HEAD(folio_list);
+ struct folio *folio;
if (!damon_pa_scheme_has_filter(s))
return 0;
addr = r->ar.start;
while (addr < r->ar.end) {
- struct folio *folio = damon_get_folio(PHYS_PFN(addr));
-
- if (!folio) {
+ folio = damon_get_folio(PHYS_PFN(addr));
+ if (damon_pa_invalid_damos_folio(folio, s)) {
addr += PAGE_SIZE;
continue;
}
@@ -533,6 +547,7 @@ static unsigned long damon_pa_stat(struc
addr += folio_size(folio);
folio_put(folio);
}
+ s->last_applied = folio;
return 0;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 358/449] mm/rmap: reject hugetlb folios in folio_make_device_exclusive()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (356 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 357/449] mm/damon: avoid applying DAMOS action to same entity multiple times Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 359/449] mm: make page_mapped_in_vma() hugetlb walk aware Greg Kroah-Hartman
` (97 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand, Alistair Popple,
Alex Shi, Danilo Krummrich, Dave Airlie, Jann Horn,
Jason Gunthorpe, Jerome Glisse, John Hubbard, Jonathan Corbet,
Karol Herbst, Liam Howlett, Lorenzo Stoakes, Lyude,
Masami Hiramatsu (Google), Oleg Nesterov, Pasha Tatashin,
Peter Xu, Peter Zijlstra (Intel), SeongJae Park, Simona Vetter,
Vlastimil Babka, Yanteng Si, Barry Song, Andrew Morton
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
commit bc3fe6805cf09a25a086573a17d40e525208c5d8 upstream.
Even though FOLL_SPLIT_PMD on hugetlb now always fails with -EOPNOTSUPP,
let's add a safety net in case FOLL_SPLIT_PMD usage would ever be
reworked.
In particular, before commit 9cb28da54643 ("mm/gup: handle hugetlb in the
generic follow_page_mask code"), GUP(FOLL_SPLIT_PMD) would just have
returned a page. In particular, hugetlb folios that are not PMD-sized
would never have been prone to FOLL_SPLIT_PMD.
hugetlb folios can be anonymous, and page_make_device_exclusive_one() is
not really prepared for handling them at all. So let's spell that out.
Link: https://lkml.kernel.org/r/20250210193801.781278-3-david@redhat.com
Fixes: b756a3b5e7ea ("mm: device exclusive memory access")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Alistair Popple <apopple@nvidia.com>
Tested-by: Alistair Popple <apopple@nvidia.com>
Cc: Alex Shi <alexs@kernel.org>
Cc: Danilo Krummrich <dakr@kernel.org>
Cc: Dave Airlie <airlied@gmail.com>
Cc: Jann Horn <jannh@google.com>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: Jerome Glisse <jglisse@redhat.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Karol Herbst <kherbst@redhat.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Lyude <lyude@redhat.com>
Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Pasha Tatashin <pasha.tatashin@soleen.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: SeongJae Park <sj@kernel.org>
Cc: Simona Vetter <simona.vetter@ffwll.ch>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Yanteng Si <si.yanteng@linux.dev>
Cc: Barry Song <v-songbaohua@oppo.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/rmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/rmap.c
+++ b/mm/rmap.c
@@ -2499,7 +2499,7 @@ static bool folio_make_device_exclusive(
* Restrict to anonymous folios for now to avoid potential writeback
* issues.
*/
- if (!folio_test_anon(folio))
+ if (!folio_test_anon(folio) || folio_test_hugetlb(folio))
return false;
rmap_walk(folio, &rwc);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 359/449] mm: make page_mapped_in_vma() hugetlb walk aware
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (357 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 358/449] mm/rmap: reject hugetlb folios in folio_make_device_exclusive() Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 360/449] mm: fix lazy mmu docs and usage Greg Kroah-Hartman
` (96 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jane Chu, Hugh Dickins,
Kirill A. Shuemov, linmiaohe, Matthew Wilcow (Oracle), Peter Xu,
Andrew Morton
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jane Chu <jane.chu@oracle.com>
commit 442b1eca223b4860cc85ef970ae602d125aec5a4 upstream.
When a process consumes a UE in a page, the memory failure handler
attempts to collect information for a potential SIGBUS. If the page is an
anonymous page, page_mapped_in_vma(page, vma) is invoked in order to
1. retrieve the vaddr from the process' address space,
2. verify that the vaddr is indeed mapped to the poisoned page,
where 'page' is the precise small page with UE.
It's been observed that when injecting poison to a non-head subpage of an
anonymous hugetlb page, no SIGBUS shows up, while injecting to the head
page produces a SIGBUS. The cause is that, though hugetlb_walk() returns
a valid pmd entry (on x86), but check_pte() detects mismatch between the
head page per the pmd and the input subpage. Thus the vaddr is considered
not mapped to the subpage and the process is not collected for SIGBUS
purpose. This is the calling stack:
collect_procs_anon
page_mapped_in_vma
page_vma_mapped_walk
hugetlb_walk
huge_pte_lock
check_pte
check_pte() header says that it
"check if [pvmw->pfn, @pvmw->pfn + @pvmw->nr_pages) is mapped at the @pvmw->pte"
but practically works only if pvmw->pfn is the head page pfn at pvmw->pte.
Hindsight acknowledging that some pvmw->pte could point to a hugepage of
some sort such that it makes sense to make check_pte() work for hugepage.
Link: https://lkml.kernel.org/r/20250224211445.2663312-1-jane.chu@oracle.com
Signed-off-by: Jane Chu <jane.chu@oracle.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Kirill A. Shuemov <kirill.shutemov@linux.intel.com>
Cc: linmiaohe <linmiaohe@huawei.com>
Cc: Matthew Wilcow (Oracle) <willy@infradead.org>
Cc: Peter Xu <peterx@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/page_vma_mapped.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/mm/page_vma_mapped.c
+++ b/mm/page_vma_mapped.c
@@ -84,6 +84,7 @@ again:
* mapped at the @pvmw->pte
* @pvmw: page_vma_mapped_walk struct, includes a pair pte and pfn range
* for checking
+ * @pte_nr: the number of small pages described by @pvmw->pte.
*
* page_vma_mapped_walk() found a place where pfn range is *potentially*
* mapped. check_pte() has to validate this.
@@ -100,7 +101,7 @@ again:
* Otherwise, return false.
*
*/
-static bool check_pte(struct page_vma_mapped_walk *pvmw)
+static bool check_pte(struct page_vma_mapped_walk *pvmw, unsigned long pte_nr)
{
unsigned long pfn;
pte_t ptent = ptep_get(pvmw->pte);
@@ -133,7 +134,11 @@ static bool check_pte(struct page_vma_ma
pfn = pte_pfn(ptent);
}
- return (pfn - pvmw->pfn) < pvmw->nr_pages;
+ if ((pfn + pte_nr - 1) < pvmw->pfn)
+ return false;
+ if (pfn > (pvmw->pfn + pvmw->nr_pages - 1))
+ return false;
+ return true;
}
/* Returns true if the two ranges overlap. Careful to not overflow. */
@@ -208,7 +213,7 @@ bool page_vma_mapped_walk(struct page_vm
return false;
pvmw->ptl = huge_pte_lock(hstate, mm, pvmw->pte);
- if (!check_pte(pvmw))
+ if (!check_pte(pvmw, pages_per_huge_page(hstate)))
return not_found(pvmw);
return true;
}
@@ -291,7 +296,7 @@ restart:
goto next_pte;
}
this_pte:
- if (check_pte(pvmw))
+ if (check_pte(pvmw, 1))
return true;
next_pte:
do {
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 360/449] mm: fix lazy mmu docs and usage
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (358 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 359/449] mm: make page_mapped_in_vma() hugetlb walk aware Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 361/449] mm/mremap: correctly handle partial mremap() of VMA starting at 0 Greg Kroah-Hartman
` (95 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryan Roberts, David Hildenbrand,
Juergen Gross, Andreas Larsson, Borislav Betkov, Boris Ostrovsky,
Catalin Marinas, Dave Hansen, David S. Miller, H. Peter Anvin,
Ingo Molnar, Matthew Wilcow (Oracle), Thomas Gleinxer,
Andrew Morton
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryan Roberts <ryan.roberts@arm.com>
commit 691ee97e1a9de0cdb3efb893c1f180e3f4a35e32 upstream.
Patch series "Fix lazy mmu mode", v2.
I'm planning to implement lazy mmu mode for arm64 to optimize vmalloc. As
part of that, I will extend lazy mmu mode to cover kernel mappings in
vmalloc table walkers. While lazy mmu mode is already used for kernel
mappings in a few places, this will extend it's use significantly.
Having reviewed the existing lazy mmu implementations in powerpc, sparc
and x86, it looks like there are a bunch of bugs, some of which may be
more likely to trigger once I extend the use of lazy mmu. So this series
attempts to clarify the requirements and fix all the bugs in advance of
that series. See patch #1 commit log for all the details.
This patch (of 5):
The docs, implementations and use of arch_[enter|leave]_lazy_mmu_mode() is
a bit of a mess (to put it politely). There are a number of issues
related to nesting of lazy mmu regions and confusion over whether the
task, when in a lazy mmu region, is preemptible or not. Fix all the
issues relating to the core-mm. Follow up commits will fix the
arch-specific implementations. 3 arches implement lazy mmu; powerpc,
sparc and x86.
When arch_[enter|leave]_lazy_mmu_mode() was first introduced by commit
6606c3e0da53 ("[PATCH] paravirt: lazy mmu mode hooks.patch"), it was
expected that lazy mmu regions would never nest and that the appropriate
page table lock(s) would be held while in the region, thus ensuring the
region is non-preemptible. Additionally lazy mmu regions were only used
during manipulation of user mappings.
Commit 38e0edb15bd0 ("mm/apply_to_range: call pte function with lazy
updates") started invoking the lazy mmu mode in apply_to_pte_range(),
which is used for both user and kernel mappings. For kernel mappings the
region is no longer protected by any lock so there is no longer any
guarantee about non-preemptibility. Additionally, for RT configs, the
holding the PTL only implies no CPU migration, it doesn't prevent
preemption.
Commit bcc6cc832573 ("mm: add default definition of set_ptes()") added
arch_[enter|leave]_lazy_mmu_mode() to the default implementation of
set_ptes(), used by x86. So after this commit, lazy mmu regions can be
nested. Additionally commit 1a10a44dfc1d ("sparc64: implement the new
page table range API") and commit 9fee28baa601 ("powerpc: implement the
new page table range API") did the same for the sparc and powerpc
set_ptes() overrides.
powerpc couldn't deal with preemption so avoids it in commit b9ef323ea168
("powerpc/64s: Disable preemption in hash lazy mmu mode"), which
explicitly disables preemption for the whole region in its implementation.
x86 can support preemption (or at least it could until it tried to add
support nesting; more on this below). Sparc looks to be totally broken in
the face of preemption, as far as I can tell.
powerpc can't deal with nesting, so avoids it in commit 47b8def9358c
("powerpc/mm: Avoid calling arch_enter/leave_lazy_mmu() in set_ptes"),
which removes the lazy mmu calls from its implementation of set_ptes().
x86 attempted to support nesting in commit 49147beb0ccb ("x86/xen: allow
nesting of same lazy mode") but as far as I can tell, this breaks its
support for preemption.
In short, it's all a mess; the semantics for
arch_[enter|leave]_lazy_mmu_mode() are not clearly defined and as a result
the implementations all have different expectations, sticking plasters and
bugs.
arm64 is aiming to start using these hooks, so let's clean everything up
before adding an arm64 implementation. Update the documentation to state
that lazy mmu regions can never be nested, must not be called in interrupt
context and preemption may or may not be enabled for the duration of the
region. And fix the generic implementation of set_ptes() to avoid
nesting.
arch-specific fixes to conform to the new spec will proceed this one.
These issues were spotted by code review and I have no evidence of issues
being reported in the wild.
Link: https://lkml.kernel.org/r/20250303141542.3371656-1-ryan.roberts@arm.com
Link: https://lkml.kernel.org/r/20250303141542.3371656-2-ryan.roberts@arm.com
Fixes: bcc6cc832573 ("mm: add default definition of set_ptes()")
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Juergen Gross <jgross@suse.com>
Cc: Andreas Larsson <andreas@gaisler.com>
Cc: Borislav Betkov <bp@alien8.de>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Juegren Gross <jgross@suse.com>
Cc: Matthew Wilcow (Oracle) <willy@infradead.org>
Cc: Thomas Gleinxer <tglx@linutronix.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/pgtable.h | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
--- a/include/linux/pgtable.h
+++ b/include/linux/pgtable.h
@@ -222,10 +222,14 @@ static inline int pmd_dirty(pmd_t pmd)
* hazard could result in the direct mode hypervisor case, since the actual
* write to the page tables may not yet have taken place, so reads though
* a raw PTE pointer after it has been modified are not guaranteed to be
- * up to date. This mode can only be entered and left under the protection of
- * the page table locks for all page tables which may be modified. In the UP
- * case, this is required so that preemption is disabled, and in the SMP case,
- * it must synchronize the delayed page table writes properly on other CPUs.
+ * up to date.
+ *
+ * In the general case, no lock is guaranteed to be held between entry and exit
+ * of the lazy mode. So the implementation must assume preemption may be enabled
+ * and cpu migration is possible; it must take steps to be robust against this.
+ * (In practice, for user PTE updates, the appropriate page table lock(s) are
+ * held, but for kernel PTE updates, no lock is held). Nesting is not permitted
+ * and the mode cannot be used in interrupt context.
*/
#ifndef __HAVE_ARCH_ENTER_LAZY_MMU_MODE
#define arch_enter_lazy_mmu_mode() do {} while (0)
@@ -287,7 +291,6 @@ static inline void set_ptes(struct mm_st
{
page_table_check_ptes_set(mm, ptep, pte, nr);
- arch_enter_lazy_mmu_mode();
for (;;) {
set_pte(ptep, pte);
if (--nr == 0)
@@ -295,7 +298,6 @@ static inline void set_ptes(struct mm_st
ptep++;
pte = pte_next_pfn(pte);
}
- arch_leave_lazy_mmu_mode();
}
#endif
#define set_pte_at(mm, addr, ptep, pte) set_ptes(mm, addr, ptep, pte, 1)
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 361/449] mm/mremap: correctly handle partial mremap() of VMA starting at 0
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (359 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 360/449] mm: fix lazy mmu docs and usage Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 362/449] mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock Greg Kroah-Hartman
` (94 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Stoakes, Harry Yoo,
Liam R. Howlett, Vlastimil Babka, Andrew Morton
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
commit 937582ee8e8d227c30ec147629a0179131feaa80 upstream.
Patch series "refactor mremap and fix bug", v3.
The existing mremap() logic has grown organically over a very long period
of time, resulting in code that is in many parts, very difficult to follow
and full of subtleties and sources of confusion.
In addition, it is difficult to thread state through the operation
correctly, as function arguments have expanded, some parameters are
expected to be temporarily altered during the operation, others are
intended to remain static and some can be overridden.
This series completely refactors the mremap implementation, sensibly
separating functions, adding comments to explain the more subtle aspects
of the implementation and making use of small structs to thread state
through everything.
The reason for doing so is to lay the groundwork for planned future
changes to the mremap logic, changes which require the ability to easily
pass around state.
Additionally, it would be unhelpful to add yet more logic to code that is
already difficult to follow without first refactoring it like this.
The first patch in this series additionally fixes a bug when a VMA with
start address zero is partially remapped.
Tested on real hardware under heavy workload and all self tests are
passing.
This patch (of 3):
Consider the case of a partial mremap() (that results in a VMA split) of
an accountable VMA (i.e. which has the VM_ACCOUNT flag set) whose start
address is zero, with the MREMAP_MAYMOVE flag specified and a scenario
where a move does in fact occur:
addr end
| |
v v
|-------------|
| vma |
|-------------|
0
This move is affected by unmapping the range [addr, end). In order to
prevent an incorrect decrement of accounted memory which has already been
determined, the mremap() code in move_vma() clears VM_ACCOUNT from the VMA
prior to doing so, before reestablishing it in each of the VMAs
post-split:
addr end
| |
v v
|---| |---|
| A | | B |
|---| |---|
Commit 6b73cff239e5 ("mm: change munmap splitting order and move_vma()")
changed this logic such as to determine whether there is a need to do so
by establishing account_start and account_end and, in the instance where
such an operation is required, assigning them to vma->vm_start and
vma->vm_end.
Later the code checks if the operation is required for 'A' referenced
above thusly:
if (account_start) {
...
}
However, if the VMA described above has vma->vm_start == 0, which is now
assigned to account_start, this branch will not be executed.
As a result, the VMA 'A' above will remain stripped of its VM_ACCOUNT
flag, incorrectly.
The fix is to simply convert these variables to booleans and set them as
required.
Link: https://lkml.kernel.org/r/cover.1741639347.git.lorenzo.stoakes@oracle.com
Link: https://lkml.kernel.org/r/dc55cb6db25d97c3d9e460de4986a323fa959676.1741639347.git.lorenzo.stoakes@oracle.com
Fixes: 6b73cff239e5 ("mm: change munmap splitting order and move_vma()")
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Reviewed-by: Harry Yoo <harry.yoo@oracle.com>
Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/mremap.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -705,8 +705,8 @@ static unsigned long move_vma(struct vm_
unsigned long vm_flags = vma->vm_flags;
unsigned long new_pgoff;
unsigned long moved_len;
- unsigned long account_start = 0;
- unsigned long account_end = 0;
+ bool account_start = false;
+ bool account_end = false;
unsigned long hiwater_vm;
int err = 0;
bool need_rmap_locks;
@@ -790,9 +790,9 @@ static unsigned long move_vma(struct vm_
if (vm_flags & VM_ACCOUNT && !(flags & MREMAP_DONTUNMAP)) {
vm_flags_clear(vma, VM_ACCOUNT);
if (vma->vm_start < old_addr)
- account_start = vma->vm_start;
+ account_start = true;
if (vma->vm_end > old_addr + old_len)
- account_end = vma->vm_end;
+ account_end = true;
}
/*
@@ -832,7 +832,7 @@ static unsigned long move_vma(struct vm_
/* OOM: unable to split vma, just get accounts right */
if (vm_flags & VM_ACCOUNT && !(flags & MREMAP_DONTUNMAP))
vm_acct_memory(old_len >> PAGE_SHIFT);
- account_start = account_end = 0;
+ account_start = account_end = false;
}
if (vm_flags & VM_LOCKED) {
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 362/449] mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (360 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 361/449] mm/mremap: correctly handle partial mremap() of VMA starting at 0 Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 363/449] mm/userfaultfd: fix release hang over concurrent GUP Greg Kroah-Hartman
` (93 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathieu Desnoyers, Lorenzo Stoakes,
Matthew Wilcox, Alan Stern, Andrea Parri, Will Deacon,
Peter Zijlstra, Boqun Feng, Nicholas Piggin, David Howells,
Jade Alglave, Luc Maranget, Paul E. McKenney, Andrew Morton
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
commit c0ebbb3841e07c4493e6fe351698806b09a87a37 upstream.
The PGDAT_RECLAIM_LOCKED bit is used to provide mutual exclusion of node
reclaim for struct pglist_data using a single bit.
It is "locked" with a test_and_set_bit (similarly to a try lock) which
provides full ordering with respect to loads and stores done within
__node_reclaim().
It is "unlocked" with clear_bit(), which does not provide any ordering
with respect to loads and stores done before clearing the bit.
The lack of clear_bit() memory ordering with respect to stores within
__node_reclaim() can cause a subsequent CPU to fail to observe stores from
a prior node reclaim. This is not an issue in practice on TSO (e.g.
x86), but it is an issue on weakly-ordered architectures (e.g. arm64).
Fix this by using clear_bit_unlock rather than clear_bit to clear
PGDAT_RECLAIM_LOCKED with a release memory ordering semantic.
This provides stronger memory ordering (release rather than relaxed).
Link: https://lkml.kernel.org/r/20250312141014.129725-1-mathieu.desnoyers@efficios.com
Fixes: d773ed6b856a ("mm: test and set zone reclaim lock before starting reclaim")
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Andrea Parri <parri.andrea@gmail.com>
Cc: Will Deacon <will@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Boqun Feng <boqun.feng@gmail.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Jade Alglave <j.alglave@ucl.ac.uk>
Cc: Luc Maranget <luc.maranget@inria.fr>
Cc: "Paul E. McKenney" <paulmck@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/vmscan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -7580,7 +7580,7 @@ int node_reclaim(struct pglist_data *pgd
return NODE_RECLAIM_NOSCAN;
ret = __node_reclaim(pgdat, gfp_mask, order);
- clear_bit(PGDAT_RECLAIM_LOCKED, &pgdat->flags);
+ clear_bit_unlock(PGDAT_RECLAIM_LOCKED, &pgdat->flags);
if (ret)
count_vm_event(PGSCAN_ZONE_RECLAIM_SUCCESS);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 363/449] mm/userfaultfd: fix release hang over concurrent GUP
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (361 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 362/449] mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 364/449] mm/hwpoison: do not send SIGBUS to processes with recovered clean pages Greg Kroah-Hartman
` (92 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Xu, Andrea Arcangeli,
Mike Rapoport (IBM), Axel Rasmussen, Jinjiang Tu,
Dimitris Siakavaras, Andrew Morton
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Xu <peterx@redhat.com>
commit fe4cdc2c4e248f48de23bc778870fd71e772a274 upstream.
This patch should fix a possible userfaultfd release() hang during
concurrent GUP.
This problem was initially reported by Dimitris Siakavaras in July 2023
[1] in a firecracker use case. Firecracker has a separate process
handling page faults remotely, and when the process releases the
userfaultfd it can race with a concurrent GUP from KVM trying to fault in
a guest page during the secondary MMU page fault process.
A similar problem was reported recently again by Jinjiang Tu in March 2025
[2], even though the race happened this time with a mlockall() operation,
which does GUP in a similar fashion.
In 2017, commit 656710a60e36 ("userfaultfd: non-cooperative: closing the
uffd without triggering SIGBUS") was trying to fix this issue. AFAIU,
that fixes well the fault paths but may not work yet for GUP. In GUP, the
issue is NOPAGE will be almost treated the same as "page fault resolved"
in faultin_page(), then the GUP will follow page again, seeing page
missing, and it'll keep going into a live lock situation as reported.
This change makes core mm return RETRY instead of NOPAGE for both the GUP
and fault paths, proactively releasing the mmap read lock. This should
guarantee the other release thread make progress on taking the write lock
and avoid the live lock even for GUP.
When at it, rearrange the comments to make sure it's uptodate.
[1] https://lore.kernel.org/r/79375b71-db2e-3e66-346b-254c90d915e2@cslab.ece.ntua.gr
[2] https://lore.kernel.org/r/20250307072133.3522652-1-tujinjiang@huawei.com
Link: https://lkml.kernel.org/r/20250312145131.1143062-1-peterx@redhat.com
Signed-off-by: Peter Xu <peterx@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Mike Rapoport (IBM) <rppt@kernel.org>
Cc: Axel Rasmussen <axelrasmussen@google.com>
Cc: Jinjiang Tu <tujinjiang@huawei.com>
Cc: Dimitris Siakavaras <jimsiak@cslab.ece.ntua.gr>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/userfaultfd.c | 51 +++++++++++++++++++++++++--------------------------
1 file changed, 25 insertions(+), 26 deletions(-)
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -396,32 +396,6 @@ vm_fault_t handle_userfault(struct vm_fa
goto out;
/*
- * If it's already released don't get it. This avoids to loop
- * in __get_user_pages if userfaultfd_release waits on the
- * caller of handle_userfault to release the mmap_lock.
- */
- if (unlikely(READ_ONCE(ctx->released))) {
- /*
- * Don't return VM_FAULT_SIGBUS in this case, so a non
- * cooperative manager can close the uffd after the
- * last UFFDIO_COPY, without risking to trigger an
- * involuntary SIGBUS if the process was starting the
- * userfaultfd while the userfaultfd was still armed
- * (but after the last UFFDIO_COPY). If the uffd
- * wasn't already closed when the userfault reached
- * this point, that would normally be solved by
- * userfaultfd_must_wait returning 'false'.
- *
- * If we were to return VM_FAULT_SIGBUS here, the non
- * cooperative manager would be instead forced to
- * always call UFFDIO_UNREGISTER before it can safely
- * close the uffd.
- */
- ret = VM_FAULT_NOPAGE;
- goto out;
- }
-
- /*
* Check that we can return VM_FAULT_RETRY.
*
* NOTE: it should become possible to return VM_FAULT_RETRY
@@ -457,6 +431,31 @@ vm_fault_t handle_userfault(struct vm_fa
if (vmf->flags & FAULT_FLAG_RETRY_NOWAIT)
goto out;
+ if (unlikely(READ_ONCE(ctx->released))) {
+ /*
+ * If a concurrent release is detected, do not return
+ * VM_FAULT_SIGBUS or VM_FAULT_NOPAGE, but instead always
+ * return VM_FAULT_RETRY with lock released proactively.
+ *
+ * If we were to return VM_FAULT_SIGBUS here, the non
+ * cooperative manager would be instead forced to
+ * always call UFFDIO_UNREGISTER before it can safely
+ * close the uffd, to avoid involuntary SIGBUS triggered.
+ *
+ * If we were to return VM_FAULT_NOPAGE, it would work for
+ * the fault path, in which the lock will be released
+ * later. However for GUP, faultin_page() does nothing
+ * special on NOPAGE, so GUP would spin retrying without
+ * releasing the mmap read lock, causing possible livelock.
+ *
+ * Here only VM_FAULT_RETRY would make sure the mmap lock
+ * be released immediately, so that the thread concurrently
+ * releasing the userfault would always make progress.
+ */
+ release_fault_lock(vmf);
+ goto out;
+ }
+
/* take the reference before dropping the mmap_lock */
userfaultfd_ctx_get(ctx);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 364/449] mm/hwpoison: do not send SIGBUS to processes with recovered clean pages
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (362 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 363/449] mm/userfaultfd: fix release hang over concurrent GUP Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 365/449] mm/hugetlb: move hugetlb_sysctl_init() to the __init section Greg Kroah-Hartman
` (91 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuai Xue, Tony Luck, Miaohe Lin,
Baolin Wang, Borislav Betkov, Catalin Marinas, Dave Hansen,
H. Peter Anvin, Ingo Molnar, Jane Chu, Jarkko Sakkinen,
Jonathan Cameron, Josh Poimboeuf, Naoya Horiguchi, Peter Zijlstra,
Ruidong Tian, Thomas Gleinxer, Yazen Ghannam, Andrew Morton
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuai Xue <xueshuai@linux.alibaba.com>
commit aaf99ac2ceb7c974f758a635723eeaf48596388e upstream.
When an uncorrected memory error is consumed there is a race between the
CMCI from the memory controller reporting an uncorrected error with a UCNA
signature, and the core reporting and SRAR signature machine check when
the data is about to be consumed.
- Background: why *UN*corrected errors tied to *C*MCI in Intel platform [1]
Prior to Icelake memory controllers reported patrol scrub events that
detected a previously unseen uncorrected error in memory by signaling a
broadcast machine check with an SRAO (Software Recoverable Action
Optional) signature in the machine check bank. This was overkill because
it's not an urgent problem that no core is on the verge of consuming that
bad data. It's also found that multi SRAO UCE may cause nested MCE
interrupts and finally become an IERR.
Hence, Intel downgrades the machine check bank signature of patrol scrub
from SRAO to UCNA (Uncorrected, No Action required), and signal changed to
#CMCI. Just to add to the confusion, Linux does take an action (in
uc_decode_notifier()) to try to offline the page despite the UC*NA*
signature name.
- Background: why #CMCI and #MCE race when poison is consuming in Intel platform [1]
Having decided that CMCI/UCNA is the best action for patrol scrub errors,
the memory controller uses it for reads too. But the memory controller is
executing asynchronously from the core, and can't tell the difference
between a "real" read and a speculative read. So it will do CMCI/UCNA if
an error is found in any read.
Thus:
1) Core is clever and thinks address A is needed soon, issues a speculative read.
2) Core finds it is going to use address A soon after sending the read request
3) The CMCI from the memory controller is in a race with MCE from the core
that will soon try to retire the load from address A.
Quite often (because speculation has got better) the CMCI from the memory
controller is delivered before the core is committed to the instruction
reading address A, so the interrupt is taken, and Linux offlines the page
(marking it as poison).
- Why user process is killed for instr case
Commit 046545a661af ("mm/hwpoison: fix error page recovered but reported
"not recovered"") tries to fix noise message "Memory error not recovered"
and skips duplicate SIGBUSs due to the race. But it also introduced a bug
that kill_accessing_process() return -EHWPOISON for instr case, as result,
kill_me_maybe() send a SIGBUS to user process.
If the CMCI wins that race, the page is marked poisoned when
uc_decode_notifier() calls memory_failure(). For dirty pages,
memory_failure() invokes try_to_unmap() with the TTU_HWPOISON flag,
converting the PTE to a hwpoison entry. As a result,
kill_accessing_process():
- call walk_page_range() and return 1 regardless of whether
try_to_unmap() succeeds or fails,
- call kill_proc() to make sure a SIGBUS is sent
- return -EHWPOISON to indicate that SIGBUS is already sent to the
process and kill_me_maybe() doesn't have to send it again.
However, for clean pages, the TTU_HWPOISON flag is cleared, leaving the
PTE unchanged and not converted to a hwpoison entry. Conversely, for
clean pages where PTE entries are not marked as hwpoison,
kill_accessing_process() returns -EFAULT, causing kill_me_maybe() to send
a SIGBUS.
Console log looks like this:
Memory failure: 0x827ca68: corrupted page was clean: dropped without side effects
Memory failure: 0x827ca68: recovery action for clean LRU page: Recovered
Memory failure: 0x827ca68: already hardware poisoned
mce: Memory error not recovered
To fix it, return 0 for "corrupted page was clean", preventing an
unnecessary SIGBUS to user process.
[1] https://lore.kernel.org/lkml/20250217063335.22257-1-xueshuai@linux.alibaba.com/T/#mba94f1305b3009dd340ce4114d3221fe810d1871
Link: https://lkml.kernel.org/r/20250312112852.82415-3-xueshuai@linux.alibaba.com
Fixes: 046545a661af ("mm/hwpoison: fix error page recovered but reported "not recovered"")
Signed-off-by: Shuai Xue <xueshuai@linux.alibaba.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Acked-by: Miaohe Lin <linmiaohe@huawei.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Borislav Betkov <bp@alien8.de>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jane Chu <jane.chu@oracle.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Cc: Josh Poimboeuf <jpoimboe@kernel.org>
Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ruidong Tian <tianruidong@linux.alibaba.com>
Cc: Thomas Gleinxer <tglx@linutronix.de>
Cc: Yazen Ghannam <yazen.ghannam@amd.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memory-failure.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -881,12 +881,17 @@ static int kill_accessing_process(struct
mmap_read_lock(p->mm);
ret = walk_page_range(p->mm, 0, TASK_SIZE, &hwpoison_walk_ops,
(void *)&priv);
+ /*
+ * ret = 1 when CMCI wins, regardless of whether try_to_unmap()
+ * succeeds or fails, then kill the process with SIGBUS.
+ * ret = 0 when poison page is a clean page and it's dropped, no
+ * SIGBUS is needed.
+ */
if (ret == 1 && priv.tk.addr)
kill_proc(&priv.tk, pfn, flags);
- else
- ret = 0;
mmap_read_unlock(p->mm);
- return ret > 0 ? -EHWPOISON : -EFAULT;
+
+ return ret > 0 ? -EHWPOISON : 0;
}
/*
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 365/449] mm/hugetlb: move hugetlb_sysctl_init() to the __init section
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (363 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 364/449] mm/hwpoison: do not send SIGBUS to processes with recovered clean pages Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 366/449] mm/hwpoison: introduce folio_contain_hwpoisoned_page() helper Greg Kroah-Hartman
` (90 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marc Herbert, Anshuman Khandual,
Muchun Song, Andrew Morton
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Herbert <Marc.Herbert@linux.intel.com>
commit 1ca77ff1837249701053a7fcbdedabc41f4ae67c upstream.
hugetlb_sysctl_init() is only invoked once by an __init function and is
merely a wrapper around another __init function so there is not reason to
keep it.
Fixes the following warning when toning down some GCC inline options:
WARNING: modpost: vmlinux: section mismatch in reference:
hugetlb_sysctl_init+0x1b (section: .text) ->
__register_sysctl_init (section: .init.text)
Link: https://lkml.kernel.org/r/20250319060041.2737320-1-marc.herbert@linux.intel.com
Signed-off-by: Marc Herbert <Marc.Herbert@linux.intel.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Reviewed-by: Muchun Song <muchun.song@linux.dev>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/hugetlb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -4912,7 +4912,7 @@ static const struct ctl_table hugetlb_ta
},
};
-static void hugetlb_sysctl_init(void)
+static void __init hugetlb_sysctl_init(void)
{
register_sysctl_init("vm", hugetlb_table);
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 366/449] mm/hwpoison: introduce folio_contain_hwpoisoned_page() helper
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (364 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 365/449] mm/hugetlb: move hugetlb_sysctl_init() to the __init section Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 367/449] sctp: detect and prevent references to a freed transport in sendmsg Greg Kroah-Hartman
` (89 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jinjiang Tu, Miaohe Lin,
David Hildenbrand, Kefeng Wang, Nanyong Sun, Naoya Horiguchi,
Andrew Morton
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinjiang Tu <tujinjiang@huawei.com>
commit 5f5ee52d4f58605330b09851273d6e56aaadd29e upstream.
Patch series "mm/vmscan: don't try to reclaim hwpoison folio".
Fix a bug during memory reclaim if folio is hwpoisoned.
This patch (of 2):
Introduce helper folio_contain_hwpoisoned_page() to check if the entire
folio is hwpoisoned or it contains hwpoisoned pages.
Link: https://lkml.kernel.org/r/20250318083939.987651-1-tujinjiang@huawei.com
Link: https://lkml.kernel.org/r/20250318083939.987651-2-tujinjiang@huawei.com
Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com>
Acked-by: Miaohe Lin <linmiaohe@huawei.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: Nanyong Sun <sunnanyong@huawei.com>
Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/page-flags.h | 6 ++++++
mm/memory_hotplug.c | 3 +--
mm/shmem.c | 3 +--
3 files changed, 8 insertions(+), 4 deletions(-)
--- a/include/linux/page-flags.h
+++ b/include/linux/page-flags.h
@@ -1104,6 +1104,12 @@ static inline bool is_page_hwpoison(cons
return folio_test_hugetlb(folio) && PageHWPoison(&folio->page);
}
+static inline bool folio_contain_hwpoisoned_page(struct folio *folio)
+{
+ return folio_test_hwpoison(folio) ||
+ (folio_test_large(folio) && folio_test_has_hwpoisoned(folio));
+}
+
bool is_free_buddy_page(const struct page *page);
PAGEFLAG(Isolated, isolated, PF_ANY);
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -1828,8 +1828,7 @@ static void do_migrate_range(unsigned lo
if (unlikely(page_folio(page) != folio))
goto put_folio;
- if (folio_test_hwpoison(folio) ||
- (folio_test_large(folio) && folio_test_has_hwpoisoned(folio))) {
+ if (folio_contain_hwpoisoned_page(folio)) {
if (WARN_ON(folio_test_lru(folio)))
folio_isolate_lru(folio);
if (folio_mapped(folio)) {
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -3302,8 +3302,7 @@ shmem_write_begin(struct file *file, str
if (ret)
return ret;
- if (folio_test_hwpoison(folio) ||
- (folio_test_large(folio) && folio_test_has_hwpoisoned(folio))) {
+ if (folio_contain_hwpoisoned_page(folio)) {
folio_unlock(folio);
folio_put(folio);
return -EIO;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 367/449] sctp: detect and prevent references to a freed transport in sendmsg
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (365 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 366/449] mm/hwpoison: introduce folio_contain_hwpoisoned_page() helper Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 368/449] x86/xen: fix balloon target initialization for PVH dom0 Greg Kroah-Hartman
` (88 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xin Long,
Ricardo Cañuelo Navarro, Paolo Abeni
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Cañuelo Navarro <rcn@igalia.com>
commit f1a69a940de58b16e8249dff26f74c8cc59b32be upstream.
sctp_sendmsg() re-uses associations and transports when possible by
doing a lookup based on the socket endpoint and the message destination
address, and then sctp_sendmsg_to_asoc() sets the selected transport in
all the message chunks to be sent.
There's a possible race condition if another thread triggers the removal
of that selected transport, for instance, by explicitly unbinding an
address with setsockopt(SCTP_SOCKOPT_BINDX_REM), after the chunks have
been set up and before the message is sent. This can happen if the send
buffer is full, during the period when the sender thread temporarily
releases the socket lock in sctp_wait_for_sndbuf().
This causes the access to the transport data in
sctp_outq_select_transport(), when the association outqueue is flushed,
to result in a use-after-free read.
This change avoids this scenario by having sctp_transport_free() signal
the freeing of the transport, tagging it as "dead". In order to do this,
the patch restores the "dead" bit in struct sctp_transport, which was
removed in
commit 47faa1e4c50e ("sctp: remove the dead field of sctp_transport").
Then, in the scenario where the sender thread has released the socket
lock in sctp_wait_for_sndbuf(), the bit is checked again after
re-acquiring the socket lock to detect the deletion. This is done while
holding a reference to the transport to prevent it from being freed in
the process.
If the transport was deleted while the socket lock was relinquished,
sctp_sendmsg_to_asoc() will return -EAGAIN to let userspace retry the
send.
The bug was found by a private syzbot instance (see the error report [1]
and the C reproducer that triggers it [2]).
Link: https://people.igalia.com/rcn/kernel_logs/20250402__KASAN_slab-use-after-free_Read_in_sctp_outq_select_transport.txt [1]
Link: https://people.igalia.com/rcn/kernel_logs/20250402__KASAN_slab-use-after-free_Read_in_sctp_outq_select_transport__repro.c [2]
Cc: stable@vger.kernel.org
Fixes: df132eff4638 ("sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer")
Suggested-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Ricardo Cañuelo Navarro <rcn@igalia.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20250404-kasan_slab-use-after-free_read_in_sctp_outq_select_transport__20250404-v1-1-5ce4a0b78ef2@igalia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/sctp/structs.h | 3 ++-
net/sctp/socket.c | 22 ++++++++++++++--------
net/sctp/transport.c | 2 ++
3 files changed, 18 insertions(+), 9 deletions(-)
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -775,6 +775,7 @@ struct sctp_transport {
/* Reference counting. */
refcount_t refcnt;
+ __u32 dead:1,
/* RTO-Pending : A flag used to track if one of the DATA
* chunks sent to this address is currently being
* used to compute a RTT. If this flag is 0,
@@ -784,7 +785,7 @@ struct sctp_transport {
* calculation completes (i.e. the DATA chunk
* is SACK'd) clear this flag.
*/
- __u32 rto_pending:1,
+ rto_pending:1,
/*
* hb_sent : a flag that signals that we have a pending
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -72,8 +72,9 @@
/* Forward declarations for internal helper functions. */
static bool sctp_writeable(const struct sock *sk);
static void sctp_wfree(struct sk_buff *skb);
-static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
- size_t msg_len);
+static int sctp_wait_for_sndbuf(struct sctp_association *asoc,
+ struct sctp_transport *transport,
+ long *timeo_p, size_t msg_len);
static int sctp_wait_for_packet(struct sock *sk, int *err, long *timeo_p);
static int sctp_wait_for_connect(struct sctp_association *, long *timeo_p);
static int sctp_wait_for_accept(struct sock *sk, long timeo);
@@ -1828,7 +1829,7 @@ static int sctp_sendmsg_to_asoc(struct s
if (sctp_wspace(asoc) <= 0 || !sk_wmem_schedule(sk, msg_len)) {
timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
- err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
+ err = sctp_wait_for_sndbuf(asoc, transport, &timeo, msg_len);
if (err)
goto err;
if (unlikely(sinfo->sinfo_stream >= asoc->stream.outcnt)) {
@@ -9214,8 +9215,9 @@ void sctp_sock_rfree(struct sk_buff *skb
/* Helper function to wait for space in the sndbuf. */
-static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
- size_t msg_len)
+static int sctp_wait_for_sndbuf(struct sctp_association *asoc,
+ struct sctp_transport *transport,
+ long *timeo_p, size_t msg_len)
{
struct sock *sk = asoc->base.sk;
long current_timeo = *timeo_p;
@@ -9225,7 +9227,9 @@ static int sctp_wait_for_sndbuf(struct s
pr_debug("%s: asoc:%p, timeo:%ld, msg_len:%zu\n", __func__, asoc,
*timeo_p, msg_len);
- /* Increment the association's refcnt. */
+ /* Increment the transport and association's refcnt. */
+ if (transport)
+ sctp_transport_hold(transport);
sctp_association_hold(asoc);
/* Wait on the association specific sndbuf space. */
@@ -9234,7 +9238,7 @@ static int sctp_wait_for_sndbuf(struct s
TASK_INTERRUPTIBLE);
if (asoc->base.dead)
goto do_dead;
- if (!*timeo_p)
+ if ((!*timeo_p) || (transport && transport->dead))
goto do_nonblock;
if (sk->sk_err || asoc->state >= SCTP_STATE_SHUTDOWN_PENDING)
goto do_error;
@@ -9259,7 +9263,9 @@ static int sctp_wait_for_sndbuf(struct s
out:
finish_wait(&asoc->wait, &wait);
- /* Release the association's refcnt. */
+ /* Release the transport and association's refcnt. */
+ if (transport)
+ sctp_transport_put(transport);
sctp_association_put(asoc);
return err;
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -117,6 +117,8 @@ fail:
*/
void sctp_transport_free(struct sctp_transport *transport)
{
+ transport->dead = 1;
+
/* Try to delete the heartbeat timer. */
if (del_timer(&transport->hb_timer))
sctp_transport_put(transport);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 368/449] x86/xen: fix balloon target initialization for PVH dom0
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (366 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 367/449] sctp: detect and prevent references to a freed transport in sendmsg Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 369/449] uprobes: Avoid false-positive lockdep splat on CONFIG_PREEMPT_RT=y in the ri_timer() uprobe timer callback, use raw_write_seqcount_*() Greg Kroah-Hartman
` (87 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Roger Pau Monné, Juergen Gross
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Roger Pau Monne <roger.pau@citrix.com>
commit 87af633689ce16ddb166c80f32b120e50b1295de upstream.
PVH dom0 re-uses logic from PV dom0, in which RAM ranges not assigned to
dom0 are re-used as scratch memory to map foreign and grant pages. Such
logic relies on reporting those unpopulated ranges as RAM to Linux, and
mark them as reserved. This way Linux creates the underlying page
structures required for metadata management.
Such approach works fine on PV because the initial balloon target is
calculated using specific Xen data, that doesn't take into account the
memory type changes described above. However on HVM and PVH the initial
balloon target is calculated using get_num_physpages(), and that function
does take into account the unpopulated RAM regions used as scratch space
for remote domain mappings.
This leads to PVH dom0 having an incorrect initial balloon target, which
causes malfunction (excessive memory freeing) of the balloon driver if the
dom0 memory target is later adjusted from the toolstack.
Fix this by using xen_released_pages to account for any pages that are part
of the memory map, but are already unpopulated when the balloon driver is
initialized. This accounts for any regions used for scratch remote
mappings. Note on x86 xen_released_pages definition is moved to
enlighten.c so it's uniformly available for all Xen-enabled builds.
Take the opportunity to unify PV with PVH/HVM guests regarding the usage of
get_num_physpages(), as that avoids having to add different logic for PV vs
PVH in both balloon_add_regions() and arch_xen_unpopulated_init().
Much like a6aa4eb994ee, the code in this changeset should have been part of
38620fc4e893.
Fixes: a6aa4eb994ee ('xen/x86: add extra pages to unpopulated-alloc if available')
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Cc: stable@vger.kernel.org
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <20250407082838.65495-1-roger.pau@citrix.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/xen/enlighten.c | 10 ++++++++++
arch/x86/xen/setup.c | 3 ---
drivers/xen/balloon.c | 34 ++++++++++++++++++++++++----------
3 files changed, 34 insertions(+), 13 deletions(-)
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -70,6 +70,9 @@ EXPORT_SYMBOL(xen_start_flags);
*/
struct shared_info *HYPERVISOR_shared_info = &xen_dummy_shared_info;
+/* Number of pages released from the initial allocation. */
+unsigned long xen_released_pages;
+
static __ref void xen_get_vendor(void)
{
init_cpu_devs();
@@ -466,6 +469,13 @@ int __init arch_xen_unpopulated_init(str
xen_free_unpopulated_pages(1, &pg);
}
+ /*
+ * Account for the region being in the physmap but unpopulated.
+ * The value in xen_released_pages is used by the balloon
+ * driver to know how much of the physmap is unpopulated and
+ * set an accurate initial memory target.
+ */
+ xen_released_pages += xen_extra_mem[i].n_pfns;
/* Zero so region is not also added to the balloon driver. */
xen_extra_mem[i].n_pfns = 0;
}
--- a/arch/x86/xen/setup.c
+++ b/arch/x86/xen/setup.c
@@ -37,9 +37,6 @@
#define GB(x) ((uint64_t)(x) * 1024 * 1024 * 1024)
-/* Number of pages released from the initial allocation. */
-unsigned long xen_released_pages;
-
/* Memory map would allow PCI passthrough. */
bool xen_pv_pci_possible;
--- a/drivers/xen/balloon.c
+++ b/drivers/xen/balloon.c
@@ -675,7 +675,7 @@ void xen_free_ballooned_pages(unsigned i
}
EXPORT_SYMBOL(xen_free_ballooned_pages);
-static void __init balloon_add_regions(void)
+static int __init balloon_add_regions(void)
{
unsigned long start_pfn, pages;
unsigned long pfn, extra_pfn_end;
@@ -698,26 +698,38 @@ static void __init balloon_add_regions(v
for (pfn = start_pfn; pfn < extra_pfn_end; pfn++)
balloon_append(pfn_to_page(pfn));
- balloon_stats.total_pages += extra_pfn_end - start_pfn;
+ /*
+ * Extra regions are accounted for in the physmap, but need
+ * decreasing from current_pages to balloon down the initial
+ * allocation, because they are already accounted for in
+ * total_pages.
+ */
+ if (extra_pfn_end - start_pfn >= balloon_stats.current_pages) {
+ WARN(1, "Extra pages underflow current target");
+ return -ERANGE;
+ }
+ balloon_stats.current_pages -= extra_pfn_end - start_pfn;
}
+
+ return 0;
}
static int __init balloon_init(void)
{
struct task_struct *task;
+ int rc;
if (!xen_domain())
return -ENODEV;
pr_info("Initialising balloon driver\n");
-#ifdef CONFIG_XEN_PV
- balloon_stats.current_pages = xen_pv_domain()
- ? min(xen_start_info->nr_pages - xen_released_pages, max_pfn)
- : get_num_physpages();
-#else
- balloon_stats.current_pages = get_num_physpages();
-#endif
+ if (xen_released_pages >= get_num_physpages()) {
+ WARN(1, "Released pages underflow current target");
+ return -ERANGE;
+ }
+
+ balloon_stats.current_pages = get_num_physpages() - xen_released_pages;
balloon_stats.target_pages = balloon_stats.current_pages;
balloon_stats.balloon_low = 0;
balloon_stats.balloon_high = 0;
@@ -734,7 +746,9 @@ static int __init balloon_init(void)
register_sysctl_init("xen/balloon", balloon_table);
#endif
- balloon_add_regions();
+ rc = balloon_add_regions();
+ if (rc)
+ return rc;
task = kthread_run(balloon_thread, NULL, "xen-balloon");
if (IS_ERR(task)) {
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 369/449] uprobes: Avoid false-positive lockdep splat on CONFIG_PREEMPT_RT=y in the ri_timer() uprobe timer callback, use raw_write_seqcount_*()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (367 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 368/449] x86/xen: fix balloon target initialization for PVH dom0 Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 370/449] tracing: fprobe: Fix to lock module while registering fprobe Greg Kroah-Hartman
` (86 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexei Starovoitov,
Sebastian Siewior, Andrii Nakryiko, Ingo Molnar, Oleg Nesterov,
Thomas Gleixner, Peter Zijlstra, stable
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrii Nakryiko <andrii@kernel.org>
commit 0cd575cab10e114e95921321f069a08d45bc412e upstream.
Avoid a false-positive lockdep warning in the CONFIG_PREEMPT_RT=y
configuration when using write_seqcount_begin() in the uprobe timer
callback by using raw_write_* APIs.
Uprobe's use of timer callback is guaranteed to not race with itself
for a given uprobe_task, and as such seqcount's insistence on having
preemption disabled on the writer side is irrelevant. So switch to
raw_ variants of seqcount API instead of disabling preemption unnecessarily.
Also, point out in the comments more explicitly why we use seqcount
despite our reader side being rather simple and never retrying. We favor
well-maintained kernel primitive in favor of open-coding our own memory
barriers.
Fixes: 8622e45b5da1 ("uprobes: Reuse return_instances between multiple uretprobes within task")
Reported-by: Alexei Starovoitov <ast@kernel.org>
Suggested-by: Sebastian Siewior <bigeasy@linutronix.de>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20250404194848.2109539-1-andrii@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/events/uprobes.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -1955,6 +1955,9 @@ static void free_ret_instance(struct upr
* to-be-reused return instances for future uretprobes. If ri_timer()
* happens to be running right now, though, we fallback to safety and
* just perform RCU-delated freeing of ri.
+ * Admittedly, this is a rather simple use of seqcount, but it nicely
+ * abstracts away all the necessary memory barriers, so we use
+ * a well-supported kernel primitive here.
*/
if (raw_seqcount_try_begin(&utask->ri_seqcount, seq)) {
/* immediate reuse of ri without RCU GP is OK */
@@ -2015,12 +2018,20 @@ static void ri_timer(struct timer_list *
/* RCU protects return_instance from freeing. */
guard(rcu)();
- write_seqcount_begin(&utask->ri_seqcount);
+ /*
+ * See free_ret_instance() for notes on seqcount use.
+ * We also employ raw API variants to avoid lockdep false-positive
+ * warning complaining about enabled preemption. The timer can only be
+ * invoked once for a uprobe_task. Therefore there can only be one
+ * writer. The reader does not require an even sequence count to make
+ * progress, so it is OK to remain preemptible on PREEMPT_RT.
+ */
+ raw_write_seqcount_begin(&utask->ri_seqcount);
for_each_ret_instance_rcu(ri, utask->return_instances)
hprobe_expire(&ri->hprobe, false);
- write_seqcount_end(&utask->ri_seqcount);
+ raw_write_seqcount_end(&utask->ri_seqcount);
}
static struct uprobe_task *alloc_utask(void)
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 370/449] tracing: fprobe: Fix to lock module while registering fprobe
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (368 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 369/449] uprobes: Avoid false-positive lockdep splat on CONFIG_PREEMPT_RT=y in the ri_timer() uprobe timer callback, use raw_write_seqcount_*() Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 371/449] tracing: fprobe events: Fix possible UAF on modules Greg Kroah-Hartman
` (85 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steven Rostedt,
Masami Hiramatsu (Google)
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
commit d24fa977eec53399a9a49a2e1dc592430ea0a607 upstream.
Since register_fprobe() does not get the module reference count while
registering fgraph filter, if the target functions (symbols) are in
modules, those modules can be unloaded when registering fprobe to
fgraph.
To avoid this issue, get the reference counter of module for each
symbol, and put it after register the fprobe.
Link: https://lore.kernel.org/all/174330568792.459674.16874380163991113156.stgit@devnote2/
Reported-by: Steven Rostedt <rostedt@goodmis.org>
Closes: https://lore.kernel.org/all/20250325130628.3a9e234c@gandalf.local.home/
Fixes: 4346ba160409 ("fprobe: Rewrite fprobe on function-graph tracer")
Cc: stable@vger.kernel.org
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/fprobe.c | 67 +++++++++++++++++++++++++++++++++++---------------
1 file changed, 48 insertions(+), 19 deletions(-)
--- a/kernel/trace/fprobe.c
+++ b/kernel/trace/fprobe.c
@@ -544,6 +544,7 @@ struct filter_match_data {
size_t index;
size_t size;
unsigned long *addrs;
+ struct module **mods;
};
static int filter_match_callback(void *data, const char *name, unsigned long addr)
@@ -557,30 +558,47 @@ static int filter_match_callback(void *d
if (!ftrace_location(addr))
return 0;
- if (match->addrs)
- match->addrs[match->index] = addr;
+ if (match->addrs) {
+ struct module *mod = __module_text_address(addr);
+
+ if (mod && !try_module_get(mod))
+ return 0;
+ match->mods[match->index] = mod;
+ match->addrs[match->index] = addr;
+ }
match->index++;
return match->index == match->size;
}
/*
* Make IP list from the filter/no-filter glob patterns.
- * Return the number of matched symbols, or -ENOENT.
+ * Return the number of matched symbols, or errno.
+ * If @addrs == NULL, this just counts the number of matched symbols. If @addrs
+ * is passed with an array, we need to pass the an @mods array of the same size
+ * to increment the module refcount for each symbol.
+ * This means we also need to call `module_put` for each element of @mods after
+ * using the @addrs.
*/
-static int ip_list_from_filter(const char *filter, const char *notfilter,
- unsigned long *addrs, size_t size)
+static int get_ips_from_filter(const char *filter, const char *notfilter,
+ unsigned long *addrs, struct module **mods,
+ size_t size)
{
struct filter_match_data match = { .filter = filter, .notfilter = notfilter,
- .index = 0, .size = size, .addrs = addrs};
+ .index = 0, .size = size, .addrs = addrs, .mods = mods};
int ret;
+ if (addrs && !mods)
+ return -EINVAL;
+
ret = kallsyms_on_each_symbol(filter_match_callback, &match);
if (ret < 0)
return ret;
- ret = module_kallsyms_on_each_symbol(NULL, filter_match_callback, &match);
- if (ret < 0)
- return ret;
+ if (IS_ENABLED(CONFIG_MODULES)) {
+ ret = module_kallsyms_on_each_symbol(NULL, filter_match_callback, &match);
+ if (ret < 0)
+ return ret;
+ }
return match.index ?: -ENOENT;
}
@@ -642,24 +660,35 @@ static int fprobe_init(struct fprobe *fp
*/
int register_fprobe(struct fprobe *fp, const char *filter, const char *notfilter)
{
- unsigned long *addrs;
- int ret;
+ unsigned long *addrs __free(kfree) = NULL;
+ struct module **mods __free(kfree) = NULL;
+ int ret, num;
if (!fp || !filter)
return -EINVAL;
- ret = ip_list_from_filter(filter, notfilter, NULL, FPROBE_IPS_MAX);
- if (ret < 0)
- return ret;
+ num = get_ips_from_filter(filter, notfilter, NULL, NULL, FPROBE_IPS_MAX);
+ if (num < 0)
+ return num;
- addrs = kcalloc(ret, sizeof(unsigned long), GFP_KERNEL);
+ addrs = kcalloc(num, sizeof(*addrs), GFP_KERNEL);
if (!addrs)
return -ENOMEM;
- ret = ip_list_from_filter(filter, notfilter, addrs, ret);
- if (ret > 0)
- ret = register_fprobe_ips(fp, addrs, ret);
- kfree(addrs);
+ mods = kcalloc(num, sizeof(*mods), GFP_KERNEL);
+ if (!mods)
+ return -ENOMEM;
+
+ ret = get_ips_from_filter(filter, notfilter, addrs, mods, num);
+ if (ret < 0)
+ return ret;
+
+ ret = register_fprobe_ips(fp, addrs, ret);
+
+ for (int i = 0; i < num; i++) {
+ if (mods[i])
+ module_put(mods[i]);
+ }
return ret;
}
EXPORT_SYMBOL_GPL(register_fprobe);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 371/449] tracing: fprobe events: Fix possible UAF on modules
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (369 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 370/449] tracing: fprobe: Fix to lock module while registering fprobe Greg Kroah-Hartman
@ 2025-04-17 17:50 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 372/449] tracing: Do not add length to print format in synthetic events Greg Kroah-Hartman
` (84 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu (Google)
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
commit dd941507a9486252d6fcf11814387666792020f3 upstream.
Commit ac91052f0ae5 ("tracing: tprobe-events: Fix leakage of module
refcount") moved try_module_get() from __find_tracepoint_module_cb()
to find_tracepoint() caller, but that introduced a possible UAF
because the module can be unloaded before try_module_get(). In this
case, the module object should be freed too. Thus, try_module_get()
does not only fail but may access to the freed object.
To avoid that, try_module_get() in __find_tracepoint_module_cb()
again.
Link: https://lore.kernel.org/all/174342990779.781946.9138388479067729366.stgit@devnote2/
Fixes: ac91052f0ae5 ("tracing: tprobe-events: Fix leakage of module refcount")
Cc: stable@vger.kernel.org
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_fprobe.c | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
--- a/kernel/trace/trace_fprobe.c
+++ b/kernel/trace/trace_fprobe.c
@@ -919,9 +919,15 @@ static void __find_tracepoint_module_cb(
struct __find_tracepoint_cb_data *data = priv;
if (!data->tpoint && !strcmp(data->tp_name, tp->name)) {
- data->tpoint = tp;
- if (!data->mod)
+ /* If module is not specified, try getting module refcount. */
+ if (!data->mod && mod) {
+ /* If failed to get refcount, ignore this tracepoint. */
+ if (!try_module_get(mod))
+ return;
+
data->mod = mod;
+ }
+ data->tpoint = tp;
}
}
@@ -933,7 +939,11 @@ static void __find_tracepoint_cb(struct
data->tpoint = tp;
}
-/* Find a tracepoint from kernel and module. */
+/*
+ * Find a tracepoint from kernel and module. If the tracepoint is on the module,
+ * the module's refcount is incremented and returned as *@tp_mod. Thus, if it is
+ * not NULL, caller must call module_put(*tp_mod) after used the tracepoint.
+ */
static struct tracepoint *find_tracepoint(const char *tp_name,
struct module **tp_mod)
{
@@ -962,7 +972,10 @@ static void reenable_trace_fprobe(struct
}
}
-/* Find a tracepoint from specified module. */
+/*
+ * Find a tracepoint from specified module. In this case, this does not get the
+ * module's refcount. The caller must ensure the module is not freed.
+ */
static struct tracepoint *find_tracepoint_in_module(struct module *mod,
const char *tp_name)
{
@@ -1169,11 +1182,6 @@ static int trace_fprobe_create_internal(
if (is_tracepoint) {
ctx->flags |= TPARG_FL_TPOINT;
tpoint = find_tracepoint(symbol, &tp_mod);
- /* lock module until register this tprobe. */
- if (tp_mod && !try_module_get(tp_mod)) {
- tpoint = NULL;
- tp_mod = NULL;
- }
if (tpoint) {
ctx->funcname = kallsyms_lookup(
(unsigned long)tpoint->probestub,
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 372/449] tracing: Do not add length to print format in synthetic events
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (370 preceding siblings ...)
2025-04-17 17:50 ` [PATCH 6.14 371/449] tracing: fprobe events: Fix possible UAF on modules Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 373/449] thermal/drivers/rockchip: Add missing rk3328 mapping entry Greg Kroah-Hartman
` (83 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathieu Desnoyers, Tom Zanussi,
Douglas Raillard, Masami Hiramatsu (Google),
Steven Rostedt (Google)
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit e1a453a57bc76be678bd746f84e3d73f378a9511 upstream.
The following causes a vsnprintf fault:
# echo 's:wake_lat char[] wakee; u64 delta;' >> /sys/kernel/tracing/dynamic_events
# echo 'hist:keys=pid:ts=common_timestamp.usecs if !(common_flags & 0x18)' > /sys/kernel/tracing/events/sched/sched_waking/trigger
# echo 'hist:keys=next_pid:delta=common_timestamp.usecs-$ts:onmatch(sched.sched_waking).trace(wake_lat,next_comm,$delta)' > /sys/kernel/tracing/events/sched/sched_switch/trigger
Because the synthetic event's "wakee" field is created as a dynamic string
(even though the string copied is not). The print format to print the
dynamic string changed from "%*s" to "%s" because another location
(__set_synth_event_print_fmt()) exported this to user space, and user
space did not need that. But it is still used in print_synth_event(), and
the output looks like:
<idle>-0 [001] d..5. 193.428167: wake_lat: wakee=(efault)sshd-sessiondelta=155
sshd-session-879 [001] d..5. 193.811080: wake_lat: wakee=(efault)kworker/u34:5delta=58
<idle>-0 [002] d..5. 193.811198: wake_lat: wakee=(efault)bashdelta=91
bash-880 [002] d..5. 193.811371: wake_lat: wakee=(efault)kworker/u35:2delta=21
<idle>-0 [001] d..5. 193.811516: wake_lat: wakee=(efault)sshd-sessiondelta=129
sshd-session-879 [001] d..5. 193.967576: wake_lat: wakee=(efault)kworker/u34:5delta=50
The length isn't needed as the string is always nul terminated. Just print
the string and not add the length (which was hard coded to the max string
length anyway).
Cc: stable@vger.kernel.org
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Tom Zanussi <zanussi@kernel.org>
Cc: Douglas Raillard <douglas.raillard@arm.com>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Link: https://lore.kernel.org/20250407154139.69955768@gandalf.local.home
Fixes: 4d38328eb442d ("tracing: Fix synth event printk format for str fields");
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events_synth.c | 1 -
1 file changed, 1 deletion(-)
--- a/kernel/trace/trace_events_synth.c
+++ b/kernel/trace/trace_events_synth.c
@@ -370,7 +370,6 @@ static enum print_line_t print_synth_eve
union trace_synth_field *data = &entry->fields[n_u64];
trace_seq_printf(s, print_fmt, se->fields[i]->name,
- STR_VAR_LEN_MAX,
(char *)entry + data->as_dynamic.offset,
i == se->n_fields - 1 ? "" : " ");
n_u64++;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 373/449] thermal/drivers/rockchip: Add missing rk3328 mapping entry
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (371 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 372/449] tracing: Do not add length to print format in synthetic events Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 374/449] CIFS: Propagate min offload along with other parameters from primary to secondary channels Greg Kroah-Hartman
` (82 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Trevor Woerner, Dragan Simic,
Daniel Lezcano
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trevor Woerner <twoerner@gmail.com>
commit ee022e5cae052e0c67ca7c5fec0f2e7bc897c70e upstream.
The mapping table for the rk3328 is missing the entry for -25C which is
found in the TRM section 9.5.2 "Temperature-to-code mapping".
NOTE: the kernel uses the tsadc_q_sel=1'b1 mode which is defined as:
4096-<code in table>. Whereas the table in the TRM gives the code
"3774" for -25C, the kernel uses 4096-3774=322.
[Dragan Simic] : "After going through the RK3308 and RK3328 TRMs, as
well as through the downstream kernel code, it seems we may have
some troubles at our hands. Let me explain, please.
To sum it up, part 1 of the RK3308 TRM v1.1 says on page 538 that
the equation for the output when tsadc_q_sel equals 1 is (4096 -
tsadc_q), while part 1 of the RK3328 TRM v1.2 says that the output
equation is (1024 - tsadc_q) in that case.
The downstream kernel code, however, treats the RK3308 and RK3328
tables and their values as being the same. It even mentions 1024 as
the "offset" value in a comment block for the rk_tsadcv3_control()
function, just like the upstream code does, which is obviously wrong
"offset" value when correlated with the table on page 544 of part 1
of the RK3308 TRM v1.1.
With all this in mind, it's obvious that more work is needed to make
it clear where's the actual mistake (it could be that the TRM is
wrong), which I'll volunteer for as part of the SoC binning project.
In the meantime, this patch looks fine as-is to me, by offering
what's a clear improvement to the current state of the upstream
code"
Link: https://opensource.rock-chips.com/images/9/97/Rockchip_RK3328TRM_V1.1-Part1-20170321.pdf
Cc: stable@vger.kernel.org
Fixes: eda519d5f73e ("thermal: rockchip: Support the RK3328 SOC in thermal driver")
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
Reviewed-by: Dragan Simic <dsimic@manjaro.org>
Link: https://lore.kernel.org/r/20250207175048.35959-1-twoerner@gmail.com
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thermal/rockchip_thermal.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/thermal/rockchip_thermal.c
+++ b/drivers/thermal/rockchip_thermal.c
@@ -386,6 +386,7 @@ static const struct tsadc_table rk3328_c
{296, -40000},
{304, -35000},
{313, -30000},
+ {322, -25000},
{331, -20000},
{340, -15000},
{349, -10000},
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 374/449] CIFS: Propagate min offload along with other parameters from primary to secondary channels.
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (372 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 373/449] thermal/drivers/rockchip: Add missing rk3328 mapping entry Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 375/449] cifs: avoid NULL pointer dereference in dbg call Greg Kroah-Hartman
` (81 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aman, Paulo Alcantara (Red Hat),
Steve French
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aman <aman1@microsoft.com>
commit 1821e90be08e7d4a54cd167dd818d80d06e064e9 upstream.
In a multichannel setup, it was observed that a few fields were not being
copied over to the secondary channels, which impacted performance in cases
where these options were relevant but not properly synchronized. To address
this, this patch introduces copying the following parameters from the
primary channel to the secondary channels:
- min_offload
- compression.requested
- dfs_conn
- ignore_signature
- leaf_fullpath
- noblockcnt
- retrans
- sign
By copying these parameters, we ensure consistency across channels and
prevent performance degradation due to missing or outdated settings.
Cc: stable@vger.kernel.org
Signed-off-by: Aman <aman1@microsoft.com>
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/connect.c | 1 +
fs/smb/client/sess.c | 7 +++++++
2 files changed, 8 insertions(+)
--- a/fs/smb/client/connect.c
+++ b/fs/smb/client/connect.c
@@ -1677,6 +1677,7 @@ cifs_get_tcp_session(struct smb3_fs_cont
/* Grab netns reference for this server. */
cifs_set_net_ns(tcp_ses, get_net(current->nsproxy->net_ns));
+ tcp_ses->sign = ctx->sign;
tcp_ses->conn_id = atomic_inc_return(&tcpSesNextId);
tcp_ses->noblockcnt = ctx->rootfs;
tcp_ses->noblocksnd = ctx->noblocksnd || ctx->rootfs;
--- a/fs/smb/client/sess.c
+++ b/fs/smb/client/sess.c
@@ -522,6 +522,13 @@ cifs_ses_add_channel(struct cifs_ses *se
ctx->sockopt_tcp_nodelay = ses->server->tcp_nodelay;
ctx->echo_interval = ses->server->echo_interval / HZ;
ctx->max_credits = ses->server->max_credits;
+ ctx->min_offload = ses->server->min_offload;
+ ctx->compress = ses->server->compression.requested;
+ ctx->dfs_conn = ses->server->dfs_conn;
+ ctx->ignore_signature = ses->server->ignore_signature;
+ ctx->leaf_fullpath = ses->server->leaf_fullpath;
+ ctx->rootfs = ses->server->noblockcnt;
+ ctx->retrans = ses->server->retrans;
/*
* This will be used for encoding/decoding user/domain/pw
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 375/449] cifs: avoid NULL pointer dereference in dbg call
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (373 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 374/449] CIFS: Propagate min offload along with other parameters from primary to secondary channels Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 376/449] cifs: fix integer overflow in match_server() Greg Kroah-Hartman
` (80 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alexandra Diupina, Steve French
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandra Diupina <adiupina@astralinux.ru>
commit b4885bd5935bb26f0a414ad55679a372e53f9b9b upstream.
cifs_server_dbg() implies server to be non-NULL so
move call under condition to avoid NULL pointer dereference.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: e79b0332ae06 ("cifs: ignore cached share root handle closing errors")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2misc.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/fs/smb/client/smb2misc.c
+++ b/fs/smb/client/smb2misc.c
@@ -816,11 +816,12 @@ smb2_handle_cancelled_close(struct cifs_
WARN_ONCE(tcon->tc_count < 0, "tcon refcount is negative");
spin_unlock(&cifs_tcp_ses_lock);
- if (tcon->ses)
+ if (tcon->ses) {
server = tcon->ses->server;
-
- cifs_server_dbg(FYI, "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
- tcon->tid, persistent_fid, volatile_fid);
+ cifs_server_dbg(FYI,
+ "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
+ tcon->tid, persistent_fid, volatile_fid);
+ }
return 0;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 376/449] cifs: fix integer overflow in match_server()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (374 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 375/449] cifs: avoid NULL pointer dereference in dbg call Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 377/449] cifs: Ensure that all non-client-specific reparse points are processed by the server Greg Kroah-Hartman
` (79 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Roman Smirnov, Steve French
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Roman Smirnov <r.smirnov@omp.ru>
commit 2510859475d7f46ed7940db0853f3342bf1b65ee upstream.
The echo_interval is not limited in any way during mounting,
which makes it possible to write a large number to it. This can
cause an overflow when multiplying ctx->echo_interval by HZ in
match_server().
Add constraints for echo_interval to smb3_fs_context_parse_param().
Found by Linux Verification Center (linuxtesting.org) with Svace.
Fixes: adfeb3e00e8e1 ("cifs: Make echo interval tunable")
Cc: stable@vger.kernel.org
Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/fs_context.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/fs/smb/client/fs_context.c
+++ b/fs/smb/client/fs_context.c
@@ -1377,6 +1377,11 @@ static int smb3_fs_context_parse_param(s
ctx->closetimeo = HZ * result.uint_32;
break;
case Opt_echo_interval:
+ if (result.uint_32 < SMB_ECHO_INTERVAL_MIN ||
+ result.uint_32 > SMB_ECHO_INTERVAL_MAX) {
+ cifs_errorf(fc, "echo interval is out of bounds\n");
+ goto cifs_parse_mount_err;
+ }
ctx->echo_interval = result.uint_32;
break;
case Opt_snapshot:
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 377/449] cifs: Ensure that all non-client-specific reparse points are processed by the server
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (375 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 376/449] cifs: fix integer overflow in match_server() Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 378/449] clk: renesas: r9a07g043: Fix HP clock source for RZ/Five Greg Kroah-Hartman
` (78 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junwen Sun, Pali Rohár,
Steve French
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pali Rohár <pali@kernel.org>
commit 6f8a394aa952257575910d57cf0a63627fa949a2 upstream.
Fix regression in mounts to e.g. onedrive shares.
Generally, reparse points are processed by the SMB server during the
SMB OPEN request, but there are few reparse points which do not have
OPEN-like meaning for the SMB server and has to be processed by the SMB
client. Those are symlinks and special files (fifo, socket, block, char).
For Linux SMB client, it is required to process also name surrogate reparse
points as they represent another entity on the SMB server system. Linux
client will mark them as separate mount points. Examples of name surrogate
reparse points are NTFS junction points (e.g. created by the "mklink" tool
on Windows servers).
So after processing the name surrogate reparse points, clear the
-EOPNOTSUPP error code returned from the parse_reparse_point() to let SMB
server to process reparse points.
And remove printing misleading error message "unhandled reparse tag:" as
reparse points are handled by SMB server and hence unhandled fact is normal
operation.
Fixes: cad3fc0a4c8c ("cifs: Throw -EOPNOTSUPP error on unsupported reparse point type from parse_reparse_point()")
Fixes: b587fd128660 ("cifs: Treat unhandled directory name surrogate reparse points as mount directory nodes")
Cc: stable@vger.kernel.org
Reported-by: Junwen Sun <sunjw8888@gmail.com>
Tested-by: Junwen Sun <sunjw8888@gmail.com>
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/inode.c | 10 ++++++++++
fs/smb/client/reparse.c | 4 ----
2 files changed, 10 insertions(+), 4 deletions(-)
--- a/fs/smb/client/inode.c
+++ b/fs/smb/client/inode.c
@@ -1228,6 +1228,16 @@ static int reparse_info_to_fattr(struct
cifs_create_junction_fattr(fattr, sb);
goto out;
}
+ /*
+ * If the reparse point is unsupported by the Linux SMB
+ * client then let it process by the SMB server. So mask
+ * the -EOPNOTSUPP error code. This will allow Linux SMB
+ * client to send SMB OPEN request to server. If server
+ * does not support this reparse point too then server
+ * will return error during open the path.
+ */
+ if (rc == -EOPNOTSUPP)
+ rc = 0;
}
if (data->reparse.tag == IO_REPARSE_TAG_SYMLINK && !rc) {
--- a/fs/smb/client/reparse.c
+++ b/fs/smb/client/reparse.c
@@ -1069,8 +1069,6 @@ int parse_reparse_point(struct reparse_d
const char *full_path,
struct cifs_open_info_data *data)
{
- struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb);
-
data->reparse.buf = buf;
/* See MS-FSCC 2.1.2 */
@@ -1097,8 +1095,6 @@ int parse_reparse_point(struct reparse_d
}
return 0;
default:
- cifs_tcon_dbg(VFS | ONCE, "unhandled reparse tag: 0x%08x\n",
- le32_to_cpu(buf->ReparseTag));
return -EOPNOTSUPP;
}
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 378/449] clk: renesas: r9a07g043: Fix HP clock source for RZ/Five
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (376 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 377/449] cifs: Ensure that all non-client-specific reparse points are processed by the server Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 379/449] clk: qcom: clk-branch: Fix invert halt status bit check for votable clocks Greg Kroah-Hartman
` (77 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hien Huynh, Lad Prabhakar,
Geert Uytterhoeven
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
commit 7f22a298d926664b51fcfe2f8ea5feb7f8b79952 upstream.
According to the Rev.1.20 hardware manual for the RZ/Five SoC, the clock
source for HP is derived from PLL6 divided by 2. Correct the
implementation by configuring HP as a fixed clock source instead of a
MUX.
The `CPG_PL6_ETH_SSEL' register, which is available on the RZ/G2UL SoC,
is not present on the RZ/Five SoC, necessitating this change.
Fixes: 95d48d270305ad2c ("clk: renesas: r9a07g043: Add support for RZ/Five SoC")
Cc: stable@vger.kernel.org
Reported-by: Hien Huynh <hien.huynh.px@renesas.com>
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/20250127173159.34572-1-prabhakar.mahadev-lad.rj@bp.renesas.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/renesas/r9a07g043-cpg.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/clk/renesas/r9a07g043-cpg.c
+++ b/drivers/clk/renesas/r9a07g043-cpg.c
@@ -89,7 +89,9 @@ static const struct clk_div_table dtable
/* Mux clock tables */
static const char * const sel_pll3_3[] = { ".pll3_533", ".pll3_400" };
+#ifdef CONFIG_ARM64
static const char * const sel_pll6_2[] = { ".pll6_250", ".pll5_250" };
+#endif
static const char * const sel_sdhi[] = { ".clk_533", ".clk_400", ".clk_266" };
static const u32 mtable_sdhi[] = { 1, 2, 3 };
@@ -137,7 +139,12 @@ static const struct cpg_core_clk r9a07g0
DEF_DIV("P2", R9A07G043_CLK_P2, CLK_PLL3_DIV2_4_2, DIVPL3A, dtable_1_32),
DEF_FIXED("M0", R9A07G043_CLK_M0, CLK_PLL3_DIV2_4, 1, 1),
DEF_FIXED("ZT", R9A07G043_CLK_ZT, CLK_PLL3_DIV2_4_2, 1, 1),
+#ifdef CONFIG_ARM64
DEF_MUX("HP", R9A07G043_CLK_HP, SEL_PLL6_2, sel_pll6_2),
+#endif
+#ifdef CONFIG_RISCV
+ DEF_FIXED("HP", R9A07G043_CLK_HP, CLK_PLL6_250, 1, 1),
+#endif
DEF_FIXED("SPI0", R9A07G043_CLK_SPI0, CLK_DIV_PLL3_C, 1, 2),
DEF_FIXED("SPI1", R9A07G043_CLK_SPI1, CLK_DIV_PLL3_C, 1, 4),
DEF_SD_MUX("SD0", R9A07G043_CLK_SD0, SEL_SDHI0, SEL_SDHI0_STS, sel_sdhi,
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 379/449] clk: qcom: clk-branch: Fix invert halt status bit check for votable clocks
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (377 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 378/449] clk: renesas: r9a07g043: Fix HP clock source for RZ/Five Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 380/449] clk: qcom: gdsc: Release pm subdomains in reverse add order Greg Kroah-Hartman
` (76 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ajit Pandey, Dmitry Baryshkov,
Bjorn Andersson
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ajit Pandey <quic_ajipan@quicinc.com>
commit 5eac348182d2b5ed1066459abedb7bc6b5466f81 upstream.
BRANCH_HALT_ENABLE and BRANCH_HALT_ENABLE_VOTED flags are used to check
halt status of branch clocks, which have an inverted logic for the halt
bit in CBCR register. However, the current logic in the _check_halt()
method only compares the BRANCH_HALT_ENABLE flags, ignoring the votable
branch clocks.
Update the logic to correctly handle the invert logic for votable clocks
using the BRANCH_HALT_ENABLE_VOTED flags.
Fixes: 9092d1083a62 ("clk: qcom: branch: Extend the invert logic for branch2 clocks")
Cc: stable@vger.kernel.org
Signed-off-by: Ajit Pandey <quic_ajipan@quicinc.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Link: https://lore.kernel.org/r/20250128-push_fix-v1-1-fafec6747881@quicinc.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/qcom/clk-branch.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/clk/qcom/clk-branch.c
+++ b/drivers/clk/qcom/clk-branch.c
@@ -28,7 +28,7 @@ static bool clk_branch_in_hwcg_mode(cons
static bool clk_branch_check_halt(const struct clk_branch *br, bool enabling)
{
- bool invert = (br->halt_check == BRANCH_HALT_ENABLE);
+ bool invert = (br->halt_check & BRANCH_HALT_ENABLE);
u32 val;
regmap_read(br->clkr.regmap, br->halt_reg, &val);
@@ -44,7 +44,7 @@ static bool clk_branch2_check_halt(const
{
u32 val;
u32 mask;
- bool invert = (br->halt_check == BRANCH_HALT_ENABLE);
+ bool invert = (br->halt_check & BRANCH_HALT_ENABLE);
mask = CBCR_NOC_FSM_STATUS;
mask |= CBCR_CLK_OFF;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 380/449] clk: qcom: gdsc: Release pm subdomains in reverse add order
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (378 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 379/449] clk: qcom: clk-branch: Fix invert halt status bit check for votable clocks Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 381/449] clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code Greg Kroah-Hartman
` (75 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bryan ODonoghue, Bjorn Andersson
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
commit 0e6dfde439df0bb977cddd3cf7fff150a084a9bf upstream.
gdsc_unregister() should release subdomains in the reverse order to the
order in which those subdomains were added.
I've made this patch a standalone patch because it facilitates a subsequent
fix to stable.
Fixes: 1b771839de05 ("clk: qcom: gdsc: enable optional power domain support")
Cc: stable@vger.kernel.org
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Link: https://lore.kernel.org/r/20250117-b4-linux-next-24-11-18-clock-multiple-power-domains-v10-1-13f2bb656dad@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/qcom/gdsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/clk/qcom/gdsc.c
+++ b/drivers/clk/qcom/gdsc.c
@@ -571,7 +571,7 @@ void gdsc_unregister(struct gdsc_desc *d
size_t num = desc->num;
/* Remove subdomains */
- for (i = 0; i < num; i++) {
+ for (i = num - 1; i >= 0; i--) {
if (!scs[i])
continue;
if (scs[i]->parent)
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 381/449] clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (379 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 380/449] clk: qcom: gdsc: Release pm subdomains in reverse add order Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 382/449] clk: qcom: gdsc: Set retain_ff before moving to HW CTRL Greg Kroah-Hartman
` (74 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bryan ODonoghue, Bjorn Andersson
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
commit 65a733464553ea192797b889d1533a1a37216f32 upstream.
Adding a new clause to this if/else I noticed the existing usage of
pm_genpd_add_subdomain() wasn't capturing and returning the result code.
pm_genpd_add_subdomain() returns an int and can fail. Capture that result
code and throw it up the call stack if something goes wrong.
Fixes: 1b771839de05 ("clk: qcom: gdsc: enable optional power domain support")
Cc: stable@vger.kernel.org
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Link: https://lore.kernel.org/r/20250117-b4-linux-next-24-11-18-clock-multiple-power-domains-v10-2-13f2bb656dad@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/qcom/gdsc.c | 40 +++++++++++++++++++++++++++-------------
1 file changed, 27 insertions(+), 13 deletions(-)
--- a/drivers/clk/qcom/gdsc.c
+++ b/drivers/clk/qcom/gdsc.c
@@ -506,6 +506,23 @@ err_disable_supply:
return ret;
}
+static void gdsc_pm_subdomain_remove(struct gdsc_desc *desc, size_t num)
+{
+ struct device *dev = desc->dev;
+ struct gdsc **scs = desc->scs;
+ int i;
+
+ /* Remove subdomains */
+ for (i = num - 1; i >= 0; i--) {
+ if (!scs[i])
+ continue;
+ if (scs[i]->parent)
+ pm_genpd_remove_subdomain(scs[i]->parent, &scs[i]->pd);
+ else if (!IS_ERR_OR_NULL(dev->pm_domain))
+ pm_genpd_remove_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd);
+ }
+}
+
int gdsc_register(struct gdsc_desc *desc,
struct reset_controller_dev *rcdev, struct regmap *regmap)
{
@@ -555,30 +572,27 @@ int gdsc_register(struct gdsc_desc *desc
if (!scs[i])
continue;
if (scs[i]->parent)
- pm_genpd_add_subdomain(scs[i]->parent, &scs[i]->pd);
+ ret = pm_genpd_add_subdomain(scs[i]->parent, &scs[i]->pd);
else if (!IS_ERR_OR_NULL(dev->pm_domain))
- pm_genpd_add_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd);
+ ret = pm_genpd_add_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd);
+ if (ret)
+ goto err_pm_subdomain_remove;
}
return of_genpd_add_provider_onecell(dev->of_node, data);
+
+err_pm_subdomain_remove:
+ gdsc_pm_subdomain_remove(desc, i);
+
+ return ret;
}
void gdsc_unregister(struct gdsc_desc *desc)
{
- int i;
struct device *dev = desc->dev;
- struct gdsc **scs = desc->scs;
size_t num = desc->num;
- /* Remove subdomains */
- for (i = num - 1; i >= 0; i--) {
- if (!scs[i])
- continue;
- if (scs[i]->parent)
- pm_genpd_remove_subdomain(scs[i]->parent, &scs[i]->pd);
- else if (!IS_ERR_OR_NULL(dev->pm_domain))
- pm_genpd_remove_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd);
- }
+ gdsc_pm_subdomain_remove(desc, num);
of_genpd_del_provider(dev->of_node);
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 382/449] clk: qcom: gdsc: Set retain_ff before moving to HW CTRL
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (380 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 381/449] clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 383/449] crypto: ccp - Fix check for the primary ASP device Greg Kroah-Hartman
` (73 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Taniya Das, Imran Shaik,
Bjorn Andersson
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Taniya Das <quic_tdas@quicinc.com>
commit 25708f73ff171bb4171950c9f4be5aa8504b8459 upstream.
Enable the retain_ff_enable bit of GDSCR only if the GDSC is already ON.
Once the GDSCR moves to HW control, SW no longer can determine the state
of the GDSCR and setting the retain_ff bit could destroy all the register
contents we intended to save.
Therefore, move the retain_ff configuration before switching the GDSC to
HW trigger mode.
Cc: stable@vger.kernel.org
Fixes: 173722995cdb ("clk: qcom: gdsc: Add support to enable retention of GSDCR")
Signed-off-by: Taniya Das <quic_tdas@quicinc.com>
Reviewed-by: Imran Shaik <quic_imrashai@quicinc.com>
Tested-by: Imran Shaik <quic_imrashai@quicinc.com> # on QCS8300
Link: https://lore.kernel.org/r/20250214-gdsc_fixes-v1-1-73e56d68a80f@quicinc.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/qcom/gdsc.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
--- a/drivers/clk/qcom/gdsc.c
+++ b/drivers/clk/qcom/gdsc.c
@@ -292,6 +292,9 @@ static int gdsc_enable(struct generic_pm
*/
udelay(1);
+ if (sc->flags & RETAIN_FF_ENABLE)
+ gdsc_retain_ff_on(sc);
+
/* Turn on HW trigger mode if supported */
if (sc->flags & HW_CTRL) {
ret = gdsc_hwctrl(sc, true);
@@ -308,9 +311,6 @@ static int gdsc_enable(struct generic_pm
udelay(1);
}
- if (sc->flags & RETAIN_FF_ENABLE)
- gdsc_retain_ff_on(sc);
-
return 0;
}
@@ -457,13 +457,6 @@ static int gdsc_init(struct gdsc *sc)
goto err_disable_supply;
}
- /* Turn on HW trigger mode if supported */
- if (sc->flags & HW_CTRL) {
- ret = gdsc_hwctrl(sc, true);
- if (ret < 0)
- goto err_disable_supply;
- }
-
/*
* Make sure the retain bit is set if the GDSC is already on,
* otherwise we end up turning off the GDSC and destroying all
@@ -471,6 +464,14 @@ static int gdsc_init(struct gdsc *sc)
*/
if (sc->flags & RETAIN_FF_ENABLE)
gdsc_retain_ff_on(sc);
+
+ /* Turn on HW trigger mode if supported */
+ if (sc->flags & HW_CTRL) {
+ ret = gdsc_hwctrl(sc, true);
+ if (ret < 0)
+ goto err_disable_supply;
+ }
+
} else if (sc->flags & ALWAYS_ON) {
/* If ALWAYS_ON GDSCs are not ON, turn them ON */
gdsc_enable(&sc->pd);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 383/449] crypto: ccp - Fix check for the primary ASP device
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (381 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 382/449] clk: qcom: gdsc: Set retain_ff before moving to HW CTRL Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 384/449] crypto: ccp - Fix uAPI definitions of PSP errors Greg Kroah-Hartman
` (72 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tom Lendacky, Herbert Xu
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tom Lendacky <thomas.lendacky@amd.com>
commit 07bb097b92b987db518e72525b515d77904e966e upstream.
Currently, the ASP primary device check does not have support for PCI
domains, and, as a result, when the system is configured with PCI domains
(PCI segments) the wrong device can be selected as primary. This results
in commands submitted to the device timing out and failing. The device
check also relies on specific device and function assignments that may
not hold in the future.
Fix the primary ASP device check to include support for PCI domains and
to perform proper checking of the Bus/Device/Function positions.
Fixes: 2a6170dfe755 ("crypto: ccp: Add Platform Security Processor (PSP) device support")
Cc: stable@vger.kernel.org
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/ccp/sp-pci.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
--- a/drivers/crypto/ccp/sp-pci.c
+++ b/drivers/crypto/ccp/sp-pci.c
@@ -189,14 +189,17 @@ static bool sp_pci_is_master(struct sp_d
pdev_new = to_pci_dev(dev_new);
pdev_cur = to_pci_dev(dev_cur);
- if (pdev_new->bus->number < pdev_cur->bus->number)
- return true;
+ if (pci_domain_nr(pdev_new->bus) != pci_domain_nr(pdev_cur->bus))
+ return pci_domain_nr(pdev_new->bus) < pci_domain_nr(pdev_cur->bus);
- if (PCI_SLOT(pdev_new->devfn) < PCI_SLOT(pdev_cur->devfn))
- return true;
+ if (pdev_new->bus->number != pdev_cur->bus->number)
+ return pdev_new->bus->number < pdev_cur->bus->number;
- if (PCI_FUNC(pdev_new->devfn) < PCI_FUNC(pdev_cur->devfn))
- return true;
+ if (PCI_SLOT(pdev_new->devfn) != PCI_SLOT(pdev_cur->devfn))
+ return PCI_SLOT(pdev_new->devfn) < PCI_SLOT(pdev_cur->devfn);
+
+ if (PCI_FUNC(pdev_new->devfn) != PCI_FUNC(pdev_cur->devfn))
+ return PCI_FUNC(pdev_new->devfn) < PCI_FUNC(pdev_cur->devfn);
return false;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 384/449] crypto: ccp - Fix uAPI definitions of PSP errors
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (382 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 383/449] crypto: ccp - Fix check for the primary ASP device Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 385/449] dlm: fix error if inactive rsb is not hashed Greg Kroah-Hartman
` (71 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dionna Glaze, Tom Lendacky,
Alexey Kardashevskiy, Herbert Xu
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dionna Glaze <dionnaglaze@google.com>
commit b949f55644a6d1645c0a71f78afabf12aec7c33b upstream.
Additions to the error enum after explicit 0x27 setting for
SEV_RET_INVALID_KEY leads to incorrect value assignments.
Use explicit values to match the manufacturer specifications more
clearly.
Fixes: 3a45dc2b419e ("crypto: ccp: Define the SEV-SNP commands")
CC: stable@vger.kernel.org
Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/uapi/linux/psp-sev.h | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
--- a/include/uapi/linux/psp-sev.h
+++ b/include/uapi/linux/psp-sev.h
@@ -73,13 +73,20 @@ typedef enum {
SEV_RET_INVALID_PARAM,
SEV_RET_RESOURCE_LIMIT,
SEV_RET_SECURE_DATA_INVALID,
- SEV_RET_INVALID_KEY = 0x27,
- SEV_RET_INVALID_PAGE_SIZE,
- SEV_RET_INVALID_PAGE_STATE,
- SEV_RET_INVALID_MDATA_ENTRY,
- SEV_RET_INVALID_PAGE_OWNER,
- SEV_RET_INVALID_PAGE_AEAD_OFLOW,
- SEV_RET_RMP_INIT_REQUIRED,
+ SEV_RET_INVALID_PAGE_SIZE = 0x0019,
+ SEV_RET_INVALID_PAGE_STATE = 0x001A,
+ SEV_RET_INVALID_MDATA_ENTRY = 0x001B,
+ SEV_RET_INVALID_PAGE_OWNER = 0x001C,
+ SEV_RET_AEAD_OFLOW = 0x001D,
+ SEV_RET_EXIT_RING_BUFFER = 0x001F,
+ SEV_RET_RMP_INIT_REQUIRED = 0x0020,
+ SEV_RET_BAD_SVN = 0x0021,
+ SEV_RET_BAD_VERSION = 0x0022,
+ SEV_RET_SHUTDOWN_REQUIRED = 0x0023,
+ SEV_RET_UPDATE_FAILED = 0x0024,
+ SEV_RET_RESTORE_REQUIRED = 0x0025,
+ SEV_RET_RMP_INITIALIZATION_FAILED = 0x0026,
+ SEV_RET_INVALID_KEY = 0x0027,
SEV_RET_MAX,
} sev_ret_code;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 385/449] dlm: fix error if inactive rsb is not hashed
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (383 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 384/449] crypto: ccp - Fix uAPI definitions of PSP errors Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 386/449] dlm: fix error if active " Greg Kroah-Hartman
` (70 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alexander Aring, David Teigland
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Aring <aahringo@redhat.com>
commit 94e6e889a786dd16542fc8f2a45405fa13e3bbb5 upstream.
If an inactive rsb is not hashed anymore and this could occur because we
releases and acquired locks we need to signal the followed code that the
lookup failed. Since the lookup was successful, but it isn't part of the
rsb hash anymore we need to signal it by setting error to -EBADR as
dlm_search_rsb_tree() does it.
Cc: stable@vger.kernel.org
Fixes: 01fdeca1cc2d ("dlm: use rcu to avoid an extra rsb struct lookup")
Signed-off-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/dlm/lock.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/dlm/lock.c
+++ b/fs/dlm/lock.c
@@ -784,6 +784,7 @@ static int find_rsb_dir(struct dlm_ls *l
}
} else {
write_unlock_bh(&ls->ls_rsbtbl_lock);
+ error = -EBADR;
goto do_new;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 386/449] dlm: fix error if active rsb is not hashed
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (384 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 385/449] dlm: fix error if inactive rsb is not hashed Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 387/449] dm-ebs: fix prefetch-vs-suspend race Greg Kroah-Hartman
` (69 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alexander Aring, David Teigland
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Aring <aahringo@redhat.com>
commit a3672304abf2a847ac0c54c84842c64c5bfba279 upstream.
If an active rsb is not hashed anymore and this could occur because we
releases and acquired locks we need to signal the followed code that
the lookup failed. Since the lookup was successful, but it isn't part of
the rsb hash anymore we need to signal it by setting error to -EBADR as
dlm_search_rsb_tree() does it.
Cc: stable@vger.kernel.org
Fixes: 5be323b0c64d ("dlm: move dlm_search_rsb_tree() out of lock")
Signed-off-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/dlm/lock.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/dlm/lock.c
+++ b/fs/dlm/lock.c
@@ -741,6 +741,7 @@ static int find_rsb_dir(struct dlm_ls *l
read_lock_bh(&ls->ls_rsbtbl_lock);
if (!rsb_flag(r, RSB_HASHED)) {
read_unlock_bh(&ls->ls_rsbtbl_lock);
+ error = -EBADR;
goto do_new;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 387/449] dm-ebs: fix prefetch-vs-suspend race
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (385 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 386/449] dlm: fix error if active " Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 388/449] dm-integrity: set ti->error on memory allocation failure Greg Kroah-Hartman
` (68 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 9c565428788fb9b49066f94ab7b10efc686a0a4c upstream.
There's a possible race condition in dm-ebs - dm bufio prefetch may be in
progress while the device is suspended. Fix this by calling
dm_bufio_client_reset in the postsuspend hook.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-ebs-target.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/md/dm-ebs-target.c
+++ b/drivers/md/dm-ebs-target.c
@@ -390,6 +390,12 @@ static int ebs_map(struct dm_target *ti,
return DM_MAPIO_REMAPPED;
}
+static void ebs_postsuspend(struct dm_target *ti)
+{
+ struct ebs_c *ec = ti->private;
+ dm_bufio_client_reset(ec->bufio);
+}
+
static void ebs_status(struct dm_target *ti, status_type_t type,
unsigned int status_flags, char *result, unsigned int maxlen)
{
@@ -447,6 +453,7 @@ static struct target_type ebs_target = {
.ctr = ebs_ctr,
.dtr = ebs_dtr,
.map = ebs_map,
+ .postsuspend = ebs_postsuspend,
.status = ebs_status,
.io_hints = ebs_io_hints,
.prepare_ioctl = ebs_prepare_ioctl,
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 388/449] dm-integrity: set ti->error on memory allocation failure
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (386 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 387/449] dm-ebs: fix prefetch-vs-suspend race Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 389/449] dm-integrity: fix non-constant-time tag verification Greg Kroah-Hartman
` (67 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 00204ae3d6712ee053353920e3ce2b00c35ef75b upstream.
The dm-integrity target didn't set the error string when memory
allocation failed. This patch fixes it.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-integrity.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -5084,16 +5084,19 @@ try_smaller_buffer:
ic->recalc_bitmap = dm_integrity_alloc_page_list(n_bitmap_pages);
if (!ic->recalc_bitmap) {
+ ti->error = "Could not allocate memory for bitmap";
r = -ENOMEM;
goto bad;
}
ic->may_write_bitmap = dm_integrity_alloc_page_list(n_bitmap_pages);
if (!ic->may_write_bitmap) {
+ ti->error = "Could not allocate memory for bitmap";
r = -ENOMEM;
goto bad;
}
ic->bbs = kvmalloc_array(ic->n_bitmap_blocks, sizeof(struct bitmap_block_status), GFP_KERNEL);
if (!ic->bbs) {
+ ti->error = "Could not allocate memory for bitmap";
r = -ENOMEM;
goto bad;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 389/449] dm-integrity: fix non-constant-time tag verification
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (387 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 388/449] dm-integrity: set ti->error on memory allocation failure Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 390/449] dm-verity: fix prefetch-vs-suspend race Greg Kroah-Hartman
` (66 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Wilke, Jo Van Bulck,
Mikulas Patocka
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jo Van Bulck <jo.vanbulck@kuleuven.be>
commit 8bde1033f9cfc1c08628255cc434c6cf39c9d9ba upstream.
When using dm-integrity in standalone mode with a keyed hmac algorithm,
integrity tags are calculated and verified internally.
Using plain memcmp to compare the stored and computed tags may leak the
position of the first byte mismatch through side-channel analysis,
allowing to brute-force expected tags in linear time (e.g., by counting
single-stepping interrupts in confidential virtual machine environments).
Co-developed-by: Luca Wilke <work@luca-wilke.com>
Signed-off-by: Luca Wilke <work@luca-wilke.com>
Signed-off-by: Jo Van Bulck <jo.vanbulck@cs.kuleuven.be>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-integrity.c | 45 ++++++++++++++++++++++-----------------------
1 file changed, 22 insertions(+), 23 deletions(-)
--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -21,6 +21,7 @@
#include <linux/reboot.h>
#include <crypto/hash.h>
#include <crypto/skcipher.h>
+#include <crypto/utils.h>
#include <linux/async_tx.h>
#include <linux/dm-bufio.h>
@@ -516,7 +517,7 @@ static int sb_mac(struct dm_integrity_c
dm_integrity_io_error(ic, "crypto_shash_digest", r);
return r;
}
- if (memcmp(mac, actual_mac, mac_size)) {
+ if (crypto_memneq(mac, actual_mac, mac_size)) {
dm_integrity_io_error(ic, "superblock mac", -EILSEQ);
dm_audit_log_target(DM_MSG_PREFIX, "mac-superblock", ic->ti, 0);
return -EILSEQ;
@@ -859,7 +860,7 @@ static void rw_section_mac(struct dm_int
if (likely(wr))
memcpy(&js->mac, result + (j * JOURNAL_MAC_PER_SECTOR), JOURNAL_MAC_PER_SECTOR);
else {
- if (memcmp(&js->mac, result + (j * JOURNAL_MAC_PER_SECTOR), JOURNAL_MAC_PER_SECTOR)) {
+ if (crypto_memneq(&js->mac, result + (j * JOURNAL_MAC_PER_SECTOR), JOURNAL_MAC_PER_SECTOR)) {
dm_integrity_io_error(ic, "journal mac", -EILSEQ);
dm_audit_log_target(DM_MSG_PREFIX, "mac-journal", ic->ti, 0);
}
@@ -1401,10 +1402,9 @@ static bool find_newer_committed_node(st
static int dm_integrity_rw_tag(struct dm_integrity_c *ic, unsigned char *tag, sector_t *metadata_block,
unsigned int *metadata_offset, unsigned int total_size, int op)
{
-#define MAY_BE_FILLER 1
-#define MAY_BE_HASH 2
unsigned int hash_offset = 0;
- unsigned int may_be = MAY_BE_HASH | (ic->discard ? MAY_BE_FILLER : 0);
+ unsigned char mismatch_hash = 0;
+ unsigned char mismatch_filler = !ic->discard;
do {
unsigned char *data, *dp;
@@ -1425,7 +1425,7 @@ static int dm_integrity_rw_tag(struct dm
if (op == TAG_READ) {
memcpy(tag, dp, to_copy);
} else if (op == TAG_WRITE) {
- if (memcmp(dp, tag, to_copy)) {
+ if (crypto_memneq(dp, tag, to_copy)) {
memcpy(dp, tag, to_copy);
dm_bufio_mark_partial_buffer_dirty(b, *metadata_offset, *metadata_offset + to_copy);
}
@@ -1433,29 +1433,30 @@ static int dm_integrity_rw_tag(struct dm
/* e.g.: op == TAG_CMP */
if (likely(is_power_of_2(ic->tag_size))) {
- if (unlikely(memcmp(dp, tag, to_copy)))
- if (unlikely(!ic->discard) ||
- unlikely(memchr_inv(dp, DISCARD_FILLER, to_copy) != NULL)) {
- goto thorough_test;
- }
+ if (unlikely(crypto_memneq(dp, tag, to_copy)))
+ goto thorough_test;
} else {
unsigned int i, ts;
thorough_test:
ts = total_size;
for (i = 0; i < to_copy; i++, ts--) {
- if (unlikely(dp[i] != tag[i]))
- may_be &= ~MAY_BE_HASH;
- if (likely(dp[i] != DISCARD_FILLER))
- may_be &= ~MAY_BE_FILLER;
+ /*
+ * Warning: the control flow must not be
+ * dependent on match/mismatch of
+ * individual bytes.
+ */
+ mismatch_hash |= dp[i] ^ tag[i];
+ mismatch_filler |= dp[i] ^ DISCARD_FILLER;
hash_offset++;
if (unlikely(hash_offset == ic->tag_size)) {
- if (unlikely(!may_be)) {
+ if (unlikely(mismatch_hash) && unlikely(mismatch_filler)) {
dm_bufio_release(b);
return ts;
}
hash_offset = 0;
- may_be = MAY_BE_HASH | (ic->discard ? MAY_BE_FILLER : 0);
+ mismatch_hash = 0;
+ mismatch_filler = !ic->discard;
}
}
}
@@ -1476,8 +1477,6 @@ thorough_test:
} while (unlikely(total_size));
return 0;
-#undef MAY_BE_FILLER
-#undef MAY_BE_HASH
}
struct flush_request {
@@ -2076,7 +2075,7 @@ retry_kmap:
char checksums_onstack[MAX_T(size_t, HASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)];
integrity_sector_checksum(ic, logical_sector, mem + bv.bv_offset, checksums_onstack);
- if (unlikely(memcmp(checksums_onstack, journal_entry_tag(ic, je), ic->tag_size))) {
+ if (unlikely(crypto_memneq(checksums_onstack, journal_entry_tag(ic, je), ic->tag_size))) {
DMERR_LIMIT("Checksum failed when reading from journal, at sector 0x%llx",
logical_sector);
dm_audit_log_bio(DM_MSG_PREFIX, "journal-checksum",
@@ -2595,7 +2594,7 @@ static void dm_integrity_inline_recheck(
bio_put(outgoing_bio);
integrity_sector_checksum(ic, dio->bio_details.bi_iter.bi_sector, outgoing_data, digest);
- if (unlikely(memcmp(digest, dio->integrity_payload, min(crypto_shash_digestsize(ic->internal_hash), ic->tag_size)))) {
+ if (unlikely(crypto_memneq(digest, dio->integrity_payload, min(crypto_shash_digestsize(ic->internal_hash), ic->tag_size)))) {
DMERR_LIMIT("%pg: Checksum failed at sector 0x%llx",
ic->dev->bdev, dio->bio_details.bi_iter.bi_sector);
atomic64_inc(&ic->number_of_mismatches);
@@ -2634,7 +2633,7 @@ static int dm_integrity_end_io(struct dm
char *mem = bvec_kmap_local(&bv);
//memset(mem, 0xff, ic->sectors_per_block << SECTOR_SHIFT);
integrity_sector_checksum(ic, dio->bio_details.bi_iter.bi_sector, mem, digest);
- if (unlikely(memcmp(digest, dio->integrity_payload + pos,
+ if (unlikely(crypto_memneq(digest, dio->integrity_payload + pos,
min(crypto_shash_digestsize(ic->internal_hash), ic->tag_size)))) {
kunmap_local(mem);
dm_integrity_free_payload(dio);
@@ -2911,7 +2910,7 @@ static void do_journal_write(struct dm_i
integrity_sector_checksum(ic, sec + ((l - j) << ic->sb->log2_sectors_per_block),
(char *)access_journal_data(ic, i, l), test_tag);
- if (unlikely(memcmp(test_tag, journal_entry_tag(ic, je2), ic->tag_size))) {
+ if (unlikely(crypto_memneq(test_tag, journal_entry_tag(ic, je2), ic->tag_size))) {
dm_integrity_io_error(ic, "tag mismatch when replaying journal", -EILSEQ);
dm_audit_log_target(DM_MSG_PREFIX, "integrity-replay-journal", ic->ti, 0);
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 390/449] dm-verity: fix prefetch-vs-suspend race
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (388 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 389/449] dm-integrity: fix non-constant-time tag verification Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 391/449] dt-bindings: coresight: qcom,coresight-tpda: Fix too many reg Greg Kroah-Hartman
` (65 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 2de510fccbca3d1906b55f4be5f1de83fa2424ef upstream.
There's a possible race condition in dm-verity - the prefetch work item
may race with suspend and it is possible that prefetch continues to run
while the device is suspended. Fix this by calling flush_workqueue and
dm_bufio_client_reset in the postsuspend hook.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-verity-target.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -796,6 +796,13 @@ static int verity_map(struct dm_target *
return DM_MAPIO_SUBMITTED;
}
+static void verity_postsuspend(struct dm_target *ti)
+{
+ struct dm_verity *v = ti->private;
+ flush_workqueue(v->verify_wq);
+ dm_bufio_client_reset(v->bufio);
+}
+
/*
* Status: V (valid) or C (corruption found)
*/
@@ -1766,6 +1773,7 @@ static struct target_type verity_target
.ctr = verity_ctr,
.dtr = verity_dtr,
.map = verity_map,
+ .postsuspend = verity_postsuspend,
.status = verity_status,
.prepare_ioctl = verity_prepare_ioctl,
.iterate_devices = verity_iterate_devices,
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 391/449] dt-bindings: coresight: qcom,coresight-tpda: Fix too many reg
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (389 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 390/449] dm-verity: fix prefetch-vs-suspend race Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 392/449] dt-bindings: coresight: qcom,coresight-tpdm: " Greg Kroah-Hartman
` (64 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Suzuki K Poulose
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit d72deaf05ac18e421d7e52a6be8966fd6ee185f4 upstream.
Binding listed variable number of IO addresses without defining them,
however example DTS code, all in-tree DTS and Linux kernel driver
mention only one address space, so drop the second to make binding
precise and correctly describe the hardware.
Fixes: a8fbe1442c2b ("dt-bindings: arm: Adds CoreSight TPDA hardware definitions")
Cc: stable@vger.kernel.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/20250226112914.94361-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/arm/qcom,coresight-tpda.yaml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/Documentation/devicetree/bindings/arm/qcom,coresight-tpda.yaml
+++ b/Documentation/devicetree/bindings/arm/qcom,coresight-tpda.yaml
@@ -55,8 +55,7 @@ properties:
- const: arm,primecell
reg:
- minItems: 1
- maxItems: 2
+ maxItems: 1
clocks:
maxItems: 1
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 392/449] dt-bindings: coresight: qcom,coresight-tpdm: Fix too many reg
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (390 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 391/449] dt-bindings: coresight: qcom,coresight-tpda: Fix too many reg Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 393/449] firmware: cs_dsp: test_control_parse: null-terminate test strings Greg Kroah-Hartman
` (63 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Suzuki K Poulose
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 1e4e454223f770748775f211455513c79cb3121e upstream.
Binding listed variable number of IO addresses without defining them,
however example DTS code, all in-tree DTS and Linux kernel driver
mention only one address space, so drop the second to make binding
precise and correctly describe the hardware.
Fixes: 6c781a35133d ("dt-bindings: arm: Add CoreSight TPDM hardware")
Cc: stable@vger.kernel.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/20250226112914.94361-2-krzysztof.kozlowski@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/arm/qcom,coresight-tpdm.yaml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/Documentation/devicetree/bindings/arm/qcom,coresight-tpdm.yaml
+++ b/Documentation/devicetree/bindings/arm/qcom,coresight-tpdm.yaml
@@ -41,8 +41,7 @@ properties:
- const: arm,primecell
reg:
- minItems: 1
- maxItems: 2
+ maxItems: 1
qcom,dsb-element-bits:
description:
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 393/449] firmware: cs_dsp: test_control_parse: null-terminate test strings
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (391 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 392/449] dt-bindings: coresight: qcom,coresight-tpdm: " Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 394/449] ftrace: Add cond_resched() to ftrace_graph_set_hash() Greg Kroah-Hartman
` (62 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh,
Richard Fitzgerald, Mark Brown
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
commit 42ae6e2559e63c2d4096b698cd47aaeb974436df upstream.
The char pointers in 'struct cs_dsp_mock_coeff_def' are expected to
point to C strings. They need to be terminated by a null byte.
However the code does not allocate that trailing null byte and only
works if by chance the allocation is followed by such a null byte.
Refactor the repeated string allocation logic into a new helper which
makes sure the terminating null is always present.
It also makes the code more readable.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Fixes: 83baecd92e7c ("firmware: cs_dsp: Add KUnit testing of control parsing")
Cc: stable@vger.kernel.org
Reviewed-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Tested-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Link: https://patch.msgid.link/20250211-cs_dsp-kunit-strings-v1-1-d9bc2035d154@linutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
.../cirrus/test/cs_dsp_test_control_parse.c | 51 +++++++------------
1 file changed, 19 insertions(+), 32 deletions(-)
diff --git a/drivers/firmware/cirrus/test/cs_dsp_test_control_parse.c b/drivers/firmware/cirrus/test/cs_dsp_test_control_parse.c
index cb90964740ea..942ba1af5e7c 100644
--- a/drivers/firmware/cirrus/test/cs_dsp_test_control_parse.c
+++ b/drivers/firmware/cirrus/test/cs_dsp_test_control_parse.c
@@ -73,6 +73,18 @@ static const struct cs_dsp_mock_coeff_def mock_coeff_template = {
.length_bytes = 4,
};
+static char *cs_dsp_ctl_alloc_test_string(struct kunit *test, char c, size_t len)
+{
+ char *str;
+
+ str = kunit_kmalloc(test, len + 1, GFP_KERNEL);
+ KUNIT_ASSERT_NOT_ERR_OR_NULL(test, str);
+ memset(str, c, len);
+ str[len] = '\0';
+
+ return str;
+}
+
/* Algorithm info block without controls should load */
static void cs_dsp_ctl_parse_no_coeffs(struct kunit *test)
{
@@ -160,12 +172,8 @@ static void cs_dsp_ctl_parse_max_v1_name(struct kunit *test)
struct cs_dsp_mock_coeff_def def = mock_coeff_template;
struct cs_dsp_coeff_ctl *ctl;
struct firmware *wmfw;
- char *name;
- name = kunit_kzalloc(test, 256, GFP_KERNEL);
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, name);
- memset(name, 'A', 255);
- def.fullname = name;
+ def.fullname = cs_dsp_ctl_alloc_test_string(test, 'A', 255);
cs_dsp_mock_wmfw_start_alg_info_block(local->wmfw_builder,
cs_dsp_ctl_parse_test_algs[0].id,
@@ -252,14 +260,9 @@ static void cs_dsp_ctl_parse_max_short_name(struct kunit *test)
struct cs_dsp_test_local *local = priv->local;
struct cs_dsp_mock_coeff_def def = mock_coeff_template;
struct cs_dsp_coeff_ctl *ctl;
- char *name;
struct firmware *wmfw;
- name = kunit_kmalloc(test, 255, GFP_KERNEL);
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, name);
- memset(name, 'A', 255);
-
- def.shortname = name;
+ def.shortname = cs_dsp_ctl_alloc_test_string(test, 'A', 255);
cs_dsp_mock_wmfw_start_alg_info_block(local->wmfw_builder,
cs_dsp_ctl_parse_test_algs[0].id,
@@ -273,7 +276,7 @@ static void cs_dsp_ctl_parse_max_short_name(struct kunit *test)
ctl = list_first_entry_or_null(&priv->dsp->ctl_list, struct cs_dsp_coeff_ctl, list);
KUNIT_ASSERT_NOT_NULL(test, ctl);
KUNIT_EXPECT_EQ(test, ctl->subname_len, 255);
- KUNIT_EXPECT_MEMEQ(test, ctl->subname, name, ctl->subname_len);
+ KUNIT_EXPECT_MEMEQ(test, ctl->subname, def.shortname, ctl->subname_len);
KUNIT_EXPECT_EQ(test, ctl->flags, def.flags);
KUNIT_EXPECT_EQ(test, ctl->type, def.type);
KUNIT_EXPECT_EQ(test, ctl->len, def.length_bytes);
@@ -323,12 +326,8 @@ static void cs_dsp_ctl_parse_with_max_fullname(struct kunit *test)
struct cs_dsp_mock_coeff_def def = mock_coeff_template;
struct cs_dsp_coeff_ctl *ctl;
struct firmware *wmfw;
- char *fullname;
- fullname = kunit_kmalloc(test, 255, GFP_KERNEL);
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, fullname);
- memset(fullname, 'A', 255);
- def.fullname = fullname;
+ def.fullname = cs_dsp_ctl_alloc_test_string(test, 'A', 255);
cs_dsp_mock_wmfw_start_alg_info_block(local->wmfw_builder,
cs_dsp_ctl_parse_test_algs[0].id,
@@ -392,12 +391,8 @@ static void cs_dsp_ctl_parse_with_max_description(struct kunit *test)
struct cs_dsp_mock_coeff_def def = mock_coeff_template;
struct cs_dsp_coeff_ctl *ctl;
struct firmware *wmfw;
- char *description;
- description = kunit_kmalloc(test, 65535, GFP_KERNEL);
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, description);
- memset(description, 'A', 65535);
- def.description = description;
+ def.description = cs_dsp_ctl_alloc_test_string(test, 'A', 65535);
cs_dsp_mock_wmfw_start_alg_info_block(local->wmfw_builder,
cs_dsp_ctl_parse_test_algs[0].id,
@@ -429,17 +424,9 @@ static void cs_dsp_ctl_parse_with_max_fullname_and_description(struct kunit *tes
struct cs_dsp_mock_coeff_def def = mock_coeff_template;
struct cs_dsp_coeff_ctl *ctl;
struct firmware *wmfw;
- char *fullname, *description;
- fullname = kunit_kmalloc(test, 255, GFP_KERNEL);
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, fullname);
- memset(fullname, 'A', 255);
- def.fullname = fullname;
-
- description = kunit_kmalloc(test, 65535, GFP_KERNEL);
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, description);
- memset(description, 'A', 65535);
- def.description = description;
+ def.fullname = cs_dsp_ctl_alloc_test_string(test, 'A', 255);
+ def.description = cs_dsp_ctl_alloc_test_string(test, 'A', 65535);
cs_dsp_mock_wmfw_start_alg_info_block(local->wmfw_builder,
cs_dsp_ctl_parse_test_algs[0].id,
--
2.49.0
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 394/449] ftrace: Add cond_resched() to ftrace_graph_set_hash()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (392 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 393/449] firmware: cs_dsp: test_control_parse: null-terminate test strings Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 395/449] ftrace: Properly merge notrace hashes Greg Kroah-Hartman
` (61 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, zhoumin, Steven Rostedt (Google)
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: zhoumin <teczm@foxmail.com>
commit 42ea22e754ba4f2b86f8760ca27f6f71da2d982c upstream.
When the kernel contains a large number of functions that can be traced,
the loop in ftrace_graph_set_hash() may take a lot of time to execute.
This may trigger the softlockup watchdog.
Add cond_resched() within the loop to allow the kernel to remain
responsive even when processing a large number of functions.
This matches the cond_resched() that is used in other locations of the
code that iterates over all functions that can be traced.
Cc: stable@vger.kernel.org
Fixes: b9b0c831bed26 ("ftrace: Convert graph filter to use hash tables")
Link: https://lore.kernel.org/tencent_3E06CE338692017B5809534B9C5C03DA7705@qq.com
Signed-off-by: zhoumin <teczm@foxmail.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/ftrace.c | 1 +
1 file changed, 1 insertion(+)
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -6853,6 +6853,7 @@ ftrace_graph_set_hash(struct ftrace_hash
}
}
}
+ cond_resched();
} while_for_each_ftrace_rec();
return fail ? -EINVAL : 0;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 395/449] ftrace: Properly merge notrace hashes
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (393 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 394/449] ftrace: Add cond_resched() to ftrace_graph_set_hash() Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 396/449] fuse: {io-uring} Fix a possible req cancellation race Greg Kroah-Hartman
` (60 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andy Chiu, Steven Rostedt (Google)
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Chiu <andybnac@gmail.com>
commit 04a80a34c22f4db245f553d8696d1318d1c00ece upstream.
The global notrace hash should be jointly decided by the intersection of
each subops's notrace hash, but not the filter hash.
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/20250408160258.48563-1-andybnac@gmail.com
Fixes: 5fccc7552ccb ("ftrace: Add subops logic to allow one ops to manage many")
Signed-off-by: Andy Chiu <andybnac@gmail.com>
[ fixed removing of freeing of filter_hash ]
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/ftrace.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -3524,16 +3524,16 @@ int ftrace_startup_subops(struct ftrace_
ftrace_hash_empty(subops->func_hash->notrace_hash)) {
notrace_hash = EMPTY_HASH;
} else {
- size_bits = max(ops->func_hash->filter_hash->size_bits,
- subops->func_hash->filter_hash->size_bits);
+ size_bits = max(ops->func_hash->notrace_hash->size_bits,
+ subops->func_hash->notrace_hash->size_bits);
notrace_hash = alloc_ftrace_hash(size_bits);
if (!notrace_hash) {
free_ftrace_hash(filter_hash);
return -ENOMEM;
}
- ret = intersect_hash(¬race_hash, ops->func_hash->filter_hash,
- subops->func_hash->filter_hash);
+ ret = intersect_hash(¬race_hash, ops->func_hash->notrace_hash,
+ subops->func_hash->notrace_hash);
if (ret < 0) {
free_ftrace_hash(filter_hash);
free_ftrace_hash(notrace_hash);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 396/449] fuse: {io-uring} Fix a possible req cancellation race
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (394 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 395/449] ftrace: Properly merge notrace hashes Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 397/449] gpio: mpc8xxx: Fix wakeup source leaks on device unbind Greg Kroah-Hartman
` (59 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joanne Koong, Bernd Schubert,
Miklos Szeredi
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bernd Schubert <bschubert@ddn.com>
commit 09098e62e4be8f0755e58d6078aaf27cbd9a3a8d upstream.
task-A (application) might be in request_wait_answer and
try to remove the request when it has FR_PENDING set.
task-B (a fuse-server io-uring task) might handle this
request with FUSE_IO_URING_CMD_COMMIT_AND_FETCH, when
fetching the next request and accessed the req from
the pending list in fuse_uring_ent_assign_req().
That code path was not protected by fiq->lock and so
might race with task-A.
For scaling reasons we better don't use fiq->lock, but
add a handler to remove canceled requests from the queue.
This also removes usage of fiq->lock from
fuse_uring_add_req_to_ring_ent() altogether, as it was
there just to protect against this race and incomplete.
Also added is a comment why FR_PENDING is not cleared.
Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support")
Cc: <stable@vger.kernel.org> # v6.14
Reported-by: Joanne Koong <joannelkoong@gmail.com>
Closes: https://lore.kernel.org/all/CAJnrk1ZgHNb78dz-yfNTpxmW7wtT88A=m-zF0ZoLXKLUHRjNTw@mail.gmail.com/
Signed-off-by: Bernd Schubert <bschubert@ddn.com>
Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dev.c | 34 +++++++++++++++++++++++++---------
fs/fuse/dev_uring.c | 15 +++++++++++----
fs/fuse/dev_uring_i.h | 6 ++++++
fs/fuse/fuse_dev_i.h | 1 +
fs/fuse/fuse_i.h | 3 +++
5 files changed, 46 insertions(+), 13 deletions(-)
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 2c3a4d09e500..2645cd8accfd 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -407,6 +407,24 @@ static int queue_interrupt(struct fuse_req *req)
return 0;
}
+bool fuse_remove_pending_req(struct fuse_req *req, spinlock_t *lock)
+{
+ spin_lock(lock);
+ if (test_bit(FR_PENDING, &req->flags)) {
+ /*
+ * FR_PENDING does not get cleared as the request will end
+ * up in destruction anyway.
+ */
+ list_del(&req->list);
+ spin_unlock(lock);
+ __fuse_put_request(req);
+ req->out.h.error = -EINTR;
+ return true;
+ }
+ spin_unlock(lock);
+ return false;
+}
+
static void request_wait_answer(struct fuse_req *req)
{
struct fuse_conn *fc = req->fm->fc;
@@ -428,22 +446,20 @@ static void request_wait_answer(struct fuse_req *req)
}
if (!test_bit(FR_FORCE, &req->flags)) {
+ bool removed;
+
/* Only fatal signals may interrupt this */
err = wait_event_killable(req->waitq,
test_bit(FR_FINISHED, &req->flags));
if (!err)
return;
- spin_lock(&fiq->lock);
- /* Request is not yet in userspace, bail out */
- if (test_bit(FR_PENDING, &req->flags)) {
- list_del(&req->list);
- spin_unlock(&fiq->lock);
- __fuse_put_request(req);
- req->out.h.error = -EINTR;
+ if (test_bit(FR_URING, &req->flags))
+ removed = fuse_uring_remove_pending_req(req);
+ else
+ removed = fuse_remove_pending_req(req, &fiq->lock);
+ if (removed)
return;
- }
- spin_unlock(&fiq->lock);
}
/*
diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c
index ebd2931b4f2a..add7273c8dc4 100644
--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -726,8 +726,6 @@ static void fuse_uring_add_req_to_ring_ent(struct fuse_ring_ent *ent,
struct fuse_req *req)
{
struct fuse_ring_queue *queue = ent->queue;
- struct fuse_conn *fc = req->fm->fc;
- struct fuse_iqueue *fiq = &fc->iq;
lockdep_assert_held(&queue->lock);
@@ -737,9 +735,7 @@ static void fuse_uring_add_req_to_ring_ent(struct fuse_ring_ent *ent,
ent->state);
}
- spin_lock(&fiq->lock);
clear_bit(FR_PENDING, &req->flags);
- spin_unlock(&fiq->lock);
ent->fuse_req = req;
ent->state = FRRS_FUSE_REQ;
list_move(&ent->list, &queue->ent_w_req_queue);
@@ -1238,6 +1234,8 @@ void fuse_uring_queue_fuse_req(struct fuse_iqueue *fiq, struct fuse_req *req)
if (unlikely(queue->stopped))
goto err_unlock;
+ set_bit(FR_URING, &req->flags);
+ req->ring_queue = queue;
ent = list_first_entry_or_null(&queue->ent_avail_queue,
struct fuse_ring_ent, list);
if (ent)
@@ -1276,6 +1274,8 @@ bool fuse_uring_queue_bq_req(struct fuse_req *req)
return false;
}
+ set_bit(FR_URING, &req->flags);
+ req->ring_queue = queue;
list_add_tail(&req->list, &queue->fuse_req_bg_queue);
ent = list_first_entry_or_null(&queue->ent_avail_queue,
@@ -1306,6 +1306,13 @@ bool fuse_uring_queue_bq_req(struct fuse_req *req)
return true;
}
+bool fuse_uring_remove_pending_req(struct fuse_req *req)
+{
+ struct fuse_ring_queue *queue = req->ring_queue;
+
+ return fuse_remove_pending_req(req, &queue->lock);
+}
+
static const struct fuse_iqueue_ops fuse_io_uring_ops = {
/* should be send over io-uring as enhancement */
.send_forget = fuse_dev_queue_forget,
diff --git a/fs/fuse/dev_uring_i.h b/fs/fuse/dev_uring_i.h
index 2102b3d0c1ae..e5b39a92b7ca 100644
--- a/fs/fuse/dev_uring_i.h
+++ b/fs/fuse/dev_uring_i.h
@@ -142,6 +142,7 @@ void fuse_uring_abort_end_requests(struct fuse_ring *ring);
int fuse_uring_cmd(struct io_uring_cmd *cmd, unsigned int issue_flags);
void fuse_uring_queue_fuse_req(struct fuse_iqueue *fiq, struct fuse_req *req);
bool fuse_uring_queue_bq_req(struct fuse_req *req);
+bool fuse_uring_remove_pending_req(struct fuse_req *req);
static inline void fuse_uring_abort(struct fuse_conn *fc)
{
@@ -200,6 +201,11 @@ static inline bool fuse_uring_ready(struct fuse_conn *fc)
return false;
}
+static inline bool fuse_uring_remove_pending_req(struct fuse_req *req)
+{
+ return false;
+}
+
#endif /* CONFIG_FUSE_IO_URING */
#endif /* _FS_FUSE_DEV_URING_I_H */
diff --git a/fs/fuse/fuse_dev_i.h b/fs/fuse/fuse_dev_i.h
index 3b2bfe1248d3..2481da3388c5 100644
--- a/fs/fuse/fuse_dev_i.h
+++ b/fs/fuse/fuse_dev_i.h
@@ -61,6 +61,7 @@ int fuse_copy_out_args(struct fuse_copy_state *cs, struct fuse_args *args,
void fuse_dev_queue_forget(struct fuse_iqueue *fiq,
struct fuse_forget_link *forget);
void fuse_dev_queue_interrupt(struct fuse_iqueue *fiq, struct fuse_req *req);
+bool fuse_remove_pending_req(struct fuse_req *req, spinlock_t *lock);
#endif
diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
index fee96fe7887b..2086dac7243b 100644
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -378,6 +378,7 @@ struct fuse_io_priv {
* FR_FINISHED: request is finished
* FR_PRIVATE: request is on private list
* FR_ASYNC: request is asynchronous
+ * FR_URING: request is handled through fuse-io-uring
*/
enum fuse_req_flag {
FR_ISREPLY,
@@ -392,6 +393,7 @@ enum fuse_req_flag {
FR_FINISHED,
FR_PRIVATE,
FR_ASYNC,
+ FR_URING,
};
/**
@@ -441,6 +443,7 @@ struct fuse_req {
#ifdef CONFIG_FUSE_IO_URING
void *ring_entry;
+ void *ring_queue;
#endif
};
--
2.49.0
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 397/449] gpio: mpc8xxx: Fix wakeup source leaks on device unbind
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (395 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 396/449] fuse: {io-uring} Fix a possible req cancellation race Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 398/449] gpio: tegra186: fix resource handling in ACPI probe path Greg Kroah-Hartman
` (58 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Bartosz Golaszewski
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit da47605e43af9996eb46c8a060f259a8c34cc3c5 upstream.
Device can be unbound, so driver must also release memory for the wakeup
source.
Cc: stable@vger.kernel.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20250406202245.53854-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-mpc8xxx.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/gpio/gpio-mpc8xxx.c
+++ b/drivers/gpio/gpio-mpc8xxx.c
@@ -410,7 +410,9 @@ static int mpc8xxx_probe(struct platform
goto err;
}
- device_init_wakeup(dev, true);
+ ret = devm_device_init_wakeup(dev);
+ if (ret)
+ return dev_err_probe(dev, ret, "Failed to init wakeup\n");
return 0;
err:
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 398/449] gpio: tegra186: fix resource handling in ACPI probe path
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (396 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 397/449] gpio: mpc8xxx: Fix wakeup source leaks on device unbind Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 399/449] gpio: zynq: Fix wakeup source leaks on device unbind Greg Kroah-Hartman
` (57 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guixin Liu, Bartosz Golaszewski
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guixin Liu <kanie@linux.alibaba.com>
commit 8323f3a69de6f6e96bf22f32dd8e2920766050c2 upstream.
When the Tegra186 GPIO controller is probed through ACPI matching,
the driver emits two error messages during probing:
"tegra186-gpio NVDA0508:00: invalid resource (null)"
"tegra186-gpio NVDA0508:00: invalid resource (null)"
Fix this by getting resource first and then do the ioremap.
Fixes: 2606e7c9f5fc ("gpio: tegra186: Add ACPI support")
Cc: stable@vger.kernel.org
Signed-off-by: Guixin Liu <kanie@linux.alibaba.com>
Link: https://lore.kernel.org/r/20250327032349.78809-1-kanie@linux.alibaba.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-tegra186.c | 27 ++++++++++++++-------------
1 file changed, 14 insertions(+), 13 deletions(-)
--- a/drivers/gpio/gpio-tegra186.c
+++ b/drivers/gpio/gpio-tegra186.c
@@ -823,6 +823,7 @@ static int tegra186_gpio_probe(struct pl
struct gpio_irq_chip *irq;
struct tegra_gpio *gpio;
struct device_node *np;
+ struct resource *res;
char **names;
int err;
@@ -842,19 +843,19 @@ static int tegra186_gpio_probe(struct pl
gpio->num_banks++;
/* get register apertures */
- gpio->secure = devm_platform_ioremap_resource_byname(pdev, "security");
- if (IS_ERR(gpio->secure)) {
- gpio->secure = devm_platform_ioremap_resource(pdev, 0);
- if (IS_ERR(gpio->secure))
- return PTR_ERR(gpio->secure);
- }
-
- gpio->base = devm_platform_ioremap_resource_byname(pdev, "gpio");
- if (IS_ERR(gpio->base)) {
- gpio->base = devm_platform_ioremap_resource(pdev, 1);
- if (IS_ERR(gpio->base))
- return PTR_ERR(gpio->base);
- }
+ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "security");
+ if (!res)
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ gpio->secure = devm_ioremap_resource(&pdev->dev, res);
+ if (IS_ERR(gpio->secure))
+ return PTR_ERR(gpio->secure);
+
+ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "gpio");
+ if (!res)
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 1);
+ gpio->base = devm_ioremap_resource(&pdev->dev, res);
+ if (IS_ERR(gpio->base))
+ return PTR_ERR(gpio->base);
err = platform_irq_count(pdev);
if (err < 0)
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 399/449] gpio: zynq: Fix wakeup source leaks on device unbind
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (397 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 398/449] gpio: tegra186: fix resource handling in ACPI probe path Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 400/449] gve: handle overflow when reporting TX consumed descriptors Greg Kroah-Hartman
` (56 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Bartosz Golaszewski
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit c5672e310ad971d408752fce7596ed27adc6008f upstream.
Device can be unbound, so driver must also release memory for the wakeup
source.
Cc: stable@vger.kernel.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20250406202245.53854-2-krzysztof.kozlowski@linaro.org
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-zynq.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/gpio/gpio-zynq.c
+++ b/drivers/gpio/gpio-zynq.c
@@ -1011,6 +1011,7 @@ static void zynq_gpio_remove(struct plat
ret = pm_runtime_get_sync(&pdev->dev);
if (ret < 0)
dev_warn(&pdev->dev, "pm_runtime_get_sync() Failed\n");
+ device_init_wakeup(&pdev->dev, 0);
gpiochip_remove(&gpio->chip);
device_set_wakeup_capable(&pdev->dev, 0);
pm_runtime_disable(&pdev->dev);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 400/449] gve: handle overflow when reporting TX consumed descriptors
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (398 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 399/449] gpio: zynq: Fix wakeup source leaks on device unbind Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 401/449] KVM: Allow building irqbypass.ko as as module when kvm.ko is a module Greg Kroah-Hartman
` (55 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joshua Washington,
Harshitha Ramamurthy, Michal Swiatkowski, Simon Horman,
Jakub Kicinski
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Washington <joshwash@google.com>
commit 15970e1b23f5c25db88c613fddf9131de086f28e upstream.
When the tx tail is less than the head (in cases of wraparound), the TX
consumed descriptor statistic in DQ will be reported as
UINT32_MAX - head + tail, which is incorrect. Mask the difference of
head and tail according to the ring size when reporting the statistic.
Cc: stable@vger.kernel.org
Fixes: 2c9198356d56 ("gve: Add consumed counts to ethtool stats")
Signed-off-by: Joshua Washington <joshwash@google.com>
Signed-off-by: Harshitha Ramamurthy <hramamurthy@google.com>
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250402001037.2717315-1-hramamurthy@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/google/gve/gve_ethtool.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/google/gve/gve_ethtool.c
+++ b/drivers/net/ethernet/google/gve/gve_ethtool.c
@@ -392,7 +392,9 @@ gve_get_ethtool_stats(struct net_device
*/
data[i++] = 0;
data[i++] = 0;
- data[i++] = tx->dqo_tx.tail - tx->dqo_tx.head;
+ data[i++] =
+ (tx->dqo_tx.tail - tx->dqo_tx.head) &
+ tx->mask;
}
do {
start =
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 401/449] KVM: Allow building irqbypass.ko as as module when kvm.ko is a module
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (399 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 400/449] gve: handle overflow when reporting TX consumed descriptors Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 402/449] KVM: PPC: Enable CAP_SPAPR_TCE_VFIO on pSeries KVM guests Greg Kroah-Hartman
` (54 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Paolo Bonzini
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 459a35111b0a890172a78d51c01b204e13a34a18 upstream.
Convert HAVE_KVM_IRQ_BYPASS into a tristate so that selecting
IRQ_BYPASS_MANAGER follows KVM={m,y}, i.e. doesn't force irqbypass.ko to
be built-in.
Note, PPC allows building KVM as a module, but selects HAVE_KVM_IRQ_BYPASS
from a boolean Kconfig, i.e. KVM PPC unnecessarily forces irqbpass.ko to
be built-in. But that flaw is a longstanding PPC specific issue.
Fixes: 61df71ee992d ("kvm: move "select IRQ_BYPASS_MANAGER" to common code")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20250315024623.2363994-1-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/kvm_host.h | 2 +-
virt/kvm/Kconfig | 2 +-
virt/kvm/eventfd.c | 10 +++++-----
3 files changed, 7 insertions(+), 7 deletions(-)
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -2382,7 +2382,7 @@ static inline bool kvm_is_visible_memslo
struct kvm_vcpu *kvm_get_running_vcpu(void);
struct kvm_vcpu * __percpu *kvm_get_running_vcpus(void);
-#ifdef CONFIG_HAVE_KVM_IRQ_BYPASS
+#if IS_ENABLED(CONFIG_HAVE_KVM_IRQ_BYPASS)
bool kvm_arch_has_irq_bypass(void);
int kvm_arch_irq_bypass_add_producer(struct irq_bypass_consumer *,
struct irq_bypass_producer *);
--- a/virt/kvm/Kconfig
+++ b/virt/kvm/Kconfig
@@ -75,7 +75,7 @@ config KVM_COMPAT
depends on KVM && COMPAT && !(S390 || ARM64 || RISCV)
config HAVE_KVM_IRQ_BYPASS
- bool
+ tristate
select IRQ_BYPASS_MANAGER
config HAVE_KVM_VCPU_ASYNC_IOCTL
--- a/virt/kvm/eventfd.c
+++ b/virt/kvm/eventfd.c
@@ -149,7 +149,7 @@ irqfd_shutdown(struct work_struct *work)
/*
* It is now safe to release the object's resources
*/
-#ifdef CONFIG_HAVE_KVM_IRQ_BYPASS
+#if IS_ENABLED(CONFIG_HAVE_KVM_IRQ_BYPASS)
irq_bypass_unregister_consumer(&irqfd->consumer);
#endif
eventfd_ctx_put(irqfd->eventfd);
@@ -274,7 +274,7 @@ static void irqfd_update(struct kvm *kvm
write_seqcount_end(&irqfd->irq_entry_sc);
}
-#ifdef CONFIG_HAVE_KVM_IRQ_BYPASS
+#if IS_ENABLED(CONFIG_HAVE_KVM_IRQ_BYPASS)
void __attribute__((weak)) kvm_arch_irq_bypass_stop(
struct irq_bypass_consumer *cons)
{
@@ -424,7 +424,7 @@ kvm_irqfd_assign(struct kvm *kvm, struct
if (events & EPOLLIN)
schedule_work(&irqfd->inject);
-#ifdef CONFIG_HAVE_KVM_IRQ_BYPASS
+#if IS_ENABLED(CONFIG_HAVE_KVM_IRQ_BYPASS)
if (kvm_arch_has_irq_bypass()) {
irqfd->consumer.token = (void *)irqfd->eventfd;
irqfd->consumer.add_producer = kvm_arch_irq_bypass_add_producer;
@@ -609,14 +609,14 @@ void kvm_irq_routing_update(struct kvm *
spin_lock_irq(&kvm->irqfds.lock);
list_for_each_entry(irqfd, &kvm->irqfds.items, list) {
-#ifdef CONFIG_HAVE_KVM_IRQ_BYPASS
+#if IS_ENABLED(CONFIG_HAVE_KVM_IRQ_BYPASS)
/* Under irqfds.lock, so can read irq_entry safely */
struct kvm_kernel_irq_routing_entry old = irqfd->irq_entry;
#endif
irqfd_update(kvm, irqfd);
-#ifdef CONFIG_HAVE_KVM_IRQ_BYPASS
+#if IS_ENABLED(CONFIG_HAVE_KVM_IRQ_BYPASS)
if (irqfd->producer &&
kvm_arch_irqfd_route_changed(&old, &irqfd->irq_entry)) {
int ret = kvm_arch_update_irqfd_routing(
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 402/449] KVM: PPC: Enable CAP_SPAPR_TCE_VFIO on pSeries KVM guests
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (400 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 401/449] KVM: Allow building irqbypass.ko as as module when kvm.ko is a module Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 403/449] KVM: x86: Explicitly zero-initialize on-stack CPUID unions Greg Kroah-Hartman
` (53 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vaibhav Jain, Ritesh Harjani (IBM),
Amit Machhiwal, Madhavan Srinivasan
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amit Machhiwal <amachhiw@linux.ibm.com>
commit b4392813bbc3b05fc01a33c64d8b8c6c62c32cfa upstream.
Currently on book3s-hv, the capability KVM_CAP_SPAPR_TCE_VFIO is only
available for KVM Guests running on PowerNV and not for the KVM guests
running on pSeries hypervisors. This prevents a pSeries L2 guest from
leveraging the in-kernel acceleration for H_PUT_TCE_INDIRECT and
H_STUFF_TCE hcalls that results in slow startup times for large memory
guests.
Support for VFIO on pSeries was restored in commit f431a8cde7f1
("powerpc/iommu: Reimplement the iommu_table_group_ops for pSeries"),
making it possible to re-enable this capability on pSeries hosts.
This change enables KVM_CAP_SPAPR_TCE_VFIO for nested PAPR guests on
pSeries, while maintaining the existing behavior on PowerNV. Booting an
L2 guest with 128GB of memory shows an average 11% improvement in
startup time.
Fixes: f431a8cde7f1 ("powerpc/iommu: Reimplement the iommu_table_group_ops for pSeries")
Cc: stable@vger.kernel.org
Reviewed-by: Vaibhav Jain <vaibhav@linux.ibm.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Amit Machhiwal <amachhiw@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20250220070002.1478849-1-amachhiw@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/kvm/powerpc.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
--- a/arch/powerpc/kvm/powerpc.c
+++ b/arch/powerpc/kvm/powerpc.c
@@ -550,12 +550,9 @@ int kvm_vm_ioctl_check_extension(struct
#ifdef CONFIG_PPC_BOOK3S_64
case KVM_CAP_SPAPR_TCE:
+ fallthrough;
case KVM_CAP_SPAPR_TCE_64:
- r = 1;
- break;
case KVM_CAP_SPAPR_TCE_VFIO:
- r = !!cpu_has_feature(CPU_FTR_HVMODE);
- break;
case KVM_CAP_PPC_RTAS:
case KVM_CAP_PPC_FIXUP_HCALL:
case KVM_CAP_PPC_ENABLE_HCALL:
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 403/449] KVM: x86: Explicitly zero-initialize on-stack CPUID unions
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (401 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 402/449] KVM: PPC: Enable CAP_SPAPR_TCE_VFIO on pSeries KVM guests Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 404/449] KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Greg Kroah-Hartman
` (52 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Jim Mattson,
Paolo Bonzini
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit bc52ae0a708cb6fa3926d11c88e3c55e1171b4a1 upstream.
Explicitly zero/empty-initialize the unions used for PMU related CPUID
entries, instead of manually zeroing all fields (hopefully), or in the
case of 0x80000022, relying on the compiler to clobber the uninitialized
bitfields.
Signed-off-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Message-ID: <20250315024102.2361628-1-seanjc@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/cpuid.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -1423,8 +1423,8 @@ static inline int __do_cpuid_func(struct
}
break;
case 0xa: { /* Architectural Performance Monitoring */
- union cpuid10_eax eax;
- union cpuid10_edx edx;
+ union cpuid10_eax eax = { };
+ union cpuid10_edx edx = { };
if (!enable_pmu || !static_cpu_has(X86_FEATURE_ARCH_PERFMON)) {
entry->eax = entry->ebx = entry->ecx = entry->edx = 0;
@@ -1440,8 +1440,6 @@ static inline int __do_cpuid_func(struct
if (kvm_pmu_cap.version)
edx.split.anythread_deprecated = 1;
- edx.split.reserved1 = 0;
- edx.split.reserved2 = 0;
entry->eax = eax.full;
entry->ebx = kvm_pmu_cap.events_mask;
@@ -1759,7 +1757,7 @@ static inline int __do_cpuid_func(struct
break;
/* AMD Extended Performance Monitoring and Debug */
case 0x80000022: {
- union cpuid_0x80000022_ebx ebx;
+ union cpuid_0x80000022_ebx ebx = { };
entry->ecx = entry->edx = 0;
if (!enable_pmu || !kvm_cpu_cap_has(X86_FEATURE_PERFMON_V2)) {
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 404/449] KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (402 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 403/449] KVM: x86: Explicitly zero-initialize on-stack CPUID unions Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 405/449] scsi: ufs: qcom: fix dev reference leaked through of_qcom_ice_get Greg Kroah-Hartman
` (51 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Paolo Bonzini
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit ef01cac401f18647d62720cf773d7bb0541827da upstream.
Acquire a lock on kvm->srcu when userspace is getting MP state to handle a
rather extreme edge case where "accepting" APIC events, i.e. processing
pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU
is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP
state will trigger a nested VM-Exit by way of ->check_nested_events(), and
emuating the nested VM-Exit can access guest memory.
The splat was originally hit by syzkaller on a Google-internal kernel, and
reproduced on an upstream kernel by hacking the triple_fault_event_test
selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a
memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario.
=============================
WARNING: suspicious RCU usage
6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted
-----------------------------
include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by triple_fault_ev/1256:
#0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm]
stack backtrace:
CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Call Trace:
<TASK>
dump_stack_lvl+0x7f/0x90
lockdep_rcu_suspicious+0x144/0x190
kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm]
kvm_vcpu_read_guest+0x3e/0x90 [kvm]
read_and_check_msr_entry+0x2e/0x180 [kvm_intel]
__nested_vmx_vmexit+0x550/0xde0 [kvm_intel]
kvm_check_nested_events+0x1b/0x30 [kvm]
kvm_apic_accept_events+0x33/0x100 [kvm]
kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm]
kvm_vcpu_ioctl+0x33e/0x9a0 [kvm]
__x64_sys_ioctl+0x8b/0xb0
do_syscall_64+0x6c/0x170
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20250401150504.829812-1-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/x86.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -11773,6 +11773,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(stru
if (kvm_mpx_supported())
kvm_load_guest_fpu(vcpu);
+ kvm_vcpu_srcu_read_lock(vcpu);
+
r = kvm_apic_accept_events(vcpu);
if (r < 0)
goto out;
@@ -11786,6 +11788,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(stru
mp_state->mp_state = vcpu->arch.mp_state;
out:
+ kvm_vcpu_srcu_read_unlock(vcpu);
+
if (kvm_mpx_supported())
kvm_put_guest_fpu(vcpu);
vcpu_put(vcpu);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 405/449] scsi: ufs: qcom: fix dev reference leaked through of_qcom_ice_get
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (403 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 404/449] KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 406/449] landlock: Move code to ease future backports Greg Kroah-Hartman
` (50 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tudor Ambarus, Krzysztof Kozlowski,
Abel Vesa, Manivannan Sadhasivam, Bjorn Andersson,
Martin K. Petersen
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tudor Ambarus <tudor.ambarus@linaro.org>
commit ded40f32b55f7f2f4ed9627dd3c37a1fe89ed8c6 upstream.
The driver leaks the device reference taken with
of_find_device_by_node(). Fix the leak by using devm_of_qcom_ice_get().
Fixes: 56541c7c4468 ("scsi: ufs: ufs-qcom: Switch to the new ICE API")
Cc: stable@vger.kernel.org
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
Acked-by: Martin K. Petersen <martin.petersen@oracle.com> # SCSI
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20250117-qcom-ice-fix-dev-leak-v2-3-1ffa5b6884cb@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ufs/host/ufs-qcom.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/ufs/host/ufs-qcom.c
+++ b/drivers/ufs/host/ufs-qcom.c
@@ -125,7 +125,7 @@ static int ufs_qcom_ice_init(struct ufs_
int err;
int i;
- ice = of_qcom_ice_get(dev);
+ ice = devm_of_qcom_ice_get(dev);
if (ice == ERR_PTR(-EOPNOTSUPP)) {
dev_warn(dev, "Disabling inline encryption support\n");
ice = NULL;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 406/449] landlock: Move code to ease future backports
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (404 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 405/449] scsi: ufs: qcom: fix dev reference leaked through of_qcom_ice_get Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 407/449] landlock: Add the errata interface Greg Kroah-Hartman
` (49 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Günther Noack,
Mickaël Salaün
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mickaël Salaün <mic@digikod.net>
commit 624f177d8f62032b4f3343c289120269645cec37 upstream.
To ease backports in setup.c, let's group changes from
__lsm_ro_after_init to __ro_after_init with commit f22f9aaf6c3d
("selinux: remove the runtime disable functionality"), and the
landlock_lsmid addition with commit f3b8788cde61 ("LSM: Identify modules
by more than name").
That will help to backport the following errata.
Cc: Günther Noack <gnoack@google.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250318161443.279194-2-mic@digikod.net
Fixes: f3b8788cde61 ("LSM: Identify modules by more than name")
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/landlock/setup.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/security/landlock/setup.c
+++ b/security/landlock/setup.c
@@ -19,6 +19,11 @@
bool landlock_initialized __ro_after_init = false;
+const struct lsm_id landlock_lsmid = {
+ .name = LANDLOCK_NAME,
+ .id = LSM_ID_LANDLOCK,
+};
+
struct lsm_blob_sizes landlock_blob_sizes __ro_after_init = {
.lbs_cred = sizeof(struct landlock_cred_security),
.lbs_file = sizeof(struct landlock_file_security),
@@ -26,11 +31,6 @@ struct lsm_blob_sizes landlock_blob_size
.lbs_superblock = sizeof(struct landlock_superblock_security),
};
-const struct lsm_id landlock_lsmid = {
- .name = LANDLOCK_NAME,
- .id = LSM_ID_LANDLOCK,
-};
-
static int __init landlock_init(void)
{
landlock_add_cred_hooks();
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 407/449] landlock: Add the errata interface
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (405 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 406/449] landlock: Move code to ease future backports Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 408/449] landlock: Add erratum for TCP fix Greg Kroah-Hartman
` (48 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Günther Noack,
Mickaël Salaün
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mickaël Salaün <mic@digikod.net>
commit 15383a0d63dbcd63dc7e8d9ec1bf3a0f7ebf64ac upstream.
Some fixes may require user space to check if they are applied on the
running kernel before using a specific feature. For instance, this
applies when a restriction was previously too restrictive and is now
getting relaxed (e.g. for compatibility reasons). However, non-visible
changes for legitimate use (e.g. security fixes) do not require an
erratum.
Because fixes are backported down to a specific Landlock ABI, we need a
way to avoid cherry-pick conflicts. The solution is to only update a
file related to the lower ABI impacted by this issue. All the ABI files
are then used to create a bitmask of fixes.
The new errata interface is similar to the one used to get the supported
Landlock ABI version, but it returns a bitmask instead because the order
of fixes may not match the order of versions, and not all fixes may
apply to all versions.
The actual errata will come with dedicated commits. The description is
not actually used in the code but serves as documentation.
Create the landlock_abi_version symbol and use its value to check errata
consistency.
Update test_base's create_ruleset_checks_ordering tests and add errata
tests.
This commit is backportable down to the first version of Landlock.
Fixes: 3532b0b4352c ("landlock: Enable user space to infer supported features")
Cc: Günther Noack <gnoack@google.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250318161443.279194-3-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/uapi/linux/landlock.h | 2
security/landlock/errata.h | 87 +++++++++++++++++++++++++++
security/landlock/setup.c | 30 +++++++++
security/landlock/setup.h | 3
security/landlock/syscalls.c | 22 +++++-
tools/testing/selftests/landlock/base_test.c | 46 +++++++++++++-
6 files changed, 185 insertions(+), 5 deletions(-)
create mode 100644 security/landlock/errata.h
--- a/include/uapi/linux/landlock.h
+++ b/include/uapi/linux/landlock.h
@@ -57,9 +57,11 @@ struct landlock_ruleset_attr {
*
* - %LANDLOCK_CREATE_RULESET_VERSION: Get the highest supported Landlock ABI
* version.
+ * - %LANDLOCK_CREATE_RULESET_ERRATA: Get a bitmask of fixed issues.
*/
/* clang-format off */
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
+#define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1)
/* clang-format on */
/**
--- /dev/null
+++ b/security/landlock/errata.h
@@ -0,0 +1,87 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * Landlock - Errata information
+ *
+ * Copyright © 2025 Microsoft Corporation
+ */
+
+#ifndef _SECURITY_LANDLOCK_ERRATA_H
+#define _SECURITY_LANDLOCK_ERRATA_H
+
+#include <linux/init.h>
+
+struct landlock_erratum {
+ const int abi;
+ const u8 number;
+};
+
+/* clang-format off */
+#define LANDLOCK_ERRATUM(NUMBER) \
+ { \
+ .abi = LANDLOCK_ERRATA_ABI, \
+ .number = NUMBER, \
+ },
+/* clang-format on */
+
+/*
+ * Some fixes may require user space to check if they are applied on the running
+ * kernel before using a specific feature. For instance, this applies when a
+ * restriction was previously too restrictive and is now getting relaxed (for
+ * compatibility or semantic reasons). However, non-visible changes for
+ * legitimate use (e.g. security fixes) do not require an erratum.
+ */
+static const struct landlock_erratum landlock_errata_init[] __initconst = {
+
+/*
+ * Only Sparse may not implement __has_include. If a compiler does not
+ * implement __has_include, a warning will be printed at boot time (see
+ * setup.c).
+ */
+#ifdef __has_include
+
+#define LANDLOCK_ERRATA_ABI 1
+#if __has_include("errata/abi-1.h")
+#include "errata/abi-1.h"
+#endif
+#undef LANDLOCK_ERRATA_ABI
+
+#define LANDLOCK_ERRATA_ABI 2
+#if __has_include("errata/abi-2.h")
+#include "errata/abi-2.h"
+#endif
+#undef LANDLOCK_ERRATA_ABI
+
+#define LANDLOCK_ERRATA_ABI 3
+#if __has_include("errata/abi-3.h")
+#include "errata/abi-3.h"
+#endif
+#undef LANDLOCK_ERRATA_ABI
+
+#define LANDLOCK_ERRATA_ABI 4
+#if __has_include("errata/abi-4.h")
+#include "errata/abi-4.h"
+#endif
+#undef LANDLOCK_ERRATA_ABI
+
+/*
+ * For each new erratum, we need to include all the ABI files up to the impacted
+ * ABI to make all potential future intermediate errata easy to backport.
+ *
+ * If such change involves more than one ABI addition, then it must be in a
+ * dedicated commit with the same Fixes tag as used for the actual fix.
+ *
+ * Each commit creating a new security/landlock/errata/abi-*.h file must have a
+ * Depends-on tag to reference the commit that previously added the line to
+ * include this new file, except if the original Fixes tag is enough.
+ *
+ * Each erratum must be documented in its related ABI file, and a dedicated
+ * commit must update Documentation/userspace-api/landlock.rst to include this
+ * erratum. This commit will not be backported.
+ */
+
+#endif
+
+ {}
+};
+
+#endif /* _SECURITY_LANDLOCK_ERRATA_H */
--- a/security/landlock/setup.c
+++ b/security/landlock/setup.c
@@ -6,12 +6,14 @@
* Copyright © 2018-2020 ANSSI
*/
+#include <linux/bits.h>
#include <linux/init.h>
#include <linux/lsm_hooks.h>
#include <uapi/linux/lsm.h>
#include "common.h"
#include "cred.h"
+#include "errata.h"
#include "fs.h"
#include "net.h"
#include "setup.h"
@@ -31,8 +33,36 @@ struct lsm_blob_sizes landlock_blob_size
.lbs_superblock = sizeof(struct landlock_superblock_security),
};
+int landlock_errata __ro_after_init;
+
+static void __init compute_errata(void)
+{
+ size_t i;
+
+#ifndef __has_include
+ /*
+ * This is a safeguard to make sure the compiler implements
+ * __has_include (see errata.h).
+ */
+ WARN_ON_ONCE(1);
+ return;
+#endif
+
+ for (i = 0; landlock_errata_init[i].number; i++) {
+ const int prev_errata = landlock_errata;
+
+ if (WARN_ON_ONCE(landlock_errata_init[i].abi >
+ landlock_abi_version))
+ continue;
+
+ landlock_errata |= BIT(landlock_errata_init[i].number - 1);
+ WARN_ON_ONCE(prev_errata == landlock_errata);
+ }
+}
+
static int __init landlock_init(void)
{
+ compute_errata();
landlock_add_cred_hooks();
landlock_add_task_hooks();
landlock_add_fs_hooks();
--- a/security/landlock/setup.h
+++ b/security/landlock/setup.h
@@ -11,7 +11,10 @@
#include <linux/lsm_hooks.h>
+extern const int landlock_abi_version;
+
extern bool landlock_initialized;
+extern int landlock_errata;
extern struct lsm_blob_sizes landlock_blob_sizes;
extern const struct lsm_id landlock_lsmid;
--- a/security/landlock/syscalls.c
+++ b/security/landlock/syscalls.c
@@ -160,7 +160,9 @@ static const struct file_operations rule
* the new ruleset.
* @size: Size of the pointed &struct landlock_ruleset_attr (needed for
* backward and forward compatibility).
- * @flags: Supported value: %LANDLOCK_CREATE_RULESET_VERSION.
+ * @flags: Supported value:
+ * - %LANDLOCK_CREATE_RULESET_VERSION
+ * - %LANDLOCK_CREATE_RULESET_ERRATA
*
* This system call enables to create a new Landlock ruleset, and returns the
* related file descriptor on success.
@@ -169,6 +171,10 @@ static const struct file_operations rule
* 0, then the returned value is the highest supported Landlock ABI version
* (starting at 1).
*
+ * If @flags is %LANDLOCK_CREATE_RULESET_ERRATA and @attr is NULL and @size is
+ * 0, then the returned value is a bitmask of fixed issues for the current
+ * Landlock ABI version.
+ *
* Possible returned errors are:
*
* - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
@@ -192,9 +198,15 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
return -EOPNOTSUPP;
if (flags) {
- if ((flags == LANDLOCK_CREATE_RULESET_VERSION) && !attr &&
- !size)
- return LANDLOCK_ABI_VERSION;
+ if (attr || size)
+ return -EINVAL;
+
+ if (flags == LANDLOCK_CREATE_RULESET_VERSION)
+ return landlock_abi_version;
+
+ if (flags == LANDLOCK_CREATE_RULESET_ERRATA)
+ return landlock_errata;
+
return -EINVAL;
}
@@ -235,6 +247,8 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
return ruleset_fd;
}
+const int landlock_abi_version = LANDLOCK_ABI_VERSION;
+
/*
* Returns an owned ruleset from a FD. It is thus needed to call
* landlock_put_ruleset() on the return value.
--- a/tools/testing/selftests/landlock/base_test.c
+++ b/tools/testing/selftests/landlock/base_test.c
@@ -98,10 +98,54 @@ TEST(abi_version)
ASSERT_EQ(EINVAL, errno);
}
+/*
+ * Old source trees might not have the set of Kselftest fixes related to kernel
+ * UAPI headers.
+ */
+#ifndef LANDLOCK_CREATE_RULESET_ERRATA
+#define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1)
+#endif
+
+TEST(errata)
+{
+ const struct landlock_ruleset_attr ruleset_attr = {
+ .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE,
+ };
+ int errata;
+
+ errata = landlock_create_ruleset(NULL, 0,
+ LANDLOCK_CREATE_RULESET_ERRATA);
+ /* The errata bitmask will not be backported to tests. */
+ ASSERT_LE(0, errata);
+ TH_LOG("errata: 0x%x", errata);
+
+ ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0,
+ LANDLOCK_CREATE_RULESET_ERRATA));
+ ASSERT_EQ(EINVAL, errno);
+
+ ASSERT_EQ(-1, landlock_create_ruleset(NULL, sizeof(ruleset_attr),
+ LANDLOCK_CREATE_RULESET_ERRATA));
+ ASSERT_EQ(EINVAL, errno);
+
+ ASSERT_EQ(-1,
+ landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr),
+ LANDLOCK_CREATE_RULESET_ERRATA));
+ ASSERT_EQ(EINVAL, errno);
+
+ ASSERT_EQ(-1, landlock_create_ruleset(
+ NULL, 0,
+ LANDLOCK_CREATE_RULESET_VERSION |
+ LANDLOCK_CREATE_RULESET_ERRATA));
+ ASSERT_EQ(-1, landlock_create_ruleset(NULL, 0,
+ LANDLOCK_CREATE_RULESET_ERRATA |
+ 1 << 31));
+ ASSERT_EQ(EINVAL, errno);
+}
+
/* Tests ordering of syscall argument checks. */
TEST(create_ruleset_checks_ordering)
{
- const int last_flag = LANDLOCK_CREATE_RULESET_VERSION;
+ const int last_flag = LANDLOCK_CREATE_RULESET_ERRATA;
const int invalid_flag = last_flag << 1;
int ruleset_fd;
const struct landlock_ruleset_attr ruleset_attr = {
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 408/449] landlock: Add erratum for TCP fix
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (406 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 407/449] landlock: Add the errata interface Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 409/449] landlock: Always allow signals between threads of the same process Greg Kroah-Hartman
` (47 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Günther Noack, Mikhail Ivanov,
Mickaël Salaün
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mickaël Salaün <mic@digikod.net>
commit 48fce74fe209ba9e9b416d7100ccee546edc9fc6 upstream.
Add erratum for the TCP socket identification fixed with commit
854277e2cc8c ("landlock: Fix non-TCP sockets restriction").
Fixes: 854277e2cc8c ("landlock: Fix non-TCP sockets restriction")
Cc: Günther Noack <gnoack@google.com>
Cc: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250318161443.279194-4-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/landlock/errata/abi-4.h | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 security/landlock/errata/abi-4.h
--- /dev/null
+++ b/security/landlock/errata/abi-4.h
@@ -0,0 +1,15 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+
+/**
+ * DOC: erratum_1
+ *
+ * Erratum 1: TCP socket identification
+ * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ *
+ * This fix addresses an issue where IPv4 and IPv6 stream sockets (e.g., SMC,
+ * MPTCP, or SCTP) were incorrectly restricted by TCP access rights during
+ * :manpage:`bind(2)` and :manpage:`connect(2)` operations. This change ensures
+ * that only TCP sockets are subject to TCP access rights, allowing other
+ * protocols to operate without unnecessary restrictions.
+ */
+LANDLOCK_ERRATUM(1)
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 409/449] landlock: Always allow signals between threads of the same process
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (407 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 408/449] landlock: Add erratum for TCP fix Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 410/449] landlock: Prepare to add second errata Greg Kroah-Hartman
` (46 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Günther Noack, Paul Moore,
Serge Hallyn, Tahera Fahimi, Christian Brauner,
Mickaël Salaün
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mickaël Salaün <mic@digikod.net>
commit 18eb75f3af40be1f0fc2025d4ff821711222a2fd upstream.
Because Linux credentials are managed per thread, user space relies on
some hack to synchronize credential update across threads from the same
process. This is required by the Native POSIX Threads Library and
implemented by set*id(2) wrappers and libcap(3) to use tgkill(2) to
synchronize threads. See nptl(7) and libpsx(3). Furthermore, some
runtimes like Go do not enable developers to have control over threads
[1].
To avoid potential issues, and because threads are not security
boundaries, let's relax the Landlock (optional) signal scoping to always
allow signals sent between threads of the same process. This exception
is similar to the __ptrace_may_access() one.
hook_file_set_fowner() now checks if the target task is part of the same
process as the caller. If this is the case, then the related signal
triggered by the socket will always be allowed.
Scoping of abstract UNIX sockets is not changed because kernel objects
(e.g. sockets) should be tied to their creator's domain at creation
time.
Note that creating one Landlock domain per thread puts each of these
threads (and their future children) in their own scope, which is
probably not what users expect, especially in Go where we do not control
threads. However, being able to drop permissions on all threads should
not be restricted by signal scoping. We are working on a way to make it
possible to atomically restrict all threads of a process with the same
domain [2].
Add erratum for signal scoping.
Closes: https://github.com/landlock-lsm/go-landlock/issues/36
Fixes: 54a6e6bbf3be ("landlock: Add signal scoping")
Fixes: c8994965013e ("selftests/landlock: Test signal scoping for threads")
Depends-on: 26f204380a3c ("fs: Fix file_set_fowner LSM hook inconsistencies")
Link: https://pkg.go.dev/kernel.org/pub/linux/libs/security/libcap/psx [1]
Link: https://github.com/landlock-lsm/linux/issues/2 [2]
Cc: Günther Noack <gnoack@google.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Serge Hallyn <serge@hallyn.com>
Cc: Tahera Fahimi <fahimitahera@gmail.com>
Cc: stable@vger.kernel.org
Acked-by: Christian Brauner <brauner@kernel.org>
Link: https://lore.kernel.org/r/20250318161443.279194-6-mic@digikod.net
[mic: Add extra pointer check and RCU guard, and ease backport]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/landlock/errata/abi-6.h | 19 ++++++++
security/landlock/fs.c | 39 +++++++++++++++---
security/landlock/task.c | 12 +++++
tools/testing/selftests/landlock/scoped_signal_test.c | 2
4 files changed, 65 insertions(+), 7 deletions(-)
create mode 100644 security/landlock/errata/abi-6.h
--- /dev/null
+++ b/security/landlock/errata/abi-6.h
@@ -0,0 +1,19 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+
+/**
+ * DOC: erratum_2
+ *
+ * Erratum 2: Scoped signal handling
+ * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ *
+ * This fix addresses an issue where signal scoping was overly restrictive,
+ * preventing sandboxed threads from signaling other threads within the same
+ * process if they belonged to different domains. Because threads are not
+ * security boundaries, user space might assume that any thread within the same
+ * process can send signals between themselves (see :manpage:`nptl(7)` and
+ * :manpage:`libpsx(3)`). Consistent with :manpage:`ptrace(2)` behavior, direct
+ * interaction between threads of the same process should always be allowed.
+ * This change ensures that any thread is allowed to send signals to any other
+ * thread within the same process, regardless of their domain.
+ */
+LANDLOCK_ERRATUM(2)
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -27,7 +27,9 @@
#include <linux/mount.h>
#include <linux/namei.h>
#include <linux/path.h>
+#include <linux/pid.h>
#include <linux/rcupdate.h>
+#include <linux/sched/signal.h>
#include <linux/spinlock.h>
#include <linux/stat.h>
#include <linux/types.h>
@@ -1628,21 +1630,46 @@ static int hook_file_ioctl_compat(struct
return -EACCES;
}
-static void hook_file_set_fowner(struct file *file)
+/*
+ * Always allow sending signals between threads of the same process. This
+ * ensures consistency with hook_task_kill().
+ */
+static bool control_current_fowner(struct fown_struct *const fown)
{
- struct landlock_ruleset *new_dom, *prev_dom;
+ struct task_struct *p;
/*
* Lock already held by __f_setown(), see commit 26f204380a3c ("fs: Fix
* file_set_fowner LSM hook inconsistencies").
*/
- lockdep_assert_held(&file_f_owner(file)->lock);
- new_dom = landlock_get_current_domain();
- landlock_get_ruleset(new_dom);
+ lockdep_assert_held(&fown->lock);
+
+ /*
+ * Some callers (e.g. fcntl_dirnotify) may not be in an RCU read-side
+ * critical section.
+ */
+ guard(rcu)();
+ p = pid_task(fown->pid, fown->pid_type);
+ if (!p)
+ return true;
+
+ return !same_thread_group(p, current);
+}
+
+static void hook_file_set_fowner(struct file *file)
+{
+ struct landlock_ruleset *prev_dom;
+ struct landlock_ruleset *new_dom = NULL;
+
+ if (control_current_fowner(file_f_owner(file))) {
+ new_dom = landlock_get_current_domain();
+ landlock_get_ruleset(new_dom);
+ }
+
prev_dom = landlock_file(file)->fown_domain;
landlock_file(file)->fown_domain = new_dom;
- /* Called in an RCU read-side critical section. */
+ /* May be called in an RCU read-side critical section. */
landlock_put_ruleset_deferred(prev_dom);
}
--- a/security/landlock/task.c
+++ b/security/landlock/task.c
@@ -13,6 +13,7 @@
#include <linux/lsm_hooks.h>
#include <linux/rcupdate.h>
#include <linux/sched.h>
+#include <linux/sched/signal.h>
#include <net/af_unix.h>
#include <net/sock.h>
@@ -264,6 +265,17 @@ static int hook_task_kill(struct task_st
/* Dealing with USB IO. */
dom = landlock_cred(cred)->domain;
} else {
+ /*
+ * Always allow sending signals between threads of the same process.
+ * This is required for process credential changes by the Native POSIX
+ * Threads Library and implemented by the set*id(2) wrappers and
+ * libcap(3) with tgkill(2). See nptl(7) and libpsx(3).
+ *
+ * This exception is similar to the __ptrace_may_access() one.
+ */
+ if (same_thread_group(p, current))
+ return 0;
+
dom = landlock_get_current_domain();
}
dom = landlock_get_applicable_domain(dom, signal_scope);
--- a/tools/testing/selftests/landlock/scoped_signal_test.c
+++ b/tools/testing/selftests/landlock/scoped_signal_test.c
@@ -281,7 +281,7 @@ TEST(signal_scoping_threads)
/* Restricts the domain after creating the first thread. */
create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL);
- ASSERT_EQ(EPERM, pthread_kill(no_sandbox_thread, 0));
+ ASSERT_EQ(0, pthread_kill(no_sandbox_thread, 0));
ASSERT_EQ(1, write(thread_pipe[1], ".", 1));
ASSERT_EQ(0, pthread_create(&scoped_thread, NULL, thread_func, NULL));
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 410/449] landlock: Prepare to add second errata
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (408 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 409/449] landlock: Always allow signals between threads of the same process Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 411/449] selftests/landlock: Split signal_scoping_threads tests Greg Kroah-Hartman
` (45 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Günther Noack,
Mickaël Salaün
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mickaël Salaün <mic@digikod.net>
commit 6d9ac5e4d70eba3e336f9809ba91ab2c49de6d87 upstream.
Potentially include errata for Landlock ABI v5 (Linux 6.10) and v6
(Linux 6.12). That will be useful for the following signal scoping
erratum.
As explained in errata.h, this commit should be backportable without
conflict down to ABI v5. It must then not include the errata/abi-6.h
file.
Fixes: 54a6e6bbf3be ("landlock: Add signal scoping")
Cc: Günther Noack <gnoack@google.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250318161443.279194-5-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/landlock/errata.h | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/security/landlock/errata.h
+++ b/security/landlock/errata.h
@@ -63,6 +63,18 @@ static const struct landlock_erratum lan
#endif
#undef LANDLOCK_ERRATA_ABI
+#define LANDLOCK_ERRATA_ABI 5
+#if __has_include("errata/abi-5.h")
+#include "errata/abi-5.h"
+#endif
+#undef LANDLOCK_ERRATA_ABI
+
+#define LANDLOCK_ERRATA_ABI 6
+#if __has_include("errata/abi-6.h")
+#include "errata/abi-6.h"
+#endif
+#undef LANDLOCK_ERRATA_ABI
+
/*
* For each new erratum, we need to include all the ABI files up to the impacted
* ABI to make all potential future intermediate errata easy to backport.
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 411/449] selftests/landlock: Split signal_scoping_threads tests
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (409 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 410/449] landlock: Prepare to add second errata Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 412/449] selftests/landlock: Add a new test for setuid() Greg Kroah-Hartman
` (44 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Günther Noack, Tahera Fahimi,
Mickaël Salaün
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mickaël Salaün <mic@digikod.net>
commit bbe72274035a83159c8fff7d553b4a0b3c473690 upstream.
Split signal_scoping_threads tests into signal_scoping_thread_before
and signal_scoping_thread_after.
Use local variables for thread synchronization. Fix exported function.
Replace some asserts with expects.
Fixes: c8994965013e ("selftests/landlock: Test signal scoping for threads")
Cc: Günther Noack <gnoack@google.com>
Cc: Tahera Fahimi <fahimitahera@gmail.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250318161443.279194-7-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/landlock/scoped_signal_test.c | 49 ++++++++++++------
1 file changed, 34 insertions(+), 15 deletions(-)
--- a/tools/testing/selftests/landlock/scoped_signal_test.c
+++ b/tools/testing/selftests/landlock/scoped_signal_test.c
@@ -249,47 +249,66 @@ TEST_F(scoped_domains, check_access_sign
_metadata->exit_code = KSFT_FAIL;
}
-static int thread_pipe[2];
-
enum thread_return {
THREAD_INVALID = 0,
THREAD_SUCCESS = 1,
THREAD_ERROR = 2,
};
-void *thread_func(void *arg)
+static void *thread_sync(void *arg)
{
+ const int pipe_read = *(int *)arg;
char buf;
- if (read(thread_pipe[0], &buf, 1) != 1)
+ if (read(pipe_read, &buf, 1) != 1)
return (void *)THREAD_ERROR;
return (void *)THREAD_SUCCESS;
}
-TEST(signal_scoping_threads)
+TEST(signal_scoping_thread_before)
{
- pthread_t no_sandbox_thread, scoped_thread;
+ pthread_t no_sandbox_thread;
enum thread_return ret = THREAD_INVALID;
+ int thread_pipe[2];
drop_caps(_metadata);
ASSERT_EQ(0, pipe2(thread_pipe, O_CLOEXEC));
- ASSERT_EQ(0,
- pthread_create(&no_sandbox_thread, NULL, thread_func, NULL));
+ ASSERT_EQ(0, pthread_create(&no_sandbox_thread, NULL, thread_sync,
+ &thread_pipe[0]));
- /* Restricts the domain after creating the first thread. */
+ /* Enforces restriction after creating the thread. */
create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL);
- ASSERT_EQ(0, pthread_kill(no_sandbox_thread, 0));
- ASSERT_EQ(1, write(thread_pipe[1], ".", 1));
-
- ASSERT_EQ(0, pthread_create(&scoped_thread, NULL, thread_func, NULL));
- ASSERT_EQ(0, pthread_kill(scoped_thread, 0));
- ASSERT_EQ(1, write(thread_pipe[1], ".", 1));
+ EXPECT_EQ(0, pthread_kill(no_sandbox_thread, 0));
+ EXPECT_EQ(1, write(thread_pipe[1], ".", 1));
EXPECT_EQ(0, pthread_join(no_sandbox_thread, (void **)&ret));
EXPECT_EQ(THREAD_SUCCESS, ret);
+
+ EXPECT_EQ(0, close(thread_pipe[0]));
+ EXPECT_EQ(0, close(thread_pipe[1]));
+}
+
+TEST(signal_scoping_thread_after)
+{
+ pthread_t scoped_thread;
+ enum thread_return ret = THREAD_INVALID;
+ int thread_pipe[2];
+
+ drop_caps(_metadata);
+ ASSERT_EQ(0, pipe2(thread_pipe, O_CLOEXEC));
+
+ /* Enforces restriction before creating the thread. */
+ create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL);
+
+ ASSERT_EQ(0, pthread_create(&scoped_thread, NULL, thread_sync,
+ &thread_pipe[0]));
+
+ EXPECT_EQ(0, pthread_kill(scoped_thread, 0));
+ EXPECT_EQ(1, write(thread_pipe[1], ".", 1));
+
EXPECT_EQ(0, pthread_join(scoped_thread, (void **)&ret));
EXPECT_EQ(THREAD_SUCCESS, ret);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 412/449] selftests/landlock: Add a new test for setuid()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (410 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 411/449] selftests/landlock: Split signal_scoping_threads tests Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 413/449] misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error Greg Kroah-Hartman
` (43 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Günther Noack, Tahera Fahimi,
Mickaël Salaün
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mickaël Salaün <mic@digikod.net>
commit c5efa393d82cf68812e0ae4d93e339873eabe9fe upstream.
The new signal_scoping_thread_setuid tests check that the libc's
setuid() function works as expected even when a thread is sandboxed with
scoped signal restrictions.
Before the signal scoping fix, this test would have failed with the
setuid() call:
[pid 65] getpid() = 65
[pid 65] tgkill(65, 66, SIGRT_1) = -1 EPERM (Operation not permitted)
[pid 65] futex(0x40a66cdc, FUTEX_WAKE_PRIVATE, 1) = 0
[pid 65] setuid(1001) = 0
After the fix, tgkill(2) is successfully leveraged to synchronize
credentials update across threads:
[pid 65] getpid() = 65
[pid 65] tgkill(65, 66, SIGRT_1) = 0
[pid 66] <... read resumed>0x40a65eb7, 1) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
[pid 66] --- SIGRT_1 {si_signo=SIGRT_1, si_code=SI_TKILL, si_pid=65, si_uid=1000} ---
[pid 66] getpid() = 65
[pid 66] setuid(1001) = 0
[pid 66] futex(0x40a66cdc, FUTEX_WAKE_PRIVATE, 1) = 0
[pid 66] rt_sigreturn({mask=[]}) = 0
[pid 66] read(3, <unfinished ...>
[pid 65] setuid(1001) = 0
Test coverage for security/landlock is 92.9% of 1137 lines according to
gcc/gcov-14.
Fixes: c8994965013e ("selftests/landlock: Test signal scoping for threads")
Cc: Günther Noack <gnoack@google.com>
Cc: Tahera Fahimi <fahimitahera@gmail.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250318161443.279194-8-mic@digikod.net
[mic: Update test coverage]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/landlock/common.h | 1
tools/testing/selftests/landlock/scoped_signal_test.c | 59 ++++++++++++++++++
2 files changed, 60 insertions(+)
--- a/tools/testing/selftests/landlock/common.h
+++ b/tools/testing/selftests/landlock/common.h
@@ -41,6 +41,7 @@ static void _init_caps(struct __test_met
CAP_MKNOD,
CAP_NET_ADMIN,
CAP_NET_BIND_SERVICE,
+ CAP_SETUID,
CAP_SYS_ADMIN,
CAP_SYS_CHROOT,
/* clang-format on */
--- a/tools/testing/selftests/landlock/scoped_signal_test.c
+++ b/tools/testing/selftests/landlock/scoped_signal_test.c
@@ -253,6 +253,7 @@ enum thread_return {
THREAD_INVALID = 0,
THREAD_SUCCESS = 1,
THREAD_ERROR = 2,
+ THREAD_TEST_FAILED = 3,
};
static void *thread_sync(void *arg)
@@ -316,6 +317,64 @@ TEST(signal_scoping_thread_after)
EXPECT_EQ(0, close(thread_pipe[1]));
}
+struct thread_setuid_args {
+ int pipe_read, new_uid;
+};
+
+void *thread_setuid(void *ptr)
+{
+ const struct thread_setuid_args *arg = ptr;
+ char buf;
+
+ if (read(arg->pipe_read, &buf, 1) != 1)
+ return (void *)THREAD_ERROR;
+
+ /* libc's setuid() should update all thread's credentials. */
+ if (getuid() != arg->new_uid)
+ return (void *)THREAD_TEST_FAILED;
+
+ return (void *)THREAD_SUCCESS;
+}
+
+TEST(signal_scoping_thread_setuid)
+{
+ struct thread_setuid_args arg;
+ pthread_t no_sandbox_thread;
+ enum thread_return ret = THREAD_INVALID;
+ int pipe_parent[2];
+ int prev_uid;
+
+ disable_caps(_metadata);
+
+ /* This test does not need to be run as root. */
+ prev_uid = getuid();
+ arg.new_uid = prev_uid + 1;
+ EXPECT_LT(0, arg.new_uid);
+
+ ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC));
+ arg.pipe_read = pipe_parent[0];
+
+ /* Capabilities must be set before creating a new thread. */
+ set_cap(_metadata, CAP_SETUID);
+ ASSERT_EQ(0, pthread_create(&no_sandbox_thread, NULL, thread_setuid,
+ &arg));
+
+ /* Enforces restriction after creating the thread. */
+ create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL);
+
+ EXPECT_NE(arg.new_uid, getuid());
+ EXPECT_EQ(0, setuid(arg.new_uid));
+ EXPECT_EQ(arg.new_uid, getuid());
+ EXPECT_EQ(1, write(pipe_parent[1], ".", 1));
+
+ EXPECT_EQ(0, pthread_join(no_sandbox_thread, (void **)&ret));
+ EXPECT_EQ(THREAD_SUCCESS, ret);
+
+ clear_cap(_metadata, CAP_SETUID);
+ EXPECT_EQ(0, close(pipe_parent[0]));
+ EXPECT_EQ(0, close(pipe_parent[1]));
+}
+
const short backlog = 10;
static volatile sig_atomic_t signal_received;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 413/449] misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (411 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 412/449] selftests/landlock: Add a new test for setuid() Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 414/449] misc: pci_endpoint_test: Fix displaying irq_type " Greg Kroah-Hartman
` (42 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
Kunihiko Hayashi, Krzysztof Wilczyński
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
commit f6cb7828c8e17520d4f5afb416515d3fae1af9a9 upstream.
After devm_request_irq() fails with error in pci_endpoint_test_request_irq(),
the pci_endpoint_test_free_irq_vectors() is called assuming that all IRQs
have been released.
However, some requested IRQs remain unreleased, so there are still
/proc/irq/* entries remaining, and this results in WARN() with the
following message:
remove_proc_entry: removing non-empty directory 'irq/30', leaking at least 'pci-endpoint-test.0'
WARNING: CPU: 0 PID: 202 at fs/proc/generic.c:719 remove_proc_entry +0x190/0x19c
To solve this issue, set the number of remaining IRQs to test->num_irqs,
and release IRQs in advance by calling pci_endpoint_test_release_irq().
Cc: stable@vger.kernel.org
Fixes: e03327122e2c ("pci_endpoint_test: Add 2 ioctl commands")
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Link: https://lore.kernel.org/r/20250225110252.28866-3-hayashi.kunihiko@socionext.com
[kwilczynski: commit log]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/pci_endpoint_test.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/misc/pci_endpoint_test.c
+++ b/drivers/misc/pci_endpoint_test.c
@@ -258,6 +258,9 @@ fail:
break;
}
+ test->num_irqs = i;
+ pci_endpoint_test_release_irq(test);
+
return ret;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 414/449] misc: pci_endpoint_test: Fix displaying irq_type after request_irq error
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (412 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 413/449] misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 415/449] misc: pci_endpoint_test: Fix irq_type to convey the correct type Greg Kroah-Hartman
` (41 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
Kunihiko Hayashi, Krzysztof Wilczyński
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
commit 919d14603dab6a9cf03ebbeb2cfa556df48737c8 upstream.
There are two variables that indicate the interrupt type to be used
in the next test execution, global "irq_type" and "test->irq_type".
The former is referenced from pci_endpoint_test_get_irq() to preserve
the current type for ioctl(PCITEST_GET_IRQTYPE).
In the pci_endpoint_test_request_irq(), since this global variable
is referenced when an error occurs, the unintended error message is
displayed.
For example, after running "pcitest -i 2", the following message
shows "MSI 3" even if the current IRQ type becomes "MSI-X":
pci-endpoint-test 0000:01:00.0: Failed to request IRQ 30 for MSI 3
SET IRQ TYPE TO MSI-X: NOT OKAY
Fix this issue by using "test->irq_type" instead of global "irq_type".
Cc: stable@vger.kernel.org
Fixes: b2ba9225e031 ("misc: pci_endpoint_test: Avoid using module parameter to determine irqtype")
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Link: https://lore.kernel.org/r/20250225110252.28866-4-hayashi.kunihiko@socionext.com
[kwilczynski: commit log]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/pci_endpoint_test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/misc/pci_endpoint_test.c
+++ b/drivers/misc/pci_endpoint_test.c
@@ -241,7 +241,7 @@ static int pci_endpoint_test_request_irq
return 0;
fail:
- switch (irq_type) {
+ switch (test->irq_type) {
case IRQ_TYPE_INTX:
dev_err(dev, "Failed to request IRQ %d for Legacy\n",
pci_irq_vector(pdev, i));
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 415/449] misc: pci_endpoint_test: Fix irq_type to convey the correct type
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (413 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 414/449] misc: pci_endpoint_test: Fix displaying irq_type " Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 416/449] net: mana: Switch to page pool for jumbo frames Greg Kroah-Hartman
` (40 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kunihiko Hayashi,
Krzysztof Wilczyński, Niklas Cassel, Manivannan Sadhasivam
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
commit baaef0a274cfb75f9b50eab3ef93205e604f662c upstream.
There are two variables that indicate the interrupt type to be used
in the next test execution, "irq_type" as global and "test->irq_type".
The global is referenced from pci_endpoint_test_get_irq() to preserve
the current type for ioctl(PCITEST_GET_IRQTYPE).
The type set in this function isn't reflected in the global "irq_type",
so ioctl(PCITEST_GET_IRQTYPE) returns the previous type.
As a result, the wrong type is displayed in old version of "pcitest"
as follows:
- Result of running "pcitest -i 0"
SET IRQ TYPE TO LEGACY: OKAY
- Result of running "pcitest -I"
GET IRQ TYPE: MSI
Whereas running the new version of "pcitest" in kselftest results in an
error as follows:
# RUN pci_ep_basic.LEGACY_IRQ_TEST ...
# pci_endpoint_test.c:104:LEGACY_IRQ_TEST:Expected 0 (0) == ret (1)
# pci_endpoint_test.c:104:LEGACY_IRQ_TEST:Can't get Legacy IRQ type
Fix this issue by propagating the current type to the global "irq_type".
Fixes: b2ba9225e031 ("misc: pci_endpoint_test: Avoid using module parameter to determine irqtype")
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
[kwilczynski: commit log]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250225110252.28866-5-hayashi.kunihiko@socionext.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/pci_endpoint_test.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/misc/pci_endpoint_test.c
+++ b/drivers/misc/pci_endpoint_test.c
@@ -830,6 +830,7 @@ static int pci_endpoint_test_set_irq(str
return ret;
}
+ irq_type = test->irq_type;
return 0;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 416/449] net: mana: Switch to page pool for jumbo frames
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (414 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 415/449] misc: pci_endpoint_test: Fix irq_type to convey the correct type Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 417/449] ntb: use 64-bit arithmetic for the MSI doorbell mask Greg Kroah-Hartman
` (39 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haiyang Zhang, Long Li,
Shradha Gupta, Jakub Kicinski
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haiyang Zhang <haiyangz@microsoft.com>
commit fa37a8849634db2dd3545116873da8cf4b1e67c6 upstream.
Frag allocators, such as netdev_alloc_frag(), were not designed to
work for fragsz > PAGE_SIZE.
So, switch to page pool for jumbo frames instead of using page frag
allocators. This driver is using page pool for smaller MTUs already.
Cc: stable@vger.kernel.org
Fixes: 80f6215b450e ("net: mana: Add support for jumbo frame")
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: Long Li <longli@microsoft.com>
Reviewed-by: Shradha Gupta <shradhagupta@linux.microsoft.com>
Link: https://patch.msgid.link/1742920357-27263-1-git-send-email-haiyangz@microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/microsoft/mana/mana_en.c | 46 +++++---------------------
1 file changed, 9 insertions(+), 37 deletions(-)
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -652,30 +652,16 @@ int mana_pre_alloc_rxbufs(struct mana_po
mpc->rxbpre_total = 0;
for (i = 0; i < num_rxb; i++) {
- if (mpc->rxbpre_alloc_size > PAGE_SIZE) {
- va = netdev_alloc_frag(mpc->rxbpre_alloc_size);
- if (!va)
- goto error;
-
- page = virt_to_head_page(va);
- /* Check if the frag falls back to single page */
- if (compound_order(page) <
- get_order(mpc->rxbpre_alloc_size)) {
- put_page(page);
- goto error;
- }
- } else {
- page = dev_alloc_page();
- if (!page)
- goto error;
+ page = dev_alloc_pages(get_order(mpc->rxbpre_alloc_size));
+ if (!page)
+ goto error;
- va = page_to_virt(page);
- }
+ va = page_to_virt(page);
da = dma_map_single(dev, va + mpc->rxbpre_headroom,
mpc->rxbpre_datasize, DMA_FROM_DEVICE);
if (dma_mapping_error(dev, da)) {
- put_page(virt_to_head_page(va));
+ put_page(page);
goto error;
}
@@ -1660,7 +1646,7 @@ drop:
}
static void *mana_get_rxfrag(struct mana_rxq *rxq, struct device *dev,
- dma_addr_t *da, bool *from_pool, bool is_napi)
+ dma_addr_t *da, bool *from_pool)
{
struct page *page;
void *va;
@@ -1671,21 +1657,6 @@ static void *mana_get_rxfrag(struct mana
if (rxq->xdp_save_va) {
va = rxq->xdp_save_va;
rxq->xdp_save_va = NULL;
- } else if (rxq->alloc_size > PAGE_SIZE) {
- if (is_napi)
- va = napi_alloc_frag(rxq->alloc_size);
- else
- va = netdev_alloc_frag(rxq->alloc_size);
-
- if (!va)
- return NULL;
-
- page = virt_to_head_page(va);
- /* Check if the frag falls back to single page */
- if (compound_order(page) < get_order(rxq->alloc_size)) {
- put_page(page);
- return NULL;
- }
} else {
page = page_pool_dev_alloc_pages(rxq->page_pool);
if (!page)
@@ -1718,7 +1689,7 @@ static void mana_refill_rx_oob(struct de
dma_addr_t da;
void *va;
- va = mana_get_rxfrag(rxq, dev, &da, &from_pool, true);
+ va = mana_get_rxfrag(rxq, dev, &da, &from_pool);
if (!va)
return;
@@ -2158,7 +2129,7 @@ static int mana_fill_rx_oob(struct mana_
if (mpc->rxbufs_pre)
va = mana_get_rxbuf_pre(rxq, &da);
else
- va = mana_get_rxfrag(rxq, dev, &da, &from_pool, false);
+ va = mana_get_rxfrag(rxq, dev, &da, &from_pool);
if (!va)
return -ENOMEM;
@@ -2244,6 +2215,7 @@ static int mana_create_page_pool(struct
pprm.nid = gc->numa_node;
pprm.napi = &rxq->rx_cq.napi;
pprm.netdev = rxq->ndev;
+ pprm.order = get_order(rxq->alloc_size);
rxq->page_pool = page_pool_create(&pprm);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 417/449] ntb: use 64-bit arithmetic for the MSI doorbell mask
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (415 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 416/449] net: mana: Switch to page pool for jumbo frames Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 418/449] of/irq: Fix device node refcount leakage in API of_irq_parse_one() Greg Kroah-Hartman
` (38 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Dave Jiang,
Jon Mason
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
commit fd5625fc86922f36bedee5846fefd647b7e72751 upstream.
msi_db_mask is of type 'u64', still the standard 'int' arithmetic is
performed to compute its value.
While most of the ntb_hw drivers actually don't utilize the higher 32
bits of the doorbell mask now, this may be the case for Switchtec - see
switchtec_ntb_init_db().
Found by Linux Verification Center (linuxtesting.org) with SVACE static
analysis tool.
Fixes: 2b0569b3b7e6 ("NTB: Add MSI interrupt support to ntb_transport")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ntb/ntb_transport.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/ntb/ntb_transport.c
+++ b/drivers/ntb/ntb_transport.c
@@ -1353,7 +1353,7 @@ static int ntb_transport_probe(struct nt
qp_count = ilog2(qp_bitmap);
if (nt->use_msi) {
qp_count -= 1;
- nt->msi_db_mask = 1 << qp_count;
+ nt->msi_db_mask = BIT_ULL(qp_count);
ntb_db_clear_mask(ndev, nt->msi_db_mask);
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 418/449] of/irq: Fix device node refcount leakage in API of_irq_parse_one()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (416 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 417/449] ntb: use 64-bit arithmetic for the MSI doorbell mask Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 419/449] of/irq: Fix device node refcount leakage in API of_irq_parse_raw() Greg Kroah-Hartman
` (37 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zijun Hu, Rob Herring (Arm)
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
commit 0cb58d6c7b558a69957fabe159bfb184196e1e8d upstream.
of_irq_parse_one(@int_gen_dev, i, ...) will leak refcount of @i_th_phandle
int_gen_dev {
...
interrupts-extended = ..., <&i_th_phandle ...>, ...;
...
};
Refcount of @i_th_phandle is increased by of_parse_phandle_with_args()
but is not decreased by API of_irq_parse_one() before return, so causes
refcount leakage.
Rework the refcounting to use __free() cleanup and simplify the code to
have a single call to of_irq_parse_raw().
Also add comments about refcount of node @out_irq->np got by the API.
Fixes: 79d9701559a9 ("of/irq: create interrupts-extended property")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-2-93e3a2659aa7@quicinc.com
[robh: Use __free() to do puts]
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/irq.c | 59 +++++++++++++++++++++++++------------------------------
1 file changed, 27 insertions(+), 32 deletions(-)
--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -16,6 +16,7 @@
#define pr_fmt(fmt) "OF: " fmt
+#include <linux/cleanup.h>
#include <linux/device.h>
#include <linux/errno.h>
#include <linux/list.h>
@@ -339,10 +340,12 @@ EXPORT_SYMBOL_GPL(of_irq_parse_raw);
* This function resolves an interrupt for a node by walking the interrupt tree,
* finding which interrupt controller node it is attached to, and returning the
* interrupt specifier that can be used to retrieve a Linux IRQ number.
+ *
+ * Note: refcount of node @out_irq->np is increased by 1 on success.
*/
int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_args *out_irq)
{
- struct device_node *p;
+ struct device_node __free(device_node) *p = NULL;
const __be32 *addr;
u32 intsize;
int i, res, addr_len;
@@ -367,41 +370,33 @@ int of_irq_parse_one(struct device_node
/* Try the new-style interrupts-extended first */
res = of_parse_phandle_with_args(device, "interrupts-extended",
"#interrupt-cells", index, out_irq);
- if (!res)
- return of_irq_parse_raw(addr_buf, out_irq);
-
- /* Look for the interrupt parent. */
- p = of_irq_find_parent(device);
- if (p == NULL)
- return -EINVAL;
-
- /* Get size of interrupt specifier */
- if (of_property_read_u32(p, "#interrupt-cells", &intsize)) {
- res = -EINVAL;
- goto out;
- }
-
- pr_debug(" parent=%pOF, intsize=%d\n", p, intsize);
+ if (!res) {
+ p = out_irq->np;
+ } else {
+ /* Look for the interrupt parent. */
+ p = of_irq_find_parent(device);
+ /* Get size of interrupt specifier */
+ if (!p || of_property_read_u32(p, "#interrupt-cells", &intsize))
+ return -EINVAL;
+
+ pr_debug(" parent=%pOF, intsize=%d\n", p, intsize);
+
+ /* Copy intspec into irq structure */
+ out_irq->np = p;
+ out_irq->args_count = intsize;
+ for (i = 0; i < intsize; i++) {
+ res = of_property_read_u32_index(device, "interrupts",
+ (index * intsize) + i,
+ out_irq->args + i);
+ if (res)
+ return res;
+ }
- /* Copy intspec into irq structure */
- out_irq->np = p;
- out_irq->args_count = intsize;
- for (i = 0; i < intsize; i++) {
- res = of_property_read_u32_index(device, "interrupts",
- (index * intsize) + i,
- out_irq->args + i);
- if (res)
- goto out;
+ pr_debug(" intspec=%d\n", *out_irq->args);
}
- pr_debug(" intspec=%d\n", *out_irq->args);
-
-
/* Check if there are any interrupt-map translations to process */
- res = of_irq_parse_raw(addr_buf, out_irq);
- out:
- of_node_put(p);
- return res;
+ return of_irq_parse_raw(addr_buf, out_irq);
}
EXPORT_SYMBOL_GPL(of_irq_parse_one);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 419/449] of/irq: Fix device node refcount leakage in API of_irq_parse_raw()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (417 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 418/449] of/irq: Fix device node refcount leakage in API of_irq_parse_one() Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 420/449] of/irq: Fix device node refcount leakages in of_irq_count() Greg Kroah-Hartman
` (36 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zijun Hu, Rob Herring (Arm)
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
commit ff93e7213d6cc8d9a7b0bc64f70ed26094e168f3 upstream.
if the node @out_irq->np got by of_irq_parse_raw() is a combo node which
consists of both controller and nexus, namely, of_irq_parse_raw() returns
due to condition (@ipar == @newpar), then the node's refcount was increased
twice, hence causes refcount leakage.
Fix by putting @out_irq->np refcount before returning due to the condition.
Also add comments about refcount of node @out_irq->np got by the API.
Fixes: 041284181226 ("of/irq: Allow matching of an interrupt-map local to an interrupt controller")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-4-93e3a2659aa7@quicinc.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/irq.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -166,6 +166,8 @@ const __be32 *of_irq_parse_imap_parent(c
* the specifier for each map, and then returns the translated map.
*
* Return: 0 on success and a negative number on error
+ *
+ * Note: refcount of node @out_irq->np is increased by 1 on success.
*/
int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq)
{
@@ -311,6 +313,12 @@ int of_irq_parse_raw(const __be32 *addr,
addrsize = (imap - match_array) - intsize;
if (ipar == newpar) {
+ /*
+ * We got @ipar's refcount, but the refcount was
+ * gotten again by of_irq_parse_imap_parent() via its
+ * alias @newpar.
+ */
+ of_node_put(ipar);
pr_debug("%pOF interrupt-map entry to self\n", ipar);
return 0;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 420/449] of/irq: Fix device node refcount leakages in of_irq_count()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (418 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 419/449] of/irq: Fix device node refcount leakage in API of_irq_parse_raw() Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 421/449] of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() Greg Kroah-Hartman
` (35 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zijun Hu, Rob Herring (Arm)
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
commit bbf71f44aaf241d853759a71de7e7ebcdb89be3d upstream.
of_irq_count() invokes of_irq_parse_one() to count IRQs, and successful
invocation of the later will get device node @irq.np refcount, but the
former does not put the refcount before next iteration invocation, hence
causes device node refcount leakages.
Fix by putting @irq.np refcount before the next iteration invocation.
Fixes: 3da5278727a8 ("of/irq: Rework of_irq_count()")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-5-93e3a2659aa7@quicinc.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/irq.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -508,8 +508,10 @@ int of_irq_count(struct device_node *dev
struct of_phandle_args irq;
int nr = 0;
- while (of_irq_parse_one(dev, nr, &irq) == 0)
+ while (of_irq_parse_one(dev, nr, &irq) == 0) {
+ of_node_put(irq.np);
nr++;
+ }
return nr;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 421/449] of/irq: Fix device node refcount leakage in API irq_of_parse_and_map()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (419 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 420/449] of/irq: Fix device node refcount leakages in of_irq_count() Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 422/449] of/irq: Fix device node refcount leakages in of_irq_init() Greg Kroah-Hartman
` (34 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zijun Hu, Rob Herring (Arm)
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
commit 962a2805e47b933876ba0e4c488d9e89ced2dd29 upstream.
In irq_of_parse_and_map(), refcount of device node @oirq.np was got
by successful of_irq_parse_one() invocation, but it does not put the
refcount before return, so causes @oirq.np refcount leakage.
Fix by putting @oirq.np refcount before return.
Fixes: e3873444990d ("of/irq: Move irq_of_parse_and_map() to common code")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-6-93e3a2659aa7@quicinc.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/irq.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -39,11 +39,15 @@
unsigned int irq_of_parse_and_map(struct device_node *dev, int index)
{
struct of_phandle_args oirq;
+ unsigned int ret;
if (of_irq_parse_one(dev, index, &oirq))
return 0;
- return irq_create_of_mapping(&oirq);
+ ret = irq_create_of_mapping(&oirq);
+ of_node_put(oirq.np);
+
+ return ret;
}
EXPORT_SYMBOL_GPL(irq_of_parse_and_map);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 422/449] of/irq: Fix device node refcount leakages in of_irq_init()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (420 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 421/449] of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 423/449] PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe() Greg Kroah-Hartman
` (33 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zijun Hu, Rob Herring (Arm)
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
commit 708124d9e6e7ac5ebf927830760679136b23fdf0 upstream.
of_irq_init() will leak interrupt controller device node refcounts
in two places as explained below:
1) Leak refcounts of both @desc->dev and @desc->interrupt_parent when
suffers @desc->irq_init_cb() failure.
2) Leak refcount of @desc->interrupt_parent when cleans up list
@intc_desc_list in the end.
Refcounts of both @desc->dev and @desc->interrupt_parent were got in
the first loop, but of_irq_init() does not put them before kfree(@desc)
in places mentioned above, so causes refcount leakages.
Fix by putting refcounts involved before kfree(@desc).
Fixes: 8363ccb917c6 ("of/irq: add missing of_node_put")
Fixes: c71a54b08201 ("of/irq: introduce of_irq_init")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-7-93e3a2659aa7@quicinc.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/irq.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -632,6 +632,8 @@ void __init of_irq_init(const struct of_
__func__, desc->dev, desc->dev,
desc->interrupt_parent);
of_node_clear_flag(desc->dev, OF_POPULATED);
+ of_node_put(desc->interrupt_parent);
+ of_node_put(desc->dev);
kfree(desc);
continue;
}
@@ -662,6 +664,7 @@ void __init of_irq_init(const struct of_
err:
list_for_each_entry_safe(desc, temp_desc, &intc_desc_list, list) {
list_del(&desc->list);
+ of_node_put(desc->interrupt_parent);
of_node_put(desc->dev);
kfree(desc);
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 423/449] PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (421 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 422/449] of/irq: Fix device node refcount leakages in of_irq_init() Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 424/449] PCI: j721e: Fix the value of .linkdown_irq_regfield for J784S4 Greg Kroah-Hartman
` (32 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stanimir Varbanov, Florian Fainelli,
Manivannan Sadhasivam, Krzysztof Wilczyński
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanimir Varbanov <svarbanov@suse.de>
commit 2df181e1aea4628a8fd257f866026625d0519627 upstream.
A call to of_parse_phandle() is incrementing the refcount, and as such,
the of_node_put() must be called when the reference is no longer needed.
Thus, refactor the existing code and add a missing of_node_put() call
following the check to ensure that "msi_np" matches "pcie->np" and after
MSI initialization, but only if the MSI support is enabled system-wide.
Cc: stable@vger.kernel.org # v5.10+
Fixes: 40ca1bf580ef ("PCI: brcmstb: Add MSI support")
Signed-off-by: Stanimir Varbanov <svarbanov@suse.de>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20250122222955.1752778-1-svarbanov@suse.de
[kwilczynski: commit log]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pcie-brcmstb.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/drivers/pci/controller/pcie-brcmstb.c
+++ b/drivers/pci/controller/pcie-brcmstb.c
@@ -1786,7 +1786,7 @@ static struct pci_ops brcm7425_pcie_ops
static int brcm_pcie_probe(struct platform_device *pdev)
{
- struct device_node *np = pdev->dev.of_node, *msi_np;
+ struct device_node *np = pdev->dev.of_node;
struct pci_host_bridge *bridge;
const struct pcie_cfg_data *data;
struct brcm_pcie *pcie;
@@ -1890,9 +1890,14 @@ static int brcm_pcie_probe(struct platfo
goto fail;
}
- msi_np = of_parse_phandle(pcie->np, "msi-parent", 0);
- if (pci_msi_enabled() && msi_np == pcie->np) {
- ret = brcm_pcie_enable_msi(pcie);
+ if (pci_msi_enabled()) {
+ struct device_node *msi_np = of_parse_phandle(pcie->np, "msi-parent", 0);
+
+ if (msi_np == pcie->np)
+ ret = brcm_pcie_enable_msi(pcie);
+
+ of_node_put(msi_np);
+
if (ret) {
dev_err(pcie->dev, "probe of internal MSI failed");
goto fail;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 424/449] PCI: j721e: Fix the value of .linkdown_irq_regfield for J784S4
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (422 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 423/449] PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe() Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 425/449] PCI: layerscape: Fix arg_count to syscon_regmap_lookup_by_phandle_args() Greg Kroah-Hartman
` (31 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Siddharth Vadapalli,
Krzysztof Wilczyński
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Siddharth Vadapalli <s-vadapalli@ti.com>
commit d66b5b336245b91681c2042e7eedf63ef7c2f6db upstream.
Commit e49ad667815d ("PCI: j721e: Add TI J784S4 PCIe configuration")
assigned the value of .linkdown_irq_regfield for the J784S4 SoC as the
"LINK_DOWN" macro corresponding to BIT(1), and as a result, the Link
Down interrupts on J784S4 SoC are missed.
According to the Technical Reference Manual and Register Documentation
for the J784S4 SoC[1], BIT(1) corresponds to "ENABLE_SYS_EN_PCIE_DPA_1",
which is not the correct field for the link-state interrupt. Instead, it
is BIT(10) of the "PCIE_INTD_ENABLE_REG_SYS_2" register that corresponds
to the link-state field named as "ENABLE_SYS_EN_PCIE_LINK_STATE".
Thus, set .linkdown_irq_regfield to the macro "J7200_LINK_DOWN", which
expands to BIT(10) and was first defined for the J7200 SoC. Other SoCs
already reuse this macro since it accurately represents the "link-state"
field in their respective "PCIE_INTD_ENABLE_REG_SYS_2" register.
1: https://www.ti.com/lit/zip/spruj52
Fixes: e49ad667815d ("PCI: j721e: Add TI J784S4 PCIe configuration")
Cc: stable@vger.kernel.org
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
[kwilczynski: commit log, add a missing .linkdown_irq_regfield member
set to the J7200_LINK_DOWN macro to struct j7200_pcie_ep_data]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Link: https://lore.kernel.org/r/20250305132018.2260771-1-s-vadapalli@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/cadence/pci-j721e.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/pci/controller/cadence/pci-j721e.c
+++ b/drivers/pci/controller/cadence/pci-j721e.c
@@ -355,6 +355,7 @@ static const struct j721e_pcie_data j720
static const struct j721e_pcie_data j7200_pcie_ep_data = {
.mode = PCI_MODE_EP,
.quirk_detect_quiet_flag = true,
+ .linkdown_irq_regfield = J7200_LINK_DOWN,
.quirk_disable_flr = true,
.max_lanes = 2,
};
@@ -376,13 +377,13 @@ static const struct j721e_pcie_data j784
.mode = PCI_MODE_RC,
.quirk_retrain_flag = true,
.byte_access_allowed = false,
- .linkdown_irq_regfield = LINK_DOWN,
+ .linkdown_irq_regfield = J7200_LINK_DOWN,
.max_lanes = 4,
};
static const struct j721e_pcie_data j784s4_pcie_ep_data = {
.mode = PCI_MODE_EP,
- .linkdown_irq_regfield = LINK_DOWN,
+ .linkdown_irq_regfield = J7200_LINK_DOWN,
.max_lanes = 4,
};
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 425/449] PCI: layerscape: Fix arg_count to syscon_regmap_lookup_by_phandle_args()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (423 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 424/449] PCI: j721e: Fix the value of .linkdown_irq_regfield for J784S4 Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 426/449] PCI: pciehp: Avoid unnecessary device replacement check Greg Kroah-Hartman
` (30 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ioana Ciornei, Bjorn Helgaas,
Frank Li, Krzysztof Kozlowski, Roy Zang
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ioana Ciornei <ioana.ciornei@nxp.com>
commit 4c8c0ffd41d16cf08ccb0d3626beb54adfe5450a upstream.
The arg_count parameter to syscon_regmap_lookup_by_phandle_args()
represents the number of argument cells following the phandle. In this
case, the number of arguments should be 1 instead of 2 since the dt
property looks like this:
fsl,pcie-scfg = <&scfg 0>;
Without this fix, layerscape-pcie fails with the following message on
LS1043A:
OF: /soc/pcie@3500000: phandle scfg@1570000 needs 2, found 1
layerscape-pcie 3500000.pcie: No syscfg phandle specified
layerscape-pcie 3500000.pcie: probe with driver layerscape-pcie failed with error -22
Link: https://lore.kernel.org/r/20250327151949.2765193-1-ioana.ciornei@nxp.com
Fixes: 149fc35734e5 ("PCI: layerscape: Use syscon_regmap_lookup_by_phandle_args")
Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Acked-by: Roy Zang <Roy.Zang@nxp.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/dwc/pci-layerscape.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/controller/dwc/pci-layerscape.c b/drivers/pci/controller/dwc/pci-layerscape.c
index 239a05b36e8e..a44b5c256d6e 100644
--- a/drivers/pci/controller/dwc/pci-layerscape.c
+++ b/drivers/pci/controller/dwc/pci-layerscape.c
@@ -356,7 +356,7 @@ static int ls_pcie_probe(struct platform_device *pdev)
if (pcie->drvdata->scfg_support) {
pcie->scfg =
syscon_regmap_lookup_by_phandle_args(dev->of_node,
- "fsl,pcie-scfg", 2,
+ "fsl,pcie-scfg", 1,
index);
if (IS_ERR(pcie->scfg)) {
dev_err(dev, "No syscfg phandle specified\n");
--
2.49.0
^ permalink raw reply related [flat|nested] 469+ messages in thread
* [PATCH 6.14 426/449] PCI: pciehp: Avoid unnecessary device replacement check
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (424 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 425/449] PCI: layerscape: Fix arg_count to syscon_regmap_lookup_by_phandle_args() Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 427/449] PCI: Fix reference leak in pci_alloc_child_bus() Greg Kroah-Hartman
` (29 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kenneth Crudup,
Chia-Lin Kao (AceLan), Mika Westerberg, Lukas Wunner,
Bjorn Helgaas, Kuppuswamy Sathyanarayanan
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
commit e3260237aaadc9799107ccb940c6688195c4518d upstream.
Hot-removal of nested PCI hotplug ports suffers from a long-standing race
condition which can lead to a deadlock: A parent hotplug port acquires
pci_lock_rescan_remove(), then waits for pciehp to unbind from a child
hotplug port. Meanwhile that child hotplug port tries to acquire
pci_lock_rescan_remove() as well in order to remove its own children.
The deadlock only occurs if the parent acquires pci_lock_rescan_remove()
first, not if the child happens to acquire it first.
Several workarounds to avoid the issue have been proposed and discarded
over the years, e.g.:
https://lore.kernel.org/r/4c882e25194ba8282b78fe963fec8faae7cf23eb.1529173804.git.lukas@wunner.de/
A proper fix is being worked on, but needs more time as it is nontrivial
and necessarily intrusive.
Recent commit 9d573d19547b ("PCI: pciehp: Detect device replacement during
system sleep") provokes more frequent occurrence of the deadlock when
removing more than one Thunderbolt device during system sleep. The commit
sought to detect device replacement, but also triggered on device removal.
Differentiating reliably between replacement and removal is impossible
because pci_get_dsn() returns 0 both if the device was removed, as well as
if it was replaced with one lacking a Device Serial Number.
Avoid the more frequent occurrence of the deadlock by checking whether the
hotplug port itself was hot-removed. If so, there's no sense in checking
whether its child device was replaced.
This works because the ->resume_noirq() callback is invoked in top-down
order for the entire hierarchy: A parent hotplug port detecting device
replacement (or removal) marks all children as removed using
pci_dev_set_disconnected() and a child hotplug port can then reliably
detect being removed.
Link: https://lore.kernel.org/r/02f166e24c87d6cde4085865cce9adfdfd969688.1741674172.git.lukas@wunner.de
Fixes: 9d573d19547b ("PCI: pciehp: Detect device replacement during system sleep")
Reported-by: Kenneth Crudup <kenny@panix.com>
Closes: https://lore.kernel.org/r/83d9302a-f743-43e4-9de2-2dd66d91ab5b@panix.com/
Reported-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
Closes: https://lore.kernel.org/r/20240926125909.2362244-1-acelan.kao@canonical.com/
Tested-by: Kenneth Crudup <kenny@panix.com>
Tested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Cc: stable@vger.kernel.org # v6.11+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/hotplug/pciehp_core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/pci/hotplug/pciehp_core.c
+++ b/drivers/pci/hotplug/pciehp_core.c
@@ -286,9 +286,12 @@ static int pciehp_suspend(struct pcie_de
static bool pciehp_device_replaced(struct controller *ctrl)
{
- struct pci_dev *pdev __free(pci_dev_put);
+ struct pci_dev *pdev __free(pci_dev_put) = NULL;
u32 reg;
+ if (pci_dev_is_disconnected(ctrl->pcie->port))
+ return false;
+
pdev = pci_get_slot(ctrl->pcie->port->subordinate, PCI_DEVFN(0, 0));
if (!pdev)
return true;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 427/449] PCI: Fix reference leak in pci_alloc_child_bus()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (425 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 426/449] PCI: pciehp: Avoid unnecessary device replacement check Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 428/449] PCI: Fix reference leak in pci_register_host_bridge() Greg Kroah-Hartman
` (28 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ma Ke, Bjorn Helgaas,
Ilpo Järvinen
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit 1f2768b6a3ee77a295106e3a5d68458064923ede upstream.
If device_register(&child->dev) fails, call put_device() to explicitly
release child->dev, per the comment at device_register().
Found by code review.
Link: https://lore.kernel.org/r/20250202062357.872971-1-make24@iscas.ac.cn
Fixes: 4f535093cf8f ("PCI: Put pci_dev in device tree as early as possible")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/probe.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -1217,7 +1217,10 @@ static struct pci_bus *pci_alloc_child_b
add_dev:
pci_set_bus_msi_domain(child);
ret = device_register(&child->dev);
- WARN_ON(ret < 0);
+ if (WARN_ON(ret < 0)) {
+ put_device(&child->dev);
+ return NULL;
+ }
pcibios_add_bus(child);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 428/449] PCI: Fix reference leak in pci_register_host_bridge()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (426 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 427/449] PCI: Fix reference leak in pci_alloc_child_bus() Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 429/449] PCI: Fix wrong length of devres array Greg Kroah-Hartman
` (27 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Bjorn Helgaas
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit 804443c1f27883926de94c849d91f5b7d7d696e9 upstream.
If device_register() fails, call put_device() to give up the reference to
avoid a memory leak, per the comment at device_register().
Found by code review.
Link: https://lore.kernel.org/r/20250225021440.3130264-1-make24@iscas.ac.cn
Fixes: 37d6a0a6f470 ("PCI: Add pci_register_host_bridge() interface")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
[bhelgaas: squash Dan Carpenter's double free fix from
https://lore.kernel.org/r/db806a6c-a91b-4e5a-a84b-6b7e01bdac85@stanley.mountain]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/probe.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -954,6 +954,7 @@ static int pci_register_host_bridge(stru
resource_size_t offset, next_offset;
LIST_HEAD(resources);
struct resource *res, *next_res;
+ bool bus_registered = false;
char addr[64], *fmt;
const char *name;
int err;
@@ -1017,6 +1018,7 @@ static int pci_register_host_bridge(stru
name = dev_name(&bus->dev);
err = device_register(&bus->dev);
+ bus_registered = true;
if (err)
goto unregister;
@@ -1103,12 +1105,15 @@ static int pci_register_host_bridge(stru
unregister:
put_device(&bridge->dev);
device_del(&bridge->dev);
-
free:
#ifdef CONFIG_PCI_DOMAINS_GENERIC
pci_bus_release_domain_nr(parent, bus->domain_nr);
#endif
- kfree(bus);
+ if (bus_registered)
+ put_device(&bus->dev);
+ else
+ kfree(bus);
+
return err;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 429/449] PCI: Fix wrong length of devres array
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (427 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 428/449] PCI: Fix reference leak in pci_register_host_bridge() Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 430/449] phy: freescale: imx8m-pcie: assert phy reset and perst in power off Greg Kroah-Hartman
` (26 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philipp Stanner, Bjorn Helgaas,
Krzysztof Wilczyński
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philipp Stanner <phasta@kernel.org>
commit f09d3937d400433080d17982bd1a540da53a156d upstream.
The array for the iomapping cookie addresses has a length of
PCI_STD_NUM_BARS. This constant, however, only describes standard BARs;
while PCI can allow for additional, special BARs.
The total number of PCI resources is described by constant
PCI_NUM_RESOURCES, which is also used in, e.g., pci_select_bars().
Thus, the devres array has so far been too small.
Change the length of the devres array to PCI_NUM_RESOURCES.
Link: https://lore.kernel.org/r/20250312080634.13731-3-phasta@kernel.org
Fixes: bbaff68bf4a4 ("PCI: Add managed partial-BAR request and map infrastructure")
Signed-off-by: Philipp Stanner <phasta@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Cc: stable@vger.kernel.org # v6.11+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/devres.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/pci/devres.c
+++ b/drivers/pci/devres.c
@@ -40,7 +40,7 @@
* Legacy struct storing addresses to whole mapped BARs.
*/
struct pcim_iomap_devres {
- void __iomem *table[PCI_STD_NUM_BARS];
+ void __iomem *table[PCI_NUM_RESOURCES];
};
/* Used to restore the old INTx state on driver detach. */
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 430/449] phy: freescale: imx8m-pcie: assert phy reset and perst in power off
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (428 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 429/449] PCI: Fix wrong length of devres array Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 431/449] pinctrl: qcom: Clear latched interrupt status when changing IRQ type Greg Kroah-Hartman
` (25 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefan Eichenberger, Frank Li,
Vinod Koul
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Eichenberger <stefan.eichenberger@toradex.com>
commit aecb63e88c5e5fb9afb782a1577264c76f179af9 upstream.
Ensure the PHY reset and perst is asserted during power-off to
guarantee it is in a reset state upon repeated power-on calls. This
resolves an issue where the PHY may not properly initialize during
subsequent power-on cycles. Power-on will deassert the reset at the
appropriate time after tuning the PHY parameters.
During suspend/resume cycles, we observed that the PHY PLL failed to
lock during resume when the CPU temperature increased from 65C to 75C.
The observed errors were:
phy phy-32f00000.pcie-phy.3: phy poweron failed --> -110
imx6q-pcie 33800000.pcie: waiting for PHY ready timeout!
imx6q-pcie 33800000.pcie: PM: dpm_run_callback(): genpd_resume_noirq+0x0/0x80 returns -110
imx6q-pcie 33800000.pcie: PM: failed to resume noirq: error -110
This resulted in a complete CPU freeze, which is resolved by ensuring
the PHY is in reset during power-on, thus preventing PHY PLL failures.
Cc: stable@vger.kernel.org
Fixes: 1aa97b002258 ("phy: freescale: pcie: Initialize the imx8 pcie standalone phy driver")
Signed-off-by: Stefan Eichenberger <stefan.eichenberger@toradex.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://lore.kernel.org/r/20250305144355.20364-3-eichest@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/phy/freescale/phy-fsl-imx8m-pcie.c
+++ b/drivers/phy/freescale/phy-fsl-imx8m-pcie.c
@@ -162,6 +162,16 @@ static int imx8_pcie_phy_power_on(struct
return ret;
}
+static int imx8_pcie_phy_power_off(struct phy *phy)
+{
+ struct imx8_pcie_phy *imx8_phy = phy_get_drvdata(phy);
+
+ reset_control_assert(imx8_phy->reset);
+ reset_control_assert(imx8_phy->perst);
+
+ return 0;
+}
+
static int imx8_pcie_phy_init(struct phy *phy)
{
struct imx8_pcie_phy *imx8_phy = phy_get_drvdata(phy);
@@ -182,6 +192,7 @@ static const struct phy_ops imx8_pcie_ph
.init = imx8_pcie_phy_init,
.exit = imx8_pcie_phy_exit,
.power_on = imx8_pcie_phy_power_on,
+ .power_off = imx8_pcie_phy_power_off,
.owner = THIS_MODULE,
};
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 431/449] pinctrl: qcom: Clear latched interrupt status when changing IRQ type
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (429 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 430/449] phy: freescale: imx8m-pcie: assert phy reset and perst in power off Greg Kroah-Hartman
@ 2025-04-17 17:51 ` Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 432/449] pinctrl: samsung: add support for eint_fltcon_offset Greg Kroah-Hartman
` (24 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bjorn Andersson, Stephan Gerhold,
Bjorn Andersson, Linus Walleij
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephan Gerhold <stephan.gerhold@linaro.org>
commit e225128c3f8be879e7d4eb71a25949e188b420ae upstream.
When submitting the TLMM test driver, Bjorn reported that some of the test
cases are failing for GPIOs that not are backed by PDC (i.e. "non-wakeup"
GPIOs that are handled directly in pinctrl-msm). Basically, lingering
latched interrupt state is still being delivered at IRQ request time, e.g.:
ok 1 tlmm_test_silent_rising
tlmm_test_silent_falling: ASSERTION FAILED at drivers/pinctrl/qcom/tlmm-test.c:178
Expected atomic_read(&priv->intr_count) == 0, but
atomic_read(&priv->intr_count) == 1 (0x1)
not ok 2 tlmm_test_silent_falling
tlmm_test_silent_low: ASSERTION FAILED at drivers/pinctrl/qcom/tlmm-test.c:178
Expected atomic_read(&priv->intr_count) == 0, but
atomic_read(&priv->intr_count) == 1 (0x1)
not ok 3 tlmm_test_silent_low
ok 4 tlmm_test_silent_high
Whether to report interrupts that came in while the IRQ was unclaimed
doesn't seem to be well-defined in the Linux IRQ API. However, looking
closer at these specific cases, we're actually reporting events that do not
match the interrupt type requested by the driver:
1. After "ok 1 tlmm_test_silent_rising", the GPIO is in low state and
configured for IRQF_TRIGGER_RISING.
2. (a) In preparation for "tlmm_test_silent_falling", the GPIO is switched
to high state. The rising interrupt gets latched.
(b) The GPIO is re-configured for IRQF_TRIGGER_FALLING, but the latched
interrupt isn't cleared.
(c) The IRQ handler is called for the latched interrupt, but there
wasn't any falling edge.
3. (a) For "tlmm_test_silent_low", the GPIO remains in high state.
(b) The GPIO is re-configured for IRQF_TRIGGER_LOW. This seems to
result in a phantom interrupt that gets latched.
(c) The IRQ handler is called for the latched interrupt, but the GPIO
isn't in low state.
4. (a) For "tlmm_test_silent_high", the GPIO is switched to low state.
(b) This doesn't result in a latched interrupt, because RAW_STATUS_EN
was cleared when masking the level-triggered interrupt.
Fix this by clearing the interrupt state whenever making any changes to the
interrupt configuration. This includes previously disabled interrupts, but
also any changes to interrupt polarity or detection type.
With this change, all 16 test cases are now passing for the non-wakeup
GPIOs in the TLMM.
Cc: stable@vger.kernel.org
Fixes: cf9d052aa600 ("pinctrl: qcom: Don't clear pending interrupts when enabling")
Reported-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Closes: https://lore.kernel.org/r/20250227-tlmm-test-v1-1-d18877b4a5db@oss.qualcomm.com/
Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Tested-by: Bjorn Andersson <andersson@kernel.org>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/20250312-pinctrl-msm-type-latch-v1-1-ce87c561d3d7@linaro.org
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/qcom/pinctrl-msm.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/pinctrl/qcom/pinctrl-msm.c
+++ b/drivers/pinctrl/qcom/pinctrl-msm.c
@@ -1045,8 +1045,7 @@ static int msm_gpio_irq_set_type(struct
const struct msm_pingroup *g;
u32 intr_target_mask = GENMASK(2, 0);
unsigned long flags;
- bool was_enabled;
- u32 val;
+ u32 val, oldval;
if (msm_gpio_needs_dual_edge_parent_workaround(d, type)) {
set_bit(d->hwirq, pctrl->dual_edge_irqs);
@@ -1108,8 +1107,7 @@ static int msm_gpio_irq_set_type(struct
* internal circuitry of TLMM, toggling the RAW_STATUS
* could cause the INTR_STATUS to be set for EDGE interrupts.
*/
- val = msm_readl_intr_cfg(pctrl, g);
- was_enabled = val & BIT(g->intr_raw_status_bit);
+ val = oldval = msm_readl_intr_cfg(pctrl, g);
val |= BIT(g->intr_raw_status_bit);
if (g->intr_detection_width == 2) {
val &= ~(3 << g->intr_detection_bit);
@@ -1162,9 +1160,11 @@ static int msm_gpio_irq_set_type(struct
/*
* The first time we set RAW_STATUS_EN it could trigger an interrupt.
* Clear the interrupt. This is safe because we have
- * IRQCHIP_SET_TYPE_MASKED.
+ * IRQCHIP_SET_TYPE_MASKED. When changing the interrupt type, we could
+ * also still have a non-matching interrupt latched, so clear whenever
+ * making changes to the interrupt configuration.
*/
- if (!was_enabled)
+ if (val != oldval)
msm_ack_intr_status(pctrl, g);
if (test_bit(d->hwirq, pctrl->dual_edge_irqs))
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 432/449] pinctrl: samsung: add support for eint_fltcon_offset
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (430 preceding siblings ...)
2025-04-17 17:51 ` [PATCH 6.14 431/449] pinctrl: qcom: Clear latched interrupt status when changing IRQ type Greg Kroah-Hartman
@ 2025-04-17 17:52 ` Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 433/449] ring-buffer: Use flush_kernel_vmap_range() over flush_dcache_folio() Greg Kroah-Hartman
` (23 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, André Draszik, Peter Griffin,
Krzysztof Kozlowski
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Griffin <peter.griffin@linaro.org>
commit 701d0e910955627734917c3587258aa7e73068bb upstream.
On gs101 SoC the fltcon0 (filter configuration 0) offset isn't at a
fixed offset like previous SoCs as the fltcon1 register only exists when
there are more than 4 pins in the bank.
Add a eint_fltcon_offset and new GS101_PIN_BANK_EINT* macros that take
an additional fltcon_offs variable.
This can then be used in suspend/resume callbacks to save and restore
the fltcon0 and fltcon1 registers.
Fixes: 4a8be01a1a7a ("pinctrl: samsung: Add gs101 SoC pinctrl configuration")
Cc: stable@vger.kernel.org
Reviewed-by: André Draszik <andre.draszik@linaro.org>
Signed-off-by: Peter Griffin <peter.griffin@linaro.org>
Link: https://lore.kernel.org/r/20250307-pinctrl-fltcon-suspend-v4-1-2d775e486036@linaro.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/samsung/pinctrl-exynos-arm64.c | 98 ++++++++++++-------------
drivers/pinctrl/samsung/pinctrl-exynos.h | 22 +++++
drivers/pinctrl/samsung/pinctrl-samsung.c | 1
drivers/pinctrl/samsung/pinctrl-samsung.h | 4 +
4 files changed, 76 insertions(+), 49 deletions(-)
--- a/drivers/pinctrl/samsung/pinctrl-exynos-arm64.c
+++ b/drivers/pinctrl/samsung/pinctrl-exynos-arm64.c
@@ -1370,83 +1370,83 @@ const struct samsung_pinctrl_of_match_da
/* pin banks of gs101 pin-controller (ALIVE) */
static const struct samsung_pin_bank_data gs101_pin_alive[] = {
- EXYNOS850_PIN_BANK_EINTW(8, 0x0, "gpa0", 0x00),
- EXYNOS850_PIN_BANK_EINTW(7, 0x20, "gpa1", 0x04),
- EXYNOS850_PIN_BANK_EINTW(5, 0x40, "gpa2", 0x08),
- EXYNOS850_PIN_BANK_EINTW(4, 0x60, "gpa3", 0x0c),
- EXYNOS850_PIN_BANK_EINTW(4, 0x80, "gpa4", 0x10),
- EXYNOS850_PIN_BANK_EINTW(7, 0xa0, "gpa5", 0x14),
- EXYNOS850_PIN_BANK_EINTW(8, 0xc0, "gpa9", 0x18),
- EXYNOS850_PIN_BANK_EINTW(2, 0xe0, "gpa10", 0x1c),
+ GS101_PIN_BANK_EINTW(8, 0x0, "gpa0", 0x00, 0x00),
+ GS101_PIN_BANK_EINTW(7, 0x20, "gpa1", 0x04, 0x08),
+ GS101_PIN_BANK_EINTW(5, 0x40, "gpa2", 0x08, 0x10),
+ GS101_PIN_BANK_EINTW(4, 0x60, "gpa3", 0x0c, 0x18),
+ GS101_PIN_BANK_EINTW(4, 0x80, "gpa4", 0x10, 0x1c),
+ GS101_PIN_BANK_EINTW(7, 0xa0, "gpa5", 0x14, 0x20),
+ GS101_PIN_BANK_EINTW(8, 0xc0, "gpa9", 0x18, 0x28),
+ GS101_PIN_BANK_EINTW(2, 0xe0, "gpa10", 0x1c, 0x30),
};
/* pin banks of gs101 pin-controller (FAR_ALIVE) */
static const struct samsung_pin_bank_data gs101_pin_far_alive[] = {
- EXYNOS850_PIN_BANK_EINTW(8, 0x0, "gpa6", 0x00),
- EXYNOS850_PIN_BANK_EINTW(4, 0x20, "gpa7", 0x04),
- EXYNOS850_PIN_BANK_EINTW(8, 0x40, "gpa8", 0x08),
- EXYNOS850_PIN_BANK_EINTW(2, 0x60, "gpa11", 0x0c),
+ GS101_PIN_BANK_EINTW(8, 0x0, "gpa6", 0x00, 0x00),
+ GS101_PIN_BANK_EINTW(4, 0x20, "gpa7", 0x04, 0x08),
+ GS101_PIN_BANK_EINTW(8, 0x40, "gpa8", 0x08, 0x0c),
+ GS101_PIN_BANK_EINTW(2, 0x60, "gpa11", 0x0c, 0x14),
};
/* pin banks of gs101 pin-controller (GSACORE) */
static const struct samsung_pin_bank_data gs101_pin_gsacore[] = {
- EXYNOS850_PIN_BANK_EINTG(2, 0x0, "gps0", 0x00),
- EXYNOS850_PIN_BANK_EINTG(8, 0x20, "gps1", 0x04),
- EXYNOS850_PIN_BANK_EINTG(3, 0x40, "gps2", 0x08),
+ GS101_PIN_BANK_EINTG(2, 0x0, "gps0", 0x00, 0x00),
+ GS101_PIN_BANK_EINTG(8, 0x20, "gps1", 0x04, 0x04),
+ GS101_PIN_BANK_EINTG(3, 0x40, "gps2", 0x08, 0x0c),
};
/* pin banks of gs101 pin-controller (GSACTRL) */
static const struct samsung_pin_bank_data gs101_pin_gsactrl[] = {
- EXYNOS850_PIN_BANK_EINTW(6, 0x0, "gps3", 0x00),
+ GS101_PIN_BANK_EINTW(6, 0x0, "gps3", 0x00, 0x00),
};
/* pin banks of gs101 pin-controller (PERIC0) */
static const struct samsung_pin_bank_data gs101_pin_peric0[] = {
- EXYNOS850_PIN_BANK_EINTG(5, 0x0, "gpp0", 0x00),
- EXYNOS850_PIN_BANK_EINTG(4, 0x20, "gpp1", 0x04),
- EXYNOS850_PIN_BANK_EINTG(4, 0x40, "gpp2", 0x08),
- EXYNOS850_PIN_BANK_EINTG(2, 0x60, "gpp3", 0x0c),
- EXYNOS850_PIN_BANK_EINTG(4, 0x80, "gpp4", 0x10),
- EXYNOS850_PIN_BANK_EINTG(2, 0xa0, "gpp5", 0x14),
- EXYNOS850_PIN_BANK_EINTG(4, 0xc0, "gpp6", 0x18),
- EXYNOS850_PIN_BANK_EINTG(2, 0xe0, "gpp7", 0x1c),
- EXYNOS850_PIN_BANK_EINTG(4, 0x100, "gpp8", 0x20),
- EXYNOS850_PIN_BANK_EINTG(2, 0x120, "gpp9", 0x24),
- EXYNOS850_PIN_BANK_EINTG(4, 0x140, "gpp10", 0x28),
- EXYNOS850_PIN_BANK_EINTG(2, 0x160, "gpp11", 0x2c),
- EXYNOS850_PIN_BANK_EINTG(4, 0x180, "gpp12", 0x30),
- EXYNOS850_PIN_BANK_EINTG(2, 0x1a0, "gpp13", 0x34),
- EXYNOS850_PIN_BANK_EINTG(4, 0x1c0, "gpp14", 0x38),
- EXYNOS850_PIN_BANK_EINTG(2, 0x1e0, "gpp15", 0x3c),
- EXYNOS850_PIN_BANK_EINTG(4, 0x200, "gpp16", 0x40),
- EXYNOS850_PIN_BANK_EINTG(2, 0x220, "gpp17", 0x44),
- EXYNOS850_PIN_BANK_EINTG(4, 0x240, "gpp18", 0x48),
- EXYNOS850_PIN_BANK_EINTG(4, 0x260, "gpp19", 0x4c),
+ GS101_PIN_BANK_EINTG(5, 0x0, "gpp0", 0x00, 0x00),
+ GS101_PIN_BANK_EINTG(4, 0x20, "gpp1", 0x04, 0x08),
+ GS101_PIN_BANK_EINTG(4, 0x40, "gpp2", 0x08, 0x0c),
+ GS101_PIN_BANK_EINTG(2, 0x60, "gpp3", 0x0c, 0x10),
+ GS101_PIN_BANK_EINTG(4, 0x80, "gpp4", 0x10, 0x14),
+ GS101_PIN_BANK_EINTG(2, 0xa0, "gpp5", 0x14, 0x18),
+ GS101_PIN_BANK_EINTG(4, 0xc0, "gpp6", 0x18, 0x1c),
+ GS101_PIN_BANK_EINTG(2, 0xe0, "gpp7", 0x1c, 0x20),
+ GS101_PIN_BANK_EINTG(4, 0x100, "gpp8", 0x20, 0x24),
+ GS101_PIN_BANK_EINTG(2, 0x120, "gpp9", 0x24, 0x28),
+ GS101_PIN_BANK_EINTG(4, 0x140, "gpp10", 0x28, 0x2c),
+ GS101_PIN_BANK_EINTG(2, 0x160, "gpp11", 0x2c, 0x30),
+ GS101_PIN_BANK_EINTG(4, 0x180, "gpp12", 0x30, 0x34),
+ GS101_PIN_BANK_EINTG(2, 0x1a0, "gpp13", 0x34, 0x38),
+ GS101_PIN_BANK_EINTG(4, 0x1c0, "gpp14", 0x38, 0x3c),
+ GS101_PIN_BANK_EINTG(2, 0x1e0, "gpp15", 0x3c, 0x40),
+ GS101_PIN_BANK_EINTG(4, 0x200, "gpp16", 0x40, 0x44),
+ GS101_PIN_BANK_EINTG(2, 0x220, "gpp17", 0x44, 0x48),
+ GS101_PIN_BANK_EINTG(4, 0x240, "gpp18", 0x48, 0x4c),
+ GS101_PIN_BANK_EINTG(4, 0x260, "gpp19", 0x4c, 0x50),
};
/* pin banks of gs101 pin-controller (PERIC1) */
static const struct samsung_pin_bank_data gs101_pin_peric1[] = {
- EXYNOS850_PIN_BANK_EINTG(8, 0x0, "gpp20", 0x00),
- EXYNOS850_PIN_BANK_EINTG(4, 0x20, "gpp21", 0x04),
- EXYNOS850_PIN_BANK_EINTG(2, 0x40, "gpp22", 0x08),
- EXYNOS850_PIN_BANK_EINTG(8, 0x60, "gpp23", 0x0c),
- EXYNOS850_PIN_BANK_EINTG(4, 0x80, "gpp24", 0x10),
- EXYNOS850_PIN_BANK_EINTG(4, 0xa0, "gpp25", 0x14),
- EXYNOS850_PIN_BANK_EINTG(5, 0xc0, "gpp26", 0x18),
- EXYNOS850_PIN_BANK_EINTG(4, 0xe0, "gpp27", 0x1c),
+ GS101_PIN_BANK_EINTG(8, 0x0, "gpp20", 0x00, 0x00),
+ GS101_PIN_BANK_EINTG(4, 0x20, "gpp21", 0x04, 0x08),
+ GS101_PIN_BANK_EINTG(2, 0x40, "gpp22", 0x08, 0x0c),
+ GS101_PIN_BANK_EINTG(8, 0x60, "gpp23", 0x0c, 0x10),
+ GS101_PIN_BANK_EINTG(4, 0x80, "gpp24", 0x10, 0x18),
+ GS101_PIN_BANK_EINTG(4, 0xa0, "gpp25", 0x14, 0x1c),
+ GS101_PIN_BANK_EINTG(5, 0xc0, "gpp26", 0x18, 0x20),
+ GS101_PIN_BANK_EINTG(4, 0xe0, "gpp27", 0x1c, 0x28),
};
/* pin banks of gs101 pin-controller (HSI1) */
static const struct samsung_pin_bank_data gs101_pin_hsi1[] = {
- EXYNOS850_PIN_BANK_EINTG(6, 0x0, "gph0", 0x00),
- EXYNOS850_PIN_BANK_EINTG(7, 0x20, "gph1", 0x04),
+ GS101_PIN_BANK_EINTG(6, 0x0, "gph0", 0x00, 0x00),
+ GS101_PIN_BANK_EINTG(7, 0x20, "gph1", 0x04, 0x08),
};
/* pin banks of gs101 pin-controller (HSI2) */
static const struct samsung_pin_bank_data gs101_pin_hsi2[] = {
- EXYNOS850_PIN_BANK_EINTG(6, 0x0, "gph2", 0x00),
- EXYNOS850_PIN_BANK_EINTG(2, 0x20, "gph3", 0x04),
- EXYNOS850_PIN_BANK_EINTG(6, 0x40, "gph4", 0x08),
+ GS101_PIN_BANK_EINTG(6, 0x0, "gph2", 0x00, 0x00),
+ GS101_PIN_BANK_EINTG(2, 0x20, "gph3", 0x04, 0x08),
+ GS101_PIN_BANK_EINTG(6, 0x40, "gph4", 0x08, 0x0c),
};
static const struct samsung_pin_ctrl gs101_pin_ctrl[] __initconst = {
--- a/drivers/pinctrl/samsung/pinctrl-exynos.h
+++ b/drivers/pinctrl/samsung/pinctrl-exynos.h
@@ -175,6 +175,28 @@
.name = id \
}
+#define GS101_PIN_BANK_EINTG(pins, reg, id, offs, fltcon_offs) \
+ { \
+ .type = &exynos850_bank_type_off, \
+ .pctl_offset = reg, \
+ .nr_pins = pins, \
+ .eint_type = EINT_TYPE_GPIO, \
+ .eint_offset = offs, \
+ .eint_fltcon_offset = fltcon_offs, \
+ .name = id \
+ }
+
+#define GS101_PIN_BANK_EINTW(pins, reg, id, offs, fltcon_offs) \
+ { \
+ .type = &exynos850_bank_type_alive, \
+ .pctl_offset = reg, \
+ .nr_pins = pins, \
+ .eint_type = EINT_TYPE_WKUP, \
+ .eint_offset = offs, \
+ .eint_fltcon_offset = fltcon_offs, \
+ .name = id \
+ }
+
/**
* struct exynos_weint_data: irq specific data for all the wakeup interrupts
* generated by the external wakeup interrupt controller.
--- a/drivers/pinctrl/samsung/pinctrl-samsung.c
+++ b/drivers/pinctrl/samsung/pinctrl-samsung.c
@@ -1230,6 +1230,7 @@ samsung_pinctrl_get_soc_data(struct sams
bank->eint_con_offset = bdata->eint_con_offset;
bank->eint_mask_offset = bdata->eint_mask_offset;
bank->eint_pend_offset = bdata->eint_pend_offset;
+ bank->eint_fltcon_offset = bdata->eint_fltcon_offset;
bank->name = bdata->name;
raw_spin_lock_init(&bank->slock);
--- a/drivers/pinctrl/samsung/pinctrl-samsung.h
+++ b/drivers/pinctrl/samsung/pinctrl-samsung.h
@@ -144,6 +144,7 @@ struct samsung_pin_bank_type {
* @eint_con_offset: ExynosAuto SoC-specific EINT control register offset of bank.
* @eint_mask_offset: ExynosAuto SoC-specific EINT mask register offset of bank.
* @eint_pend_offset: ExynosAuto SoC-specific EINT pend register offset of bank.
+ * @eint_fltcon_offset: GS101 SoC-specific EINT filter config register offset.
* @name: name to be prefixed for each pin in this pin bank.
*/
struct samsung_pin_bank_data {
@@ -158,6 +159,7 @@ struct samsung_pin_bank_data {
u32 eint_con_offset;
u32 eint_mask_offset;
u32 eint_pend_offset;
+ u32 eint_fltcon_offset;
const char *name;
};
@@ -175,6 +177,7 @@ struct samsung_pin_bank_data {
* @eint_con_offset: ExynosAuto SoC-specific EINT register or interrupt offset of bank.
* @eint_mask_offset: ExynosAuto SoC-specific EINT mask register offset of bank.
* @eint_pend_offset: ExynosAuto SoC-specific EINT pend register offset of bank.
+ * @eint_fltcon_offset: GS101 SoC-specific EINT filter config register offset.
* @name: name to be prefixed for each pin in this pin bank.
* @id: id of the bank, propagated to the pin range.
* @pin_base: starting pin number of the bank.
@@ -201,6 +204,7 @@ struct samsung_pin_bank {
u32 eint_con_offset;
u32 eint_mask_offset;
u32 eint_pend_offset;
+ u32 eint_fltcon_offset;
const char *name;
u32 id;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 433/449] ring-buffer: Use flush_kernel_vmap_range() over flush_dcache_folio()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (431 preceding siblings ...)
2025-04-17 17:52 ` [PATCH 6.14 432/449] pinctrl: samsung: add support for eint_fltcon_offset Greg Kroah-Hartman
@ 2025-04-17 17:52 ` Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 434/449] s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs Greg Kroah-Hartman
` (22 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Torvalds, Masami Hiramatsu,
Mark Rutland, Mathieu Desnoyers, Andrew Morton, Vincent Donnefort,
Vlastimil Babka, Mike Rapoport, Jann Horn,
Steven Rostedt (Google)
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit e4d4b8670c44cdd22212cab3c576e2d317efa67c upstream.
Some architectures do not have data cache coherency between user and
kernel space. For these architectures, the cache needs to be flushed on
both the kernel and user addresses so that user space can see the updates
the kernel has made.
Instead of using flush_dcache_folio() and playing with virt_to_folio()
within the call to that function, use flush_kernel_vmap_range() which
takes the virtual address and does the work for those architectures that
need it.
This also fixes a bug where the flush of the reader page only flushed one
page. If the sub-buffer order is 1 or more, where the sub-buffer size
would be greater than a page, it would miss the rest of the sub-buffer
content, as the "reader page" is not just a page, but the size of a
sub-buffer.
Link: https://lore.kernel.org/all/CAG48ez3w0my4Rwttbc5tEbNsme6tc0mrSN95thjXUFaJ3aQ6SA@mail.gmail.com/
Cc: stable@vger.kernel.org
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Vincent Donnefort <vdonnefort@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Mike Rapoport <rppt@kernel.org>
Link: https://lore.kernel.org/20250402144953.920792197@goodmis.org
Fixes: 117c39200d9d7 ("ring-buffer: Introducing ring-buffer mapping functions");
Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/ring_buffer.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -5963,7 +5963,7 @@ static void rb_update_meta_page(struct r
meta->read = cpu_buffer->read;
/* Some archs do not have data cache coherency between kernel and user-space */
- flush_dcache_folio(virt_to_folio(cpu_buffer->meta_page));
+ flush_kernel_vmap_range(cpu_buffer->meta_page, PAGE_SIZE);
}
static void
@@ -7278,7 +7278,8 @@ consume:
out:
/* Some archs do not have data cache coherency between kernel and user-space */
- flush_dcache_folio(virt_to_folio(cpu_buffer->reader_page->page));
+ flush_kernel_vmap_range(cpu_buffer->reader_page->page,
+ buffer->subbuf_size + BUF_PAGE_HDR_SIZE);
rb_update_meta_page(cpu_buffer);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 434/449] s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (432 preceding siblings ...)
2025-04-17 17:52 ` [PATCH 6.14 433/449] ring-buffer: Use flush_kernel_vmap_range() over flush_dcache_folio() Greg Kroah-Hartman
@ 2025-04-17 17:52 ` Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 435/449] s390/virtio_ccw: Dont allocate/assign airqs for non-existing queues Greg Kroah-Hartman
` (21 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Schnelle, Halil Pasic,
Vasily Gorbik
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Schnelle <schnelle@linux.ibm.com>
commit 8691abd3afaadd816a298503ec1a759df1305d2e upstream.
For non-VFs, zpci_bus_is_isolated_vf() should return false because they
aren't VFs. While zpci_iov_find_parent_pf() specifically checks if
a function is a VF, it then simply returns that there is no parent. The
simplistic check for a parent then leads to these functions being
confused with isolated VFs and isolating them on their own domain even
if sibling PFs should share the domain.
Fix this by explicitly checking if a function is not a VF. Note also
that at this point the case where RIDs are ignored is already handled
and in this case all PCI functions get isolated by being detected in
zpci_bus_is_multifunction_root().
Cc: stable@vger.kernel.org
Fixes: 2844ddbd540f ("s390/pci: Fix handling of isolated VFs")
Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/pci/pci_bus.c | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/s390/pci/pci_bus.c
+++ b/arch/s390/pci/pci_bus.c
@@ -335,6 +335,9 @@ static bool zpci_bus_is_isolated_vf(stru
{
struct pci_dev *pdev;
+ if (!zdev->vfn)
+ return false;
+
pdev = zpci_iov_find_parent_pf(zbus, zdev);
if (!pdev)
return true;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 435/449] s390/virtio_ccw: Dont allocate/assign airqs for non-existing queues
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (433 preceding siblings ...)
2025-04-17 17:52 ` [PATCH 6.14 434/449] s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs Greg Kroah-Hartman
@ 2025-04-17 17:52 ` Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 436/449] s390: Fix linker error when -no-pie option is unavailable Greg Kroah-Hartman
` (20 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chandra Merla, David Hildenbrand,
Thomas Huth, Cornelia Huck, Michael S. Tsirkin,
Christian Borntraeger, Heiko Carstens
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
commit 2ccd42b959aaf490333dbd3b9b102eaf295c036a upstream.
If we finds a vq without a name in our input array in
virtio_ccw_find_vqs(), we treat it as "non-existing" and set the vq pointer
to NULL; we will not call virtio_ccw_setup_vq() to allocate/setup a vq.
Consequently, we create only a queue if it actually exists (name != NULL)
and assign an incremental queue index to each such existing queue.
However, in virtio_ccw_register_adapter_ind()->get_airq_indicator() we
will not ignore these "non-existing queues", but instead assign an airq
indicator to them.
Besides never releasing them in virtio_ccw_drop_indicators() (because
there is no virtqueue), the bigger issue seems to be that there will be a
disagreement between the device and the Linux guest about the airq
indicator to be used for notifying a queue, because the indicator bit
for adapter I/O interrupt is derived from the queue index.
The virtio spec states under "Setting Up Two-Stage Queue Indicators":
... indicator contains the guest address of an area wherein the
indicators for the devices are contained, starting at bit_nr, one
bit per virtqueue of the device.
And further in "Notification via Adapter I/O Interrupts":
For notifying the driver of virtqueue buffers, the device sets the
bit in the guest-provided indicator area at the corresponding
offset.
For example, QEMU uses in virtio_ccw_notify() the queue index (passed as
"vector") to select the relevant indicator bit. If a queue does not exist,
it does not have a corresponding indicator bit assigned, because it
effectively doesn't have a queue index.
Using a virtio-balloon-ccw device under QEMU with free-page-hinting
disabled ("free-page-hint=off") but free-page-reporting enabled
("free-page-reporting=on") will result in free page reporting
not working as expected: in the virtio_balloon driver, we'll be stuck
forever in virtballoon_free_page_report()->wait_event(), because the
waitqueue will not be woken up as the notification from the device is
lost: it would use the wrong indicator bit.
Free page reporting stops working and we get splats (when configured to
detect hung wqs) like:
INFO: task kworker/1:3:463 blocked for more than 61 seconds.
Not tainted 6.14.0 #4
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:3 [...]
Workqueue: events page_reporting_process
Call Trace:
[<000002f404e6dfb2>] __schedule+0x402/0x1640
[<000002f404e6f22e>] schedule+0x3e/0xe0
[<000002f3846a88fa>] virtballoon_free_page_report+0xaa/0x110 [virtio_balloon]
[<000002f40435c8a4>] page_reporting_process+0x2e4/0x740
[<000002f403fd3ee2>] process_one_work+0x1c2/0x400
[<000002f403fd4b96>] worker_thread+0x296/0x420
[<000002f403fe10b4>] kthread+0x124/0x290
[<000002f403f4e0dc>] __ret_from_fork+0x3c/0x60
[<000002f404e77272>] ret_from_fork+0xa/0x38
There was recently a discussion [1] whether the "holes" should be
treated differently again, effectively assigning also non-existing
queues a queue index: that should also fix the issue, but requires other
workarounds to not break existing setups.
Let's fix it without affecting existing setups for now by properly ignoring
the non-existing queues, so the indicator bits will match the queue
indexes.
[1] https://lore.kernel.org/all/cover.1720611677.git.mst@redhat.com/
Fixes: a229989d975e ("virtio: don't allocate vqs when names[i] = NULL")
Reported-by: Chandra Merla <cmerla@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: David Hildenbrand <david@redhat.com>
Tested-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Link: https://lore.kernel.org/r/20250402203621.940090-1-david@redhat.com
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/virtio/virtio_ccw.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
--- a/drivers/s390/virtio/virtio_ccw.c
+++ b/drivers/s390/virtio/virtio_ccw.c
@@ -302,11 +302,17 @@ static struct airq_info *new_airq_info(i
static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs,
u64 *first, void **airq_info)
{
- int i, j;
+ int i, j, queue_idx, highest_queue_idx = -1;
struct airq_info *info;
unsigned long *indicator_addr = NULL;
unsigned long bit, flags;
+ /* Array entries without an actual queue pointer must be ignored. */
+ for (i = 0; i < nvqs; i++) {
+ if (vqs[i])
+ highest_queue_idx++;
+ }
+
for (i = 0; i < MAX_AIRQ_AREAS && !indicator_addr; i++) {
mutex_lock(&airq_areas_lock);
if (!airq_areas[i])
@@ -316,7 +322,7 @@ static unsigned long *get_airq_indicator
if (!info)
return NULL;
write_lock_irqsave(&info->lock, flags);
- bit = airq_iv_alloc(info->aiv, nvqs);
+ bit = airq_iv_alloc(info->aiv, highest_queue_idx + 1);
if (bit == -1UL) {
/* Not enough vacancies. */
write_unlock_irqrestore(&info->lock, flags);
@@ -325,8 +331,10 @@ static unsigned long *get_airq_indicator
*first = bit;
*airq_info = info;
indicator_addr = info->aiv->vector;
- for (j = 0; j < nvqs; j++) {
- airq_iv_set_ptr(info->aiv, bit + j,
+ for (j = 0, queue_idx = 0; j < nvqs; j++) {
+ if (!vqs[j])
+ continue;
+ airq_iv_set_ptr(info->aiv, bit + queue_idx++,
(unsigned long)vqs[j]);
}
write_unlock_irqrestore(&info->lock, flags);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 436/449] s390: Fix linker error when -no-pie option is unavailable
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (434 preceding siblings ...)
2025-04-17 17:52 ` [PATCH 6.14 435/449] s390/virtio_ccw: Dont allocate/assign airqs for non-existing queues Greg Kroah-Hartman
@ 2025-04-17 17:52 ` Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 437/449] sched_ext: create_dsq: Return -EEXIST on duplicate request Greg Kroah-Hartman
` (19 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Jens Remus,
Sumanth Korikkar, Vasily Gorbik
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sumanth Korikkar <sumanthk@linux.ibm.com>
commit 991a20173a1fbafd9fc0df0c7e17bb62d44a4deb upstream.
The kernel build may fail if the linker does not support -no-pie option,
as it always included in LDFLAGS_vmlinux.
Error log:
s390-linux-ld: unable to disambiguate: -no-pie (did you mean --no-pie ?)
Although the GNU linker defaults to -no-pie, the ability to explicitly
specify this option was introduced in binutils 2.36.
Hence, fix it by adding -no-pie to LDFLAGS_vmlinux only when it is
available.
Cc: stable@vger.kernel.org
Fixes: 00cda11d3b2e ("s390: Compile kernel with -fPIC and link with -no-pie")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202503220342.T3fElO9L-lkp@intel.com/
Suggested-by: Jens Remus <jremus@linux.ibm.com>
Reviewed-by: Jens Remus <jremus@linux.ibm.com>
Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/s390/Makefile
+++ b/arch/s390/Makefile
@@ -15,7 +15,7 @@ KBUILD_CFLAGS_MODULE += -fPIC
KBUILD_AFLAGS += -m64
KBUILD_CFLAGS += -m64
KBUILD_CFLAGS += -fPIC
-LDFLAGS_vmlinux := -no-pie --emit-relocs --discard-none
+LDFLAGS_vmlinux := $(call ld-option,-no-pie) --emit-relocs --discard-none
extra_tools := relocs
aflags_dwarf := -Wa,-gdwarf-2
KBUILD_AFLAGS_DECOMPRESSOR := $(CLANG_FLAGS) -m64 -D__ASSEMBLY__
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 437/449] sched_ext: create_dsq: Return -EEXIST on duplicate request
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (435 preceding siblings ...)
2025-04-17 17:52 ` [PATCH 6.14 436/449] s390: Fix linker error when -no-pie option is unavailable Greg Kroah-Hartman
@ 2025-04-17 17:52 ` Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 438/449] selftests: mptcp: close fd_in before returning in main_loop Greg Kroah-Hartman
` (18 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jake Hillion, Andrea Righi,
Tejun Heo
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jake Hillion <jake@hillion.co.uk>
commit a8897ed8523d4c9d782e282b18005a3779c92714 upstream.
create_dsq and therefore the scx_bpf_create_dsq kfunc currently silently
ignore duplicate entries. As a sched_ext scheduler is creating each DSQ
for a different purpose this is surprising behaviour.
Replace rhashtable_insert_fast which ignores duplicates with
rhashtable_lookup_insert_fast that reports duplicates (though doesn't
return their value). The rest of the code is structured correctly and
this now returns -EEXIST.
Tested by adding an extra scx_bpf_create_dsq to scx_simple. Previously
this was ignored, now init fails with a -17 code. Also ran scx_lavd
which continued to work well.
Signed-off-by: Jake Hillion <jake@hillion.co.uk>
Acked-by: Andrea Righi <arighi@nvidia.com>
Fixes: f0e1a0643a59 ("sched_ext: Implement BPF extensible scheduler class")
Cc: stable@vger.kernel.org # v6.12+
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/ext.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -4523,8 +4523,8 @@ static struct scx_dispatch_q *create_dsq
init_dsq(dsq, dsq_id);
- ret = rhashtable_insert_fast(&dsq_hash, &dsq->hash_node,
- dsq_hash_params);
+ ret = rhashtable_lookup_insert_fast(&dsq_hash, &dsq->hash_node,
+ dsq_hash_params);
if (ret) {
kfree(dsq);
return ERR_PTR(ret);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 438/449] selftests: mptcp: close fd_in before returning in main_loop
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (436 preceding siblings ...)
2025-04-17 17:52 ` [PATCH 6.14 437/449] sched_ext: create_dsq: Return -EEXIST on duplicate request Greg Kroah-Hartman
@ 2025-04-17 17:52 ` Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 439/449] selftests: mptcp: fix incorrect fd checks " Greg Kroah-Hartman
` (17 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cong Liu, Geliang Tang,
Matthieu Baerts (NGI0), Jakub Kicinski
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geliang Tang <tanggeliang@kylinos.cn>
commit c183165f87a486d5879f782c05a23c179c3794ab upstream.
The file descriptor 'fd_in' is opened when cfg_input is configured, but
not closed in main_loop(), this patch fixes it.
Fixes: 05be5e273c84 ("selftests: mptcp: add disconnect tests")
Cc: stable@vger.kernel.org
Co-developed-by: Cong Liu <liucong2@kylinos.cn>
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250328-net-mptcp-misc-fixes-6-15-v1-3-34161a482a7f@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_connect.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c
+++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c
@@ -1299,7 +1299,7 @@ again:
ret = copyfd_io(fd_in, fd, 1, 0, &winfo);
if (ret)
- return ret;
+ goto out;
if (cfg_truncate > 0) {
shutdown(fd, SHUT_WR);
@@ -1320,7 +1320,10 @@ again:
close(fd);
}
- return 0;
+out:
+ if (cfg_input)
+ close(fd_in);
+ return ret;
}
int parse_proto(const char *proto)
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 439/449] selftests: mptcp: fix incorrect fd checks in main_loop
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (437 preceding siblings ...)
2025-04-17 17:52 ` [PATCH 6.14 438/449] selftests: mptcp: close fd_in before returning in main_loop Greg Kroah-Hartman
@ 2025-04-17 17:52 ` Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 440/449] spi: fsl-qspi: use devm function instead of driver remove Greg Kroah-Hartman
` (16 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geliang Tang, Cong Liu,
Matthieu Baerts (NGI0), Jakub Kicinski
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Liu <liucong2@kylinos.cn>
commit 7335d4ac812917c16e04958775826d12d481c92d upstream.
Fix a bug where the code was checking the wrong file descriptors
when opening the input files. The code was checking 'fd' instead
of 'fd_in', which could lead to incorrect error handling.
Fixes: 05be5e273c84 ("selftests: mptcp: add disconnect tests")
Cc: stable@vger.kernel.org
Fixes: ca7ae8916043 ("selftests: mptcp: mptfo Initiator/Listener")
Co-developed-by: Geliang Tang <geliang@kernel.org>
Signed-off-by: Geliang Tang <geliang@kernel.org>
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250328-net-mptcp-misc-fixes-6-15-v1-2-34161a482a7f@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_connect.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c
+++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c
@@ -1270,7 +1270,7 @@ int main_loop(void)
if (cfg_input && cfg_sockopt_types.mptfo) {
fd_in = open(cfg_input, O_RDONLY);
- if (fd < 0)
+ if (fd_in < 0)
xerror("can't open %s:%d", cfg_input, errno);
}
@@ -1293,7 +1293,7 @@ again:
if (cfg_input && !cfg_sockopt_types.mptfo) {
fd_in = open(cfg_input, O_RDONLY);
- if (fd < 0)
+ if (fd_in < 0)
xerror("can't open %s:%d", cfg_input, errno);
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 440/449] spi: fsl-qspi: use devm function instead of driver remove
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (438 preceding siblings ...)
2025-04-17 17:52 ` [PATCH 6.14 439/449] selftests: mptcp: fix incorrect fd checks " Greg Kroah-Hartman
@ 2025-04-17 17:52 ` Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 441/449] spi: fsl-qspi: Fix double cleanup in probe error path Greg Kroah-Hartman
` (15 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kevin Hao, Han Xu, Frank Li,
Mark Brown
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Han Xu <han.xu@nxp.com>
commit 40369bfe717e96e26650eeecfa5a6363563df6e4 upstream.
Driver use devm APIs to manage clk/irq/resources and register the spi
controller, but the legacy remove function will be called first during
device detach and trigger kernel panic. Drop the remove function and use
devm_add_action_or_reset() for driver cleanup to ensure the release
sequence.
Trigger kernel panic on i.MX8MQ by
echo 30bb0000.spi >/sys/bus/platform/drivers/fsl-quadspi/unbind
Cc: stable@vger.kernel.org
Fixes: 8fcb830a00f0 ("spi: spi-fsl-qspi: use devm_spi_register_controller")
Reported-by: Kevin Hao <haokexin@gmail.com>
Signed-off-by: Han Xu <han.xu@nxp.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20250326224152.2147099-1-han.xu@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-fsl-qspi.c | 31 +++++++++++++++++--------------
1 file changed, 17 insertions(+), 14 deletions(-)
--- a/drivers/spi/spi-fsl-qspi.c
+++ b/drivers/spi/spi-fsl-qspi.c
@@ -844,6 +844,19 @@ static const struct spi_controller_mem_c
.per_op_freq = true,
};
+static void fsl_qspi_cleanup(void *data)
+{
+ struct fsl_qspi *q = data;
+
+ /* disable the hardware */
+ qspi_writel(q, QUADSPI_MCR_MDIS_MASK, q->iobase + QUADSPI_MCR);
+ qspi_writel(q, 0x0, q->iobase + QUADSPI_RSER);
+
+ fsl_qspi_clk_disable_unprep(q);
+
+ mutex_destroy(&q->lock);
+}
+
static int fsl_qspi_probe(struct platform_device *pdev)
{
struct spi_controller *ctlr;
@@ -934,6 +947,10 @@ static int fsl_qspi_probe(struct platfor
ctlr->dev.of_node = np;
+ ret = devm_add_action_or_reset(dev, fsl_qspi_cleanup, q);
+ if (ret)
+ goto err_destroy_mutex;
+
ret = devm_spi_register_controller(dev, ctlr);
if (ret)
goto err_destroy_mutex;
@@ -953,19 +970,6 @@ err_put_ctrl:
return ret;
}
-static void fsl_qspi_remove(struct platform_device *pdev)
-{
- struct fsl_qspi *q = platform_get_drvdata(pdev);
-
- /* disable the hardware */
- qspi_writel(q, QUADSPI_MCR_MDIS_MASK, q->iobase + QUADSPI_MCR);
- qspi_writel(q, 0x0, q->iobase + QUADSPI_RSER);
-
- fsl_qspi_clk_disable_unprep(q);
-
- mutex_destroy(&q->lock);
-}
-
static int fsl_qspi_suspend(struct device *dev)
{
return 0;
@@ -1003,7 +1007,6 @@ static struct platform_driver fsl_qspi_d
.pm = &fsl_qspi_pm_ops,
},
.probe = fsl_qspi_probe,
- .remove = fsl_qspi_remove,
};
module_platform_driver(fsl_qspi_driver);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 441/449] spi: fsl-qspi: Fix double cleanup in probe error path
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (439 preceding siblings ...)
2025-04-17 17:52 ` [PATCH 6.14 440/449] spi: fsl-qspi: use devm function instead of driver remove Greg Kroah-Hartman
@ 2025-04-17 17:52 ` Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 442/449] thermal/drivers/mediatek/lvts: Disable monitor mode during suspend Greg Kroah-Hartman
` (14 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kevin Hao, Mark Brown
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kevin Hao <haokexin@gmail.com>
commit 5d07ab2a7fa1305e429d9221716582f290b58078 upstream.
Commit 40369bfe717e ("spi: fsl-qspi: use devm function instead of driver
remove") introduced managed cleanup via fsl_qspi_cleanup(), but
incorrectly retain manual cleanup in two scenarios:
- On devm_add_action_or_reset() failure, the function automatically call
fsl_qspi_cleanup(). However, the current code still jumps to
err_destroy_mutex, repeating cleanup.
- After the fsl_qspi_cleanup() action is added successfully, there is no
need to manually perform the cleanup in the subsequent error path.
However, the current code still jumps to err_destroy_mutex on spi
controller failure, repeating cleanup.
Skip redundant manual cleanup calls to fix these issues.
Cc: stable@vger.kernel.org
Fixes: 40369bfe717e ("spi: fsl-qspi: use devm function instead of driver remove")
Signed-off-by: Kevin Hao <haokexin@gmail.com>
Link: https://patch.msgid.link/20250410-spi-v1-1-56e867cc19cf@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-fsl-qspi.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
--- a/drivers/spi/spi-fsl-qspi.c
+++ b/drivers/spi/spi-fsl-qspi.c
@@ -949,17 +949,14 @@ static int fsl_qspi_probe(struct platfor
ret = devm_add_action_or_reset(dev, fsl_qspi_cleanup, q);
if (ret)
- goto err_destroy_mutex;
+ goto err_put_ctrl;
ret = devm_spi_register_controller(dev, ctlr);
if (ret)
- goto err_destroy_mutex;
+ goto err_put_ctrl;
return 0;
-err_destroy_mutex:
- mutex_destroy(&q->lock);
-
err_disable_clk:
fsl_qspi_clk_disable_unprep(q);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 442/449] thermal/drivers/mediatek/lvts: Disable monitor mode during suspend
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (440 preceding siblings ...)
2025-04-17 17:52 ` [PATCH 6.14 441/449] spi: fsl-qspi: Fix double cleanup in probe error path Greg Kroah-Hartman
@ 2025-04-17 17:52 ` Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 443/449] thermal/drivers/mediatek/lvts: Disable Stage 3 thermal threshold Greg Kroah-Hartman
` (13 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hsin-Te Yuan,
AngeloGioacchino Del Regno, Nícolas F . R . A . Prado,
Daniel Lezcano
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nícolas F. R. A. Prado <nfraprado@collabora.com>
commit 65594b3745024857f812145a58db3601d733676c upstream.
When configured in filtered mode, the LVTS thermal controller will
monitor the temperature from the sensors and trigger an interrupt once a
thermal threshold is crossed.
Currently this is true even during suspend and resume. The problem with
that is that when enabling the internal clock of the LVTS controller in
lvts_ctrl_set_enable() during resume, the temperature reading can glitch
and appear much higher than the real one, resulting in a spurious
interrupt getting generated.
Disable the temperature monitoring and give some time for the signals to
stabilize during suspend in order to prevent such spurious interrupts.
Cc: stable@vger.kernel.org
Reported-by: Hsin-Te Yuan <yuanhsinte@chromium.org>
Closes: https://lore.kernel.org/all/20241108-lvts-v1-1-eee339c6ca20@chromium.org/
Fixes: 8137bb90600d ("thermal/drivers/mediatek/lvts_thermal: Add suspend and resume")
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
Link: https://lore.kernel.org/r/20250113-mt8192-lvts-filtered-suspend-fix-v2-1-07a25200c7c6@collabora.com
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thermal/mediatek/lvts_thermal.c | 36 ++++++++++++++++++++++++++++++--
1 file changed, 34 insertions(+), 2 deletions(-)
--- a/drivers/thermal/mediatek/lvts_thermal.c
+++ b/drivers/thermal/mediatek/lvts_thermal.c
@@ -860,6 +860,32 @@ static int lvts_ctrl_init(struct device
return 0;
}
+static void lvts_ctrl_monitor_enable(struct device *dev, struct lvts_ctrl *lvts_ctrl, bool enable)
+{
+ /*
+ * Bitmaps to enable each sensor on filtered mode in the MONCTL0
+ * register.
+ */
+ static const u8 sensor_filt_bitmap[] = { BIT(0), BIT(1), BIT(2), BIT(3) };
+ u32 sensor_map = 0;
+ int i;
+
+ if (lvts_ctrl->mode != LVTS_MSR_FILTERED_MODE)
+ return;
+
+ if (enable) {
+ lvts_for_each_valid_sensor(i, lvts_ctrl)
+ sensor_map |= sensor_filt_bitmap[i];
+ }
+
+ /*
+ * Bits:
+ * 9: Single point access flow
+ * 0-3: Enable sensing point 0-3
+ */
+ writel(sensor_map | BIT(9), LVTS_MONCTL0(lvts_ctrl->base));
+}
+
/*
* At this point the configuration register is the only place in the
* driver where we write multiple values. Per hardware constraint,
@@ -1381,8 +1407,11 @@ static int lvts_suspend(struct device *d
lvts_td = dev_get_drvdata(dev);
- for (i = 0; i < lvts_td->num_lvts_ctrl; i++)
+ for (i = 0; i < lvts_td->num_lvts_ctrl; i++) {
+ lvts_ctrl_monitor_enable(dev, &lvts_td->lvts_ctrl[i], false);
+ usleep_range(100, 200);
lvts_ctrl_set_enable(&lvts_td->lvts_ctrl[i], false);
+ }
clk_disable_unprepare(lvts_td->clk);
@@ -1400,8 +1429,11 @@ static int lvts_resume(struct device *de
if (ret)
return ret;
- for (i = 0; i < lvts_td->num_lvts_ctrl; i++)
+ for (i = 0; i < lvts_td->num_lvts_ctrl; i++) {
lvts_ctrl_set_enable(&lvts_td->lvts_ctrl[i], true);
+ usleep_range(100, 200);
+ lvts_ctrl_monitor_enable(dev, &lvts_td->lvts_ctrl[i], true);
+ }
return 0;
}
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 443/449] thermal/drivers/mediatek/lvts: Disable Stage 3 thermal threshold
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (441 preceding siblings ...)
2025-04-17 17:52 ` [PATCH 6.14 442/449] thermal/drivers/mediatek/lvts: Disable monitor mode during suspend Greg Kroah-Hartman
@ 2025-04-17 17:52 ` Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 444/449] wifi: ath11k: update channel list in worker when wait flag is set Greg Kroah-Hartman
` (12 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hsin-Te Yuan,
AngeloGioacchino Del Regno, Nícolas F . R . A . Prado,
Daniel Lezcano
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nícolas F. R. A. Prado <nfraprado@collabora.com>
commit c612cbcdf603aefb3358b2e3964dcd5aa3f827a0 upstream.
The Stage 3 thermal threshold is currently configured during
the controller initialization to 105 Celsius. From the kernel
perspective, this configuration is harmful because:
* The stage 3 interrupt that gets triggered when the threshold is
crossed is not handled in any way by the IRQ handler, it just gets
cleared. Besides, the temperature used for stage 3 comes from the
sensors, and the critical thermal trip points described in the
Devicetree will already cause a shutdown when crossed (at a lower
temperature, of 100 Celsius, for all SoCs currently using this
driver).
* The only effect of crossing the stage 3 threshold that has been
observed is that it causes the machine to no longer be able to enter
suspend. Even if that was a result of a momentary glitch in the
temperature reading of a sensor (as has been observed on the
MT8192-based Chromebooks).
For those reasons, disable the Stage 3 thermal threshold configuration.
Cc: stable@vger.kernel.org
Reported-by: Hsin-Te Yuan <yuanhsinte@chromium.org>
Closes: https://lore.kernel.org/all/20241108-lvts-v1-1-eee339c6ca20@chromium.org/
Fixes: f5f633b18234 ("thermal/drivers/mediatek: Add the Low Voltage Thermal Sensor driver")
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
Link: https://lore.kernel.org/r/20250113-mt8192-lvts-filtered-suspend-fix-v2-2-07a25200c7c6@collabora.com
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thermal/mediatek/lvts_thermal.c | 16 ++--------------
1 file changed, 2 insertions(+), 14 deletions(-)
--- a/drivers/thermal/mediatek/lvts_thermal.c
+++ b/drivers/thermal/mediatek/lvts_thermal.c
@@ -65,7 +65,7 @@
#define LVTS_HW_FILTER 0x0
#define LVTS_TSSEL_CONF 0x13121110
#define LVTS_CALSCALE_CONF 0x300
-#define LVTS_MONINT_CONF 0x8300318C
+#define LVTS_MONINT_CONF 0x0300318C
#define LVTS_MONINT_OFFSET_SENSOR0 0xC
#define LVTS_MONINT_OFFSET_SENSOR1 0x180
@@ -91,8 +91,6 @@
#define LVTS_MSR_READ_TIMEOUT_US 400
#define LVTS_MSR_READ_WAIT_US (LVTS_MSR_READ_TIMEOUT_US / 2)
-#define LVTS_HW_TSHUT_TEMP 105000
-
#define LVTS_MINIMUM_THRESHOLD 20000
static int golden_temp = LVTS_GOLDEN_TEMP_DEFAULT;
@@ -145,7 +143,6 @@ struct lvts_ctrl {
struct lvts_sensor sensors[LVTS_SENSOR_MAX];
const struct lvts_data *lvts_data;
u32 calibration[LVTS_SENSOR_MAX];
- u32 hw_tshut_raw_temp;
u8 valid_sensor_mask;
int mode;
void __iomem *base;
@@ -837,14 +834,6 @@ static int lvts_ctrl_init(struct device
*/
lvts_ctrl[i].mode = lvts_data->lvts_ctrl[i].mode;
- /*
- * The temperature to raw temperature must be done
- * after initializing the calibration.
- */
- lvts_ctrl[i].hw_tshut_raw_temp =
- lvts_temp_to_raw(LVTS_HW_TSHUT_TEMP,
- lvts_data->temp_factor);
-
lvts_ctrl[i].low_thresh = INT_MIN;
lvts_ctrl[i].high_thresh = INT_MIN;
}
@@ -919,7 +908,6 @@ static int lvts_irq_init(struct lvts_ctr
* 10 : Selected sensor with bits 19-18
* 11 : Reserved
*/
- writel(BIT(16), LVTS_PROTCTL(lvts_ctrl->base));
/*
* LVTS_PROTTA : Stage 1 temperature threshold
@@ -932,8 +920,8 @@ static int lvts_irq_init(struct lvts_ctr
*
* writel(0x0, LVTS_PROTTA(lvts_ctrl->base));
* writel(0x0, LVTS_PROTTB(lvts_ctrl->base));
+ * writel(0x0, LVTS_PROTTC(lvts_ctrl->base));
*/
- writel(lvts_ctrl->hw_tshut_raw_temp, LVTS_PROTTC(lvts_ctrl->base));
/*
* LVTS_MONINT : Interrupt configuration register
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 444/449] wifi: ath11k: update channel list in worker when wait flag is set
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (442 preceding siblings ...)
2025-04-17 17:52 ` [PATCH 6.14 443/449] thermal/drivers/mediatek/lvts: Disable Stage 3 thermal threshold Greg Kroah-Hartman
@ 2025-04-17 17:52 ` Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 445/449] arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists Greg Kroah-Hartman
` (11 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wen Gong, Kang Yang,
Aditya Kumar Singh, Jeff Johnson, Mario Limonciello
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wen Gong <quic_wgong@quicinc.com>
commit 02aae8e2f957adc1b15b6b8055316f8a154ac3f5 upstream.
With previous patch "wifi: ath11k: move update channel list from update
reg worker to reg notifier", ath11k_reg_update_chan_list() will be
called during reg_process_self_managed_hint().
reg_process_self_managed_hint() will hold rtnl_lock all the time.
But ath11k_reg_update_chan_list() may increase the occupation time of
rtnl_lock, because when wait flag is set, wait_for_completion_timeout()
will be called during 11d/hw scan.
Should minimize the occupation time of rtnl_lock as much as possible
to avoid interfering with rest of the system. So move the update channel
list operation to a new worker, so that wait_for_completion_timeout()
won't be called and will not increase the occupation time of rtnl_lock.
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3
Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
Co-developed-by: Kang Yang <quic_kangyang@quicinc.com>
Signed-off-by: Kang Yang <quic_kangyang@quicinc.com>
Reviewed-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Link: https://patch.msgid.link/20250117061737.1921-3-quic_kangyang@quicinc.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Cc: Mario Limonciello <superm1@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath11k/core.c | 1
drivers/net/wireless/ath/ath11k/core.h | 5 +
drivers/net/wireless/ath/ath11k/mac.c | 14 +++++
drivers/net/wireless/ath/ath11k/reg.c | 85 ++++++++++++++++++++++-----------
drivers/net/wireless/ath/ath11k/reg.h | 3 -
drivers/net/wireless/ath/ath11k/wmi.h | 1
6 files changed, 81 insertions(+), 28 deletions(-)
--- a/drivers/net/wireless/ath/ath11k/core.c
+++ b/drivers/net/wireless/ath/ath11k/core.c
@@ -2056,6 +2056,7 @@ void ath11k_core_halt(struct ath11k *ar)
ath11k_mac_scan_finish(ar);
ath11k_mac_peer_cleanup_all(ar);
cancel_delayed_work_sync(&ar->scan.timeout);
+ cancel_work_sync(&ar->channel_update_work);
cancel_work_sync(&ar->regd_update_work);
cancel_work_sync(&ab->update_11d_work);
--- a/drivers/net/wireless/ath/ath11k/core.h
+++ b/drivers/net/wireless/ath/ath11k/core.h
@@ -685,7 +685,7 @@ struct ath11k {
struct mutex conf_mutex;
/* protects the radio specific data like debug stats, ppdu_stats_info stats,
* vdev_stop_status info, scan data, ath11k_sta info, ath11k_vif info,
- * channel context data, survey info, test mode data.
+ * channel context data, survey info, test mode data, channel_update_queue.
*/
spinlock_t data_lock;
@@ -743,6 +743,9 @@ struct ath11k {
struct completion bss_survey_done;
struct work_struct regd_update_work;
+ struct work_struct channel_update_work;
+ /* protected with data_lock */
+ struct list_head channel_update_queue;
struct work_struct wmi_mgmt_tx_work;
struct sk_buff_head wmi_mgmt_tx_queue;
--- a/drivers/net/wireless/ath/ath11k/mac.c
+++ b/drivers/net/wireless/ath/ath11k/mac.c
@@ -6283,6 +6283,7 @@ static void ath11k_mac_op_stop(struct ie
{
struct ath11k *ar = hw->priv;
struct htt_ppdu_stats_info *ppdu_stats, *tmp;
+ struct scan_chan_list_params *params;
int ret;
ath11k_mac_drain_tx(ar);
@@ -6298,6 +6299,7 @@ static void ath11k_mac_op_stop(struct ie
mutex_unlock(&ar->conf_mutex);
cancel_delayed_work_sync(&ar->scan.timeout);
+ cancel_work_sync(&ar->channel_update_work);
cancel_work_sync(&ar->regd_update_work);
cancel_work_sync(&ar->ab->update_11d_work);
@@ -6307,10 +6309,19 @@ static void ath11k_mac_op_stop(struct ie
}
spin_lock_bh(&ar->data_lock);
+
list_for_each_entry_safe(ppdu_stats, tmp, &ar->ppdu_stats_info, list) {
list_del(&ppdu_stats->list);
kfree(ppdu_stats);
}
+
+ while ((params = list_first_entry_or_null(&ar->channel_update_queue,
+ struct scan_chan_list_params,
+ list))) {
+ list_del(¶ms->list);
+ kfree(params);
+ }
+
spin_unlock_bh(&ar->data_lock);
rcu_assign_pointer(ar->ab->pdevs_active[ar->pdev_idx], NULL);
@@ -10014,6 +10025,7 @@ static const struct wiphy_iftype_ext_cap
static void __ath11k_mac_unregister(struct ath11k *ar)
{
+ cancel_work_sync(&ar->channel_update_work);
cancel_work_sync(&ar->regd_update_work);
ieee80211_unregister_hw(ar->hw);
@@ -10413,6 +10425,8 @@ int ath11k_mac_allocate(struct ath11k_ba
init_completion(&ar->thermal.wmi_sync);
INIT_DELAYED_WORK(&ar->scan.timeout, ath11k_scan_timeout_work);
+ INIT_WORK(&ar->channel_update_work, ath11k_regd_update_chan_list_work);
+ INIT_LIST_HEAD(&ar->channel_update_queue);
INIT_WORK(&ar->regd_update_work, ath11k_regd_update_work);
INIT_WORK(&ar->wmi_mgmt_tx_work, ath11k_mgmt_over_wmi_tx_work);
--- a/drivers/net/wireless/ath/ath11k/reg.c
+++ b/drivers/net/wireless/ath/ath11k/reg.c
@@ -124,32 +124,7 @@ int ath11k_reg_update_chan_list(struct a
struct channel_param *ch;
enum nl80211_band band;
int num_channels = 0;
- int i, ret, left;
-
- if (wait && ar->state_11d != ATH11K_11D_IDLE) {
- left = wait_for_completion_timeout(&ar->completed_11d_scan,
- ATH11K_SCAN_TIMEOUT_HZ);
- if (!left) {
- ath11k_dbg(ar->ab, ATH11K_DBG_REG,
- "failed to receive 11d scan complete: timed out\n");
- ar->state_11d = ATH11K_11D_IDLE;
- }
- ath11k_dbg(ar->ab, ATH11K_DBG_REG,
- "11d scan wait left time %d\n", left);
- }
-
- if (wait &&
- (ar->scan.state == ATH11K_SCAN_STARTING ||
- ar->scan.state == ATH11K_SCAN_RUNNING)) {
- left = wait_for_completion_timeout(&ar->scan.completed,
- ATH11K_SCAN_TIMEOUT_HZ);
- if (!left)
- ath11k_dbg(ar->ab, ATH11K_DBG_REG,
- "failed to receive hw scan complete: timed out\n");
-
- ath11k_dbg(ar->ab, ATH11K_DBG_REG,
- "hw scan wait left time %d\n", left);
- }
+ int i, ret = 0;
if (ar->state == ATH11K_STATE_RESTARTING)
return 0;
@@ -231,6 +206,16 @@ int ath11k_reg_update_chan_list(struct a
}
}
+ if (wait) {
+ spin_lock_bh(&ar->data_lock);
+ list_add_tail(¶ms->list, &ar->channel_update_queue);
+ spin_unlock_bh(&ar->data_lock);
+
+ queue_work(ar->ab->workqueue, &ar->channel_update_work);
+
+ return 0;
+ }
+
ret = ath11k_wmi_send_scan_chan_list_cmd(ar, params);
kfree(params);
@@ -811,6 +796,54 @@ ret:
return new_regd;
}
+void ath11k_regd_update_chan_list_work(struct work_struct *work)
+{
+ struct ath11k *ar = container_of(work, struct ath11k,
+ channel_update_work);
+ struct scan_chan_list_params *params;
+ struct list_head local_update_list;
+ int left;
+
+ INIT_LIST_HEAD(&local_update_list);
+
+ spin_lock_bh(&ar->data_lock);
+ list_splice_tail_init(&ar->channel_update_queue, &local_update_list);
+ spin_unlock_bh(&ar->data_lock);
+
+ while ((params = list_first_entry_or_null(&local_update_list,
+ struct scan_chan_list_params,
+ list))) {
+ if (ar->state_11d != ATH11K_11D_IDLE) {
+ left = wait_for_completion_timeout(&ar->completed_11d_scan,
+ ATH11K_SCAN_TIMEOUT_HZ);
+ if (!left) {
+ ath11k_dbg(ar->ab, ATH11K_DBG_REG,
+ "failed to receive 11d scan complete: timed out\n");
+ ar->state_11d = ATH11K_11D_IDLE;
+ }
+
+ ath11k_dbg(ar->ab, ATH11K_DBG_REG,
+ "reg 11d scan wait left time %d\n", left);
+ }
+
+ if ((ar->scan.state == ATH11K_SCAN_STARTING ||
+ ar->scan.state == ATH11K_SCAN_RUNNING)) {
+ left = wait_for_completion_timeout(&ar->scan.completed,
+ ATH11K_SCAN_TIMEOUT_HZ);
+ if (!left)
+ ath11k_dbg(ar->ab, ATH11K_DBG_REG,
+ "failed to receive hw scan complete: timed out\n");
+
+ ath11k_dbg(ar->ab, ATH11K_DBG_REG,
+ "reg hw scan wait left time %d\n", left);
+ }
+
+ ath11k_wmi_send_scan_chan_list_cmd(ar, params);
+ list_del(¶ms->list);
+ kfree(params);
+ }
+}
+
static bool ath11k_reg_is_world_alpha(char *alpha)
{
if (alpha[0] == '0' && alpha[1] == '0')
--- a/drivers/net/wireless/ath/ath11k/reg.h
+++ b/drivers/net/wireless/ath/ath11k/reg.h
@@ -1,7 +1,7 @@
/* SPDX-License-Identifier: BSD-3-Clause-Clear */
/*
* Copyright (c) 2019 The Linux Foundation. All rights reserved.
- * Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2025 Qualcomm Innovation Center, Inc. All rights reserved.
*/
#ifndef ATH11K_REG_H
@@ -33,6 +33,7 @@ void ath11k_reg_init(struct ath11k *ar);
void ath11k_reg_reset_info(struct cur_regulatory_info *reg_info);
void ath11k_reg_free(struct ath11k_base *ab);
void ath11k_regd_update_work(struct work_struct *work);
+void ath11k_regd_update_chan_list_work(struct work_struct *work);
struct ieee80211_regdomain *
ath11k_reg_build_regd(struct ath11k_base *ab,
struct cur_regulatory_info *reg_info, bool intersect,
--- a/drivers/net/wireless/ath/ath11k/wmi.h
+++ b/drivers/net/wireless/ath/ath11k/wmi.h
@@ -3817,6 +3817,7 @@ struct wmi_stop_scan_cmd {
};
struct scan_chan_list_params {
+ struct list_head list;
u32 pdev_id;
u16 nallchans;
struct channel_param ch_param[];
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 445/449] arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (443 preceding siblings ...)
2025-04-17 17:52 ` [PATCH 6.14 444/449] wifi: ath11k: update channel list in worker when wait flag is set Greg Kroah-Hartman
@ 2025-04-17 17:52 ` Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 446/449] iommufd: Make attach_handle generic than fault specific Greg Kroah-Hartman
` (10 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Douglas Anderson, James Morse,
Catalin Marinas
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
commit a5951389e58d2e816eed3dbec5877de9327fd881 upstream.
When comparing to the ARM list [1], it appears that several ARM cores
were missing from the lists in spectre_bhb_loop_affected(). Add them.
NOTE: for some of these cores it may not matter since other ways of
clearing the BHB may be used (like the CLRBHB instruction or ECBHB),
but it still seems good to have all the info from ARM's whitepaper
included.
[1] https://developer.arm.com/Arm%20Security%20Center/Spectre-BHB
Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels")
Cc: stable@vger.kernel.org
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: James Morse <james.morse@arm.com>
Link: https://lore.kernel.org/r/20250107120555.v4.5.I4a9a527e03f663040721c5401c41de587d015c82@changeid
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/proton-pack.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
--- a/arch/arm64/kernel/proton-pack.c
+++ b/arch/arm64/kernel/proton-pack.c
@@ -876,6 +876,14 @@ static u8 spectre_bhb_loop_affected(void
{
u8 k = 0;
+ static const struct midr_range spectre_bhb_k132_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X3),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
+ };
+ static const struct midr_range spectre_bhb_k38_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A715),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A720),
+ };
static const struct midr_range spectre_bhb_k32_list[] = {
MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
@@ -889,6 +897,7 @@ static u8 spectre_bhb_loop_affected(void
};
static const struct midr_range spectre_bhb_k24_list[] = {
MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE),
MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD),
@@ -904,7 +913,11 @@ static u8 spectre_bhb_loop_affected(void
{},
};
- if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list))
+ if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k132_list))
+ k = 132;
+ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k38_list))
+ k = 38;
+ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list))
k = 32;
else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list))
k = 24;
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 446/449] iommufd: Make attach_handle generic than fault specific
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (444 preceding siblings ...)
2025-04-17 17:52 ` [PATCH 6.14 445/449] arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists Greg Kroah-Hartman
@ 2025-04-17 17:52 ` Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 447/449] iommufd: Fail replace if device has not been attached Greg Kroah-Hartman
` (9 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nicolin Chen, Yi Liu,
Jason Gunthorpe
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolin Chen <nicolinc@nvidia.com>
commit fb21b1568adaa76af7a8c853f37c60fba8b28661 upstream.
"attach_handle" was added exclusively for the iommufd_fault_iopf_handler()
used by IOPF/PRI use cases. Now, both the MSI and PASID series require to
reuse the attach_handle for non-fault cases.
Add a set of new attach/detach/replace helpers that does the attach_handle
allocation/releasing/replacement in the common path and also handles those
fault specific routines such as iopf enabling/disabling and auto response.
This covers both non-fault and fault cases in a clean way, replacing those
inline helpers in the header. The following patch will clean up those old
helpers in the fault.c file.
Link: https://patch.msgid.link/r/32687df01c02291d89986a9fca897bbbe2b10987.1738645017.git.nicolinc@nvidia.com
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Yi Liu <yi.l.liu@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iommufd/device.c | 105 ++++++++++++++++++++++++++++++++
drivers/iommu/iommufd/fault.c | 8 +-
drivers/iommu/iommufd/iommufd_private.h | 33 +---------
3 files changed, 113 insertions(+), 33 deletions(-)
--- a/drivers/iommu/iommufd/device.c
+++ b/drivers/iommu/iommufd/device.c
@@ -352,6 +352,111 @@ iommufd_device_attach_reserved_iova(stru
return 0;
}
+/* The device attach/detach/replace helpers for attach_handle */
+
+static int iommufd_hwpt_attach_device(struct iommufd_hw_pagetable *hwpt,
+ struct iommufd_device *idev)
+{
+ struct iommufd_attach_handle *handle;
+ int rc;
+
+ lockdep_assert_held(&idev->igroup->lock);
+
+ handle = kzalloc(sizeof(*handle), GFP_KERNEL);
+ if (!handle)
+ return -ENOMEM;
+
+ if (hwpt->fault) {
+ rc = iommufd_fault_iopf_enable(idev);
+ if (rc)
+ goto out_free_handle;
+ }
+
+ handle->idev = idev;
+ rc = iommu_attach_group_handle(hwpt->domain, idev->igroup->group,
+ &handle->handle);
+ if (rc)
+ goto out_disable_iopf;
+
+ return 0;
+
+out_disable_iopf:
+ if (hwpt->fault)
+ iommufd_fault_iopf_disable(idev);
+out_free_handle:
+ kfree(handle);
+ return rc;
+}
+
+static struct iommufd_attach_handle *
+iommufd_device_get_attach_handle(struct iommufd_device *idev)
+{
+ struct iommu_attach_handle *handle;
+
+ lockdep_assert_held(&idev->igroup->lock);
+
+ handle =
+ iommu_attach_handle_get(idev->igroup->group, IOMMU_NO_PASID, 0);
+ if (IS_ERR(handle))
+ return NULL;
+ return to_iommufd_handle(handle);
+}
+
+static void iommufd_hwpt_detach_device(struct iommufd_hw_pagetable *hwpt,
+ struct iommufd_device *idev)
+{
+ struct iommufd_attach_handle *handle;
+
+ handle = iommufd_device_get_attach_handle(idev);
+ iommu_detach_group_handle(hwpt->domain, idev->igroup->group);
+ if (hwpt->fault) {
+ iommufd_auto_response_faults(hwpt, handle);
+ iommufd_fault_iopf_disable(idev);
+ }
+ kfree(handle);
+}
+
+static int iommufd_hwpt_replace_device(struct iommufd_device *idev,
+ struct iommufd_hw_pagetable *hwpt,
+ struct iommufd_hw_pagetable *old)
+{
+ struct iommufd_attach_handle *handle, *old_handle =
+ iommufd_device_get_attach_handle(idev);
+ int rc;
+
+ handle = kzalloc(sizeof(*handle), GFP_KERNEL);
+ if (!handle)
+ return -ENOMEM;
+
+ if (hwpt->fault && !old->fault) {
+ rc = iommufd_fault_iopf_enable(idev);
+ if (rc)
+ goto out_free_handle;
+ }
+
+ handle->idev = idev;
+ rc = iommu_replace_group_handle(idev->igroup->group, hwpt->domain,
+ &handle->handle);
+ if (rc)
+ goto out_disable_iopf;
+
+ if (old->fault) {
+ iommufd_auto_response_faults(hwpt, old_handle);
+ if (!hwpt->fault)
+ iommufd_fault_iopf_disable(idev);
+ }
+ kfree(old_handle);
+
+ return 0;
+
+out_disable_iopf:
+ if (hwpt->fault && !old->fault)
+ iommufd_fault_iopf_disable(idev);
+out_free_handle:
+ kfree(handle);
+ return rc;
+}
+
int iommufd_hw_pagetable_attach(struct iommufd_hw_pagetable *hwpt,
struct iommufd_device *idev)
{
--- a/drivers/iommu/iommufd/fault.c
+++ b/drivers/iommu/iommufd/fault.c
@@ -17,7 +17,7 @@
#include "../iommu-priv.h"
#include "iommufd_private.h"
-static int iommufd_fault_iopf_enable(struct iommufd_device *idev)
+int iommufd_fault_iopf_enable(struct iommufd_device *idev)
{
struct device *dev = idev->dev;
int ret;
@@ -50,7 +50,7 @@ static int iommufd_fault_iopf_enable(str
return ret;
}
-static void iommufd_fault_iopf_disable(struct iommufd_device *idev)
+void iommufd_fault_iopf_disable(struct iommufd_device *idev)
{
mutex_lock(&idev->iopf_lock);
if (!WARN_ON(idev->iopf_enabled == 0)) {
@@ -98,8 +98,8 @@ int iommufd_fault_domain_attach_dev(stru
return ret;
}
-static void iommufd_auto_response_faults(struct iommufd_hw_pagetable *hwpt,
- struct iommufd_attach_handle *handle)
+void iommufd_auto_response_faults(struct iommufd_hw_pagetable *hwpt,
+ struct iommufd_attach_handle *handle)
{
struct iommufd_fault *fault = hwpt->fault;
struct iopf_group *group, *next;
--- a/drivers/iommu/iommufd/iommufd_private.h
+++ b/drivers/iommu/iommufd/iommufd_private.h
@@ -504,35 +504,10 @@ int iommufd_fault_domain_replace_dev(str
struct iommufd_hw_pagetable *hwpt,
struct iommufd_hw_pagetable *old);
-static inline int iommufd_hwpt_attach_device(struct iommufd_hw_pagetable *hwpt,
- struct iommufd_device *idev)
-{
- if (hwpt->fault)
- return iommufd_fault_domain_attach_dev(hwpt, idev);
-
- return iommu_attach_group(hwpt->domain, idev->igroup->group);
-}
-
-static inline void iommufd_hwpt_detach_device(struct iommufd_hw_pagetable *hwpt,
- struct iommufd_device *idev)
-{
- if (hwpt->fault) {
- iommufd_fault_domain_detach_dev(hwpt, idev);
- return;
- }
-
- iommu_detach_group(hwpt->domain, idev->igroup->group);
-}
-
-static inline int iommufd_hwpt_replace_device(struct iommufd_device *idev,
- struct iommufd_hw_pagetable *hwpt,
- struct iommufd_hw_pagetable *old)
-{
- if (old->fault || hwpt->fault)
- return iommufd_fault_domain_replace_dev(idev, hwpt, old);
-
- return iommu_group_replace_domain(idev->igroup->group, hwpt->domain);
-}
+int iommufd_fault_iopf_enable(struct iommufd_device *idev);
+void iommufd_fault_iopf_disable(struct iommufd_device *idev);
+void iommufd_auto_response_faults(struct iommufd_hw_pagetable *hwpt,
+ struct iommufd_attach_handle *handle);
static inline struct iommufd_viommu *
iommufd_get_viommu(struct iommufd_ucmd *ucmd, u32 id)
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 447/449] iommufd: Fail replace if device has not been attached
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (445 preceding siblings ...)
2025-04-17 17:52 ` [PATCH 6.14 446/449] iommufd: Make attach_handle generic than fault specific Greg Kroah-Hartman
@ 2025-04-17 17:52 ` Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 448/449] x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions() Greg Kroah-Hartman
` (8 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kevin Tian, Yi Liu, Jason Gunthorpe
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yi Liu <yi.l.liu@intel.com>
commit 55c85fa7579dc2e3f5399ef5bad67a44257c1a48 upstream.
The current implementation of iommufd_device_do_replace() implicitly
assumes that the input device has already been attached. However, there
is no explicit check to verify this assumption. If another device within
the same group has been attached, the replace operation might succeed,
but the input device itself may not have been attached yet.
As a result, the input device might not be tracked in the
igroup->device_list, and its reserved IOVA might not be added. Despite
this, the caller might incorrectly assume that the device has been
successfully replaced, which could lead to unexpected behavior or errors.
To address this issue, add a check to ensure that the input device has
been attached before proceeding with the replace operation. This check
will help maintain the integrity of the device tracking system and prevent
potential issues arising from incorrect assumptions about the device's
attachment status.
Fixes: e88d4ec154a8 ("iommufd: Add iommufd_device_replace()")
Link: https://patch.msgid.link/r/20250306034842.5950-1-yi.l.liu@intel.com
Cc: stable@vger.kernel.org
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Yi Liu <yi.l.liu@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iommufd/device.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/drivers/iommu/iommufd/device.c
+++ b/drivers/iommu/iommufd/device.c
@@ -354,6 +354,17 @@ iommufd_device_attach_reserved_iova(stru
/* The device attach/detach/replace helpers for attach_handle */
+/* Check if idev is attached to igroup->hwpt */
+static bool iommufd_device_is_attached(struct iommufd_device *idev)
+{
+ struct iommufd_device *cur;
+
+ list_for_each_entry(cur, &idev->igroup->device_list, group_item)
+ if (cur == idev)
+ return true;
+ return false;
+}
+
static int iommufd_hwpt_attach_device(struct iommufd_hw_pagetable *hwpt,
struct iommufd_device *idev)
{
@@ -592,6 +603,11 @@ iommufd_device_do_replace(struct iommufd
rc = -EINVAL;
goto err_unlock;
}
+
+ if (!iommufd_device_is_attached(idev)) {
+ rc = -EINVAL;
+ goto err_unlock;
+ }
if (hwpt == igroup->hwpt) {
mutex_unlock(&idev->igroup->lock);
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 448/449] x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions()
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (446 preceding siblings ...)
2025-04-17 17:52 ` [PATCH 6.14 447/449] iommufd: Fail replace if device has not been attached Greg Kroah-Hartman
@ 2025-04-17 17:52 ` Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 449/449] Bluetooth: hci_uart: Fix another race during initialization Greg Kroah-Hartman
` (7 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Roberto Ricci, Myrrh Periwinkle,
Ingo Molnar, Rafael J. Wysocki, Ard Biesheuvel, H. Peter Anvin,
Kees Cook, Linus Torvalds, David Woodhouse, Len Brown
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
commit f2f29da9f0d4367f6ff35e0d9d021257bb53e273 upstream.
While debugging kexec/hibernation hangs and crashes, it turned out that
the current implementation of e820__register_nosave_regions() suffers from
multiple serious issues:
- The end of last region is tracked by PFN, causing it to find holes
that aren't there if two consecutive subpage regions are present
- The nosave PFN ranges derived from holes are rounded out (instead of
rounded in) which makes it inconsistent with how explicitly reserved
regions are handled
Fix this by:
- Treating reserved regions as if they were holes, to ensure consistent
handling (rounding out nosave PFN ranges is more correct as the
kernel does not use partial pages)
- Tracking the end of the last RAM region by address instead of pages
to detect holes more precisely
These bugs appear to have been introduced about ~18 years ago with the very
first version of e820_mark_nosave_regions(), and its flawed assumptions were
carried forward uninterrupted through various waves of rewrites and renames.
[ mingo: Added Git archeology details, for kicks and giggles. ]
Fixes: e8eff5ac294e ("[PATCH] Make swsusp avoid memory holes and reserved memory regions on x86_64")
Reported-by: Roberto Ricci <io@r-ricci.it>
Tested-by: Roberto Ricci <io@r-ricci.it>
Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: Len Brown <len.brown@intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250406-fix-e820-nosave-v3-1-f3787bc1ee1d@qtmlabs.xyz
Closes: https://lore.kernel.org/all/Z4WFjBVHpndct7br@desktop0a/
Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/e820.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
--- a/arch/x86/kernel/e820.c
+++ b/arch/x86/kernel/e820.c
@@ -754,22 +754,21 @@ void __init e820__memory_setup_extended(
void __init e820__register_nosave_regions(unsigned long limit_pfn)
{
int i;
- unsigned long pfn = 0;
+ u64 last_addr = 0;
for (i = 0; i < e820_table->nr_entries; i++) {
struct e820_entry *entry = &e820_table->entries[i];
- if (pfn < PFN_UP(entry->addr))
- register_nosave_region(pfn, PFN_UP(entry->addr));
-
- pfn = PFN_DOWN(entry->addr + entry->size);
-
if (entry->type != E820_TYPE_RAM && entry->type != E820_TYPE_RESERVED_KERN)
- register_nosave_region(PFN_UP(entry->addr), pfn);
+ continue;
- if (pfn >= limit_pfn)
- break;
+ if (last_addr < entry->addr)
+ register_nosave_region(PFN_DOWN(last_addr), PFN_UP(entry->addr));
+
+ last_addr = entry->addr + entry->size;
}
+
+ register_nosave_region(PFN_DOWN(last_addr), limit_pfn);
}
#ifdef CONFIG_ACPI
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH 6.14 449/449] Bluetooth: hci_uart: Fix another race during initialization
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (447 preceding siblings ...)
2025-04-17 17:52 ` [PATCH 6.14 448/449] x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions() Greg Kroah-Hartman
@ 2025-04-17 17:52 ` Greg Kroah-Hartman
2025-04-17 18:53 ` [PATCH 6.14 000/449] 6.14.3-rc1 review Ronald Warsow
` (6 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-17 17:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arseniy Krasnov,
syzbot+683f8cb11b94b1824c77, Luiz Augusto von Dentz
6.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arseniy Krasnov <avkrasnov@salutedevices.com>
commit 5df5dafc171b90d0b8d51547a82657cd5a1986c7 upstream.
Do not set 'HCI_UART_PROTO_READY' before call 'hci_uart_register_dev()'.
Possible race is when someone calls 'hci_tty_uart_close()' after this bit
is set, but 'hci_uart_register_dev()' wasn't done. This leads to access
to uninitialized fields. To fix it let's set this bit after device was
registered (as before patch c411c62cc133) and to fix previous problem let's
add one more bit in addition to 'HCI_UART_PROTO_READY' which allows to
perform power up without original bit set (pls see commit c411c62cc133).
Crash backtrace from syzbot report:
RIP: 0010:skb_queue_empty_lockless include/linux/skbuff.h:1887 [inline]
RIP: 0010:skb_queue_purge_reason+0x6d/0x140 net/core/skbuff.c:3936
Call Trace:
<TASK>
skb_queue_purge include/linux/skbuff.h:3364 [inline]
mrvl_close+0x2f/0x90 drivers/bluetooth/hci_mrvl.c:100
hci_uart_tty_close+0xb6/0x120 drivers/bluetooth/hci_ldisc.c:557
tty_ldisc_close drivers/tty/tty_ldisc.c:455 [inline]
tty_ldisc_kill+0x66/0xc0 drivers/tty/tty_ldisc.c:613
tty_ldisc_release+0xc9/0x120 drivers/tty/tty_ldisc.c:781
tty_release_struct+0x10/0x80 drivers/tty/tty_io.c:1690
tty_release+0x4ef/0x640 drivers/tty/tty_io.c:1861
__fput+0x86/0x2a0 fs/file_table.c:450
task_work_run+0x82/0xb0 kernel/task_work.c:239
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xa3/0x1b0 kernel/entry/common.c:218
do_syscall_64+0x9a/0x190 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
Reported-by: syzbot+683f8cb11b94b1824c77@syzkaller.appspotmail.com
Tested-by: syzbot+683f8cb11b94b1824c77@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-bluetooth/d159c57f-8490-4c26-79da-6ad3612c4a14@salutedevices.com/
Fixes: 366ceff495f9 ("Bluetooth: hci_uart: fix race during initialization")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/hci_ldisc.c | 20 ++++++++++++++------
drivers/bluetooth/hci_uart.h | 1 +
2 files changed, 15 insertions(+), 6 deletions(-)
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -102,7 +102,8 @@ static inline struct sk_buff *hci_uart_d
if (!skb) {
percpu_down_read(&hu->proto_lock);
- if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
+ if (test_bit(HCI_UART_PROTO_READY, &hu->flags) ||
+ test_bit(HCI_UART_PROTO_INIT, &hu->flags))
skb = hu->proto->dequeue(hu);
percpu_up_read(&hu->proto_lock);
@@ -124,7 +125,8 @@ int hci_uart_tx_wakeup(struct hci_uart *
if (!percpu_down_read_trylock(&hu->proto_lock))
return 0;
- if (!test_bit(HCI_UART_PROTO_READY, &hu->flags))
+ if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) &&
+ !test_bit(HCI_UART_PROTO_INIT, &hu->flags))
goto no_schedule;
set_bit(HCI_UART_TX_WAKEUP, &hu->tx_state);
@@ -278,7 +280,8 @@ static int hci_uart_send_frame(struct hc
percpu_down_read(&hu->proto_lock);
- if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) {
+ if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) &&
+ !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) {
percpu_up_read(&hu->proto_lock);
return -EUNATCH;
}
@@ -585,7 +588,8 @@ static void hci_uart_tty_wakeup(struct t
if (tty != hu->tty)
return;
- if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
+ if (test_bit(HCI_UART_PROTO_READY, &hu->flags) ||
+ test_bit(HCI_UART_PROTO_INIT, &hu->flags))
hci_uart_tx_wakeup(hu);
}
@@ -611,7 +615,8 @@ static void hci_uart_tty_receive(struct
percpu_down_read(&hu->proto_lock);
- if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) {
+ if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) &&
+ !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) {
percpu_up_read(&hu->proto_lock);
return;
}
@@ -707,13 +712,16 @@ static int hci_uart_set_proto(struct hci
hu->proto = p;
- set_bit(HCI_UART_PROTO_READY, &hu->flags);
+ set_bit(HCI_UART_PROTO_INIT, &hu->flags);
err = hci_uart_register_dev(hu);
if (err) {
return err;
}
+ set_bit(HCI_UART_PROTO_READY, &hu->flags);
+ clear_bit(HCI_UART_PROTO_INIT, &hu->flags);
+
return 0;
}
--- a/drivers/bluetooth/hci_uart.h
+++ b/drivers/bluetooth/hci_uart.h
@@ -90,6 +90,7 @@ struct hci_uart {
#define HCI_UART_REGISTERED 1
#define HCI_UART_PROTO_READY 2
#define HCI_UART_NO_SUSPEND_NOTIFIER 3
+#define HCI_UART_PROTO_INIT 4
/* TX states */
#define HCI_UART_SENDING 1
^ permalink raw reply [flat|nested] 469+ messages in thread
* Re: [PATCH 6.14 000/449] 6.14.3-rc1 review
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (448 preceding siblings ...)
2025-04-17 17:52 ` [PATCH 6.14 449/449] Bluetooth: hci_uart: Fix another race during initialization Greg Kroah-Hartman
@ 2025-04-17 18:53 ` Ronald Warsow
2025-04-17 19:53 ` Florian Fainelli
` (5 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Ronald Warsow @ 2025-04-17 18:53 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
conor, hargar, broonie
Hi Greg
no regressions here on x86_64 (RKL, Intel 11th Gen. CPU)
Thanks
Tested-by: Ronald Warsow <rwarsow@gmx.de>
^ permalink raw reply [flat|nested] 469+ messages in thread
* Re: [PATCH 6.14 000/449] 6.14.3-rc1 review
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (449 preceding siblings ...)
2025-04-17 18:53 ` [PATCH 6.14 000/449] 6.14.3-rc1 review Ronald Warsow
@ 2025-04-17 19:53 ` Florian Fainelli
2025-04-18 0:02 ` Peter Schneider
` (4 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Florian Fainelli @ 2025-04-17 19:53 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, srw, rwarsow,
conor, hargar, broonie
On 4/17/25 10:44, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.14.3 release.
> There are 449 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 19 Apr 2025 17:49:48 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.14.3-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.14.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 469+ messages in thread
* Re: [PATCH 6.14 000/449] 6.14.3-rc1 review
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (450 preceding siblings ...)
2025-04-17 19:53 ` Florian Fainelli
@ 2025-04-18 0:02 ` Peter Schneider
2025-04-18 6:30 ` Naresh Kamboju
` (3 subsequent siblings)
455 siblings, 0 replies; 469+ messages in thread
From: Peter Schneider @ 2025-04-18 0:02 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, hargar, broonie
Am 17.04.2025 um 19:44 schrieb Greg Kroah-Hartman:
> This is the start of the stable review cycle for the 6.14.3 release.
> There are 449 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg
oddities or regressions found.
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Beste Grüße,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
^ permalink raw reply [flat|nested] 469+ messages in thread
* Re: [PATCH 6.14 197/449] HID: pidff: Stop all effects before enabling actuators
[not found] ` <763f6566-9806-4e09-a633-b27fe1767f38@orange.fr>
@ 2025-04-18 4:47 ` Greg Kroah-Hartman
0 siblings, 0 replies; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-18 4:47 UTC (permalink / raw)
To: Jules Noirant
Cc: stable, patches, Tomasz Pakuła, Michał Kopeć,
Paul Dino Jones, Cristóferson Bueno, Pablo Cisneros,
Jiri Kosina, Sasha Levin
On Thu, Apr 17, 2025 at 08:47:05PM +0200, Jules Noirant wrote:
> Hi,
>
> Thanks for the review. Technically, that patch should at least be Co-authored by me since it's a slightly reworded rebase of a patch I submitted last year: https://lore.kernel.org/lkml/20240304195745.10195-1-jules.noirant@orange.fr/t/
This is just a copy of what went into Linus's tree, sorry.
greg k-h
^ permalink raw reply [flat|nested] 469+ messages in thread
* Re: [PATCH 6.14 000/449] 6.14.3-rc1 review
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (451 preceding siblings ...)
2025-04-18 0:02 ` Peter Schneider
@ 2025-04-18 6:30 ` Naresh Kamboju
2025-04-18 11:03 ` Greg Kroah-Hartman
2025-04-18 7:53 ` Naresh Kamboju
` (2 subsequent siblings)
455 siblings, 1 reply; 469+ messages in thread
From: Naresh Kamboju @ 2025-04-18 6:30 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie, PCI,
linux-s390, Tudor Ambarus, Bjorn Andersson, Manivannan Sadhasivam,
Krzysztof Kozlowski, Anders Roxell, Dan Carpenter, Arnd Bergmann,
Niklas Schnelle, Bjorn Helgaas
On Thu, 17 Apr 2025 at 23:23, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.14.3 release.
> There are 449 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 19 Apr 2025 17:49:48 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.14.3-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.14.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Regressions on arm64 and s390 allmodconfig and allyesconfig builds failed
on the stable rc 6.14.3-rc1 with gcc-13 and clang-20.
There are two different types of build errors on arm64 and s390.
These regressions on arm64 are also found on stable-rc 6.13 and 6.12.
First seen on the 6.14.3-rc1
Good: v6.14.2
Bad: v6.14.2-450-g0e7f2bba84c1
Regressions found on arm64 s390:
- build/gcc-13-allmodconfig
- build/gcc-13-allyesconfig
- build/clang-20-allmodconfig
- build/clang-20-allyesconfig
Regression Analysis:
- New regression? Yes
- Reproducibility? Yes
Build regression: arm64 s390 ufs-qcom.c implicit declaration
'devm_of_qcom_ice_get'
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
## Build log arm64
drivers/ufs/host/ufs-qcom.c: In function 'ufs_qcom_ice_init':
drivers/ufs/host/ufs-qcom.c:128:15: error: implicit declaration of
function 'devm_of_qcom_ice_get'; did you mean 'of_qcom_ice_get'?
[-Werror=implicit-function-declaration]
128 | ice = devm_of_qcom_ice_get(dev);
| ^~~~~~~~~~~~~~~~~~~~
| of_qcom_ice_get
drivers/ufs/host/ufs-qcom.c:128:13: error: assignment to 'struct
qcom_ice *' from 'int' makes pointer from integer without a cast
[-Werror=int-conversion]
128 | ice = devm_of_qcom_ice_get(dev);
| ^
cc1: all warnings being treated as errors
## Build log s390
arch/s390/pci/pci_fixup.c: In function 'zpci_ism_bar_no_mmap':
arch/s390/pci/pci_fixup.c:19:13: error: 'struct pci_dev' has no member
named 'non_mappable_bars'
19 | pdev->non_mappable_bars = 1;
| ^~
## Source
* Kernel version: 6.14.3-rc1
* Git tree: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* Git sha: 0e7f2bba84c1f492e15812fade27cc0a697f3cb6
* Git describe: v6.14.2-450-g0e7f2bba84c1
* Project details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.14.y/build/v6.14.2-450-g0e7f2bba84c1/
* Architectures: arm64, s390
* Toolchains: clang-20, gcc-13
* Kconfigs: allmodconfig, allyesconfig
## Build arm64
* Build log: https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.14.y/build/v6.14.2-450-g0e7f2bba84c1/testrun/28150920/suite/build/test/gcc-13-allmodconfig/log
* Build history:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.14.y/build/v6.14.2-450-g0e7f2bba84c1/testrun/28150920/suite/build/test/gcc-13-allmodconfig/history/
* Build details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.14.y/build/v6.14.2-450-g0e7f2bba84c1/testrun/28150920/suite/build/test/gcc-13-allmodconfig/
* Build link: https://storage.tuxsuite.com/public/linaro/lkft/builds/2vrqIAiN9QWCPEV6FWrOWIRos2j/
* Kernel config:
https://storage.tuxsuite.com/public/linaro/lkft/builds/2vrqIAiN9QWCPEV6FWrOWIRos2j/config
## Build s390
* Build log: https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.14.y/build/v6.14.2-450-g0e7f2bba84c1/testrun/28148516/suite/build/test/gcc-13-allmodconfig/log
* Build history:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.14.y/build/v6.14.2-450-g0e7f2bba84c1/testrun/28148516/suite/build/test/gcc-13-allmodconfig/history/
* Build details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.14.y/build/v6.14.2-450-g0e7f2bba84c1/testrun/28148516/suite/build/test/gcc-13-allmodconfig/
* Build link: https://storage.tuxsuite.com/public/linaro/lkft/builds/2vrqI5I7Rtlnhj4xhKXAwkGJ27o/
* Kernel config:
https://storage.tuxsuite.com/public/linaro/lkft/builds/2vrqI5I7Rtlnhj4xhKXAwkGJ27o/config
## Steps to reproduce on arm64
- tuxmake --runtime podman --target-arch arm64 --toolchain gcc-13
--kconfig allmodconfig
## Steps to reproduce on s390
- tuxmake --runtime podman --target-arch s390 --toolchain gcc-13
--kconfig allmodconfig
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 469+ messages in thread
* Re: [PATCH 6.14 000/449] 6.14.3-rc1 review
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (452 preceding siblings ...)
2025-04-18 6:30 ` Naresh Kamboju
@ 2025-04-18 7:53 ` Naresh Kamboju
2025-04-23 16:25 ` Dan Carpenter
2025-04-23 17:22 ` [PATCH] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() Dan Carpenter
2025-04-18 11:38 ` [PATCH 6.14 000/449] 6.14.3-rc1 review Pavel Machek
2025-04-18 14:30 ` Shuah Khan
455 siblings, 2 replies; 469+ messages in thread
From: Naresh Kamboju @ 2025-04-18 7:53 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie,
Arnd Bergmann, Liam Girdwood, Frieder Schrempf, Marek Vasut,
Dan Carpenter, Anders Roxell
On Thu, 17 Apr 2025 at 23:23, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.14.3 release.
> There are 449 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 19 Apr 2025 17:49:48 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.14.3-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.14.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Regressions on arm64 dragonboard 410c boot failed with lkftconfig on
the stable rc
6.14.3-rc1. While booting, the following kernel warnings were noticed
and boot failed.
First seen on the 6.14.3-rc1
Good: v6.14.2
Bad: v6.14.2-450-g0e7f2bba84c1
Regressions found on arm64 dragonboard 410c:
- Boot/clang-20-lkftconfig
Regression Analysis:
- New regression? Yes
- Reproducibility? Yes
Boot regression: arm64 dragonboard 410c WARNING regulator core.c regulator_put
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
## Boot log arm64 dragonboard 410c
[ 3.924339] remoteproc:smd-edge: failed to parse smd edge
[ 4.051490] msm_hsusb 78d9000.usb: Failed to create device link
(0x180) with supplier remoteproc for /soc@0/usb@78d9000/ulpi/phy
[ 4.055155] qcom-clk-smd-rpm
remoteproc:smd-edge:rpm-requests:clock-controller: Error registering
SMD clock driver (-1431655766)
[ 4.062274] qcom-clk-smd-rpm
remoteproc:smd-edge:rpm-requests:clock-controller: probe with driver
qcom-clk-smd-rpm failed with error -1431655766
[ 4.091319] sdhci_msm 7864900.mmc: Got CD GPIO
[ 4.101827] s3: Bringing 0uV into 1250000-1250000uV
[ 4.101935] s3: failed to enable: (____ptrval____)
[ 4.105657] ------------[ cut here ]------------
[ 4.110395] WARNING: CPU: 3 PID: 14 at
drivers/regulator/core.c:2450 regulator_put
(drivers/regulator/core.c:2473 drivers/regulator/core.c:2471)
[ 4.115181] Modules linked in:
[ 4.116774] input: gpio-keys as /devices/platform/gpio-keys/input/input0
[ 4.123575] CPU: 3 UID: 0 PID: 14 Comm: kworker/u16:1 Not tainted
6.14.3-rc1 #1
[ 4.123587] Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT)
[ 4.123593] Workqueue: async async_run_entry_fn
[ 4.123608] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 4.123619] pc : regulator_put (drivers/regulator/core.c:2473
drivers/regulator/core.c:2471)
[ 4.124148] sdhci_msm 7864900.mmc: Got CD GPIO
[ 4.128587] clk: Disabling unused clocks
[ 4.133299] lr : regulator_put (drivers/regulator/core.c:2444
drivers/regulator/core.c:2471)
[ 4.133312] sp : ffff80008300ba40
[ 4.133317] x29: ffff80008300ba40 x28: 0000000000000000 x27: ffff800081b850f8
[ 4.141083] PM: genpd: Disabling unused power domains
[ 4.147271]
[ 4.147274] x26: ffff800081b850b8 x25: 0000000000000001 x24: 00000000aaaaaaaa
[ 4.147288] x23: ffff000009d64480 x22: ffff000005b10000
[ 4.151676] qcom-rpmpd
remoteproc:smd-edge:rpm-requests:power-controller: failed to sync cx:
-1431655766
[ 4.158467] x21: ffff000005b10000
[ 4.158474] x20: ffff0000044e41c0 x19: ffff0000055f00c0 x18: 0000000000000002
[ 4.158488] x17: 0000000000000000
[ 4.162763] qcom-rpmpd
remoteproc:smd-edge:rpm-requests:power-controller: failed to sync
cx_ao: -1431655766
[ 4.166888] x16: 0000000000000001 x15: 0000000000000003
[ 4.166898] x14: ffff8000828ad200 x13: 0000000000000003 x12: 0000000000000003
[ 4.171011] qcom-rpmpd
remoteproc:smd-edge:rpm-requests:power-controller: failed to sync
cx_vfc: -1431655766
[ 4.174872]
[ 4.174876] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
[ 4.174889] x8 : 0000000000000001
[ 4.178116] qcom-rpmpd
remoteproc:smd-edge:rpm-requests:power-controller: failed to sync mx:
-1431655766
[ 4.185205] x7 : 0720072007200720 x6 : 0720072007200720
[ 4.185216] x5 : ffff000003201f00 x4 : 0000000000000000 x3 : 0000000000000000
[ 4.190259] qcom-rpmpd
remoteproc:smd-edge:rpm-requests:power-controller: failed to sync
mx_ao: -1431655766
[ 4.191806]
[ 4.191809] x2 : 0000000000000000
[ 4.198858] ALSA device list:
[ 4.203876] x1 : ffff800080201224 x0 : ffff0000055f00c0
[ 4.203888] Call trace:
[ 4.203893] regulator_put (drivers/regulator/core.c:2473
drivers/regulator/core.c:2471) (P)
[ 4.213658] No soundcards found.
[ 4.216808] regulator_register (drivers/regulator/core.c:5964)
[ 4.216819] devm_regulator_register (drivers/regulator/devres.c:477)
[ 4.329706] rpm_reg_probe
(drivers/regulator/qcom_smd-regulator.c:1425
drivers/regulator/qcom_smd-regulator.c:1462)
[ 4.329719] platform_probe (drivers/base/platform.c:1405)
[ 4.329730] really_probe (drivers/base/dd.c:581 drivers/base/dd.c:658)
[ 4.329743] __driver_probe_device (drivers/base/dd.c:0)
[ 4.329755] driver_probe_device (drivers/base/dd.c:830)
[ 4.329768] __device_attach_driver (drivers/base/dd.c:959)
[ 4.329780] bus_for_each_drv (drivers/base/bus.c:462)
[ 4.329791] __device_attach_async_helper
(arch/arm64/include/asm/jump_label.h:36 drivers/base/dd.c:988)
[ 4.329804] async_run_entry_fn
(arch/arm64/include/asm/jump_label.h:36 kernel/async.c:131)
[ 4.329814] process_scheduled_works (kernel/workqueue.c:3243
kernel/workqueue.c:3319)
[ 4.329827] worker_thread (include/linux/list.h:373
kernel/workqueue.c:946 kernel/workqueue.c:3401)
[ 4.375850] kthread (kernel/kthread.c:466)
[ 4.379397] ret_from_fork (arch/arm64/kernel/entry.S:863)
[�+HH��4.387392] s4: Bringing 0uV into 1850000-1850000uV
[ 4.387486] s4: failed to enable: (____ptrval____)
[ 4.391254] ------------[ cut here ]------------
[ 4.395957] WARNING: CPU: 2 PID: 14 at
drivers/regulator/core.c:2450 regulator_put
(drivers/regulator/core.c:2473 drivers/regulator/core.c:2471)
[ 4.400742] Modules linked in:
[ 4.409148] CPU: 2 UID: 0 PID: 14 Comm: kworker/u16:1 Tainted: G
W 6.14.3-rc1 #1
[ 4.412028] Tainted: [W]=WARN
[ 4.420949] Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT)
[ 4.421397] sdhci_msm 7864900.mmc: Got CD GPIO
[ 4.423810] Workqueue: async async_run_entry_fn
[ 4.434842] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 4.439274] pc : regulator_put (drivers/regulator/core.c:2473
drivers/regulator/core.c:2471)
[ 4.446210] lr : regulator_put (drivers/regulator/core.c:2444
drivers/regulator/core.c:2471)
[ 4.450376] sp : ffff80008300ba40
[ 4.454281] x29: ffff80008300ba40 x28: 0000000000000000 x27: ffff800081b85118
[ 4.457503] x26: ffff800081b850b8 x25: 0000000000000001 x24: 00000000aaaaaaaa
[ 4.464622] x23: ffff00000459ae80 x22: ffff000004510800 x21: ffff000004510800
[ 4.471739] x20: ffff0000038e3180 x19: ffff0000055f1000 x18: 0000000000000068
[ 4.478857] x17: 0000000000000000 x16: 0000000000000024 x15: 0000000000000301
[ 4.485976] x14: 0000000000000024 x13: 00000000150d0cc9 x12: fffffffffffffff0
[ 4.493093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
[ 4.500211] x8 : 0000000000000001 x7 : 0720072007200720 x6 : 0720072007200720
[ 4.507328] x5 : ffff000003201f00 x4 : 0000000000000000 x3 : 0000000000000010
[ 4.514446] x2 : ffff80008300b6d0 x1 : ffff800080201224 x0 : ffff0000055f1000
[ 4.521566] Call trace:
[ 4.528671] regulator_put (drivers/regulator/core.c:2473
drivers/regulator/core.c:2471) (P)
[ 4.530931] regulator_register (drivers/regulator/core.c:5964)
[ 4.535099] devm_regulator_register (drivers/regulator/devres.c:477)
[ 4.539006] rpm_reg_probe
(drivers/regulator/qcom_smd-regulator.c:1425
drivers/regulator/qcom_smd-regulator.c:1462)
[ 4.543518] platform_probe (drivers/base/platform.c:1405)
[ 4.547249] really_probe (drivers/base/dd.c:581 drivers/base/dd.c:658)
[ 4.550983] __driver_probe_device (drivers/base/dd.c:0)
[ 4.554630] driver_probe_device (drivers/base/dd.c:830)
[ 4.558970] __device_attach_driver (drivers/base/dd.c:959)
[ 4.562965] bus_for_each_drv (drivers/base/bus.c:462)
[ 4.567477] __device_attach_async_helper
(arch/arm64/include/asm/jump_label.h:36 drivers/base/dd.c:988)
[ 4.571646] async_run_entry_fn
(arch/arm64/include/asm/jump_label.h:36 kernel/async.c:131)
[ 4.576679] process_scheduled_works (kernel/workqueue.c:3243
kernel/workqueue.c:3319)
[ 4.580586] worker_thread (include/linux/list.h:373
kernel/workqueue.c:946 kernel/workqueue.c:3401)
[ 4.585358] kthread (kernel/kthread.c:466)
[ 4.588915] ret_from_fork (arch/arm64/kernel/entry.S:863)
[ 4.592304] ---[ end trace 0000000000000000 ]---
[ 4.597057] l2: Bringing 0uV into 1200000-1200000uV
[ 4.600531] qcom_rpm_smd_regulator
remoteproc:smd-edge:rpm-requests:regulators: l2:
devm_regulator_register() failed, ret=-517
[ 4.605612] Unable to handle kernel paging request at virtual
address ffffffffaaaaae6a
[ 4.616566] Mem abort info:
[ 4.624438] ESR = 0x0000000096000005
[ 4.627130] EC = 0x25: DABT (current EL), IL = 32 bits
[ 4.630953] SET = 0, FnV = 0
[ 4.636417] EA = 0, S1PTW = 0
[ 4.639281] FSC = 0x05: level 1 translation fault
[ 4.642325] Data abort info:
[ 4.647183] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 4.650313] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 4.655606] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 4.660730] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000824f1000
[ 4.666115] [ffffffffaaaaae6a] pgd=0000000000000000,
p4d=0000000082f1c403, pud=0000000000000000
[ 4.672816] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
[ 4.681201] Modules linked in:
[ 4.687443] CPU: 2 UID: 0 PID: 14 Comm: kworker/u16:1 Tainted: G
W 6.14.3-rc1 #1
[ 4.690584] Tainted: [W]=WARN
[ 4.699505] Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT)
[ 4.702381] Workqueue: async async_run_entry_fn
[ 4.709147] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 4.713405] pc : regulator_unregister (drivers/regulator/core.c:5991)
[ 4.720342] lr : devm_rdev_release (drivers/regulator/devres.c:453)
[ 4.725203] sp : ffff80008300bae0
[ 4.729454] x29: ffff80008300bb00 x28: ffff000003301340 x27: 00000000000001c8
[ 4.732683] x26: ffff000003231a00 x25: ffff00000459ae00 x24: ffff000003301340
[ 4.739794] x23: ffff80008286ed00 x22: ffff8000823fc4a1 x21: ffff0000033aac00
[ 4.746913] x20: ffff000005ac7410 x19: ffff80008300bba8 x18: 0000000000000002
[ 4.754030] x17: 6f74616c75676572 x16: 3a73747365757165 x15: 00000ff00003fd36
[ 4.761148] x14: 000000000000ffff x13: 0000000000000020 x12: 0000000000000003
[ 4.768267] x11: 0000000000000000 x10: 0000000000000000 x9 : ffff800080b59fe0
[ 4.775384] x8 : 06678d1f10cf8900 x7 : 3d4e5f454c424954 x6 : 000000004e514553
[ 4.782502] x5 : 0000000000000008 x4 : ffff800082276255 x3 : 0000000000000010
[ 4.789620] x2 : ffff80008300ba60 x1 : ffff0000033aac80 x0 : ffffffffaaaaaaaa
[ 4.796740] Call trace:
[ 4.803845] regulator_unregister (drivers/regulator/core.c:5991) (P)
[ 4.806108] devm_rdev_release (drivers/regulator/devres.c:453)
[ 4.810966] release_nodes (drivers/base/devres.c:506)
[ 4.814872] devres_release_all (drivers/base/devres.c:0)
[ 4.818432] really_probe (drivers/base/dd.c:551 drivers/base/dd.c:724)
[ 4.822423] __driver_probe_device (drivers/base/dd.c:0)
[ 4.826072] driver_probe_device (drivers/base/dd.c:830)
[ 4.830324] __device_attach_driver (drivers/base/dd.c:959)
[ 4.834317] bus_for_each_drv (drivers/base/bus.c:462)
[ 4.838831] __device_attach_async_helper
(arch/arm64/include/asm/jump_label.h:36 drivers/base/dd.c:988)
[ 4.843001] async_run_entry_fn
(arch/arm64/include/asm/jump_label.h:36 kernel/async.c:131)
[ 4.848032] process_scheduled_works (kernel/workqueue.c:3243
kernel/workqueue.c:3319)
[ 4.851941] worker_thread (include/linux/list.h:373
kernel/workqueue.c:946 kernel/workqueue.c:3401)
[ 4.856713] kthread (kernel/kthread.c:466)
[ 4.860270] ret_from_fork (arch/arm64/kernel/entry.S:863)
[ 4.863661] Code: d5384108 f9430d08 f81f83a8 b4000bc0 (f941e014)
All code
========
Code starting with the faulting instruction
===========================================
[ 4.867227] ---[ end trace 0000000000000000 ]---
[ 14.238655] sdhci_msm 7864900.mmc: Got CD GPIO
## Source
* Kernel version: 6.14.3-rc1
* Git tree: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* Git sha: 0e7f2bba84c1f492e15812fade27cc0a697f3cb6
* Git describe: v6.14.2-450-g0e7f2bba84c1
* Project details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.14.y/Boot/v6.14.2-450-g0e7f2bba84c1/
* Architectures: arm64 dragonboard 410c
* Toolchains: clang-20
* Kconfigs: lkftconfig
## Boot
* Boot log: https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.14.y/build/v6.14.2-450-g0e7f2bba84c1/testrun/28150326/suite/boot/test/clang-20-lkftconfig/log
* Boot history:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.14.y/build/v6.14.2-450-g0e7f2bba84c1/testrun/28150326/suite/boot/test/clang-20-lkftconfig/
* Boot details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.14.y/build/v6.14.2-450-g0e7f2bba84c1/testrun/28150326/suite/boot/test/clang-20-lkftconfig/details/
* Build link: https://storage.tuxsuite.com/public/linaro/lkft/builds/2vrqGz3vUNvc2w9PJfCD1r7ChKx/
* Kernel config:
https://storage.tuxsuite.com/public/linaro/lkft/builds/2vrqGz3vUNvc2w9PJfCD1r7ChKx/config
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 469+ messages in thread
* Re: [PATCH 6.14 000/449] 6.14.3-rc1 review
2025-04-18 6:30 ` Naresh Kamboju
@ 2025-04-18 11:03 ` Greg Kroah-Hartman
2025-04-22 10:07 ` Niklas Schnelle
0 siblings, 1 reply; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-04-18 11:03 UTC (permalink / raw)
To: Naresh Kamboju
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie, PCI,
linux-s390, Tudor Ambarus, Bjorn Andersson, Manivannan Sadhasivam,
Krzysztof Kozlowski, Anders Roxell, Dan Carpenter, Arnd Bergmann,
Niklas Schnelle, Bjorn Helgaas
On Fri, Apr 18, 2025 at 12:00:33PM +0530, Naresh Kamboju wrote:
> On Thu, 17 Apr 2025 at 23:23, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > This is the start of the stable review cycle for the 6.14.3 release.
> > There are 449 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Sat, 19 Apr 2025 17:49:48 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.14.3-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.14.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
>
> Regressions on arm64 and s390 allmodconfig and allyesconfig builds failed
> on the stable rc 6.14.3-rc1 with gcc-13 and clang-20.
>
> There are two different types of build errors on arm64 and s390.
> These regressions on arm64 are also found on stable-rc 6.13 and 6.12.
>
> First seen on the 6.14.3-rc1
> Good: v6.14.2
> Bad: v6.14.2-450-g0e7f2bba84c1
>
> Regressions found on arm64 s390:
> - build/gcc-13-allmodconfig
> - build/gcc-13-allyesconfig
> - build/clang-20-allmodconfig
> - build/clang-20-allyesconfig
>
> Regression Analysis:
> - New regression? Yes
> - Reproducibility? Yes
>
> Build regression: arm64 s390 ufs-qcom.c implicit declaration
> 'devm_of_qcom_ice_get'
>
> Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
>
> ## Build log arm64
> drivers/ufs/host/ufs-qcom.c: In function 'ufs_qcom_ice_init':
> drivers/ufs/host/ufs-qcom.c:128:15: error: implicit declaration of
> function 'devm_of_qcom_ice_get'; did you mean 'of_qcom_ice_get'?
> [-Werror=implicit-function-declaration]
> 128 | ice = devm_of_qcom_ice_get(dev);
> | ^~~~~~~~~~~~~~~~~~~~
> | of_qcom_ice_get
> drivers/ufs/host/ufs-qcom.c:128:13: error: assignment to 'struct
> qcom_ice *' from 'int' makes pointer from integer without a cast
> [-Werror=int-conversion]
> 128 | ice = devm_of_qcom_ice_get(dev);
> | ^
> cc1: all warnings being treated as errors
Offending commit now dropped from everywhere, I'll push out new -rcs
soon.
>
> ## Build log s390
> arch/s390/pci/pci_fixup.c: In function 'zpci_ism_bar_no_mmap':
> arch/s390/pci/pci_fixup.c:19:13: error: 'struct pci_dev' has no member
> named 'non_mappable_bars'
> 19 | pdev->non_mappable_bars = 1;
> | ^~
Will go drop the offending commit now too, thanks!
greg k-h
^ permalink raw reply [flat|nested] 469+ messages in thread
* Re: [PATCH 6.14 000/449] 6.14.3-rc1 review
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (453 preceding siblings ...)
2025-04-18 7:53 ` Naresh Kamboju
@ 2025-04-18 11:38 ` Pavel Machek
2025-04-18 14:30 ` Shuah Khan
455 siblings, 0 replies; 469+ messages in thread
From: Pavel Machek @ 2025-04-18 11:38 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, jonathanh, f.fainelli, sudipm.mukherjee,
srw, rwarsow, conor, hargar, broonie
[-- Attachment #1: Type: text/plain, Size: 868 bytes --]
Hi!
> This is the start of the stable review cycle for the 6.14.3 release.
> There are 449 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
CIP testing did not find any problems here:
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-6.14.y
6.12 and 6.13 pass our testing, too:
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-6.12.y
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-6.13.y
Tested-by: Pavel Machek (CIP) <pavel@denx.de>
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply [flat|nested] 469+ messages in thread
* Re: [PATCH 6.14 000/449] 6.14.3-rc1 review
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
` (454 preceding siblings ...)
2025-04-18 11:38 ` [PATCH 6.14 000/449] 6.14.3-rc1 review Pavel Machek
@ 2025-04-18 14:30 ` Shuah Khan
455 siblings, 0 replies; 469+ messages in thread
From: Shuah Khan @ 2025-04-18 14:30 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, hargar, broonie, Shuah Khan
On 4/17/25 11:44, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.14.3 release.
> There are 449 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 19 Apr 2025 17:49:48 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.14.3-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.14.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 469+ messages in thread
* Re: [PATCH 6.14 000/449] 6.14.3-rc1 review
2025-04-18 11:03 ` Greg Kroah-Hartman
@ 2025-04-22 10:07 ` Niklas Schnelle
0 siblings, 0 replies; 469+ messages in thread
From: Niklas Schnelle @ 2025-04-22 10:07 UTC (permalink / raw)
To: Greg Kroah-Hartman, Naresh Kamboju
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie, PCI,
linux-s390, Tudor Ambarus, Bjorn Andersson, Manivannan Sadhasivam,
Krzysztof Kozlowski, Anders Roxell, Dan Carpenter, Arnd Bergmann,
Bjorn Helgaas
On Fri, 2025-04-18 at 13:03 +0200, Greg Kroah-Hartman wrote:
> On Fri, Apr 18, 2025 at 12:00:33PM +0530, Naresh Kamboju wrote:
> > On Thu, 17 Apr 2025 at 23:23, Greg Kroah-Hartman
> > <gregkh@linuxfoundation.org> wrote:
> > >
> > > This is the start of the stable review cycle for the 6.14.3 release.
> > > There are 449 patches in this series, all will be posted as a response
> > > to this one. If anyone has any issues with these being applied, please
> > > let me know.
> > >
> > > Responses should be made by Sat, 19 Apr 2025 17:49:48 +0000.
> > > Anything received after that time might be too late.
> > >
> > > The whole patch series can be found in one patch at:
> > > https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.14.3-rc1.gz
> > > or in the git tree and branch at:
> > > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.14.y
> > > and the diffstat can be found below.
> > >
> > > thanks,
> > >
> > > greg k-h
> >
> > Regressions on arm64 and s390 allmodconfig and allyesconfig builds failed
> > on the stable rc 6.14.3-rc1 with gcc-13 and clang-20.
> >
> > There are two different types of build errors on arm64 and s390.
> > These regressions on arm64 are also found on stable-rc 6.13 and 6.12.
> >
> > First seen on the 6.14.3-rc1
> > Good: v6.14.2
> > Bad: v6.14.2-450-g0e7f2bba84c1
> >
> > Regressions found on arm64 s390:
> > - build/gcc-13-allmodconfig
> > - build/gcc-13-allyesconfig
> > - build/clang-20-allmodconfig
> > - build/clang-20-allyesconfig
> >
> > Regression Analysis:
> > - New regression? Yes
> > - Reproducibility? Yes
> >
> > Build regression: arm64 s390 ufs-qcom.c implicit declaration
> > 'devm_of_qcom_ice_get'
> >
> > Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
> >
> >
--- snip ---
>
> >
> > ## Build log s390
> > arch/s390/pci/pci_fixup.c: In function 'zpci_ism_bar_no_mmap':
> > arch/s390/pci/pci_fixup.c:19:13: error: 'struct pci_dev' has no member
> > named 'non_mappable_bars'
> > 19 | pdev->non_mappable_bars = 1;
> > | ^~
>
> Will go drop the offending commit now too, thanks!
>
> greg k-h
Hi Greg,
This looks like we're missing commit 888bd8322dfc ("s390/pci: Introduce
pdev->non_mappable_bars and replace VFIO_PCI_MMAP") which is a
prerequisite. I wonder if you might want that anyway to keep struct
pci_dev consistent when other backports might touch it. The original
commit aa9f168d55dc ("s390/pci: Support mmap() of PCI resources except
for ISM devices") isn't strictly a fix but it adds quirk support so
could be relevant for future backports. There is also a chance that we
may backport it for RHEL/SLES/Ubuntu in the medium term.
Thanks,
Niklas
^ permalink raw reply [flat|nested] 469+ messages in thread
* Re: [PATCH 6.14 000/449] 6.14.3-rc1 review
2025-04-18 7:53 ` Naresh Kamboju
@ 2025-04-23 16:25 ` Dan Carpenter
2025-04-23 17:22 ` [PATCH] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() Dan Carpenter
1 sibling, 0 replies; 469+ messages in thread
From: Dan Carpenter @ 2025-04-23 16:25 UTC (permalink / raw)
To: Naresh Kamboju, Bjorn Andersson
Cc: Greg Kroah-Hartman, stable, patches, linux-kernel, torvalds, akpm,
linux, shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie,
Arnd Bergmann, Liam Girdwood, Frieder Schrempf, Marek Vasut,
Anders Roxell
On Fri, Apr 18, 2025 at 01:23:27PM +0530, Naresh Kamboju wrote:
> On Thu, 17 Apr 2025 at 23:23, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > This is the start of the stable review cycle for the 6.14.3 release.
> > There are 449 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Sat, 19 Apr 2025 17:49:48 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.14.3-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.14.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
>
> Regressions on arm64 dragonboard 410c boot failed with lkftconfig on
> the stable rc
> 6.14.3-rc1. While booting, the following kernel warnings were noticed
> and boot failed.
>
> First seen on the 6.14.3-rc1
> Good: v6.14.2
> Bad: v6.14.2-450-g0e7f2bba84c1
>
> Regressions found on arm64 dragonboard 410c:
> - Boot/clang-20-lkftconfig
>
> Regression Analysis:
> - New regression? Yes
> - Reproducibility? Yes
>
> Boot regression: arm64 dragonboard 410c WARNING regulator core.c regulator_put
>
> Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
>
> ## Boot log arm64 dragonboard 410c
> [ 3.924339] remoteproc:smd-edge: failed to parse smd edge
> [ 4.051490] msm_hsusb 78d9000.usb: Failed to create device link
> (0x180) with supplier remoteproc for /soc@0/usb@78d9000/ulpi/phy
> [ 4.055155] qcom-clk-smd-rpm
> remoteproc:smd-edge:rpm-requests:clock-controller: Error registering
> SMD clock driver (-1431655766)
> [ 4.062274] qcom-clk-smd-rpm
> remoteproc:smd-edge:rpm-requests:clock-controller: probe with driver
> qcom-clk-smd-rpm failed with error -1431655766
^^^^^^^^^^^
This is 0xaaaaaaaa which is very suspicious.
We recently changed out test configs to use
CONFIG_INIT_STACK_ALL_PATTERN=y (my fault) and the documentation says
that 0xaaaaaaaa is the default uninitialized variable pattern for
Clang 64bit. So it's possible that this is not a regression but an
older bug which is only detected with that config change. Could
you try again with CONFIG_INIT_STACK_ALL_ZERO=y instead?
However, I don't see how this can be stack data.
This error code is from qcom_rpm_smd_write() and I'm pretty sure
it's from the ret = rpm->ack_status; assignment and it's supposed
to be zero.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 469+ messages in thread
* [PATCH] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()
2025-04-18 7:53 ` Naresh Kamboju
2025-04-23 16:25 ` Dan Carpenter
@ 2025-04-23 17:22 ` Dan Carpenter
2025-04-24 7:02 ` Abel Vesa
` (2 more replies)
1 sibling, 3 replies; 469+ messages in thread
From: Dan Carpenter @ 2025-04-23 17:22 UTC (permalink / raw)
To: Bjorn Andersson, Naresh Kamboju
Cc: Mathieu Poirier, linux-arm-msm, linux-remoteproc, linux-kernel,
kernel-janitors, Greg Kroah-Hartman, stable, patches, torvalds,
akpm, linux, shuah, patches, lkft-triage, pavel, jonathanh,
f.fainelli, sudipm.mukherjee, srw, rwarsow, conor, hargar,
broonie, Arnd Bergmann, Liam Girdwood, Frieder Schrempf,
Marek Vasut, Anders Roxell
The "ret" variable isn't initialized if we don't enter the loop. For
example, if "channel->state" is not SMD_CHANNEL_OPENED.
Fixes: 33e3820dda88 ("rpmsg: smd: Use spinlock in tx path")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
Naresh, could you test this patch and see if it fixes the boot
problems you saw?
drivers/rpmsg/qcom_smd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c
index 40d386809d6b..bb161def3175 100644
--- a/drivers/rpmsg/qcom_smd.c
+++ b/drivers/rpmsg/qcom_smd.c
@@ -746,7 +746,7 @@ static int __qcom_smd_send(struct qcom_smd_channel *channel, const void *data,
__le32 hdr[5] = { cpu_to_le32(len), };
int tlen = sizeof(hdr) + len;
unsigned long flags;
- int ret;
+ int ret = 0;
/* Word aligned channels only accept word size aligned data */
if (channel->info_word && len % 4)
--
2.47.2
^ permalink raw reply related [flat|nested] 469+ messages in thread
* Re: [PATCH] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()
2025-04-23 17:22 ` [PATCH] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() Dan Carpenter
@ 2025-04-24 7:02 ` Abel Vesa
2025-04-25 6:06 ` Naresh Kamboju
2025-05-08 6:40 ` Dan Carpenter
2 siblings, 0 replies; 469+ messages in thread
From: Abel Vesa @ 2025-04-24 7:02 UTC (permalink / raw)
To: Dan Carpenter
Cc: Bjorn Andersson, Naresh Kamboju, Mathieu Poirier, linux-arm-msm,
linux-remoteproc, linux-kernel, kernel-janitors,
Greg Kroah-Hartman, stable, patches, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie,
Arnd Bergmann, Liam Girdwood, Frieder Schrempf, Marek Vasut,
Anders Roxell
On 25-04-23 20:22:05, Dan Carpenter wrote:
> The "ret" variable isn't initialized if we don't enter the loop. For
> example, if "channel->state" is not SMD_CHANNEL_OPENED.
>
> Fixes: 33e3820dda88 ("rpmsg: smd: Use spinlock in tx path")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
^ permalink raw reply [flat|nested] 469+ messages in thread
* Re: [PATCH] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()
2025-04-23 17:22 ` [PATCH] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() Dan Carpenter
2025-04-24 7:02 ` Abel Vesa
@ 2025-04-25 6:06 ` Naresh Kamboju
2025-04-25 8:17 ` Dan Carpenter
2025-05-08 6:40 ` Dan Carpenter
2 siblings, 1 reply; 469+ messages in thread
From: Naresh Kamboju @ 2025-04-25 6:06 UTC (permalink / raw)
To: Dan Carpenter
Cc: Bjorn Andersson, Mathieu Poirier, linux-arm-msm, linux-remoteproc,
linux-kernel, kernel-janitors, Greg Kroah-Hartman, stable,
patches, torvalds, akpm, linux, shuah, patches, lkft-triage,
pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw, rwarsow,
conor, hargar, broonie, Arnd Bergmann, Liam Girdwood,
Frieder Schrempf, Marek Vasut, Anders Roxell
On Wed, 23 Apr 2025 at 22:52, Dan Carpenter <dan.carpenter@linaro.org> wrote:
>
> The "ret" variable isn't initialized if we don't enter the loop. For
> example, if "channel->state" is not SMD_CHANNEL_OPENED.
>
> Fixes: 33e3820dda88 ("rpmsg: smd: Use spinlock in tx path")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
> Naresh, could you test this patch and see if it fixes the boot
> problems you saw?
Dan, This patch fixes the reported problem.
Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Links:
- https://lkft.validation.linaro.org/scheduler/job/8244118#L2441
>
> drivers/rpmsg/qcom_smd.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c
> index 40d386809d6b..bb161def3175 100644
> --- a/drivers/rpmsg/qcom_smd.c
> +++ b/drivers/rpmsg/qcom_smd.c
> @@ -746,7 +746,7 @@ static int __qcom_smd_send(struct qcom_smd_channel *channel, const void *data,
> __le32 hdr[5] = { cpu_to_le32(len), };
> int tlen = sizeof(hdr) + len;
> unsigned long flags;
> - int ret;
> + int ret = 0;
>
> /* Word aligned channels only accept word size aligned data */
> if (channel->info_word && len % 4)
> --
> 2.47.2
>
^ permalink raw reply [flat|nested] 469+ messages in thread
* Re: [PATCH] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()
2025-04-25 6:06 ` Naresh Kamboju
@ 2025-04-25 8:17 ` Dan Carpenter
0 siblings, 0 replies; 469+ messages in thread
From: Dan Carpenter @ 2025-04-25 8:17 UTC (permalink / raw)
To: Naresh Kamboju
Cc: Bjorn Andersson, Mathieu Poirier, linux-arm-msm, linux-remoteproc,
linux-kernel, kernel-janitors, Greg Kroah-Hartman, stable,
patches, torvalds, akpm, linux, shuah, patches, lkft-triage,
pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw, rwarsow,
conor, hargar, broonie, Arnd Bergmann, Liam Girdwood,
Frieder Schrempf, Marek Vasut, Anders Roxell
On Fri, Apr 25, 2025 at 11:36:24AM +0530, Naresh Kamboju wrote:
> On Wed, 23 Apr 2025 at 22:52, Dan Carpenter <dan.carpenter@linaro.org> wrote:
> >
> > The "ret" variable isn't initialized if we don't enter the loop. For
> > example, if "channel->state" is not SMD_CHANNEL_OPENED.
> >
> > Fixes: 33e3820dda88 ("rpmsg: smd: Use spinlock in tx path")
> > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> > ---
> > Naresh, could you test this patch and see if it fixes the boot
> > problems you saw?
>
> Dan, This patch fixes the reported problem.
>
> Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
>
Thanks Naresh,
I left off your reported by tag as well.
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
regards,
dan carpenter
^ permalink raw reply [flat|nested] 469+ messages in thread
* Re: [PATCH] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()
2025-04-23 17:22 ` [PATCH] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() Dan Carpenter
2025-04-24 7:02 ` Abel Vesa
2025-04-25 6:06 ` Naresh Kamboju
@ 2025-05-08 6:40 ` Dan Carpenter
2025-05-08 6:46 ` Greg Kroah-Hartman
2 siblings, 1 reply; 469+ messages in thread
From: Dan Carpenter @ 2025-05-08 6:40 UTC (permalink / raw)
To: Bjorn Andersson, Naresh Kamboju
Cc: Mathieu Poirier, linux-arm-msm, linux-remoteproc, linux-kernel,
kernel-janitors, Greg Kroah-Hartman, stable, patches, torvalds,
akpm, linux, shuah, patches, lkft-triage, pavel, jonathanh,
f.fainelli, sudipm.mukherjee, srw, rwarsow, conor, hargar,
broonie, Arnd Bergmann, Liam Girdwood, Frieder Schrempf,
Marek Vasut, Anders Roxell
Hi Greg,
I'm sorry I forgot to add the:
Cc: stable@vger.kernel.org
to this patch. Could we backport it to stable, please?
regards,
dan carpenter
On Wed, Apr 23, 2025 at 08:22:05PM +0300, Dan Carpenter wrote:
> The "ret" variable isn't initialized if we don't enter the loop. For
> example, if "channel->state" is not SMD_CHANNEL_OPENED.
>
> Fixes: 33e3820dda88 ("rpmsg: smd: Use spinlock in tx path")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
> Naresh, could you test this patch and see if it fixes the boot
> problems you saw?
>
> drivers/rpmsg/qcom_smd.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c
> index 40d386809d6b..bb161def3175 100644
> --- a/drivers/rpmsg/qcom_smd.c
> +++ b/drivers/rpmsg/qcom_smd.c
> @@ -746,7 +746,7 @@ static int __qcom_smd_send(struct qcom_smd_channel *channel, const void *data,
> __le32 hdr[5] = { cpu_to_le32(len), };
> int tlen = sizeof(hdr) + len;
> unsigned long flags;
> - int ret;
> + int ret = 0;
>
> /* Word aligned channels only accept word size aligned data */
> if (channel->info_word && len % 4)
> --
> 2.47.2
^ permalink raw reply [flat|nested] 469+ messages in thread
* Re: [PATCH] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()
2025-05-08 6:40 ` Dan Carpenter
@ 2025-05-08 6:46 ` Greg Kroah-Hartman
2025-05-08 6:48 ` Dan Carpenter
0 siblings, 1 reply; 469+ messages in thread
From: Greg Kroah-Hartman @ 2025-05-08 6:46 UTC (permalink / raw)
To: Dan Carpenter
Cc: Bjorn Andersson, Naresh Kamboju, Mathieu Poirier, linux-arm-msm,
linux-remoteproc, linux-kernel, kernel-janitors, stable, patches,
torvalds, akpm, linux, shuah, patches, lkft-triage, pavel,
jonathanh, f.fainelli, sudipm.mukherjee, srw, rwarsow, conor,
hargar, broonie, Arnd Bergmann, Liam Girdwood, Frieder Schrempf,
Marek Vasut, Anders Roxell
On Thu, May 08, 2025 at 09:40:26AM +0300, Dan Carpenter wrote:
> Hi Greg,
>
> I'm sorry I forgot to add the:
>
> Cc: stable@vger.kernel.org
>
> to this patch. Could we backport it to stable, please?
What is the git id of it in Linus's tree?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 469+ messages in thread
* Re: [PATCH] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()
2025-05-08 6:46 ` Greg Kroah-Hartman
@ 2025-05-08 6:48 ` Dan Carpenter
2025-05-08 6:50 ` Dan Carpenter
0 siblings, 1 reply; 469+ messages in thread
From: Dan Carpenter @ 2025-05-08 6:48 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Bjorn Andersson, Naresh Kamboju, Mathieu Poirier, linux-arm-msm,
linux-remoteproc, linux-kernel, kernel-janitors, stable, patches,
torvalds, akpm, linux, shuah, patches, lkft-triage, pavel,
jonathanh, f.fainelli, sudipm.mukherjee, srw, rwarsow, conor,
hargar, broonie, Arnd Bergmann, Liam Girdwood, Frieder Schrempf,
Marek Vasut, Anders Roxell
On Thu, May 08, 2025 at 08:46:04AM +0200, Greg Kroah-Hartman wrote:
> On Thu, May 08, 2025 at 09:40:26AM +0300, Dan Carpenter wrote:
> > Hi Greg,
> >
> > I'm sorry I forgot to add the:
> >
> > Cc: stable@vger.kernel.org
> >
> > to this patch. Could we backport it to stable, please?
>
> What is the git id of it in Linus's tree?
>
77feb17c950e ("rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()")
regards,
dan carpenter
^ permalink raw reply [flat|nested] 469+ messages in thread
* Re: [PATCH] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()
2025-05-08 6:48 ` Dan Carpenter
@ 2025-05-08 6:50 ` Dan Carpenter
0 siblings, 0 replies; 469+ messages in thread
From: Dan Carpenter @ 2025-05-08 6:50 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Bjorn Andersson, Naresh Kamboju, Mathieu Poirier, linux-arm-msm,
linux-remoteproc, linux-kernel, kernel-janitors, stable, patches,
torvalds, akpm, linux, shuah, patches, lkft-triage, pavel,
jonathanh, f.fainelli, sudipm.mukherjee, srw, rwarsow, conor,
hargar, broonie, Arnd Bergmann, Liam Girdwood, Frieder Schrempf,
Marek Vasut, Anders Roxell
On Thu, May 08, 2025 at 09:48:34AM +0300, Dan Carpenter wrote:
> On Thu, May 08, 2025 at 08:46:04AM +0200, Greg Kroah-Hartman wrote:
> > On Thu, May 08, 2025 at 09:40:26AM +0300, Dan Carpenter wrote:
> > > Hi Greg,
> > >
> > > I'm sorry I forgot to add the:
> > >
> > > Cc: stable@vger.kernel.org
> > >
> > > to this patch. Could we backport it to stable, please?
> >
> > What is the git id of it in Linus's tree?
> >
>
> 77feb17c950e ("rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()")
>
Ugh. Nope. It hasn't hit Linus's tree yet.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 469+ messages in thread
end of thread, other threads:[~2025-05-08 6:50 UTC | newest]
Thread overview: 469+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-04-17 17:44 [PATCH 6.14 000/449] 6.14.3-rc1 review Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 001/449] ASoC: Intel: adl: add 2xrt1316 audio configuration Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 002/449] cgroup/cpuset: Fix incorrect isolated_cpus update in update_parent_effective_cpumask() Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 003/449] cgroup/cpuset: Fix error handling in remote_partition_disable() Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 004/449] cgroup/cpuset: Fix race between newly created partition and dying one Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 005/449] tracing: fprobe: Cleanup fprobe hash when module unloading Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 006/449] gpiolib: of: Fix the choice for Ingenic NAND quirk Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 007/449] selftests/futex: futex_waitv wouldblock test should fail Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 008/449] ublk: fix handling recovery & reissue in ublk_abort_queue() Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 009/449] drm/virtio: Fix flickering issue seen with imported dmabufs Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 010/449] drm/i915: Disable RPG during live selftest Greg Kroah-Hartman
2025-04-17 17:44 ` [PATCH 6.14 011/449] x86/acpi: Dont limit CPUs to 1 for Xen PV guests due to disabled ACPI Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 012/449] net: ethtool: fix ethtool_ringparam_get_cfg() returns a hds_thresh value always as 0 Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 013/449] drm/xe/hw_engine: define sysfs_ops on all directories Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 014/449] drm/xe: Restore EIO errno return when GuC PC start fails Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 015/449] ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 016/449] objtool: Fix INSN_CONTEXT_SWITCH handling in validate_unret() Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 017/449] tipc: fix memory leak in tipc_link_xmit Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 018/449] codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 019/449] net: tls: explicitly disallow disconnect Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 020/449] octeontx2-pf: qos: fix VF root node parent queue index Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 021/449] tc: Ensure we have enough buffer space when sending filter netlink notifications Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 022/449] net: ethtool: Dont call .cleanup_data when prepare_data fails Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 023/449] drm/tests: modeset: Fix drm_display_mode memory leak Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 024/449] drm/tests: helpers: Create kunit helper to destroy a drm_display_mode Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 025/449] drm/tests: cmdline: Fix drm_display_mode memory leak Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 026/449] drm/tests: modes: " Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 027/449] drm/tests: probe-helper: " Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 028/449] net: libwx: handle page_pool_dev_alloc_pages error Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 029/449] cifs: Fix support for WSL-style symlinks Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 030/449] ata: sata_sx4: Add error handling in pdc20621_i2c_read() Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 031/449] drm/i915/huc: Fix fence not released on early probe errors Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 032/449] s390/cpumf: Fix double free on error in cpumf_pmu_event_init() Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 033/449] nvmet-fcloop: swap list_add_tail arguments Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 034/449] net_sched: sch_sfq: use a temporary work area for validating configuration Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 035/449] net_sched: sch_sfq: move the limit validation Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 036/449] x86/cpu: Avoid running off the end of an AMD erratum table Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 037/449] smb: client: fix UAF in decryption with multichannel Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 038/449] net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend() Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 039/449] net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 040/449] ipv6: Align behavior across nexthops during path selection Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 041/449] net: ppp: Add bound checking for skb data on ppp_sync_txmung Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 042/449] nft_set_pipapo: fix incorrect avx2 match of 5th field octet Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 043/449] ethtool: cmis_cdb: Fix incorrect read / write length extension Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 044/449] iommu/exynos: Fix suspend/resume with IDENTITY domain Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 045/449] iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 046/449] net: libwx: Fix the wrong Rx descriptor field Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 047/449] perf/core: Simplify the perf_event_alloc() error path Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 048/449] perf: Fix hang while freeing sigtrap event Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 049/449] fs: consistently deref the files table with rcu_dereference_raw() Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 050/449] umount: Allow superblock owners to force umount Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 051/449] srcu: Force synchronization for srcu_get_delay() Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 052/449] pm: cpupower: bench: Prevent NULL dereference on malloc failure Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 053/449] irqchip/gic-v3: Add Rockchip 3568002 erratum workaround Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 054/449] x86/mm: Clear _PAGE_DIRTY for kernel mappings when we clear _PAGE_RW Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 055/449] x86/percpu: Disable named address spaces for UBSAN_BOOL with KASAN for GCC < 14.2 Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 056/449] x86/ia32: Leave NULL selector values 0~3 unchanged Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 057/449] x86/cpu: Dont clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 058/449] perf: arm_pmu: Dont disable counter in armpmu_add() Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 059/449] perf/dwc_pcie: fix some unreleased resources Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 060/449] perf/dwc_pcie: fix duplicate pci_dev devices Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 061/449] PM: hibernate: Avoid deadlock in hibernate_compressor_param_set() Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 062/449] Flush console log from kernel_power_off() Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 063/449] cpufreq/amd-pstate: Invalidate cppc_req_cached during suspend Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 064/449] arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 065/449] xen/mcelog: Add __nonstring annotations for unterminated strings Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 066/449] zstd: Increase DYNAMIC_BMI2 GCC version cutoff from 4.8 to 11.0 to work around compiler segfault Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 067/449] tracing: Disable branch profiling in noinstr code Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 068/449] platform/chrome: cros_ec_lpc: Match on Framework ACPI device Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 069/449] ASoC: SOF: topology: Use krealloc_array() to replace krealloc() Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 070/449] HID: pidff: Convert infinite length from Linux API to PID standard Greg Kroah-Hartman
2025-04-17 17:45 ` [PATCH 6.14 071/449] HID: pidff: Do not send effect envelope if its empty Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 072/449] HID: pidff: Add MISSING_DELAY quirk and its detection Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 073/449] HID: pidff: Add MISSING_PBO " Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 074/449] HID: pidff: Add PERMISSIVE_CONTROL quirk Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 075/449] HID: pidff: Add hid_pidff_init_with_quirks and export as GPL symbol Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 076/449] HID: pidff: Add FIX_WHEEL_DIRECTION quirk Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 077/449] HID: Add hid-universal-pidff driver and supported device ids Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 078/449] HID: pidff: Add PERIODIC_SINE_ONLY quirk Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 079/449] HID: pidff: Fix null pointer dereference in pidff_find_fields Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 080/449] ASoC: amd: ps: use macro for ACP6.3 pci revision id Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 081/449] ASoC: amd: amd_sdw: Add quirks for Dell SKUs Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 082/449] ALSA: hda: intel: Fix Optimus when GPU has no sound Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 083/449] ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 084/449] ASoC: fsl_audmix: register card device depends on dais property Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 085/449] media: uvcvideo: Add quirk for Actions UVC05 Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 086/449] HID: lenovo: Fix to ensure the data as __le32 instead of u32 Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 087/449] media: s5p-mfc: Corrected NV12M/NV21M plane-sizes Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 088/449] mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 089/449] ALSA: usb-audio: Fix CME quirk for UF series keyboards Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 090/449] ASoC: amd: Add DMI quirk for ACP6X mic support Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 091/449] ALSA: hda/realtek: fix micmute LEDs on HP Laptops with ALC3315 Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 092/449] ALSA: hda/realtek: fix micmute LEDs on HP Laptops with ALC3247 Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 093/449] ASoC: amd: yc: update quirk data for new Lenovo model Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 094/449] platform/x86: x86-android-tablets: Add select POWER_SUPPLY to Kconfig Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 095/449] wifi: ath9k: use unsigned long for activity check timestamp Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 096/449] wifi: ath11k: Fix DMA buffer allocation to resolve SWIOTLB issues Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 097/449] wifi: ath11k: fix memory leak in ath11k_xxx_remove() Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 098/449] wifi: ath12k: fix memory leak in ath12k_pci_remove() Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 099/449] wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 100/449] wifi: ath12k: Avoid memory leak while enabling statistics Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 101/449] ata: libata-core: Add external to the libata.force kernel parameter Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 102/449] scsi: mpi3mr: Avoid reply queue full condition Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 103/449] scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 104/449] net: page_pool: dont cast mp param to devmem Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 105/449] f2fs: dont retry IO for corrupted data scenario Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 106/449] wifi: mac80211: add strict mode disabling workarounds Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 107/449] wifi: mac80211: ensure sdata->work is canceled before initialized Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 108/449] scsi: target: spc: Fix RSOC parameter data header size Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 109/449] net: usb: asix_devices: add FiberGecko DeviceID Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 110/449] page_pool: avoid infinite loop to schedule delayed worker Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 111/449] can: flexcan: Add quirk to handle separate interrupt lines for mailboxes Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 112/449] can: flexcan: add NXP S32G2/S32G3 SoC support Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 113/449] jfs: Fix uninit-value access of imap allocated in the diMount() function Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 114/449] fs/jfs: cast inactags to s64 to prevent potential overflow Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 115/449] fs/jfs: Prevent integer overflow in AG size calculation Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 116/449] jfs: Prevent copying of nlink with value 0 from disk inode Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 117/449] jfs: add sanity check for agwidth in dbMount Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 118/449] wifi: rtw88: Add support for Mercusys MA30N and D-Link DWA-T185 rev. A1 Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 119/449] ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 120/449] net: sfp: add quirk for 2.5G OEM BX SFP Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 121/449] wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 122/449] f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 123/449] net: sfp: add quirk for FS SFP-10GM-T copper SFP+ module Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 124/449] ahci: add PCI ID for Marvell 88SE9215 SATA Controller Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 125/449] ext4: protect ext4_release_dquot against freezing Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 126/449] Revert "f2fs: rebuild nat_bits during umount" Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 127/449] wifi: mac80211: fix userspace_selectors corruption Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 128/449] ext4: ignore xattrs past end Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 129/449] cdc_ether|r8152: ThinkPad Hybrid USB-C/A Dock quirk Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 130/449] scsi: st: Fix array overflow in st_setup() Greg Kroah-Hartman
2025-04-17 17:46 ` [PATCH 6.14 131/449] ahci: Marvell 88SE9215 controllers prefer DMA for ATAPI Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 132/449] btrfs: harden block_group::bg_list against list_del() races Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 133/449] wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 134/449] net: vlan: dont propagate flags on open Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 135/449] tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 136/449] Bluetooth: btusb: Add new VID/PID for WCN785x Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 137/449] Bluetooth: btintel_pcie: Add device id of Whale Peak Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 138/449] Bluetooth: btusb: Add 13 USB device IDs for Qualcomm WCN785x Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 139/449] Bluetooth: hci_uart: fix race during initialization Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 140/449] Bluetooth: btusb: Add 2 HWIDs for MT7922 Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 141/449] Bluetooth: hci_qca: use the power sequencer for wcn6750 Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 142/449] Bluetooth: qca: simplify WCN399x NVM loading Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 143/449] Bluetooth: qca: add WCN3950 support Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 144/449] drm: allow encoder mode_set even when connectors change for crtc Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 145/449] drm/virtio: Set missing bo->attached flag Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 146/449] drm/rockchip: Dont change hdmi reference clock rate Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 147/449] drm/xe/bmg: Add new PCI IDs Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 148/449] drm/xe/ptl: Update the PTL pci id table Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 149/449] drm/xe/pf: Dont send BEGIN_ID if VF has no context/doorbells Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 150/449] drm/xe/vf: Dont try to trigger a full GT reset if VF Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 151/449] drm/amd/display: Update Cursor request mode to the beginning prefetch always Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 152/449] drm/amd/display: Guard Possible Null Pointer Dereference Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 153/449] drm/amd/display: add workaround flag to link to force FFE preset Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 154/449] drm/amdgpu: Unlocked unmap only clear page table leaves Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 155/449] drm: panel-orientation-quirks: Add support for AYANEO 2S Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 156/449] drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 157/449] drm: panel-orientation-quirks: Add quirk for AYA NEO Slide Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 158/449] drm: panel-orientation-quirks: Add new quirk for GPD Win 2 Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 159/449] drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel) Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 160/449] drm/debugfs: fix printk format for bridge index Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 161/449] drm/bridge: panel: forbid initializing a panel with unknown connector type Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 162/449] drm/amd/display: Update FIXED_VS Link Rate Toggle Workaround Usage Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 163/449] drm/amd/display: stop DML2 from removing pipes based on planes Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 164/449] drivers: base: devres: Allow to release group on device release Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 165/449] drm/amdkfd: clamp queue size to minimum Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 166/449] drm/amdkfd: Fix mode1 reset crash issue Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 167/449] drm/amdkfd: Fix pqm_destroy_queue race with GPU reset Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 168/449] drm/amdkfd: debugfs hang_hws skip GPU with MES Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 169/449] drm/xe/xelp: Move Wa_16011163337 from tunings to workarounds Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 170/449] drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 171/449] drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 172/449] drm/rockchip: stop passing non struct drm_device to drm_err() and friends Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 173/449] PCI: Add Rockchip Vendor ID Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 174/449] drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 175/449] drm/amd/display: Prevent VStartup Overflow Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 176/449] PCI: Enable Configuration RRS SV early Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 177/449] drm/amdgpu: Fix the race condition for draining retry fault Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 178/449] PCI: Check BAR index for validity Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 179/449] PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 180/449] drm/amdgpu: grab an additional reference on the gang fence v2 Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 181/449] s390/pci: Support mmap() of PCI resources except for ISM devices Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 182/449] fbdev: omapfb: Add plane value check Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 183/449] tracing: probe-events: Log error for exceeding the number of arguments Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 184/449] tracing: probe-events: Add comments about entry data storing code Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 185/449] ktest: Fix Test Failures Due to Missing LOG_FILE Directories Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 186/449] tpm, tpm_tis: Workaround failed command reception on Infineon devices Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 187/449] tpm: End any active auth session before shutdown Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 188/449] pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 189/449] pwm: rcar: Improve register calculation Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 190/449] pwm: fsl-ftm: Handle clk_get_rate() returning 0 Greg Kroah-Hartman
2025-04-17 17:47 ` [PATCH 6.14 191/449] pwm: stm32: Search an appropriate duty_cycle if period cannot be modified Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 192/449] erofs: set error to bio if file-backed IO fails Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 193/449] bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 194/449] ext4: dont treat fhandle lookup of ea_inode as FS corruption Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 195/449] s390/pci: Fix s390_mmio_read/write syscall page fault handling Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 196/449] HID: pidff: Clamp PERIODIC effect period to devices logical range Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 197/449] HID: pidff: Stop all effects before enabling actuators Greg Kroah-Hartman
[not found] ` <763f6566-9806-4e09-a633-b27fe1767f38@orange.fr>
2025-04-18 4:47 ` Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 198/449] HID: pidff: Completely rework and fix pidff_reset function Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 199/449] HID: pidff: Simplify pidff_upload_effect function Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 200/449] HID: pidff: Define values used in pidff_find_special_fields Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 201/449] HID: pidff: Rescale time values to match field units Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 202/449] HID: pidff: Factor out code for setting gain Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 203/449] HID: pidff: Move all hid-pidff definitions to a dedicated header Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 204/449] HID: pidff: Simplify pidff_rescale_signed Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 205/449] HID: pidff: Use macros instead of hardcoded min/max values for shorts Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 206/449] HID: pidff: Factor out pool report fetch and remove excess declaration Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 207/449] HID: pidff: Make sure to fetch pool before checking SIMULTANEOUS_MAX Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 208/449] HID: hid-universal-pidff: Add Asetek wheelbases support Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 209/449] HID: pidff: Comment and code style update Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 210/449] HID: pidff: Support device error response from PID_BLOCK_LOAD Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 211/449] HID: pidff: Remove redundant call to pidff_find_special_keys Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 212/449] HID: pidff: Rename two functions to align them with naming convention Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 213/449] HID: pidff: Clamp effect playback LOOP_COUNT value Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 214/449] HID: pidff: Compute INFINITE value instead of using hardcoded 0xffff Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 215/449] HID: pidff: Fix 90 degrees direction name North -> East Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 216/449] HID: pidff: Fix set_device_control() Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 217/449] auxdisplay: hd44780: Fix an API misuse in hd44780.c Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 218/449] dt-bindings: media: st,stmipid02: correct lane-polarities maxItems Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 219/449] media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 220/449] media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 221/449] media: uapi: rkisp1-config: Fix typo in extensible params example Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 222/449] media: mgb4: Fix CMT registers update logic Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 223/449] media: i2c: adv748x: Fix test pattern selection mask Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 224/449] media: mgb4: Fix switched CMT frequency range "magic values" sets Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 225/449] media: intel/ipu6: set the dev_parent of video device to pdev Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 226/449] media: venus: hfi: add a check to handle OOB in sfr region Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 227/449] media: venus: hfi: add check to handle incorrect queue size Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 228/449] media: vim2m: print device name after registering device Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 229/449] media: siano: Fix error handling in smsdvb_module_init() Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 230/449] media: rockchip: rga: fix rga offset lookup Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 231/449] xenfs/xensyms: respect hypervisors "next" indication Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 232/449] KVM: arm64: PMU: Set raw values from user to PM{C,I}NTEN{SET,CLR}, PMOVS{SET,CLR} Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 233/449] arm64: cputype: Add MIDR_CORTEX_A76AE Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 234/449] arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 235/449] arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 236/449] arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 237/449] KVM: arm64: Tear down vGIC on failed vCPU creation Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 238/449] KVM: arm64: Set HCR_EL2.TID1 unconditionally Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 239/449] spi: cadence-qspi: Fix probe on AM62A LP SK Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 240/449] mtd: rawnand: brcmnand: fix PM resume warning Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 241/449] tpm, tpm_tis: Fix timeout handling when waiting for TPM status Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 242/449] accel/ivpu: Fix PM related deadlocks in MS IOCTLs Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 243/449] media: ov08x40: Properly turn sensor on/off when runtime-suspended Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 244/449] media: streamzap: prevent processing IR data on URB failure Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 245/449] media: hi556: Fix memory leak (on error) in hi556_check_hwcfg() Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 246/449] media: visl: Fix ERANGE error when setting enum controls Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 247/449] media: platform: stm32: Add check for clk_enable() Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 248/449] media: xilinx-tpg: fix double put in xtpg_parse_of() Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 249/449] media: imx219: Adjust PLL settings based on the number of MIPI lanes Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 250/449] media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() Greg Kroah-Hartman
2025-04-17 17:48 ` [PATCH 6.14 251/449] Revert "media: imx214: Fix the error handling in imx214_probe()" Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 252/449] media: i2c: ccs: Set the devices runtime PM status correctly in remove Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 253/449] media: i2c: ccs: Set the devices runtime PM status correctly in probe Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 254/449] media: i2c: ov7251: Set enable GPIO low " Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 255/449] media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 256/449] media: nuvoton: Fix reference handling of ece_node Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 257/449] media: nuvoton: Fix reference handling of ece_pdev Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 258/449] media: venus: hfi_parser: add check to avoid out of bound access Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 259/449] media: venus: hfi_parser: refactor hfi packet parsing logic Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 260/449] media: i2c: imx319: Rectify runtime PM handling probe and remove Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 261/449] media: i2c: imx219: Rectify runtime PM handling in " Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 262/449] media: i2c: imx214: Rectify probe error handling related to runtime PM Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 263/449] media: chips-media: wave5: Fix gray color on screen Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 264/449] media: chips-media: wave5: Avoid race condition in the interrupt handler Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 265/449] media: chips-media: wave5: Fix a hang after seeking Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 266/449] media: chips-media: wave5: Fix timeout while testing 10bit hevc fluster Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 267/449] irqchip/renesas-rzv2h: Fix wrong variable usage in rzv2h_tint_set_type() Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 268/449] gve: unlink old napi only if page pool exists Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 269/449] mptcp: sockopt: fix getting IPV6_V6ONLY Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 270/449] mptcp: sockopt: fix getting freebind & transparent Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 271/449] block: make sure ->nr_integrity_segments is cloned in blk_rq_prep_clone Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 272/449] mtd: Add check for devm_kcalloc() Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 273/449] net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 274/449] net: dsa: mv88e6xxx: fix internal PHYs " Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 275/449] mtd: Replace kcalloc() with devm_kcalloc() Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 276/449] clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 277/449] Revert "wifi: mt76: mt7925: Update mt7925_mcu_uni_[tx,rx]_ba for MLO" Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 278/449] wifi: mt76: Add check for devm_kstrdup() Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 279/449] wifi: mt76: mt792x: re-register CHANCTX_STA_CSA only for the mt7921 series Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 280/449] wifi: mac80211: fix integer overflow in hwmp_route_info_get() Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 281/449] wifi: mt76: mt7925: ensure wow pattern command align fw format Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 282/449] wifi: mt76: mt7925: fix country count limitation for CLC Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 283/449] wifi: mt76: mt7925: fix the wrong link_idx when a p2p_device is present Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 284/449] wifi: mt76: mt7925: fix the wrong simultaneous cap for MLO Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 285/449] wifi: mt76: mt7925: adjust rm BSS flow to prevent next connection failure Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 286/449] wifi: mt76: mt7925: integrate *mlo_sta_cmd and *sta_cmd Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 287/449] wifi: mt76: mt7925: update the power-saving flow Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 288/449] scsi: lpfc: Restore clearing of NLP_UNREG_INP in ndlp->nlp_flag Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 289/449] net: stmmac: Fix accessing freed irq affinity_hint Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 290/449] io_uring/net: fix accept multishot handling Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 291/449] io_uring/net: fix io_req_post_cqe abuse by send bundle Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 292/449] io_uring/kbuf: reject zero sized provided buffers Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 293/449] ASoC: codecs: wcd937x: fix a potential memory leak in wcd937x_soc_codec_probe() Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 294/449] ASoC: q6apm: add q6apm_get_hw_pointer helper Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 295/449] ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 296/449] ASoC: q6apm-dai: make use of q6apm_get_hw_pointer Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 297/449] ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 298/449] ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 299/449] ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 300/449] ALSA: hda/realtek: Enable Mute LED on HP OMEN 16 Laptop xd000xx Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 301/449] accel/ivpu: Fix warning in ivpu_ipc_send_receive_internal() Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 302/449] accel/ivpu: Fix deadlock in ivpu_ms_cleanup() Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 303/449] arm/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch() Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 304/449] arm64/crc-t10dif: " Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 305/449] bus: mhi: host: Fix race between unprepare and queue_buf Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 306/449] ext4: fix off-by-one error in do_split Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 307/449] f2fs: fix the missing write pointer correction Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 308/449] f2fs: fix to avoid atomicity corruption of atomic file Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 309/449] vdpa/mlx5: Fix oversized null mkey longer than 32bit Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 310/449] udf: Fix inode_getblk() return value Greg Kroah-Hartman
2025-04-17 17:49 ` [PATCH 6.14 311/449] tpm: do not start chip while suspended Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 312/449] svcrdma: do not unregister device for listeners Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 313/449] soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 314/449] smb311 client: fix missing tcon check when mounting with linux/posix extensions Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 315/449] ima: limit the number of open-writers integrity violations Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 316/449] ima: limit the number of ToMToU " Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 317/449] igc: Fix XSK queue NAPI ID mapping Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 318/449] i3c: master: svc: Use readsb helper for reading MDB Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 319/449] i3c: Add NULL pointer check in i3c_master_queue_ibi() Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 320/449] jbd2: remove wrong sb->s_sequence check Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 321/449] kbuild: exclude .rodata.(cst|str)* when building ranges Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 322/449] kbuild: Add -fno-builtin-wcslen Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 323/449] leds: rgb: leds-qcom-lpg: Fix pwm resolution max for Hi-Res PWMs Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 324/449] leds: rgb: leds-qcom-lpg: Fix calculation of best period " Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 325/449] mfd: ene-kb3930: Fix a potential NULL pointer dereference Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 326/449] mailbox: tegra-hsp: Define dimensioning masks in SoC data Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 327/449] locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class() Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 328/449] lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 329/449] mptcp: fix NULL pointer in can_accept_new_subflow Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 330/449] mptcp: only inc MPJoinAckHMacFailure for HMAC failures Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 331/449] mtd: inftlcore: Add error check for inftl_read_oob() Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 332/449] mtd: rawnand: Add status chack in r852_ready() Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 333/449] mtd: spinand: Fix build with gcc < 7.5 Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 334/449] arm64: mops: Do not dereference src reg for a set operation Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 335/449] arm64: tegra: Remove the Orin NX/Nano suspend key Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 336/449] arm64: mm: Correct the update of max_pfn Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 337/449] arm64: dts: ti: k3-j784s4-j742s2-main-common: Correct the GICD size Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 338/449] arm64: dts: ti: k3-j784s4-j742s2-main-common: Fix serdes_ln_ctrl reg-masks Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 339/449] arm64: dts: mediatek: mt8188: Assign apll1 clock as parent to avoid hang Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 340/449] arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 341/449] arm64: dts: exynos: gs101: disable pinctrl_gsacore node Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 342/449] backlight: led_bl: Hold led_access lock when calling led_sysfs_disable() Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 343/449] btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 344/449] btrfs: tests: fix chunk map leak after failure to add it to the tree Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 345/449] btrfs: zoned: fix zone activation with missing devices Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 346/449] btrfs: zoned: fix zone finishing " Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 347/449] iommufd: Fix uninitialized rc in iommufd_access_rw() Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 348/449] iommu/tegra241-cmdqv: Fix warnings due to dmam_free_coherent() Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 349/449] iommu/vt-d: Put IRTE back into posted MSI mode if vCPU posting is disabled Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 350/449] iommu/vt-d: Dont clobber posted vCPU IRTE when host IRQ affinity changes Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 351/449] iommu/vt-d: Fix possible circular locking dependency Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 352/449] iommu/vt-d: Wire up irq_ack() to irq_move_irq() for posted MSIs Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 353/449] sparc/mm: disable preemption in lazy mmu mode Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 354/449] sparc/mm: avoid calling arch_enter/leave_lazy_mmu() in set_ptes Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 355/449] net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 356/449] mm/damon/ops: have damon_get_folio return folio even for tail pages Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 357/449] mm/damon: avoid applying DAMOS action to same entity multiple times Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 358/449] mm/rmap: reject hugetlb folios in folio_make_device_exclusive() Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 359/449] mm: make page_mapped_in_vma() hugetlb walk aware Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 360/449] mm: fix lazy mmu docs and usage Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 361/449] mm/mremap: correctly handle partial mremap() of VMA starting at 0 Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 362/449] mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 363/449] mm/userfaultfd: fix release hang over concurrent GUP Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 364/449] mm/hwpoison: do not send SIGBUS to processes with recovered clean pages Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 365/449] mm/hugetlb: move hugetlb_sysctl_init() to the __init section Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 366/449] mm/hwpoison: introduce folio_contain_hwpoisoned_page() helper Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 367/449] sctp: detect and prevent references to a freed transport in sendmsg Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 368/449] x86/xen: fix balloon target initialization for PVH dom0 Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 369/449] uprobes: Avoid false-positive lockdep splat on CONFIG_PREEMPT_RT=y in the ri_timer() uprobe timer callback, use raw_write_seqcount_*() Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 370/449] tracing: fprobe: Fix to lock module while registering fprobe Greg Kroah-Hartman
2025-04-17 17:50 ` [PATCH 6.14 371/449] tracing: fprobe events: Fix possible UAF on modules Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 372/449] tracing: Do not add length to print format in synthetic events Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 373/449] thermal/drivers/rockchip: Add missing rk3328 mapping entry Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 374/449] CIFS: Propagate min offload along with other parameters from primary to secondary channels Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 375/449] cifs: avoid NULL pointer dereference in dbg call Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 376/449] cifs: fix integer overflow in match_server() Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 377/449] cifs: Ensure that all non-client-specific reparse points are processed by the server Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 378/449] clk: renesas: r9a07g043: Fix HP clock source for RZ/Five Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 379/449] clk: qcom: clk-branch: Fix invert halt status bit check for votable clocks Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 380/449] clk: qcom: gdsc: Release pm subdomains in reverse add order Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 381/449] clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 382/449] clk: qcom: gdsc: Set retain_ff before moving to HW CTRL Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 383/449] crypto: ccp - Fix check for the primary ASP device Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 384/449] crypto: ccp - Fix uAPI definitions of PSP errors Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 385/449] dlm: fix error if inactive rsb is not hashed Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 386/449] dlm: fix error if active " Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 387/449] dm-ebs: fix prefetch-vs-suspend race Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 388/449] dm-integrity: set ti->error on memory allocation failure Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 389/449] dm-integrity: fix non-constant-time tag verification Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 390/449] dm-verity: fix prefetch-vs-suspend race Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 391/449] dt-bindings: coresight: qcom,coresight-tpda: Fix too many reg Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 392/449] dt-bindings: coresight: qcom,coresight-tpdm: " Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 393/449] firmware: cs_dsp: test_control_parse: null-terminate test strings Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 394/449] ftrace: Add cond_resched() to ftrace_graph_set_hash() Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 395/449] ftrace: Properly merge notrace hashes Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 396/449] fuse: {io-uring} Fix a possible req cancellation race Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 397/449] gpio: mpc8xxx: Fix wakeup source leaks on device unbind Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 398/449] gpio: tegra186: fix resource handling in ACPI probe path Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 399/449] gpio: zynq: Fix wakeup source leaks on device unbind Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 400/449] gve: handle overflow when reporting TX consumed descriptors Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 401/449] KVM: Allow building irqbypass.ko as as module when kvm.ko is a module Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 402/449] KVM: PPC: Enable CAP_SPAPR_TCE_VFIO on pSeries KVM guests Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 403/449] KVM: x86: Explicitly zero-initialize on-stack CPUID unions Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 404/449] KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 405/449] scsi: ufs: qcom: fix dev reference leaked through of_qcom_ice_get Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 406/449] landlock: Move code to ease future backports Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 407/449] landlock: Add the errata interface Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 408/449] landlock: Add erratum for TCP fix Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 409/449] landlock: Always allow signals between threads of the same process Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 410/449] landlock: Prepare to add second errata Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 411/449] selftests/landlock: Split signal_scoping_threads tests Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 412/449] selftests/landlock: Add a new test for setuid() Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 413/449] misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 414/449] misc: pci_endpoint_test: Fix displaying irq_type " Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 415/449] misc: pci_endpoint_test: Fix irq_type to convey the correct type Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 416/449] net: mana: Switch to page pool for jumbo frames Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 417/449] ntb: use 64-bit arithmetic for the MSI doorbell mask Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 418/449] of/irq: Fix device node refcount leakage in API of_irq_parse_one() Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 419/449] of/irq: Fix device node refcount leakage in API of_irq_parse_raw() Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 420/449] of/irq: Fix device node refcount leakages in of_irq_count() Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 421/449] of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 422/449] of/irq: Fix device node refcount leakages in of_irq_init() Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 423/449] PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe() Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 424/449] PCI: j721e: Fix the value of .linkdown_irq_regfield for J784S4 Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 425/449] PCI: layerscape: Fix arg_count to syscon_regmap_lookup_by_phandle_args() Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 426/449] PCI: pciehp: Avoid unnecessary device replacement check Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 427/449] PCI: Fix reference leak in pci_alloc_child_bus() Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 428/449] PCI: Fix reference leak in pci_register_host_bridge() Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 429/449] PCI: Fix wrong length of devres array Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 430/449] phy: freescale: imx8m-pcie: assert phy reset and perst in power off Greg Kroah-Hartman
2025-04-17 17:51 ` [PATCH 6.14 431/449] pinctrl: qcom: Clear latched interrupt status when changing IRQ type Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 432/449] pinctrl: samsung: add support for eint_fltcon_offset Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 433/449] ring-buffer: Use flush_kernel_vmap_range() over flush_dcache_folio() Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 434/449] s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 435/449] s390/virtio_ccw: Dont allocate/assign airqs for non-existing queues Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 436/449] s390: Fix linker error when -no-pie option is unavailable Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 437/449] sched_ext: create_dsq: Return -EEXIST on duplicate request Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 438/449] selftests: mptcp: close fd_in before returning in main_loop Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 439/449] selftests: mptcp: fix incorrect fd checks " Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 440/449] spi: fsl-qspi: use devm function instead of driver remove Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 441/449] spi: fsl-qspi: Fix double cleanup in probe error path Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 442/449] thermal/drivers/mediatek/lvts: Disable monitor mode during suspend Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 443/449] thermal/drivers/mediatek/lvts: Disable Stage 3 thermal threshold Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 444/449] wifi: ath11k: update channel list in worker when wait flag is set Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 445/449] arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 446/449] iommufd: Make attach_handle generic than fault specific Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 447/449] iommufd: Fail replace if device has not been attached Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 448/449] x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions() Greg Kroah-Hartman
2025-04-17 17:52 ` [PATCH 6.14 449/449] Bluetooth: hci_uart: Fix another race during initialization Greg Kroah-Hartman
2025-04-17 18:53 ` [PATCH 6.14 000/449] 6.14.3-rc1 review Ronald Warsow
2025-04-17 19:53 ` Florian Fainelli
2025-04-18 0:02 ` Peter Schneider
2025-04-18 6:30 ` Naresh Kamboju
2025-04-18 11:03 ` Greg Kroah-Hartman
2025-04-22 10:07 ` Niklas Schnelle
2025-04-18 7:53 ` Naresh Kamboju
2025-04-23 16:25 ` Dan Carpenter
2025-04-23 17:22 ` [PATCH] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() Dan Carpenter
2025-04-24 7:02 ` Abel Vesa
2025-04-25 6:06 ` Naresh Kamboju
2025-04-25 8:17 ` Dan Carpenter
2025-05-08 6:40 ` Dan Carpenter
2025-05-08 6:46 ` Greg Kroah-Hartman
2025-05-08 6:48 ` Dan Carpenter
2025-05-08 6:50 ` Dan Carpenter
2025-04-18 11:38 ` [PATCH 6.14 000/449] 6.14.3-rc1 review Pavel Machek
2025-04-18 14:30 ` Shuah Khan
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).