* [PATCH 6.6 000/356] 6.6.94-rc1 review
@ 2025-06-17 15:21 Greg Kroah-Hartman
2025-06-17 15:21 ` [PATCH 6.6 001/356] tracing: Fix compilation warning on arm32 Greg Kroah-Hartman
` (364 more replies)
0 siblings, 365 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie
This is the start of the stable review cycle for the 6.6.94 release.
There are 356 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu, 19 Jun 2025 15:22:33 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.94-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.6.94-rc1
I Hsin Cheng <richard120310@gmail.com>
drm/meson: Use 1000ULL when operating with mode->clock
Oliver Neukum <oneukum@suse.com>
net: usb: aqc111: debug info before sanitation
Nícolas F. R. A. Prado <nfraprado@collabora.com>
regulator: dt-bindings: mt6357: Drop fixed compatible requirement
Eric Dumazet <edumazet@google.com>
calipso: unlock rcu before returning -EAFNOSUPPORT
Thomas Gleixner <tglx@linutronix.de>
x86/iopl: Cure TIF_IO_BITMAP inconsistencies
Stefano Stabellini <stefano.stabellini@amd.com>
xen/arm: call uaccess_ttbr0_enable for dm_op hypercall
Amit Sunil Dhamne <amitsd@google.com>
usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx()
Mathias Nyman <mathias.nyman@linux.intel.com>
usb: Flush altsetting 0 endpoints before reinitializating them after reset.
Pawel Laszczak <pawell@cadence.com>
usb: cdnsp: Fix issue with detecting USB 3.2 speed
Pawel Laszczak <pawell@cadence.com>
usb: cdnsp: Fix issue with detecting command completion event
Wupeng Ma <mawupeng1@huawei.com>
VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify
Dave Penkler <dpenkler@gmail.com>
usb: usbtmc: Fix read_stb function and get_stb ioctl
Nathan Chancellor <nathan@kernel.org>
kbuild: Disable -Wdefault-const-init-unsafe
Oleg Nesterov <oleg@redhat.com>
posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Revert "io_uring: ensure deferred completions are posted for multishot"
Jens Axboe <axboe@kernel.dk>
io_uring/rw: fix wrong NOWAIT check in io_rw_init_file()
Jens Axboe <axboe@kernel.dk>
io_uring/rw: allow pollable non-blocking attempts for !FMODE_NOWAIT
Jens Axboe <axboe@kernel.dk>
io_uring: add io_file_can_poll() helper
Terry Junge <linuxhid@cosmicgizmosystems.com>
HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()
David Heimann <d@dmeh.net>
ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1
Suleiman Souhlal <suleiman@google.com>
tools/resolve_btfids: Fix build when cross compiling kernel with clang.
Matthew Wilcox (Oracle) <willy@infradead.org>
block: Fix bvec_set_folio() for very large folios
Matthew Wilcox (Oracle) <willy@infradead.org>
bio: Fix bio_first_folio() for SPARSEMEM without VMEMMAP
Peter Zijlstra <peterz@infradead.org>
perf: Ensure bpf_perf_link path is properly serialized
Daniel Wagner <wagi@kernel.org>
nvmet-fcloop: access fcpreq only when holding reqlock
Zijun Hu <quic_zijuhu@quicinc.com>
fs/filesystems: Fix potential unsigned integer underflow in fs_name()
Eric Dumazet <edumazet@google.com>
net_sched: ets: fix a race in ets_qdisc_change()
Eric Dumazet <edumazet@google.com>
net_sched: tbf: fix a race in tbf_change()
Eric Dumazet <edumazet@google.com>
net_sched: red: fix a race in __red_change()
Eric Dumazet <edumazet@google.com>
net_sched: prio: fix a race in prio_tune()
Jianbo Liu <jianbol@nvidia.com>
net/mlx5e: Fix leak of Geneve TLV option object
Patrisious Haddad <phaddad@nvidia.com>
net/mlx5: Fix return value when searching for existing flow group
Amir Tzin <amirtz@nvidia.com>
net/mlx5: Fix ECVF vports unload on shutdown flow
Moshe Shemesh <moshe@nvidia.com>
net/mlx5: Ensure fw pages are always allocated on same NUMA
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: MGMT: Fix sparse errors
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: Fix NULL pointer deference on eir_get_service_data
Jakub Raczynski <j.raczynski@samsung.com>
net/mdiobus: Fix potential out-of-bounds clause 45 read/write access
Jakub Raczynski <j.raczynski@samsung.com>
net/mdiobus: Fix potential out-of-bounds read/write access
Carlos Fernandez <carlos.fernandez@technica-engineering.de>
macsec: MACsec SCI assignment for ES = 0
Michal Luczaj <mhal@rbox.co>
net: Fix TOCTOU issue in sk_is_readable()
Yunhui Cui <cuiyunhui@bytedance.com>
ACPI: CPPC: Fix NULL pointer dereference when nosmp is used
Robert Malz <robert.malz@canonical.com>
i40e: retry VFLR handling if there is ongoing VF reset
Robert Malz <robert.malz@canonical.com>
i40e: return false from i40e_reset_vf if reset is in progress
Martin Blumenstingl <martin.blumenstingl@googlemail.com>
drm/meson: fix more rounding issues with 59.94Hz modes
Martin Blumenstingl <martin.blumenstingl@googlemail.com>
drm/meson: use vclk_freq instead of pixel_freq in debug print
Martin Blumenstingl <martin.blumenstingl@googlemail.com>
drm/meson: fix debug log statement when setting the HDMI clocks
Martin Blumenstingl <martin.blumenstingl@googlemail.com>
drm/meson: use unsigned long long / Hz for frequency types
Haren Myneni <haren@linux.ibm.com>
powerpc/vas: Return -EINVAL if the offset is non-zero in mmap()
Ritesh Harjani (IBM) <ritesh.list@gmail.com>
powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap
Eric Dumazet <edumazet@google.com>
net_sched: sch_sfq: fix a potential crash on gso_skb handling
Alok Tiwari <alok.a.tiwari@oracle.com>
scsi: iscsi: Fix incorrect error path labels for flashnode operations
Wojciech Slenska <wojciech.slenska@gmail.com>
pinctrl: qcom: pinctrl-qcm2290: Add missing pins
Dan Carpenter <dan.carpenter@linaro.org>
regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt()
Rodrigo Gobbi <rodrigo.gobbi.7@gmail.com>
wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready
Baochen Qiang <quic_bqiang@quicinc.com>
wifi: ath11k: don't wait when there is no vdev started
Baochen Qiang <quic_bqiang@quicinc.com>
wifi: ath11k: don't use static variables in ath11k_debugfs_fw_stats_process()
Baochen Qiang <quic_bqiang@quicinc.com>
wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request()
Easwar Hariharan <eahariha@linux.microsoft.com>
wifi: ath11k: convert timeouts to secs_to_jiffies()
Jeff Johnson <quic_jjohnson@quicinc.com>
wifi: ath11k: fix soc_dp_stats debugfs file permission
Caleb Connolly <caleb.connolly@linaro.org>
ath10k: snoc: fix unbalanced IRQ enable in crash recovery
Jeongjun Park <aha310510@gmail.com>
ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: MGMT: Protect mgmt_pending list with its own lock
Dr. David Alan Gilbert <linux@treblig.org>
Bluetooth: MGMT: Remove unused mgmt_pending_find_data
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete
Pauli Virtanen <pav@iki.fi>
Bluetooth: hci_core: fix list_for_each_entry_rcu usage
Sanjeev Yadav <sanjeev.y@mediatek.com>
scsi: core: ufs: Fix a hang in the error handler
Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
serial: sh-sci: Clean sci_ports[0] after at earlycon exit
Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
serial: sh-sci: Move runtime PM enable to sci_probe_single()
Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
serial: sh-sci: Check if TX data was written to device in .tx_empty()
Yemike Abhilash Chandra <y-abhilashchandra@ti.com>
arm64: dts: ti: k3-j721e-sk: Add DT nodes for power regulators
Beleswar Padhi <b-padhi@ti.com>
arm64: dts: ti: k3-j721e-sk: Add support for multiple CAN instances
Vaishnav Achath <vaishnav.a@ti.com>
arm64: dts: ti: k3-j721e-sk: Model CSI2RX connector mux
Judith Mendez <jm@ti.com>
arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0
Judith Mendez <jm@ti.com>
arm64: dts: ti: k3-am65-main: Fix sdhci node properties
Andrey Konovalov <andreyknvl@gmail.com>
kasan: use unchecked __memset internally
Dmitry Torokhov <dmitry.torokhov@gmail.com>
Input: synaptics-rmi - fix crash with unsupported versions of F34
Dan Carpenter <dan.carpenter@linaro.org>
pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id()
Jakob Unterwurzacher <jakobunt@gmail.com>
net: dsa: microchip: linearize skb for tail-tagging switches
Pieter Van Trappen <pieter.van.trappen@cern.ch>
net: dsa: microchip: update tag_ksz masks for KSZ9477 family
Al Viro <viro@zeniv.linux.org.uk>
do_change_type(): refuse to operate on unmounted/not ours mounts
Al Viro <viro@zeniv.linux.org.uk>
fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2)
Al Viro <viro@zeniv.linux.org.uk>
path_overmount(): avoid false negatives
Yuuki NAGAO <wf.yn386@gmail.com>
ASoC: ti: omap-hdmi: Re-add dai_link->platform to fix card init
Cezary Rojewski <cezary.rojewski@intel.com>
ASoC: Intel: avs: Verify content returned by parse_int_array()
Cezary Rojewski <cezary.rojewski@intel.com>
ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX
Cezary Rojewski <cezary.rojewski@intel.com>
ASoC: codecs: hda: Fix RPM usage count underflow
Nitin Rawat <quic_nitirawa@quicinc.com>
scsi: ufs: qcom: Prevent calling phy_exit() before phy_init()
Ido Schimmel <idosch@nvidia.com>
seg6: Fix validation of nexthop addresses
Mirco Barone <mirco.barone@polito.it>
wireguard: device: enable threaded NAPI
Jonas Gorski <jonas.gorski@gmail.com>
net: dsa: b53: allow RGMII for bcm63xx RGMII ports
Jonas Gorski <jonas.gorski@gmail.com>
net: dsa: b53: do not enable RGMII delay on bcm63xx
Florian Westphal <fw@strlen.de>
netfilter: nf_nat: also check reverse tuple to obtain clashing entry
Florian Westphal <fw@strlen.de>
netfilter: nf_set_pipapo_avx2: fix initial map fill
Alok Tiwari <alok.a.tiwari@oracle.com>
gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
PM: sleep: Fix power.is_suspended cleanup for direct-complete devices
Ronak Doshi <ronak.doshi@broadcom.com>
vmxnet3: correctly report gso type for UDP tunnels
Jinjian Song <jinjian.song@fibocom.com>
net: wwan: t7xx: Fix napi rx poll issue
Shiming Cheng <shiming.cheng@mediatek.com>
net: fix udp gso skb_segment after pull from frag_list
Paul Chaignon <paul.chaignon@gmail.com>
net: Fix checksum update for ILA adj-transport
Alexis Lothoré <alexis.lothore@bootlin.com>
net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping
Álvaro Fernández Rojas <noltari@gmail.com>
net: dsa: tag_brcm: legacy: fix pskb_may_pull length
Michal Kubiak <michal.kubiak@intel.com>
ice: fix rebuilding the Tx scheduler tree for large queue counts
Michal Kubiak <michal.kubiak@intel.com>
ice: create new Tx scheduler nodes for new queues only
Michal Kubiak <michal.kubiak@intel.com>
ice: fix Tx scheduler error handling in XDP callback
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION
Álvaro Fernández Rojas <noltari@gmail.com>
spi: bcm63xx-hsspi: fix shared reset
Álvaro Fernández Rojas <noltari@gmail.com>
spi: bcm63xx-spi: fix shared reset
Horatiu Vultur <horatiu.vultur@microchip.com>
net: lan966x: Make sure to insert the vlan tags also in host mode
Dan Carpenter <dan.carpenter@linaro.org>
net/mlx4_en: Prevent potential integer overflow calculating Hz
Yanqing Wang <ot_yanqing.wang@mediatek.com>
driver: net: ethernet: mtk_star_emac: fix suspend/resume issue
Charalampos Mitrodimas <charmitro@posteo.net>
net: tipc: fix refcount warning in tipc_aead_encrypt
Alok Tiwari <alok.a.tiwari@oracle.com>
gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt
Quentin Schulz <quentin.schulz@cherry.de>
net: stmmac: platform: guarantee uniqueness of bus_id
Nicolas Pitre <npitre@baylibre.com>
vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl()
Yeoreum Yun <yeoreum.yun@arm.com>
coresight: prevent deactivate active config while enabling the config
Qasim Ijaz <qasdev00@gmail.com>
fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt()
Alexander Sverdlin <alexander.sverdlin@siemens.com>
counter: interrupt-cnt: Protect enable/disable OPs with mutex
WangYuli <wangyuli@uniontech.com>
MIPS: Loongson64: Add missing '#interrupt-cells' for loongson64c_ls7a
Uwe Kleine-König <u.kleine-koenig@baylibre.com>
iio: adc: ad7124: Fix 3dB filter frequency reading
Brian Pellegrino <bpellegrino@arka.org>
iio: filter: admv8818: Support frequencies >= 2^32
Sam Winchenbach <swinchenbach@arka.org>
iio: filter: admv8818: fix range calculation
Sam Winchenbach <swinchenbach@arka.org>
iio: filter: admv8818: fix integer overflow
Sam Winchenbach <swinchenbach@arka.org>
iio: filter: admv8818: fix band 4, state 15
Mario Limonciello <mario.limonciello@amd.com>
thunderbolt: Fix a logic error in wake on connect
Henry Martin <bsdhenrymartin@gmail.com>
serial: Fix potential null-ptr-deref in mlb_usio_probe()
Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
usb: renesas_usbhs: Reorder clock handling and power management in probe
Liu Dalin <liudalin@kylinsec.com.cn>
rtc: loongson: Add missing alarm notifications for ACPI RTC events
Bjorn Helgaas <bhelgaas@google.com>
PCI/DPC: Initialize aer_err_info before using it
Henry Martin <bsdhenrymartin@gmail.com>
dmaengine: ti: Add NULL check in udma_probe()
Chenyuan Yang <chenyuan0y@gmail.com>
phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug
Mario Limonciello <mario.limonciello@amd.com>
PCI: Explicitly put devices into D0 when initializing
Hector Martin <marcan@marcan.st>
PCI: apple: Use gpiod_set_value_cansleep in probe flow
Hans Zhang <18255117159@163.com>
PCI: cadence: Fix runtime atomic count underflow
Wilfred Mallawa <wilfred.mallawa@wdc.com>
PCI: Print the actual delay time in pci_bridge_wait_for_secondary_bus()
Wolfram Sang <wsa+renesas@sang-engineering.com>
rtc: sh: assign correct interrupts with DT
Pali Rohár <pali@kernel.org>
cifs: Fix validation of SMB1 query reparse point response
Li Lingfeng <lilingfeng3@huawei.com>
nfs: ignore SB_RDONLY when remounting nfs
Li Lingfeng <lilingfeng3@huawei.com>
nfs: clear SB_RDONLY before getting superblock
Anubhav Shelat <ashelat@redhat.com>
perf trace: Always print return value for syscalls returning a pid
Dapeng Mi <dapeng1.mi@linux.intel.com>
perf record: Fix incorrect --user-regs comments
Leo Yan <leo.yan@arm.com>
perf tests switch-tracking: Fix timestamp comparison
Alexey Gladkov <legion@kernel.org>
mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove()
Dan Carpenter <dan.carpenter@linaro.org>
rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()
Siddharth Vadapalli <s-vadapalli@ti.com>
remoteproc: k3-r5: Drop check performed in k3_r5_rproc_{mbox_callback/kick}
Dan Carpenter <dan.carpenter@linaro.org>
remoteproc: qcom_wcnss_iris: Add missing put_device() on error in probe
Adrian Hunter <adrian.hunter@intel.com>
perf scripts python: exported-sql-viewer.py: Fix pattern matching with Python 3
Adrian Hunter <adrian.hunter@intel.com>
perf intel-pt: Fix PEBS-via-PT data_src
Namhyung Kim <namhyung@kernel.org>
perf trace: Fix leaks of 'struct thread' in set_filter_loop_pids()
Benjamin Marzinski <bmarzins@redhat.com>
dm-flakey: make corrupting read bios work
Benjamin Marzinski <bmarzins@redhat.com>
dm-flakey: error all IOs when num_features is absent
Alexei Safin <a.safin@rosa.ru>
hwmon: (asus-ec-sensors) check sensor index in read_string()
Mikhail Arkhipov <m.arhipov@rosa.ru>
mtd: nand: ecc-mxic: Fix use of uninitialized variable ret
Henry Martin <bsdhenrymartin@gmail.com>
backlight: pm8941: Add NULL check in wled_configure()
Benjamin Marzinski <bmarzins@redhat.com>
dm: free table mempools if not used in __bind
Benjamin Marzinski <bmarzins@redhat.com>
dm: don't change md if dm_table_set_restrictions() fails
Arnaldo Carvalho de Melo <acme@redhat.com>
perf ui browser hists: Set actions->thread before calling do_zoom_thread()
Arnaldo Carvalho de Melo <acme@redhat.com>
perf build: Warn when libdebuginfod devel files are not available
Kees Cook <kees@kernel.org>
randstruct: gcc-plugin: Fix attribute addition
Kees Cook <kees@kernel.org>
randstruct: gcc-plugin: Remove bogus void member
Sergey Shtylyov <s.shtylyov@omp.ru>
fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()
Henry Martin <bsdhenrymartin@gmail.com>
soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()
Su Hui <suhui@nfschina.com>
soc: aspeed: lpc: Fix impossible judgment condition
Joel Stanley <joel@jms.id.au>
ARM: aspeed: Don't select SRAM
Julien Massot <julien.massot@collabora.com>
arm64: dts: mt6359: Rename RTC node to match binding expectations
Thuan Nguyen <thuan.nguyen-hong@banvien.com.vn>
arm64: dts: renesas: white-hawk-ard-audio: Fix TPU0 groups
Quentin Schulz <quentin.schulz@cherry.de>
arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou
Vignesh Raman <vignesh.raman@collabora.com>
arm64: defconfig: mediatek: enable PHY drivers
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon device
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
ARM: dts: qcom: apq8064: add missing clocks to the timer node
Andre Przywara <andre.przywara@arm.com>
dt-bindings: vendor-prefixes: Add Liontron name
Ioana Ciornei <ioana.ciornei@nxp.com>
bus: fsl-mc: fix double-free on mc_dev
Ryusuke Konishi <konishi.ryusuke@gmail.com>
nilfs2: do not propagate ENOENT error from nilfs_btree_propagate()
Wentao Liang <vulab@iscas.ac.cn>
nilfs2: add pointer check for nilfs_direct_propagate()
Murad Masimov <m.masimov@mt-integration.ru>
ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery
Phillip Lougher <phillip@squashfs.org.uk>
Squashfs: check return result of sb_min_blocksize
Prasanth Babu Mantena <p-mantena@ti.com>
arm64: dts: ti: k3-j721e-common-proc-board: Enable OSPI1 on J721E
Aaron Kling <webgeek1234@gmail.com>
arm64: tegra: Drop remaining serial clock-names and reset-names
Peter Robinson <pbrobinson@gmail.com>
arm64: dts: rockchip: Update eMMC for NanoPi R5 series
Alexey Minnekhanov <alexeymin@postmarketos.org>
arm64: dts: qcom: sda660-ifc6560: Fix dt-validate warning
Alexey Minnekhanov <alexeymin@postmarketos.org>
arm64: dts: qcom: sdm660-lavender: Add missing USB phy supply
Julien Massot <julien.massot@collabora.com>
arm64: dts: mt6359: Add missing 'compatible' property to regulators node
Nícolas F. R. A. Prado <nfraprado@collabora.com>
arm64: dts: mediatek: mt6357: Drop regulator-fixed compatibles
Adam Ford <aford173@gmail.com>
arm64: dts: imx8mn-beacon: Set SAI5 MCLK direction to output for HDMI audio
Adam Ford <aford173@gmail.com>
arm64: dts: imx8mm-beacon: Set SAI5 MCLK direction to output for HDMI audio
Adam Ford <aford173@gmail.com>
arm64: dts: imx8mp-beacon: Fix RTC capacitive load
Adam Ford <aford173@gmail.com>
arm64: dts: imx8mn-beacon: Fix RTC capacitive load
Adam Ford <aford173@gmail.com>
arm64: dts: imx8mm-beacon: Fix RTC capacitive load
Alexey Minnekhanov <alexeymin@postmarketos.org>
arm64: dts: qcom: sdm660-xiaomi-lavender: Add missing SD card detect GPIO
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
arm64: dts: mediatek: mt8195: Reparent vdec1/2 and venc1 power domains
Wolfram Sang <wsa+renesas@sang-engineering.com>
ARM: dts: at91: at91sam9263: fix NAND chip selects
Wolfram Sang <wsa+renesas@sang-engineering.com>
ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select
Stephan Gerhold <stephan.gerhold@linaro.org>
arm64: dts: qcom: sc8280xp-x13s: Drop duplicate DMIC supplies
Xilin Wu <wuxilin123@gmail.com>
arm64: dts: qcom: sm8250: Fix CPU7 opp table
Luca Weiss <luca.weiss@fairphone.com>
arm64: dts: qcom: sm8350: Reenable crypto & cryptobam
Dzmitry Sankouski <dsankouski@gmail.com>
arm64: dts: qcom: sdm845-starqltechn: remove excess reserved gpios
Dzmitry Sankouski <dsankouski@gmail.com>
arm64: dts: qcom: sdm845-starqltechn: refactor node order
Dzmitry Sankouski <dsankouski@gmail.com>
arm64: dts: qcom: sdm845-starqltechn: fix usb regulator mistake
Dzmitry Sankouski <dsankouski@gmail.com>
arm64: dts: qcom: sdm845-starqltechn: remove wifi
Zhiguo Niu <zhiguo.niu@unisoc.com>
f2fs: fix to correct check conditions in f2fs_cross_rename
Zhiguo Niu <zhiguo.niu@unisoc.com>
f2fs: use d_inode(dentry) cleanup dentry->d_inode
Horatiu Vultur <horatiu.vultur@microchip.com>
net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames
Faicker Mo <faicker.mo@zenlayer.com>
net: openvswitch: Fix the dead loop of MPLS parse
Kuniyuki Iwashima <kuniyu@amazon.com>
calipso: Don't call calipso functions for AF_INET sk.
Hariprasad Kelam <hkelam@marvell.com>
octeontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback
Horatiu Vultur <horatiu.vultur@microchip.com>
net: phy: mscc: Fix memory leak when using one step timestamping
Thangaraj Samynathan <thangaraj.s@microchip.com>
net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net: phy: fix up const issues in to_mdio_device() and to_phy_device()
Wei Fang <wei.fang@nxp.com>
net: phy: clear phydev->devlink when the link is deleted
KaFai Wan <mannkafai@gmail.com>
bpf: Avoid __bpf_prog_ret0_warn when jit fails
Horatiu Vultur <horatiu.vultur@microchip.com>
net: lan966x: Fix 1-step timestamping over ipv4 or ipv6
Jack Morgenstein <jackm@nvidia.com>
RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work
Nikita Zhandarovich <n.zhandarovich@fintech.ru>
net: usb: aqc111: fix error handling of usbnet read calls
Radim Krčmář <rkrcmar@ventanamicro.com>
RISC-V: KVM: lock the correct mp_state during reset
Fernando Fernandez Mancera <fmancera@suse.de>
netfilter: nft_tunnel: fix geneve_opt dump
Jiayuan Chen <jiayuan.chen@linux.dev>
bpf, sockmap: Avoid using sk_socket after free when sending
Dmitry Antipov <dmantipov@yandex.ru>
Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach()
Li RongQing <lirongqing@baidu.com>
vfio/type1: Fix error unwind in migration dirty bitmap allocation
Florian Westphal <fw@strlen.de>
netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy
Shayne Chen <shayne.chen@mediatek.com>
wifi: mt76: mt7996: fix RX buffer size of MCU event
Peter Chiu <chui-hao.chiu@mediatek.com>
wifi: mt76: mt7996: set EHT max ampdu length capability
Henry Martin <bsdhenrymartin@gmail.com>
wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()
Michal Koutný <mkoutny@suse.com>
kernfs: Relax constraint in draining guard
ping.gao <ping.gao@samsung.com>
scsi: ufs: mcq: Delete ufshcd_release_scsi_cmd() in ufshcd_mcq_abort()
Toke Høiland-Jørgensen <toke@toke.dk>
wifi: ath9k_htc: Abort software beacon handling if disabled
Longfang Liu <liulongfang@huawei.com>
hisi_acc_vfio_pci: bugfix live migration function without VF device driver
Longfang Liu <liulongfang@huawei.com>
hisi_acc_vfio_pci: add eq and aeq interruption restore
Longfang Liu <liulongfang@huawei.com>
hisi_acc_vfio_pci: fix XQE dma address error
Rajat Soni <quic_rajson@quicinc.com>
wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event
Rolf Eike Beer <eb@emlix.com>
iommu: remove duplicate selection of DMAR_TABLE
Alexey Kodanev <aleksei.kodanev@bell-sw.com>
wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds
Ilya Leoshkevich <iii@linux.ibm.com>
s390/bpf: Store backchain even for leaf progs
Vincent Knecht <vincent.knecht@mailoo.org>
clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz
Tao Chen <chen.dylane@linux.dev>
bpf: Fix WARN() in get_bpf_raw_tp_regs
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
pinctrl: at91: Fix possible out-of-boundary access
Anton Protopopov <a.s.protopopov@gmail.com>
libbpf: Use proper errno value in nlattr
Jiayuan Chen <jiayuan.chen@linux.dev>
ktls, sockmap: Fix missing uncharge operation
Miaoqian Lin <linmq006@gmail.com>
tracing: Fix error handling in event_trigger_parse()
Steven Rostedt <rostedt@goodmis.org>
tracing: Rename event_trigger_alloc() to trigger_data_alloc()
Hans Zhang <18255117159@163.com>
efi/libstub: Describe missing 'out' parameter in efi_load_initrd
Henry Martin <bsdhenrymartin@gmail.com>
clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()
Luca Weiss <luca.weiss@fairphone.com>
clk: qcom: gpucc-sm6350: Add *_wait_val values for GDSCs
Luca Weiss <luca.weiss@fairphone.com>
clk: qcom: gcc-sm6350: Add *_wait_val values for GDSCs
Luca Weiss <luca.weiss@fairphone.com>
clk: qcom: dispcc-sm6350: Add *_wait_val values for GDSCs
Luca Weiss <luca.weiss@fairphone.com>
clk: qcom: camcc-sm6350: Add *_wait_val values for GDSCs
Steven Rostedt <rostedt@goodmis.org>
tracing: Move histogram trigger variables from stack to per CPU structure
Anton Protopopov <a.s.protopopov@gmail.com>
bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ
Patrisious Haddad <phaddad@nvidia.com>
RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction
Zhongqiu Duan <dzq.aishenghu0@gmail.com>
netfilter: nft_quota: match correctly when the quota just depleted
Huajian Yang <huajianyang@asrmicro.com>
netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it
Lorenzo Bianconi <lorenzo@kernel.org>
bpf: Allow XDP dev-bound programs to perform XDP_REDIRECT into maps
Anton Protopopov <a.s.protopopov@gmail.com>
libbpf: Use proper errno value in linker
Chao Yu <chao@kernel.org>
f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed()
Chao Yu <chao@kernel.org>
f2fs: clean up w/ fscrypt_is_bounce_page()
Hangbin Liu <liuhangbin@gmail.com>
bonding: assign random address if device address is same as bond
Jason Gunthorpe <jgg@ziepe.ca>
iommu: Protect against overflow in iommu_pgsize()
Jonathan Wiepert <jonathan.wiepert@gmail.com>
Use thread-safe function pointer in libbpf_print
Tao Chen <chen.dylane@linux.dev>
libbpf: Remove sample_period init in perf_buffer
Yihang Li <liyihang9@huawei.com>
scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk
Junxian Huang <huangjunxian6@hisilicon.com>
RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h
Maharaja Kennadyrajan <maharaja.kennadyrajan@oss.qualcomm.com>
wifi: ath12k: fix node corruption in ar->arvifs list
P Praneesh <quic_ppranees@quicinc.com>
wifi: ath12k: Add MSDU length validation for TKIP MIC error
Dmitry Antipov <dmantipov@yandex.ru>
wifi: rtw88: do not ignore hardware read error during DPK
Zhen XIN <zhen.xin@nokia-sbell.com>
wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally
Zhen XIN <zhen.xin@nokia-sbell.com>
wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT
Cosmin Ratiu <cratiu@nvidia.com>
xfrm: Use xdo.dev instead of xdo.real_dev
Viktor Malik <vmalik@redhat.com>
libbpf: Fix buffer overflow in bpf_object__init_prog
Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
net: ncsi: Fix GCPS 64-bit member variables
Chao Yu <chao@kernel.org>
f2fs: fix to do sanity check on sbi->total_valid_block_count
Ramya Gnanasekar <ramya.gnanasekar@oss.qualcomm.com>
wifi: ath12k: Fix WMI tag for EHT rate in peer assoc
Jiayuan Chen <jiayuan.chen@linux.dev>
bpf, sockmap: Fix panic when calling skb_linearize
Jiayuan Chen <jiayuan.chen@linux.dev>
bpf, sockmap: fix duplicated data transmission
Jiayuan Chen <jiayuan.chen@linux.dev>
bpf: fix ktls panic with sockmap
Saket Kumar Bhaskar <skb99@linux.ibm.com>
selftests/bpf: Fix bpf_nf selftest failure
Jacob Moroni <jmoroni@google.com>
IB/cm: use rwlock for MAD agent lock
Stone Zhang <quic_stonez@quicinc.com>
wifi: ath11k: fix node corruption in ar->arvifs list
Roger Pau Monne <roger.pau@citrix.com>
xen/x86: fix initial memory balloon target
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
drm/mediatek: Fix kobject put for component sub-drivers
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr
Anand Moon <linux.amoon@gmail.com>
perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create()
Kees Cook <kees@kernel.org>
scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops
Mark Rutland <mark.rutland@arm.com>
arm64/fpsimd: Do not discard modified SVE state
Huang Yiwei <quic_hyiwei@quicinc.com>
firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES
Biju Das <biju.das.jz@bp.renesas.com>
drm/tegra: rgb: Fix the unbound reference count
Kees Cook <kees@kernel.org>
drm/vkms: Adjust vkms_state->active_planes allocation type
Biju Das <biju.das.jz@bp.renesas.com>
drm: rcar-du: Fix memory leak in rcar_du_vsps_init()
Neill Kapron <nkapron@google.com>
selftests/seccomp: fix syscall_restart test for arm compat
Kornel Dulęba <korneld@google.com>
arm64: Support ARM64_VA_BITS=52 when setting ARCH_MMAP_RND_BITS_MAX
Miaoqian Lin <linmq006@gmail.com>
firmware: psci: Fix refcount leak in psci_dt_init
Finn Thain <fthain@linux-m68k.org>
m68k: mac: Fix macintosh_config for Mac II
Kees Cook <kees@kernel.org>
watchdog: exar: Shorten identity name to fit correctly
Andrey Vatoropin <a.vatoropin@crpt.ru>
fs/ntfs3: handle hdr_first_de() return value
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe()
Mark Rutland <mark.rutland@arm.com>
arm64/fpsimd: Fix merging of FPSIMD state during signal return
Mark Brown <broonie@kernel.org>
arm64/fpsimd: Discard stale CPU state when handling SME traps
Mark Rutland <mark.rutland@arm.com>
arm64/fpsimd: Avoid RES0 bits in the SME trap handler
Jonas Karlman <jonas@kwiboo.se>
media: rkvdec: Fix frame size enumeration
Charles Han <hanchunchao@inspur.com>
drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table
Maxime Ripard <mripard@kernel.org>
drm/vc4: tests: Use return instead of assert
Ian Forbes <ian.forbes@broadcom.com>
drm/vmwgfx: Add seqno waiter for sync_files
Martin Povišer <povik+lin@cutebit.org>
ASoC: apple: mca: Constrain channels according to TDM mask
Geert Uytterhoeven <geert+renesas@glider.be>
spi: sh-msiof: Fix maximum DMA transfer size
Armin Wolf <W_Armin@gmx.de>
ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions"
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
PM: sleep: Print PM debug messages during hibernation
Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges()
Zijun Hu <quic_zijuhu@quicinc.com>
PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks()
Kees Cook <kees@kernel.org>
ASoC: SOF: ipc4-pcm: Adjust pipeline_list->pipelines allocation type
Alexander Shiyan <eagle.alexander923@gmail.com>
power: reset: at91-reset: Optimize at91_reset()
Vishwaroop A <va@nvidia.com>
spi: tegra210-quad: modify chip select (CS) deactivation
Vishwaroop A <va@nvidia.com>
spi: tegra210-quad: remove redundant error handling code
Vishwaroop A <va@nvidia.com>
spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers
Thomas Weißschuh <linux@weissschuh.net>
tools/nolibc: fix integer overflow in i{64,}toa_r() and
Qiuxu Zhuo <qiuxu.zhuo@intel.com>
EDAC/{skx_common,i10nm}: Fix the loss of saved RRL for HBM pseudo channel 0
Qiuxu Zhuo <qiuxu.zhuo@intel.com>
EDAC/skx_common: Fix general protection fault
Hector Martin <marcan@marcan.st>
ASoC: tas2764: Enable main IRQs
Jemmy Wong <jemmywong512@gmail.com>
tools/nolibc/types.h: fix mismatched parenthesis in minor()
Daniil Tatianin <d-tatianin@yandex-team.ru>
ACPICA: exserial: don't forget to handle FFixedHW opregions for reading
Tzung-Bi Shih <tzungbi@kernel.org>
kunit: Fix wrong parameter to kunit_deactivate_static_stub()
Ovidiu Panait <ovidiu.panait.oss@gmail.com>
crypto: sun8i-ce - move fallback ahash_request to the end of the struct
Herbert Xu <herbert@gondor.apana.org.au>
crypto: xts - Only add ecb if it is not already there
Herbert Xu <herbert@gondor.apana.org.au>
crypto: lrw - Only add ecb if it is not already there
Yongliang Gao <leonylgao@tencent.com>
rcu/cpu_stall_cputime: fix the hardirq count for x86 architecture
Qu Wenruo <wqu@suse.com>
btrfs: scrub: fix a wrong error type when metadata bytenr mismatches
Qu Wenruo <wqu@suse.com>
btrfs: scrub: update device stats when an error is detected
Herbert Xu <herbert@gondor.apana.org.au>
crypto: marvell/cesa - Avoid empty transfer descriptor
Herbert Xu <herbert@gondor.apana.org.au>
crypto: marvell/cesa - Handle zero-length skcipher requests
Ahmed S. Darwish <darwi@linutronix.de>
x86/cpu: Sanitize CPUID(0x80000000) output
Annie Li <jiayanli@google.com>
x86/microcode/AMD: Do not return error when microcode update is not necessary
Eddie James <eajames@linux.ibm.com>
powerpc/crash: Fix non-smp kexec preparation
Jiri Slaby (SUSE) <jirislaby@kernel.org>
powerpc: do not build ppc_save_regs.o always
Corentin Labbe <clabbe.montjoie@gmail.com>
crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions
Ovidiu Panait <ovidiu.panait.oss@gmail.com>
crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare()
Qing Wang <wangqing7171@gmail.com>
perf/core: Fix broken throttling when max_samples_per_tick=1
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: gfs2_create_inode error handling fix
Ovidiu Panait <ovidiu.panait.oss@gmail.com>
crypto: sun8i-ce-hash - fix error handling in sun8i_ce_hash_run()
Andrew Cooper <andrew.cooper3@citrix.com>
x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt()
Ahmed S. Darwish <darwi@linutronix.de>
tools/x86/kcpuid: Fix error handling
Aurabindo Pillai <aurabindo.pillai@amd.com>
Revert "drm/amd/display: more liberal vmin/vmax update for freesync"
Xu Yang <xu.yang_2@nxp.com>
dt-bindings: phy: imx8mq-usb: fix fsl,phy-tx-vboost-level-microvolt property
Lukasz Czechowski <lukasz.czechowski@thaumatec.com>
dt-bindings: usb: cypress,hx3: Add support for all variants
Sergey Senozhatsky <senozhatsky@chromium.org>
thunderbolt: Do not double dequeue a configuration request
Dave Penkler <dpenkler@gmail.com>
usb: usbtmc: Fix timeout value in get_stb
Dustin Lundquist <dustin@null-ptr.net>
serial: jsm: fix NPE during jsm_uart_port_init
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Bluetooth: hci_qca: move the SoC type check to the right place
Qasim Ijaz <qasdev00@gmail.com>
usb: typec: ucsi: fix Clang -Wsign-conversion warning
Charles Yeh <charlesyeh522@gmail.com>
USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB
Hongyu Xie <xiehongyu1@kylinos.cn>
usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device
Jiayi Li <lijiayi@kylinos.cn>
usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE
Alexandre Mergnat <amergnat@baylibre.com>
rtc: Fix offset calculation for .start_secs < 0
Alexandre Mergnat <amergnat@baylibre.com>
rtc: Make rtc_time64_to_tm() support dates before 1970
Gautham R. Shenoy <gautham.shenoy@amd.com>
acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio()
Gabor Juhos <j4g8y7@gmail.com>
pinctrl: armada-37xx: set GPIO output value before setting direction
Gabor Juhos <j4g8y7@gmail.com>
pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31
Pan Taixi <pantaixi@huaweicloud.com>
tracing: Fix compilation warning on arm32
-------------
Diffstat:
.../bindings/phy/fsl,imx8mq-usb-phy.yaml | 3 +-
.../regulator/mediatek,mt6357-regulator.yaml | 12 +-
.../devicetree/bindings/usb/cypress,hx3.yaml | 19 +-
.../devicetree/bindings/vendor-prefixes.yaml | 2 +
Makefile | 4 +-
arch/arm/boot/dts/microchip/at91sam9263ek.dts | 2 +-
arch/arm/boot/dts/microchip/tny_a9263.dts | 2 +-
arch/arm/boot/dts/microchip/usb_a9263.dts | 4 +-
arch/arm/boot/dts/qcom/qcom-apq8064.dtsi | 15 +-
arch/arm/mach-aspeed/Kconfig | 1 -
arch/arm64/Kconfig | 6 +-
.../arm64/boot/dts/freescale/imx8mm-beacon-kit.dts | 1 +
.../boot/dts/freescale/imx8mm-beacon-som.dtsi | 1 +
.../arm64/boot/dts/freescale/imx8mn-beacon-kit.dts | 1 +
.../boot/dts/freescale/imx8mn-beacon-som.dtsi | 1 +
.../boot/dts/freescale/imx8mp-beacon-som.dtsi | 1 +
arch/arm64/boot/dts/mediatek/mt6357.dtsi | 10 -
arch/arm64/boot/dts/mediatek/mt6359.dtsi | 4 +-
arch/arm64/boot/dts/mediatek/mt8195.dtsi | 50 ++---
arch/arm64/boot/dts/nvidia/tegra186.dtsi | 12 --
arch/arm64/boot/dts/nvidia/tegra194.dtsi | 12 --
.../dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts | 3 -
.../arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts | 2 +
.../arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts | 3 +
.../boot/dts/qcom/sdm845-samsung-starqltechn.dts | 16 +-
arch/arm64/boot/dts/qcom/sm8250.dtsi | 2 +-
arch/arm64/boot/dts/qcom/sm8350.dtsi | 6 +-
.../r8a779g0-white-hawk-ard-audio-da7212.dtso | 2 +-
.../arm64/boot/dts/rockchip/rk3399-puma-haikou.dts | 8 -
.../arm64/boot/dts/rockchip/rk3568-nanopi-r5s.dtsi | 5 +-
arch/arm64/boot/dts/ti/k3-am65-main.dtsi | 19 +-
.../boot/dts/ti/k3-j721e-common-proc-board.dts | 1 +
arch/arm64/boot/dts/ti/k3-j721e-sk.dts | 166 ++++++++++++++-
arch/arm64/configs/defconfig | 3 +
arch/arm64/include/asm/esr.h | 12 +-
arch/arm64/include/asm/fpsimd.h | 3 +
arch/arm64/kernel/entry-common.c | 46 ++++-
arch/arm64/kernel/fpsimd.c | 21 +-
arch/arm64/xen/hypercall.S | 21 +-
arch/m68k/mac/config.c | 2 +-
.../boot/dts/loongson/loongson64c_4core_ls7a.dts | 1 +
arch/powerpc/kernel/Makefile | 2 +-
arch/powerpc/kexec/crash.c | 5 +-
arch/powerpc/platforms/book3s/vas-api.c | 9 +
arch/powerpc/platforms/powernv/memtrace.c | 8 +-
arch/riscv/kvm/vcpu_sbi.c | 4 +-
arch/s390/net/bpf_jit_comp.c | 12 +-
arch/x86/include/asm/mwait.h | 9 +-
arch/x86/kernel/cpu/common.c | 17 +-
arch/x86/kernel/cpu/microcode/core.c | 2 +
arch/x86/kernel/cpu/mtrr/generic.c | 2 +-
arch/x86/kernel/ioport.c | 13 +-
arch/x86/kernel/process.c | 15 +-
crypto/lrw.c | 4 +-
crypto/xts.c | 4 +-
drivers/acpi/acpica/exserial.c | 6 +
drivers/acpi/apei/Kconfig | 1 +
drivers/acpi/apei/ghes.c | 2 +-
drivers/acpi/cppc_acpi.c | 2 +-
drivers/acpi/osi.c | 1 -
drivers/base/power/domain.c | 2 +-
drivers/base/power/main.c | 3 +-
drivers/bluetooth/hci_qca.c | 14 +-
drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +-
drivers/clk/bcm/clk-raspberrypi.c | 2 +
drivers/clk/qcom/camcc-sm6350.c | 18 ++
drivers/clk/qcom/dispcc-sm6350.c | 3 +
drivers/clk/qcom/gcc-msm8939.c | 4 +-
drivers/clk/qcom/gcc-sm6350.c | 6 +
drivers/clk/qcom/gpucc-sm6350.c | 6 +
drivers/counter/interrupt-cnt.c | 9 +
drivers/cpufreq/acpi-cpufreq.c | 2 +-
.../crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 7 +-
drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c | 34 +--
drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h | 2 +-
.../crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c | 2 +-
drivers/crypto/marvell/cesa/cipher.c | 3 +
drivers/crypto/marvell/cesa/hash.c | 2 +-
drivers/dma/ti/k3-udma.c | 3 +-
drivers/edac/i10nm_base.c | 35 ++--
drivers/edac/skx_common.c | 1 +
drivers/edac/skx_common.h | 11 +-
drivers/firmware/Kconfig | 1 -
drivers/firmware/arm_sdei.c | 11 +-
drivers/firmware/efi/libstub/efi-stub-helper.c | 1 +
drivers/firmware/psci/psci.c | 4 +-
drivers/fpga/tests/fpga-mgr-test.c | 1 +
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 16 +-
.../gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c | 8 +
drivers/gpu/drm/bridge/lontium-lt9611uxc.c | 6 +-
drivers/gpu/drm/mediatek/mtk_drm_drv.c | 31 ++-
drivers/gpu/drm/meson/meson_drv.c | 2 +-
drivers/gpu/drm/meson/meson_drv.h | 2 +-
drivers/gpu/drm/meson/meson_encoder_hdmi.c | 29 +--
drivers/gpu/drm/meson/meson_vclk.c | 226 +++++++++++---------
drivers/gpu/drm/meson/meson_vclk.h | 13 +-
drivers/gpu/drm/renesas/rcar-du/rcar_du_kms.c | 10 +-
drivers/gpu/drm/tegra/rgb.c | 14 +-
drivers/gpu/drm/vc4/tests/vc4_mock_output.c | 36 ++--
drivers/gpu/drm/vkms/vkms_crtc.c | 2 +-
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 26 +++
drivers/hid/hid-hyperv.c | 4 +-
drivers/hid/usbhid/hid-core.c | 25 ++-
drivers/hwmon/asus-ec-sensors.c | 4 +
drivers/hwtracing/coresight/coresight-config.h | 2 +-
drivers/hwtracing/coresight/coresight-syscfg.c | 49 +++--
drivers/iio/adc/ad7124.c | 4 +-
drivers/iio/filter/admv8818.c | 230 ++++++++++++++++-----
drivers/infiniband/core/cm.c | 16 +-
drivers/infiniband/core/cma.c | 3 +-
drivers/infiniband/hw/hns/hns_roce_ah.c | 1 -
drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 1 -
drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 1 +
drivers/infiniband/hw/hns/hns_roce_main.c | 1 -
drivers/infiniband/hw/hns/hns_roce_restrack.c | 1 -
drivers/infiniband/hw/mlx5/qpc.c | 30 ++-
drivers/input/rmi4/rmi_f34.c | 133 ++++++------
drivers/iommu/Kconfig | 1 -
drivers/iommu/iommu.c | 4 +-
drivers/md/dm-flakey.c | 70 ++++---
drivers/md/dm.c | 30 +--
drivers/mfd/exynos-lpass.c | 1 -
drivers/mfd/stmpe-spi.c | 2 +-
drivers/misc/vmw_vmci/vmci_host.c | 11 +-
drivers/mtd/nand/ecc-mxic.c | 2 +-
drivers/net/bonding/bond_main.c | 25 ++-
drivers/net/dsa/b53/b53_common.c | 23 +--
drivers/net/ethernet/google/gve/gve_main.c | 2 +-
drivers/net/ethernet/google/gve/gve_tx_dqo.c | 3 +
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 11 +-
drivers/net/ethernet/intel/ice/ice_main.c | 47 +++--
drivers/net/ethernet/intel/ice/ice_sched.c | 181 +++++++++++++---
drivers/net/ethernet/marvell/octeontx2/nic/qos.c | 4 +-
drivers/net/ethernet/mediatek/mtk_star_emac.c | 4 +
drivers/net/ethernet/mellanox/mlx4/en_clock.c | 2 +-
.../ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 2 +-
drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 12 +-
drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 21 +-
drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 5 +-
.../net/ethernet/mellanox/mlx5/core/pagealloc.c | 2 +-
drivers/net/ethernet/microchip/lan743x_main.c | 4 +-
.../net/ethernet/microchip/lan966x/lan966x_main.c | 7 +
.../net/ethernet/microchip/lan966x/lan966x_main.h | 6 +
.../net/ethernet/microchip/lan966x/lan966x_ptp.c | 49 +++--
.../ethernet/microchip/lan966x/lan966x_switchdev.c | 1 +
.../net/ethernet/microchip/lan966x/lan966x_vlan.c | 21 ++
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +
.../net/ethernet/stmicro/stmmac/stmmac_platform.c | 11 +-
drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c | 2 +-
drivers/net/macsec.c | 40 +++-
drivers/net/phy/mdio_bus.c | 12 ++
drivers/net/phy/mscc/mscc_ptp.c | 20 +-
drivers/net/phy/phy_device.c | 4 +-
drivers/net/usb/aqc111.c | 10 +-
drivers/net/vmxnet3/vmxnet3_drv.c | 26 +++
drivers/net/wireguard/device.c | 1 +
drivers/net/wireless/ath/ath10k/snoc.c | 4 +-
drivers/net/wireless/ath/ath11k/core.c | 37 ++--
drivers/net/wireless/ath/ath11k/core.h | 4 +-
drivers/net/wireless/ath/ath11k/debugfs.c | 62 +++---
drivers/net/wireless/ath/ath11k/mac.c | 4 +-
drivers/net/wireless/ath/ath11k/wmi.c | 2 +-
drivers/net/wireless/ath/ath12k/core.c | 8 +-
drivers/net/wireless/ath/ath12k/dp_rx.c | 9 +
drivers/net/wireless/ath/ath12k/wmi.c | 3 +-
drivers/net/wireless/ath/ath9k/htc_drv_beacon.c | 3 +
drivers/net/wireless/mediatek/mt76/mt7915/mmio.c | 6 +
drivers/net/wireless/mediatek/mt76/mt7996/dma.c | 4 +-
drivers/net/wireless/mediatek/mt76/mt7996/init.c | 3 +
drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h | 3 +
drivers/net/wireless/realtek/rtw88/coex.c | 2 +-
drivers/net/wireless/realtek/rtw88/rtw8822c.c | 3 +-
drivers/net/wireless/realtek/rtw88/sdio.c | 10 +-
drivers/net/wwan/t7xx/t7xx_netdev.c | 11 +-
drivers/nvme/target/fcloop.c | 31 +--
drivers/pci/controller/cadence/pcie-cadence-host.c | 11 +-
drivers/pci/controller/pcie-apple.c | 4 +-
drivers/pci/pci-driver.c | 6 -
drivers/pci/pci.c | 15 +-
drivers/pci/pci.h | 1 +
drivers/pci/pcie/dpc.c | 2 +-
drivers/perf/amlogic/meson_ddr_pmu_core.c | 2 +-
drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 6 +-
drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 14 +-
drivers/pinctrl/pinctrl-at91.c | 6 +-
drivers/pinctrl/qcom/pinctrl-qcm2290.c | 9 +
drivers/power/reset/at91-reset.c | 5 +-
drivers/ptp/ptp_private.h | 12 +-
drivers/regulator/max20086-regulator.c | 6 +-
drivers/remoteproc/qcom_wcnss_iris.c | 2 +
drivers/remoteproc/ti_k3_r5_remoteproc.c | 8 -
drivers/rpmsg/qcom_smd.c | 2 +-
drivers/rtc/class.c | 2 +-
drivers/rtc/lib.c | 24 ++-
drivers/rtc/rtc-loongson.c | 8 +
drivers/rtc/rtc-sh.c | 12 +-
drivers/scsi/hisi_sas/hisi_sas_main.c | 29 +--
drivers/scsi/qedf/qedf_main.c | 2 +-
drivers/scsi/scsi_transport_iscsi.c | 11 +-
drivers/soc/aspeed/aspeed-lpc-snoop.c | 17 +-
drivers/spi/spi-bcm63xx-hsspi.c | 2 +-
drivers/spi/spi-bcm63xx.c | 2 +-
drivers/spi/spi-sh-msiof.c | 13 +-
drivers/spi/spi-tegra210-quad.c | 24 +--
drivers/staging/media/rkvdec/rkvdec.c | 10 +-
drivers/thunderbolt/ctl.c | 5 +
drivers/thunderbolt/usb4.c | 4 +-
drivers/tty/serial/jsm/jsm_tty.c | 1 +
drivers/tty/serial/milbeaut_usio.c | 5 +-
drivers/tty/serial/sh-sci.c | 81 ++++++--
drivers/tty/vt/vt_ioctl.c | 2 -
drivers/ufs/core/ufs-mcq.c | 6 -
drivers/ufs/core/ufshcd.c | 7 +-
drivers/ufs/host/ufs-qcom.c | 5 +-
drivers/usb/cdns3/cdnsp-gadget.c | 21 +-
drivers/usb/cdns3/cdnsp-gadget.h | 4 +
drivers/usb/class/usbtmc.c | 21 +-
drivers/usb/core/hub.c | 16 +-
drivers/usb/core/quirks.c | 3 +
drivers/usb/gadget/function/f_hid.c | 12 +-
drivers/usb/renesas_usbhs/common.c | 50 +++--
drivers/usb/serial/pl2303.c | 2 +
drivers/usb/storage/unusual_uas.h | 7 +
drivers/usb/typec/tcpm/tcpci_maxim_core.c | 3 +-
drivers/usb/typec/ucsi/ucsi.h | 2 +-
drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 79 +++++--
drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h | 14 +-
drivers/vfio/vfio_iommu_type1.c | 2 +-
drivers/video/backlight/qcom-wled.c | 6 +-
drivers/video/fbdev/core/fbcvt.c | 2 +-
drivers/watchdog/exar_wdt.c | 2 +-
drivers/xen/balloon.c | 13 +-
fs/btrfs/scrub.c | 34 ++-
fs/f2fs/data.c | 4 +-
fs/f2fs/f2fs.h | 10 +-
fs/f2fs/namei.c | 10 +-
fs/f2fs/super.c | 4 +-
fs/filesystems.c | 14 +-
fs/gfs2/inode.c | 3 +-
fs/kernfs/dir.c | 5 +-
fs/kernfs/file.c | 3 +-
fs/namespace.c | 25 ++-
fs/nfs/super.c | 19 ++
fs/nilfs2/btree.c | 4 +-
fs/nilfs2/direct.c | 3 +
fs/ntfs3/index.c | 8 +
fs/ocfs2/quota_local.c | 2 +-
fs/smb/client/cifssmb.c | 20 +-
fs/squashfs/super.c | 5 +
include/linux/arm_sdei.h | 4 +-
include/linux/bio.h | 2 +-
include/linux/bvec.h | 7 +-
include/linux/hid.h | 3 +-
include/linux/io_uring_types.h | 3 +
include/linux/mdio.h | 5 +-
include/linux/mlx5/driver.h | 1 +
include/linux/phy.h | 5 +-
include/net/bluetooth/hci_core.h | 2 +-
include/net/checksum.h | 2 +-
include/net/sock.h | 7 +-
io_uring/io_uring.c | 10 +-
io_uring/io_uring.h | 12 ++
io_uring/kbuf.c | 3 +-
io_uring/poll.c | 2 +-
io_uring/rw.c | 26 ++-
kernel/bpf/core.c | 29 +--
kernel/events/core.c | 50 +++--
kernel/power/hibernate.c | 5 +
kernel/power/main.c | 3 +-
kernel/power/power.h | 4 +
kernel/power/wakelock.c | 3 +
kernel/rcu/tree.c | 10 +-
kernel/rcu/tree.h | 2 +-
kernel/rcu/tree_stall.h | 4 +-
kernel/time/posix-cpu-timers.c | 9 +
kernel/trace/bpf_trace.c | 2 +-
kernel/trace/trace.c | 2 +-
kernel/trace/trace.h | 8 +-
kernel/trace/trace_events_hist.c | 122 +++++++++--
kernel/trace/trace_events_trigger.c | 20 +-
lib/kunit/static_stub.c | 2 +-
mm/kasan/report.c | 4 +-
mm/kasan/shadow.c | 2 +-
net/bluetooth/eir.c | 10 +-
net/bluetooth/hci_core.c | 16 +-
net/bluetooth/hci_sync.c | 20 +-
net/bluetooth/l2cap_core.c | 3 +-
net/bluetooth/mgmt.c | 140 ++++++-------
net/bluetooth/mgmt_util.c | 51 ++---
net/bluetooth/mgmt_util.h | 8 +-
net/bridge/netfilter/nf_conntrack_bridge.c | 12 +-
net/core/filter.c | 2 +-
net/core/skmsg.c | 53 +++--
net/core/utils.c | 4 +-
net/dsa/tag_brcm.c | 2 +-
net/dsa/tag_ksz.c | 22 +-
net/ipv4/udp_offload.c | 5 +
net/ipv6/ila/ila_common.c | 6 +-
net/ipv6/netfilter.c | 12 +-
net/ipv6/netfilter/nft_fib_ipv6.c | 13 +-
net/ipv6/seg6_local.c | 6 +-
net/ncsi/internal.h | 21 +-
net/ncsi/ncsi-pkt.h | 23 +--
net/ncsi/ncsi-rsp.c | 21 +-
net/netfilter/nf_nat_core.c | 12 +-
net/netfilter/nft_quota.c | 20 +-
net/netfilter/nft_set_pipapo_avx2.c | 21 +-
net/netfilter/nft_tunnel.c | 8 +-
net/netlabel/netlabel_kapi.c | 5 +
net/openvswitch/flow.c | 2 +-
net/sched/sch_ets.c | 2 +-
net/sched/sch_prio.c | 2 +-
net/sched/sch_red.c | 2 +-
net/sched/sch_sfq.c | 5 +-
net/sched/sch_tbf.c | 2 +-
net/tipc/crypto.c | 6 +-
net/tls/tls_sw.c | 15 +-
net/xfrm/xfrm_device.c | 2 -
net/xfrm/xfrm_state.c | 2 -
scripts/Makefile.extrawarn | 12 ++
scripts/gcc-plugins/gcc-common.h | 32 +++
scripts/gcc-plugins/randomize_layout_plugin.c | 40 ++--
sound/soc/apple/mca.c | 23 +++
sound/soc/codecs/hda.c | 4 +-
sound/soc/codecs/tas2764.c | 2 +-
sound/soc/intel/avs/debugfs.c | 6 +-
sound/soc/intel/avs/ipc.c | 4 +-
sound/soc/sof/ipc4-pcm.c | 3 +-
sound/soc/ti/omap-hdmi.c | 7 +-
sound/usb/implicit.c | 1 +
tools/arch/x86/kcpuid/kcpuid.c | 47 +++--
tools/bpf/resolve_btfids/Makefile | 2 +-
tools/include/nolibc/stdlib.h | 4 +-
tools/include/nolibc/types.h | 2 +-
tools/lib/bpf/bpf_core_read.h | 6 +
tools/lib/bpf/libbpf.c | 5 +-
tools/lib/bpf/linker.c | 4 +-
tools/lib/bpf/nlattr.c | 15 +-
tools/perf/Makefile.config | 2 +
tools/perf/builtin-record.c | 2 +-
tools/perf/builtin-trace.c | 5 +-
tools/perf/scripts/python/exported-sql-viewer.py | 5 +-
tools/perf/tests/switch-tracking.c | 2 +-
tools/perf/ui/browsers/hists.c | 2 +-
tools/perf/util/intel-pt.c | 205 +++++++++++++++++-
tools/testing/selftests/bpf/prog_tests/bpf_nf.c | 6 +
tools/testing/selftests/seccomp/seccomp_bpf.c | 7 +-
347 files changed, 3285 insertions(+), 1551 deletions(-)
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 001/356] tracing: Fix compilation warning on arm32
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
@ 2025-06-17 15:21 ` Greg Kroah-Hartman
2025-06-17 15:21 ` [PATCH 6.6 002/356] pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 Greg Kroah-Hartman
` (363 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeongjun Park, Pan Taixi,
Steven Rostedt (Google)
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pan Taixi <pantaixi@huaweicloud.com>
commit 2fbdb6d8e03b70668c0876e635506540ae92ab05 upstream.
On arm32, size_t is defined to be unsigned int, while PAGE_SIZE is
unsigned long. This hence triggers a compilation warning as min()
asserts the type of two operands to be equal. Casting PAGE_SIZE to size_t
solves this issue and works on other target architectures as well.
Compilation warning details:
kernel/trace/trace.c: In function 'tracing_splice_read_pipe':
./include/linux/minmax.h:20:28: warning: comparison of distinct pointer types lacks a cast
(!!(sizeof((typeof(x) *)1 == (typeof(y) *)1)))
^
./include/linux/minmax.h:26:4: note: in expansion of macro '__typecheck'
(__typecheck(x, y) && __no_side_effects(x, y))
^~~~~~~~~~~
...
kernel/trace/trace.c:6771:8: note: in expansion of macro 'min'
min((size_t)trace_seq_used(&iter->seq),
^~~
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/20250526013731.1198030-1-pantaixi@huaweicloud.com
Fixes: f5178c41bb43 ("tracing: Fix oob write in trace_seq_to_buffer()")
Reviewed-by: Jeongjun Park <aha310510@gmail.com>
Signed-off-by: Pan Taixi <pantaixi@huaweicloud.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -7023,7 +7023,7 @@ static ssize_t tracing_splice_read_pipe(
ret = trace_seq_to_buffer(&iter->seq,
page_address(spd.pages[i]),
min((size_t)trace_seq_used(&iter->seq),
- PAGE_SIZE));
+ (size_t)PAGE_SIZE));
if (ret < 0) {
__free_page(spd.pages[i]);
break;
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 002/356] pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
2025-06-17 15:21 ` [PATCH 6.6 001/356] tracing: Fix compilation warning on arm32 Greg Kroah-Hartman
@ 2025-06-17 15:21 ` Greg Kroah-Hartman
2025-06-17 15:21 ` [PATCH 6.6 003/356] pinctrl: armada-37xx: set GPIO output value before setting direction Greg Kroah-Hartman
` (362 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Imre Kaloz, Andrew Lunn, Gabor Juhos,
Linus Walleij
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
commit 947c93eb29c2a581c0b0b6d5f21af3c2b7ff6d25 upstream.
The controller has two consecutive OUTPUT_VAL registers and both
holds output value for 32 GPIOs. Due to a missing adjustment, the
current code always uses the first register while setting the
output value whereas it should use the second one for GPIOs > 31.
Add the missing armada_37xx_update_reg() call to adjust the register
according to the 'offset' parameter of the function to fix the issue.
Cc: stable@vger.kernel.org
Fixes: 6702abb3bf23 ("pinctrl: armada-37xx: Fix direction_output() callback behavior")
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Link: https://lore.kernel.org/20250514-pinctrl-a37xx-fixes-v2-1-07e9ac1ab737@gmail.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
+++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
@@ -417,6 +417,7 @@ static int armada_37xx_gpio_direction_ou
unsigned int offset, int value)
{
struct armada_37xx_pinctrl *info = gpiochip_get_data(chip);
+ unsigned int val_offset = offset;
unsigned int reg = OUTPUT_EN;
unsigned int mask, val, ret;
@@ -429,6 +430,8 @@ static int armada_37xx_gpio_direction_ou
return ret;
reg = OUTPUT_VAL;
+ armada_37xx_update_reg(®, &val_offset);
+
val = value ? mask : 0;
regmap_update_bits(info->regmap, reg, mask, val);
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 003/356] pinctrl: armada-37xx: set GPIO output value before setting direction
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
2025-06-17 15:21 ` [PATCH 6.6 001/356] tracing: Fix compilation warning on arm32 Greg Kroah-Hartman
2025-06-17 15:21 ` [PATCH 6.6 002/356] pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 Greg Kroah-Hartman
@ 2025-06-17 15:21 ` Greg Kroah-Hartman
2025-06-17 15:21 ` [PATCH 6.6 004/356] acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() Greg Kroah-Hartman
` (361 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Imre Kaloz, Andrew Lunn, Gabor Juhos,
Linus Walleij
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
commit e6ebd4942981f8ad37189bbb36a3c8495e21ef4c upstream.
Changing the direction before updating the output value in the
OUTPUT_VAL register may result in a glitch on the output line
if the previous value in the OUTPUT_VAL register is different
from the one we want to set.
In order to avoid that, update the output value before changing
the direction.
Cc: stable@vger.kernel.org
Fixes: 6702abb3bf23 ("pinctrl: armada-37xx: Fix direction_output() callback behavior")
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Link: https://lore.kernel.org/20250514-pinctrl-a37xx-fixes-v2-2-07e9ac1ab737@gmail.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
+++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
@@ -417,23 +417,22 @@ static int armada_37xx_gpio_direction_ou
unsigned int offset, int value)
{
struct armada_37xx_pinctrl *info = gpiochip_get_data(chip);
- unsigned int val_offset = offset;
- unsigned int reg = OUTPUT_EN;
+ unsigned int en_offset = offset;
+ unsigned int reg = OUTPUT_VAL;
unsigned int mask, val, ret;
armada_37xx_update_reg(®, &offset);
mask = BIT(offset);
+ val = value ? mask : 0;
- ret = regmap_update_bits(info->regmap, reg, mask, mask);
-
+ ret = regmap_update_bits(info->regmap, reg, mask, val);
if (ret)
return ret;
- reg = OUTPUT_VAL;
- armada_37xx_update_reg(®, &val_offset);
+ reg = OUTPUT_EN;
+ armada_37xx_update_reg(®, &en_offset);
- val = value ? mask : 0;
- regmap_update_bits(info->regmap, reg, mask, val);
+ regmap_update_bits(info->regmap, reg, mask, mask);
return 0;
}
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 004/356] acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2025-06-17 15:21 ` [PATCH 6.6 003/356] pinctrl: armada-37xx: set GPIO output value before setting direction Greg Kroah-Hartman
@ 2025-06-17 15:21 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 005/356] rtc: Make rtc_time64_to_tm() support dates before 1970 Greg Kroah-Hartman
` (360 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manu Bretelle, Gautham R. Shenoy,
Rafael J. Wysocki
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gautham R. Shenoy <gautham.shenoy@amd.com>
commit cb6a85f38f456b086c366e346ebb67ffa70c7243 upstream.
commit 083466754596 ("cpufreq: ACPI: Fix max-frequency computation")
modified get_max_boost_ratio() to return the nominal_freq advertised
in the _CPC object. This was for the purposes of computing the maximum
frequency. The frequencies advertised in _CPC objects are in
MHz. However, cpufreq expects the frequency to be in KHz. Since the
nominal_freq returned by get_max_boost_ratio() was not in KHz but
instead in MHz,the cpuinfo_max_frequency that was computed using this
nominal_freq was incorrect and an invalid value which resulted in
cpufreq reporting the P0 frequency as the cpuinfo_max_freq.
Fix this by converting the nominal_freq to KHz before returning the
same from get_max_boost_ratio().
Reported-by: Manu Bretelle <chantr4@gmail.com>
Closes: https://lore.kernel.org/lkml/aDaB63tDvbdcV0cg@HQ-GR2X1W2P57/
Fixes: 083466754596 ("cpufreq: ACPI: Fix max-frequency computation")
Signed-off-by: Gautham R. Shenoy <gautham.shenoy@amd.com>
Cc: 6.14+ <stable@vger.kernel.org> # 6.14+
Link: https://patch.msgid.link/20250529085143.709-1-gautham.shenoy@amd.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/acpi-cpufreq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/cpufreq/acpi-cpufreq.c
+++ b/drivers/cpufreq/acpi-cpufreq.c
@@ -659,7 +659,7 @@ static u64 get_max_boost_ratio(unsigned
nominal_perf = perf_caps.nominal_perf;
if (nominal_freq)
- *nominal_freq = perf_caps.nominal_freq;
+ *nominal_freq = perf_caps.nominal_freq * 1000;
if (!highest_perf || !nominal_perf) {
pr_debug("CPU%d: highest or nominal performance missing\n", cpu);
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 005/356] rtc: Make rtc_time64_to_tm() support dates before 1970
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2025-06-17 15:21 ` [PATCH 6.6 004/356] acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 006/356] rtc: Fix offset calculation for .start_secs < 0 Greg Kroah-Hartman
` (359 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandre Mergnat,
Uwe Kleine-König, Alexandre Belloni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Mergnat <amergnat@baylibre.com>
commit 7df4cfef8b351fec3156160bedfc7d6d29de4cce upstream.
Conversion of dates before 1970 is still relevant today because these
dates are reused on some hardwares to store dates bigger than the
maximal date that is representable in the device's native format.
This prominently and very soon affects the hardware covered by the
rtc-mt6397 driver that can only natively store dates in the interval
1900-01-01 up to 2027-12-31. So to store the date 2028-01-01 00:00:00
to such a device, rtc_time64_to_tm() must do the right thing for
time=-2208988800.
Signed-off-by: Alexandre Mergnat <amergnat@baylibre.com>
Reviewed-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://lore.kernel.org/r/20250428-enable-rtc-v4-1-2b2f7e3f9349@baylibre.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/rtc/lib.c | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)
--- a/drivers/rtc/lib.c
+++ b/drivers/rtc/lib.c
@@ -46,24 +46,38 @@ EXPORT_SYMBOL(rtc_year_days);
* rtc_time64_to_tm - converts time64_t to rtc_time.
*
* @time: The number of seconds since 01-01-1970 00:00:00.
- * (Must be positive.)
+ * Works for values since at least 1900
* @tm: Pointer to the struct rtc_time.
*/
void rtc_time64_to_tm(time64_t time, struct rtc_time *tm)
{
- unsigned int secs;
- int days;
+ int days, secs;
u64 u64tmp;
u32 u32tmp, udays, century, day_of_century, year_of_century, year,
day_of_year, month, day;
bool is_Jan_or_Feb, is_leap_year;
- /* time must be positive */
+ /*
+ * Get days and seconds while preserving the sign to
+ * handle negative time values (dates before 1970-01-01)
+ */
days = div_s64_rem(time, 86400, &secs);
+ /*
+ * We need 0 <= secs < 86400 which isn't given for negative
+ * values of time. Fixup accordingly.
+ */
+ if (secs < 0) {
+ days -= 1;
+ secs += 86400;
+ }
+
/* day of the week, 1970-01-01 was a Thursday */
tm->tm_wday = (days + 4) % 7;
+ /* Ensure tm_wday is always positive */
+ if (tm->tm_wday < 0)
+ tm->tm_wday += 7;
/*
* The following algorithm is, basically, Proposition 6.3 of Neri
@@ -93,7 +107,7 @@ void rtc_time64_to_tm(time64_t time, str
* thus, is slightly different from [1].
*/
- udays = ((u32) days) + 719468;
+ udays = days + 719468;
u32tmp = 4 * udays + 3;
century = u32tmp / 146097;
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 006/356] rtc: Fix offset calculation for .start_secs < 0
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 005/356] rtc: Make rtc_time64_to_tm() support dates before 1970 Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 007/356] usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE Greg Kroah-Hartman
` (358 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandre Mergnat,
Uwe Kleine-König, Alexandre Belloni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Mergnat <amergnat@baylibre.com>
commit fe9f5f96cfe8b82d0f24cbfa93718925560f4f8d upstream.
The comparison
rtc->start_secs > rtc->range_max
has a signed left-hand side and an unsigned right-hand side.
So the comparison might become true for negative start_secs which is
interpreted as a (possibly very large) positive value.
As a negative value can never be bigger than an unsigned value
the correct representation of the (mathematical) comparison
rtc->start_secs > rtc->range_max
in C is:
rtc->start_secs >= 0 && rtc->start_secs > rtc->range_max
Use that to fix the offset calculation currently used in the
rtc-mt6397 driver.
Fixes: 989515647e783 ("rtc: Add one offset seconds to expand RTC range")
Signed-off-by: Alexandre Mergnat <amergnat@baylibre.com>
Reviewed-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://lore.kernel.org/r/20250428-enable-rtc-v4-2-2b2f7e3f9349@baylibre.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/rtc/class.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/rtc/class.c
+++ b/drivers/rtc/class.c
@@ -323,7 +323,7 @@ static void rtc_device_get_offset(struct
*
* Otherwise the offset seconds should be 0.
*/
- if (rtc->start_secs > rtc->range_max ||
+ if ((rtc->start_secs >= 0 && rtc->start_secs > rtc->range_max) ||
rtc->start_secs + range_secs - 1 < rtc->range_min)
rtc->offset_secs = rtc->start_secs - rtc->range_min;
else if (rtc->start_secs > rtc->range_min)
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 007/356] usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 006/356] rtc: Fix offset calculation for .start_secs < 0 Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 008/356] usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device Greg Kroah-Hartman
` (357 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiayi Li, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayi Li <lijiayi@kylinos.cn>
commit 19f795591947596b5b9efa86fd4b9058e45786e9 upstream.
This device exhibits I/O errors during file transfers due to unstable
link power management (LPM) behavior. The kernel logs show repeated
warm resets and eventual disconnection when LPM is enabled:
[ 3467.810740] hub 2-0:1.0: state 7 ports 6 chg 0000 evt 0020
[ 3467.810740] usb usb2-port5: do warm reset
[ 3467.866444] usb usb2-port5: not warm reset yet, waiting 50ms
[ 3467.907407] sd 0:0:0:0: [sda] tag#12 sense submit err -19
[ 3467.994423] usb usb2-port5: status 02c0, change 0001, 10.0 Gb/s
[ 3467.994453] usb 2-5: USB disconnect, device number 4
The error -19 (ENODEV) occurs when the device disappears during write
operations. Adding USB_QUIRK_NO_LPM disables link power management
for this specific device, resolving the stability issues.
Signed-off-by: Jiayi Li <lijiayi@kylinos.cn>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20250508055947.764538-1-lijiayi@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -372,6 +372,9 @@ static const struct usb_device_id usb_qu
/* SanDisk Corp. SanDisk 3.2Gen1 */
{ USB_DEVICE(0x0781, 0x55a3), .driver_info = USB_QUIRK_DELAY_INIT },
+ /* SanDisk Extreme 55AE */
+ { USB_DEVICE(0x0781, 0x55ae), .driver_info = USB_QUIRK_NO_LPM },
+
/* Realforce 87U Keyboard */
{ USB_DEVICE(0x0853, 0x011b), .driver_info = USB_QUIRK_NO_LPM },
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 008/356] usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 007/356] usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 009/356] USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB Greg Kroah-Hartman
` (356 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hongyu Xie, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hongyu Xie <xiehongyu1@kylinos.cn>
commit a541acceedf4f639f928f41fbb676b75946dc295 upstream.
SanDisk 3.2 Gen2 storage device(0781:55e8) doesn't work well with UAS.
Log says,
[ 6.507865][ 3] [ T159] usb 2-1.4: new SuperSpeed Gen 1 USB device number 4 using xhci_hcd
[ 6.540314][ 3] [ T159] usb 2-1.4: New USB device found, idVendor=0781, idProduct=55e8, bcdDevice= 0.01
[ 6.576304][ 3] [ T159] usb 2-1.4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 6.584727][ 3] [ T159] usb 2-1.4: Product: SanDisk 3.2 Gen2
[ 6.590459][ 3] [ T159] usb 2-1.4: Manufacturer: SanDisk
[ 6.595845][ 3] [ T159] usb 2-1.4: SerialNumber: 03021707022525140940
[ 7.230852][ 0] [ T265] usbcore: registered new interface driver usb-storage
[ 7.251247][ 0] [ T265] scsi host3: uas
[ 7.255280][ 0] [ T265] usbcore: registered new interface driver uas
[ 7.270498][ 1] [ T192] scsi 3:0:0:0: Direct-Access SanDisk Extreme Pro DDE1 0110 PQ: 0 ANSI: 6
[ 7.299588][ 3] [ T192] scsi 3:0:0:1: Enclosure SanDisk SES Device 0110 PQ: 0 ANSI: 6
[ 7.321681][ 3] [ T192] sd 3:0:0:0: Attached scsi generic sg1 type 0
[ 7.328185][ 3] [ T192] scsi 3:0:0:1: Attached scsi generic sg2 type 13
[ 7.328804][ 0] [ T191] sd 3:0:0:0: [sda] 976773168 512-byte logical blocks: (500 GB/466 GiB)
[ 7.343486][ 0] [ T191] sd 3:0:0:0: [sda] 4096-byte physical blocks
[ 7.364611][ 0] [ T191] sd 3:0:0:0: [sda] Write Protect is off
[ 7.370524][ 0] [ T191] sd 3:0:0:0: [sda] Mode Sense: 3d 00 10 00
[ 7.390655][ 0] [ T191] sd 3:0:0:0: [sda] Write cache: enabled, read cache: enabled, supports DPO and FUA
[ 7.401363][ 0] [ T191] sd 3:0:0:0: [sda] Optimal transfer size 1048576 bytes
[ 7.436010][ 0] [ T191] sda: sda1
[ 7.450850][ 0] [ T191] sd 3:0:0:0: [sda] Attached SCSI disk
[ 7.470218][ 4] [ T262] scsi 3:0:0:1: Failed to get diagnostic page 0x1
[ 7.474869][ 0] [ C0] sd 3:0:0:0: [sda] tag#0 data cmplt err -75 uas-tag 2 inflight: CMD
[ 7.476911][ 4] [ T262] scsi 3:0:0:1: Failed to bind enclosure -19
[ 7.485330][ 0] [ C0] sd 3:0:0:0: [sda] tag#0 CDB: Read(10) 28 00 00 00 00 28 00 00 10 00
[ 7.491593][ 4] [ T262] ses 3:0:0:1: Attached Enclosure device
[ 38.066980][ 4] [ T192] sd 3:0:0:0: [sda] tag#4 uas_eh_abort_handler 0 uas-tag 5 inflight: CMD IN
[ 38.076012][ 4] [ T192] sd 3:0:0:0: [sda] tag#4 CDB: Read(10) 28 00 00 00 01 08 00 00 f8 00
[ 38.086485][ 4] [ T192] sd 3:0:0:0: [sda] tag#3 uas_eh_abort_handler 0 uas-tag 1 inflight: CMD IN
[ 38.095515][ 4] [ T192] sd 3:0:0:0: [sda] tag#3 CDB: Read(10) 28 00 00 00 00 10 00 00 08 00
[ 38.104122][ 4] [ T192] sd 3:0:0:0: [sda] tag#2 uas_eh_abort_handler 0 uas-tag 4 inflight: CMD IN
[ 38.113152][ 4] [ T192] sd 3:0:0:0: [sda] tag#2 CDB: Read(10) 28 00 00 00 00 88 00 00 78 00
[ 38.121761][ 4] [ T192] sd 3:0:0:0: [sda] tag#1 uas_eh_abort_handler 0 uas-tag 3 inflight: CMD IN
[ 38.130791][ 4] [ T192] sd 3:0:0:0: [sda] tag#1 CDB: Read(10) 28 00 00 00 00 48 00 00 30 00
[ 38.139401][ 4] [ T192] sd 3:0:0:0: [sda] tag#0 uas_eh_abort_handler 0 uas-tag 2 inflight: CMD
[ 38.148170][ 4] [ T192] sd 3:0:0:0: [sda] tag#0 CDB: Read(10) 28 00 00 00 00 28 00 00 10 00
[ 38.178980][ 2] [ T304] scsi host3: uas_eh_device_reset_handler start
[ 38.901540][ 2] [ T304] usb 2-1.4: reset SuperSpeed Gen 1 USB device number 4 using xhci_hcd
[ 38.936791][ 2] [ T304] scsi host3: uas_eh_device_reset_handler success
Device decriptor is below,
Bus 002 Device 006: ID 0781:55e8 SanDisk Corp. SanDisk 3.2 Gen2
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 3.20
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 9
idVendor 0x0781 SanDisk Corp.
idProduct 0x55e8
bcdDevice 0.01
iManufacturer 1 SanDisk
iProduct 2 SanDisk 3.2 Gen2
iSerial 3 03021707022525140940
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x0079
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 896mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 8 Mass Storage
bInterfaceSubClass 6 SCSI
bInterfaceProtocol 80 Bulk-Only
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 15
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 15
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 1
bNumEndpoints 4
bInterfaceClass 8 Mass Storage
bInterfaceSubClass 6 SCSI
bInterfaceProtocol 98
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 0
Command pipe (0x01)
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x84 EP 4 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 15
MaxStreams 32
Status pipe (0x02)
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 15
MaxStreams 32
Data-in pipe (0x03)
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x03 EP 3 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 15
MaxStreams 32
Data-out pipe (0x04)
Binary Object Store Descriptor:
bLength 5
bDescriptorType 15
wTotalLength 0x002a
bNumDeviceCaps 3
USB 2.0 Extension Device Capability:
bLength 7
bDescriptorType 16
bDevCapabilityType 2
bmAttributes 0x0000f41e
BESL Link Power Management (LPM) Supported
BESL value 1024 us
Deep BESL value 61440 us
SuperSpeed USB Device Capability:
bLength 10
bDescriptorType 16
bDevCapabilityType 3
bmAttributes 0x00
wSpeedsSupported 0x000e
Device can operate at Full Speed (12Mbps)
Device can operate at High Speed (480Mbps)
Device can operate at SuperSpeed (5Gbps)
bFunctionalitySupport 1
Lowest fully-functional device speed is Full Speed (12Mbps)
bU1DevExitLat 10 micro seconds
bU2DevExitLat 2047 micro seconds
SuperSpeedPlus USB Device Capability:
bLength 20
bDescriptorType 16
bDevCapabilityType 10
bmAttributes 0x00000001
Sublink Speed Attribute count 1
Sublink Speed ID count 0
wFunctionalitySupport 0x1100
bmSublinkSpeedAttr[0] 0x000a4030
Speed Attribute ID: 0 10Gb/s Symmetric RX SuperSpeedPlus
bmSublinkSpeedAttr[1] 0x000a40b0
Speed Attribute ID: 0 10Gb/s Symmetric TX SuperSpeedPlus
Device Status: 0x0000
(Bus Powered)
So ignore UAS driver for this device.
Signed-off-by: Hongyu Xie <xiehongyu1@kylinos.cn>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20250519023328.1498856-1-xiehongyu1@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/unusual_uas.h | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/usb/storage/unusual_uas.h
+++ b/drivers/usb/storage/unusual_uas.h
@@ -52,6 +52,13 @@ UNUSUAL_DEV(0x059f, 0x1061, 0x0000, 0x99
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_NO_REPORT_OPCODES | US_FL_NO_SAME),
+/* Reported-by: Zhihong Zhou <zhouzhihong@greatwall.com.cn> */
+UNUSUAL_DEV(0x0781, 0x55e8, 0x0000, 0x9999,
+ "SanDisk",
+ "",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_IGNORE_UAS),
+
/* Reported-by: Hongling Zeng <zenghongling@kylinos.cn> */
UNUSUAL_DEV(0x090c, 0x2000, 0x0000, 0x9999,
"Hiksemi",
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 009/356] USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 008/356] usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 010/356] usb: typec: ucsi: fix Clang -Wsign-conversion warning Greg Kroah-Hartman
` (355 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Charles Yeh, Johan Hovold
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charles Yeh <charlesyeh522@gmail.com>
commit d3a889482bd5abf2bbdc1ec3d2d49575aa160c9c upstream.
Add new bcd (0x905) to support PL2303GT-2AB (TYPE_HXN).
Add new bcd (0x1005) to support PL2303GC-Q20 (TYPE_HXN).
Signed-off-by: Charles Yeh <charlesyeh522@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/pl2303.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/serial/pl2303.c
+++ b/drivers/usb/serial/pl2303.c
@@ -457,6 +457,8 @@ static int pl2303_detect_type(struct usb
case 0x605:
case 0x700: /* GR */
case 0x705:
+ case 0x905: /* GT-2AB */
+ case 0x1005: /* GC-Q20 */
return TYPE_HXN;
}
break;
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 010/356] usb: typec: ucsi: fix Clang -Wsign-conversion warning
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 009/356] USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 011/356] Bluetooth: hci_qca: move the SoC type check to the right place Greg Kroah-Hartman
` (354 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qasim Ijaz, Heikki Krogerus
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qasim Ijaz <qasdev00@gmail.com>
commit f4239ace2dd8606f6824757f192965a95746da05 upstream.
debugfs.c emits the following warnings when compiling with the -Wsign-conversion flag with clang 15:
drivers/usb/typec/ucsi/debugfs.c:58:27: warning: implicit conversion changes signedness: 'int' to 'u32' (aka 'unsigned int') [-Wsign-conversion]
ucsi->debugfs->status = ret;
~ ^~~
drivers/usb/typec/ucsi/debugfs.c:71:25: warning: implicit conversion changes signedness: 'u32' (aka 'unsigned int') to 'int' [-Wsign-conversion]
return ucsi->debugfs->status;
~~~~~~ ~~~~~~~~~~~~~~~^~~~~~
During ucsi_cmd() we see:
if (ret < 0) {
ucsi->debugfs->status = ret;
return ret;
}
But "status" is u32 meaning unsigned wrap-around occurs when assigning a value which is < 0 to it, this obscures the real status.
To fix this make the "status" of type int since ret is also of type int.
Fixes: df0383ffad64 ("usb: typec: ucsi: Add debugfs for ucsi commands")
Cc: stable@vger.kernel.org
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20250422134717.66218-1-qasdev00@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/ucsi/ucsi.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/typec/ucsi/ucsi.h
+++ b/drivers/usb/typec/ucsi/ucsi.h
@@ -302,7 +302,7 @@ struct ucsi_debugfs_entry {
u64 low;
u64 high;
} response;
- u32 status;
+ int status;
struct dentry *dentry;
};
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 011/356] Bluetooth: hci_qca: move the SoC type check to the right place
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 010/356] usb: typec: ucsi: fix Clang -Wsign-conversion warning Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 012/356] serial: jsm: fix NPE during jsm_uart_port_init Greg Kroah-Hartman
` (353 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski,
Krzysztof Kozlowski, Hsin-chen Chuang, Luiz Augusto von Dentz
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
commit 0fb410c914eb03c7e9d821e26d03bac0a239e5db upstream.
Commit 3d05fc82237a ("Bluetooth: qca: set power_ctrl_enabled on NULL
returned by gpiod_get_optional()") accidentally changed the prevous
behavior where power control would be disabled without the BT_EN GPIO
only on QCA_WCN6750 and QCA_WCN6855 while also getting the error check
wrong. We should treat every IS_ERR() return value from
devm_gpiod_get_optional() as a reason to bail-out while we should only
set power_ctrl_enabled to false on the two models mentioned above. While
at it: use dev_err_probe() to save a LOC.
Cc: stable@vger.kernel.org
Fixes: 3d05fc82237a ("Bluetooth: qca: set power_ctrl_enabled on NULL returned by gpiod_get_optional()")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Tested-by: Hsin-chen Chuang <chharry@chromium.org>
Reviewed-by: Hsin-chen Chuang <chharry@chromium.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/hci_qca.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -2307,14 +2307,14 @@ static int qca_serdev_probe(struct serde
qcadev->bt_en = devm_gpiod_get_optional(&serdev->dev, "enable",
GPIOD_OUT_LOW);
- if (IS_ERR(qcadev->bt_en) &&
- (data->soc_type == QCA_WCN6750 ||
- data->soc_type == QCA_WCN6855)) {
- dev_err(&serdev->dev, "failed to acquire BT_EN gpio\n");
- return PTR_ERR(qcadev->bt_en);
- }
+ if (IS_ERR(qcadev->bt_en))
+ return dev_err_probe(&serdev->dev,
+ PTR_ERR(qcadev->bt_en),
+ "failed to acquire BT_EN gpio\n");
- if (!qcadev->bt_en)
+ if (!qcadev->bt_en &&
+ (data->soc_type == QCA_WCN6750 ||
+ data->soc_type == QCA_WCN6855))
power_ctrl_enabled = false;
qcadev->sw_ctrl = devm_gpiod_get_optional(&serdev->dev, "swctrl",
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 012/356] serial: jsm: fix NPE during jsm_uart_port_init
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 011/356] Bluetooth: hci_qca: move the SoC type check to the right place Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 013/356] usb: usbtmc: Fix timeout value in get_stb Greg Kroah-Hartman
` (352 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Dustin Lundquist
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dustin Lundquist <dustin@null-ptr.net>
commit e3975aa899c0a3bbc10d035e699b142cd1373a71 upstream.
No device was set which caused serial_base_ctrl_add to crash.
BUG: kernel NULL pointer dereference, address: 0000000000000050
Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 16 UID: 0 PID: 368 Comm: (udev-worker) Not tainted 6.12.25-amd64 #1 Debian 6.12.25-1
RIP: 0010:serial_base_ctrl_add+0x96/0x120
Call Trace:
<TASK>
serial_core_register_port+0x1a0/0x580
? __setup_irq+0x39c/0x660
? __kmalloc_cache_noprof+0x111/0x310
jsm_uart_port_init+0xe8/0x180 [jsm]
jsm_probe_one+0x1f4/0x410 [jsm]
local_pci_probe+0x42/0x90
pci_device_probe+0x22f/0x270
really_probe+0xdb/0x340
? pm_runtime_barrier+0x54/0x90
? __pfx___driver_attach+0x10/0x10
__driver_probe_device+0x78/0x110
driver_probe_device+0x1f/0xa0
__driver_attach+0xba/0x1c0
bus_for_each_dev+0x8c/0xe0
bus_add_driver+0x112/0x1f0
driver_register+0x72/0xd0
jsm_init_module+0x36/0xff0 [jsm]
? __pfx_jsm_init_module+0x10/0x10 [jsm]
do_one_initcall+0x58/0x310
do_init_module+0x60/0x230
Tested with Digi Neo PCIe 8 port card.
Fixes: 84a9582fd203 ("serial: core: Start managing serial controllers to enable runtime PM")
Cc: stable <stable@kernel.org>
Signed-off-by: Dustin Lundquist <dustin@null-ptr.net>
Link: https://lore.kernel.org/r/3f31d4f75863614655c4673027a208be78d022ec.camel@null-ptr.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/jsm/jsm_tty.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/tty/serial/jsm/jsm_tty.c
+++ b/drivers/tty/serial/jsm/jsm_tty.c
@@ -451,6 +451,7 @@ int jsm_uart_port_init(struct jsm_board
if (!brd->channels[i])
continue;
+ brd->channels[i]->uart_port.dev = &brd->pci_dev->dev;
brd->channels[i]->uart_port.irq = brd->irq;
brd->channels[i]->uart_port.uartclk = 14745600;
brd->channels[i]->uart_port.type = PORT_JSM;
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 013/356] usb: usbtmc: Fix timeout value in get_stb
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 012/356] serial: jsm: fix NPE during jsm_uart_port_init Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 014/356] thunderbolt: Do not double dequeue a configuration request Greg Kroah-Hartman
` (351 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dave Penkler
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Penkler <dpenkler@gmail.com>
commit 342e4955a1f1ce28c70a589999b76365082dbf10 upstream.
wait_event_interruptible_timeout requires a timeout argument
in units of jiffies. It was being called in usbtmc_get_stb
with the usb timeout value which is in units of milliseconds.
Pass the timeout argument converted to jiffies.
Fixes: 048c6d88a021 ("usb: usbtmc: Add ioctls to set/get usb timeout")
Cc: stable@vger.kernel.org
Signed-off-by: Dave Penkler <dpenkler@gmail.com>
Link: https://lore.kernel.org/r/20250521121656.18174-4-dpenkler@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/usbtmc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -483,6 +483,7 @@ static int usbtmc_get_stb(struct usbtmc_
u8 tag;
int rv;
long wait_rv;
+ unsigned long expire;
dev_dbg(dev, "Enter ioctl_read_stb iin_ep_present: %d\n",
data->iin_ep_present);
@@ -512,10 +513,11 @@ static int usbtmc_get_stb(struct usbtmc_
}
if (data->iin_ep_present) {
+ expire = msecs_to_jiffies(file_data->timeout);
wait_rv = wait_event_interruptible_timeout(
data->waitq,
atomic_read(&data->iin_data_valid) != 0,
- file_data->timeout);
+ expire);
if (wait_rv < 0) {
dev_dbg(dev, "wait interrupted %ld\n", wait_rv);
rv = wait_rv;
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 014/356] thunderbolt: Do not double dequeue a configuration request
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 013/356] usb: usbtmc: Fix timeout value in get_stb Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 015/356] dt-bindings: usb: cypress,hx3: Add support for all variants Greg Kroah-Hartman
` (350 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sergey Senozhatsky, Mika Westerberg
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergey Senozhatsky <senozhatsky@chromium.org>
commit 0f73628e9da1ee39daf5f188190cdbaee5e0c98c upstream.
Some of our devices crash in tb_cfg_request_dequeue():
general protection fault, probably for non-canonical address 0xdead000000000122
CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65
RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0
Call Trace:
<TASK>
? tb_cfg_request_dequeue+0x2d/0xa0
tb_cfg_request_work+0x33/0x80
worker_thread+0x386/0x8f0
kthread+0xed/0x110
ret_from_fork+0x38/0x50
ret_from_fork_asm+0x1b/0x30
The circumstances are unclear, however, the theory is that
tb_cfg_request_work() can be scheduled twice for a request:
first time via frame.callback from ring_work() and second
time from tb_cfg_request(). Both times kworkers will execute
tb_cfg_request_dequeue(), which results in double list_del()
from the ctl->request_queue (the list poison deference hints
at it: 0xdead000000000122).
Do not dequeue requests that don't have TB_CFG_REQUEST_ACTIVE
bit set.
Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thunderbolt/ctl.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/thunderbolt/ctl.c
+++ b/drivers/thunderbolt/ctl.c
@@ -143,6 +143,11 @@ static void tb_cfg_request_dequeue(struc
struct tb_ctl *ctl = req->ctl;
mutex_lock(&ctl->request_queue_lock);
+ if (!test_bit(TB_CFG_REQUEST_ACTIVE, &req->flags)) {
+ mutex_unlock(&ctl->request_queue_lock);
+ return;
+ }
+
list_del(&req->list);
clear_bit(TB_CFG_REQUEST_ACTIVE, &req->flags);
if (test_bit(TB_CFG_REQUEST_CANCELED, &req->flags))
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 015/356] dt-bindings: usb: cypress,hx3: Add support for all variants
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 014/356] thunderbolt: Do not double dequeue a configuration request Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 016/356] dt-bindings: phy: imx8mq-usb: fix fsl,phy-tx-vboost-level-microvolt property Greg Kroah-Hartman
` (349 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lukasz Czechowski, Rob Herring (Arm),
Heiko Stuebner
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukasz Czechowski <lukasz.czechowski@thaumatec.com>
commit 1ad4b5a7de16806afc1aeaf012337e62af04e001 upstream.
The Cypress HX3 hubs use different default PID value depending
on the variant. Update compatibles list.
Becasuse all hub variants use the same driver data, allow the
dt node to have two compatibles: leftmost which matches the HW
exactly, and the second one as fallback.
Fixes: 1eca51f58a10 ("dt-bindings: usb: Add binding for Cypress HX3 USB 3.0 family")
Cc: stable@vger.kernel.org # 6.6
Cc: stable@vger.kernel.org # Backport of the patch ("dt-bindings: usb: usb-device: relax compatible pattern to a contains") from list: https://lore.kernel.org/linux-usb/20250418-dt-binding-usb-device-compatibles-v2-1-b3029f14e800@cherry.de/
Cc: stable@vger.kernel.org # Backport of the patch in this series fixing product ID in onboard_dev_id_table in drivers/usb/misc/onboard_usb_dev.c driver
Signed-off-by: Lukasz Czechowski <lukasz.czechowski@thaumatec.com>
Reviewed-by: "Rob Herring (Arm)" <robh@kernel.org>
Link: https://lore.kernel.org/r/20250425-onboard_usb_dev-v2-2-4a76a474a010@thaumatec.com
[taken with Greg's blessing]
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
.../devicetree/bindings/usb/cypress,hx3.yaml | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/Documentation/devicetree/bindings/usb/cypress,hx3.yaml b/Documentation/devicetree/bindings/usb/cypress,hx3.yaml
index 1033b7a4b8f9..d6eac1213228 100644
--- a/Documentation/devicetree/bindings/usb/cypress,hx3.yaml
+++ b/Documentation/devicetree/bindings/usb/cypress,hx3.yaml
@@ -14,9 +14,22 @@ allOf:
properties:
compatible:
- enum:
- - usb4b4,6504
- - usb4b4,6506
+ oneOf:
+ - enum:
+ - usb4b4,6504
+ - usb4b4,6506
+ - items:
+ - enum:
+ - usb4b4,6500
+ - usb4b4,6508
+ - const: usb4b4,6504
+ - items:
+ - enum:
+ - usb4b4,6502
+ - usb4b4,6503
+ - usb4b4,6507
+ - usb4b4,650a
+ - const: usb4b4,6506
reg: true
--
2.49.0
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 016/356] dt-bindings: phy: imx8mq-usb: fix fsl,phy-tx-vboost-level-microvolt property
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 015/356] dt-bindings: usb: cypress,hx3: Add support for all variants Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 017/356] Revert "drm/amd/display: more liberal vmin/vmax update for freesync" Greg Kroah-Hartman
` (348 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jun Li, Xu Yang, Krzysztof Kozlowski,
Vinod Koul
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
commit 5b3a91b207c00a8d27f75ce8aaa9860844da72c8 upstream.
The ticket TKT0676370 shows the description of TX_VBOOST_LVL is wrong in
register PHY_CTRL3 bit[31:29].
011: Corresponds to a launch amplitude of 1.12 V.
010: Corresponds to a launch amplitude of 1.04 V.
000: Corresponds to a launch amplitude of 0.88 V.
After updated:
011: Corresponds to a launch amplitude of 0.844 V.
100: Corresponds to a launch amplitude of 1.008 V.
101: Corresponds to a launch amplitude of 1.156 V.
This will correct it accordingly.
Fixes: b2e75563dc39 ("dt-bindings: phy: imx8mq-usb: add phy tuning properties")
Cc: stable@vger.kernel.org
Reviewed-by: Jun Li <jun.li@nxp.com>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20250430094502.2723983-1-xu.yang_2@nxp.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/phy/fsl,imx8mq-usb-phy.yaml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/Documentation/devicetree/bindings/phy/fsl,imx8mq-usb-phy.yaml
+++ b/Documentation/devicetree/bindings/phy/fsl,imx8mq-usb-phy.yaml
@@ -58,8 +58,7 @@ properties:
fsl,phy-tx-vboost-level-microvolt:
description:
Adjust the boosted transmit launch pk-pk differential amplitude
- minimum: 880
- maximum: 1120
+ enum: [844, 1008, 1156]
fsl,phy-comp-dis-tune-percent:
description:
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 017/356] Revert "drm/amd/display: more liberal vmin/vmax update for freesync"
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 016/356] dt-bindings: phy: imx8mq-usb: fix fsl,phy-tx-vboost-level-microvolt property Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 018/356] tools/x86/kcpuid: Fix error handling Greg Kroah-Hartman
` (347 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Aurabindo Pillai, Alex Deucher
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aurabindo Pillai <aurabindo.pillai@amd.com>
commit 1b824eef269db44d068bbc0de74c94a8e8f9ce02 upstream.
This reverts commit cfb2d41831ee5647a4ae0ea7c24971a92d5dfa0d since it
causes regressions on certain configs. Revert until the issue can be
isolated and debugged.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4238
Signed-off-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 16 +++++-----------
1 file changed, 5 insertions(+), 11 deletions(-)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -610,21 +610,15 @@ static void dm_crtc_high_irq(void *inter
spin_lock_irqsave(&adev_to_drm(adev)->event_lock, flags);
if (acrtc->dm_irq_params.stream &&
- acrtc->dm_irq_params.vrr_params.supported) {
- bool replay_en = acrtc->dm_irq_params.stream->link->replay_settings.replay_feature_enabled;
- bool psr_en = acrtc->dm_irq_params.stream->link->psr_settings.psr_feature_enabled;
- bool fs_active_var_en = acrtc->dm_irq_params.freesync_config.state == VRR_STATE_ACTIVE_VARIABLE;
-
+ acrtc->dm_irq_params.vrr_params.supported &&
+ acrtc->dm_irq_params.freesync_config.state ==
+ VRR_STATE_ACTIVE_VARIABLE) {
mod_freesync_handle_v_update(adev->dm.freesync_module,
acrtc->dm_irq_params.stream,
&acrtc->dm_irq_params.vrr_params);
- /* update vmin_vmax only if freesync is enabled, or only if PSR and REPLAY are disabled */
- if (fs_active_var_en || (!fs_active_var_en && !replay_en && !psr_en)) {
- dc_stream_adjust_vmin_vmax(adev->dm.dc,
- acrtc->dm_irq_params.stream,
- &acrtc->dm_irq_params.vrr_params.adjust);
- }
+ dc_stream_adjust_vmin_vmax(adev->dm.dc, acrtc->dm_irq_params.stream,
+ &acrtc->dm_irq_params.vrr_params.adjust);
}
/*
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 018/356] tools/x86/kcpuid: Fix error handling
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 017/356] Revert "drm/amd/display: more liberal vmin/vmax update for freesync" Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 019/356] x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt() Greg Kroah-Hartman
` (346 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Remington Brasga, Ahmed S. Darwish,
Ingo Molnar, H. Peter Anvin, Linus Torvalds, Josh Poimboeuf,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahmed S. Darwish <darwi@linutronix.de>
[ Upstream commit 116edfe173d0c59ec2aa87fb91f2f31d477b61b3 ]
Error handling in kcpuid is unreliable. On malloc() failures, the code
prints an error then just goes on. The error messages are also printed
to standard output instead of standard error.
Use err() and errx() from <err.h> to direct all error messages to
standard error and automatically exit the program. Use err() to include
the errno information, and errx() otherwise. Use warnx() for warnings.
While at it, alphabetically reorder the header includes.
[ mingo: Fix capitalization in the help text while at it. ]
Fixes: c6b2f240bf8d ("tools/x86: Add a kcpuid tool to show raw CPU features")
Reported-by: Remington Brasga <rbrasga@uci.edu>
Signed-off-by: Ahmed S. Darwish <darwi@linutronix.de>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Link: https://lore.kernel.org/r/20250324142042.29010-2-darwi@linutronix.de
Closes: https://lkml.kernel.org/r/20240926223557.2048-1-rbrasga@uci.edu
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/arch/x86/kcpuid/kcpuid.c | 47 +++++++++++++++++-----------------
1 file changed, 23 insertions(+), 24 deletions(-)
diff --git a/tools/arch/x86/kcpuid/kcpuid.c b/tools/arch/x86/kcpuid/kcpuid.c
index b7965dfff33a9..8c2644f3497e6 100644
--- a/tools/arch/x86/kcpuid/kcpuid.c
+++ b/tools/arch/x86/kcpuid/kcpuid.c
@@ -1,11 +1,12 @@
// SPDX-License-Identifier: GPL-2.0
#define _GNU_SOURCE
-#include <stdio.h>
+#include <err.h>
+#include <getopt.h>
#include <stdbool.h>
+#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#include <getopt.h>
#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
#define min(a, b) (((a) < (b)) ? (a) : (b))
@@ -156,14 +157,14 @@ static bool cpuid_store(struct cpuid_range *range, u32 f, int subleaf,
if (!func->leafs) {
func->leafs = malloc(sizeof(struct subleaf));
if (!func->leafs)
- perror("malloc func leaf");
+ err(EXIT_FAILURE, NULL);
func->nr = 1;
} else {
s = func->nr;
func->leafs = realloc(func->leafs, (s + 1) * sizeof(*leaf));
if (!func->leafs)
- perror("realloc f->leafs");
+ err(EXIT_FAILURE, NULL);
func->nr++;
}
@@ -222,7 +223,7 @@ struct cpuid_range *setup_cpuid_range(u32 input_eax)
range = malloc(sizeof(struct cpuid_range));
if (!range)
- perror("malloc range");
+ err(EXIT_FAILURE, NULL);
if (input_eax & 0x80000000)
range->is_ext = true;
@@ -231,7 +232,7 @@ struct cpuid_range *setup_cpuid_range(u32 input_eax)
range->funcs = malloc(sizeof(struct cpuid_func) * idx_func);
if (!range->funcs)
- perror("malloc range->funcs");
+ err(EXIT_FAILURE, NULL);
range->nr = idx_func;
memset(range->funcs, 0, sizeof(struct cpuid_func) * idx_func);
@@ -387,8 +388,8 @@ static int parse_line(char *line)
return 0;
err_exit:
- printf("Warning: wrong line format:\n");
- printf("\tline[%d]: %s\n", flines, line);
+ warnx("Wrong line format:\n"
+ "\tline[%d]: %s", flines, line);
return -1;
}
@@ -410,10 +411,8 @@ static void parse_text(void)
file = fopen("./cpuid.csv", "r");
}
- if (!file) {
- printf("Fail to open '%s'\n", filename);
- return;
- }
+ if (!file)
+ err(EXIT_FAILURE, "%s", filename);
while (1) {
ret = getline(&line, &len, file);
@@ -521,7 +520,7 @@ static inline struct cpuid_func *index_to_func(u32 index)
func_idx = index & 0xffff;
if ((func_idx + 1) > (u32)range->nr) {
- printf("ERR: invalid input index (0x%x)\n", index);
+ warnx("Invalid input index (0x%x)", index);
return NULL;
}
return &range->funcs[func_idx];
@@ -553,7 +552,7 @@ static void show_info(void)
return;
}
- printf("ERR: invalid input subleaf (0x%x)\n", user_sub);
+ warnx("Invalid input subleaf (0x%x)", user_sub);
}
show_func(func);
@@ -584,15 +583,15 @@ static void setup_platform_cpuid(void)
static void usage(void)
{
- printf("kcpuid [-abdfhr] [-l leaf] [-s subleaf]\n"
- "\t-a|--all Show both bit flags and complex bit fields info\n"
- "\t-b|--bitflags Show boolean flags only\n"
- "\t-d|--detail Show details of the flag/fields (default)\n"
- "\t-f|--flags Specify the cpuid csv file\n"
- "\t-h|--help Show usage info\n"
- "\t-l|--leaf=index Specify the leaf you want to check\n"
- "\t-r|--raw Show raw cpuid data\n"
- "\t-s|--subleaf=sub Specify the subleaf you want to check\n"
+ warnx("kcpuid [-abdfhr] [-l leaf] [-s subleaf]\n"
+ "\t-a|--all Show both bit flags and complex bit fields info\n"
+ "\t-b|--bitflags Show boolean flags only\n"
+ "\t-d|--detail Show details of the flag/fields (default)\n"
+ "\t-f|--flags Specify the CPUID CSV file\n"
+ "\t-h|--help Show usage info\n"
+ "\t-l|--leaf=index Specify the leaf you want to check\n"
+ "\t-r|--raw Show raw CPUID data\n"
+ "\t-s|--subleaf=sub Specify the subleaf you want to check"
);
}
@@ -643,7 +642,7 @@ static int parse_options(int argc, char *argv[])
user_sub = strtoul(optarg, NULL, 0);
break;
default:
- printf("%s: Invalid option '%c'\n", argv[0], optopt);
+ warnx("Invalid option '%c'", optopt);
return -1;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 019/356] x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 018/356] tools/x86/kcpuid: Fix error handling Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 020/356] crypto: sun8i-ce-hash - fix error handling in sun8i_ce_hash_run() Greg Kroah-Hartman
` (345 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Cooper, Ingo Molnar,
Dave Hansen, Borislav Petkov (AMD), H. Peter Anvin,
Peter Zijlstra, Rik van Riel, Linus Torvalds, Andy Lutomirski,
Brian Gerst, Juergen Gross, Rafael J. Wysocki, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Cooper <andrew.cooper3@citrix.com>
[ Upstream commit 1f13c60d84e880df6698441026e64f84c7110c49 ]
The following commit, 12 years ago:
7e98b7192046 ("x86, idle: Use static_cpu_has() for CLFLUSH workaround, add barriers")
added barriers around the CLFLUSH in mwait_idle_with_hints(), justified with:
... and add memory barriers around it since the documentation is explicit
that CLFLUSH is only ordered with respect to MFENCE.
This also triggered, 11 years ago, the same adjustment in:
f8e617f45829 ("sched/idle/x86: Optimize unnecessary mwait_idle() resched IPIs")
during development, although it failed to get the static_cpu_has_bug() treatment.
X86_BUG_CLFLUSH_MONITOR (a.k.a the AAI65 errata) is specific to Intel CPUs,
and the SDM currently states:
Executions of the CLFLUSH instruction are ordered with respect to each
other and with respect to writes, locked read-modify-write instructions,
and fence instructions[1].
With footnote 1 reading:
Earlier versions of this manual specified that executions of the CLFLUSH
instruction were ordered only by the MFENCE instruction. All processors
implementing the CLFLUSH instruction also order it relative to the other
operations enumerated above.
i.e. The SDM was incorrect at the time, and barriers should not have been
inserted. Double checking the original AAI65 errata (not available from
intel.com any more) shows no mention of barriers either.
Note: If this were a general codepath, the MFENCEs would be needed, because
AMD CPUs of the same vintage do sport otherwise-unordered CLFLUSHs.
Remove the unnecessary barriers. Furthermore, use a plain alternative(),
rather than static_cpu_has_bug() and/or no optimisation. The workaround
is a single instruction.
Use an explicit %rax pointer rather than a general memory operand, because
MONITOR takes the pointer implicitly in the same way.
[ mingo: Cleaned up the commit a bit. ]
Fixes: 7e98b7192046 ("x86, idle: Use static_cpu_has() for CLFLUSH workaround, add barriers")
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Dave Hansen <dave.hansen@intel.com>
Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@surriel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://lore.kernel.org/r/20250402172458.1378112-1-andrew.cooper3@citrix.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/mwait.h | 9 +++------
arch/x86/kernel/process.c | 9 +++------
2 files changed, 6 insertions(+), 12 deletions(-)
diff --git a/arch/x86/include/asm/mwait.h b/arch/x86/include/asm/mwait.h
index bae83810505bf..a541411d9226e 100644
--- a/arch/x86/include/asm/mwait.h
+++ b/arch/x86/include/asm/mwait.h
@@ -108,13 +108,10 @@ static __always_inline void __sti_mwait(unsigned long eax, unsigned long ecx)
static __always_inline void mwait_idle_with_hints(unsigned long eax, unsigned long ecx)
{
if (static_cpu_has_bug(X86_BUG_MONITOR) || !current_set_polling_and_test()) {
- if (static_cpu_has_bug(X86_BUG_CLFLUSH_MONITOR)) {
- mb();
- clflush((void *)¤t_thread_info()->flags);
- mb();
- }
+ const void *addr = ¤t_thread_info()->flags;
- __monitor((void *)¤t_thread_info()->flags, 0, 0);
+ alternative_input("", "clflush (%[addr])", X86_BUG_CLFLUSH_MONITOR, [addr] "a" (addr));
+ __monitor(addr, 0, 0);
if (!need_resched()) {
if (ecx & 1) {
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index 419353904173f..8a398acfdea2e 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -923,13 +923,10 @@ static int prefer_mwait_c1_over_halt(const struct cpuinfo_x86 *c)
static __cpuidle void mwait_idle(void)
{
if (!current_set_polling_and_test()) {
- if (this_cpu_has(X86_BUG_CLFLUSH_MONITOR)) {
- mb(); /* quirk */
- clflush((void *)¤t_thread_info()->flags);
- mb(); /* quirk */
- }
+ const void *addr = ¤t_thread_info()->flags;
- __monitor((void *)¤t_thread_info()->flags, 0, 0);
+ alternative_input("", "clflush (%[addr])", X86_BUG_CLFLUSH_MONITOR, [addr] "a" (addr));
+ __monitor(addr, 0, 0);
if (!need_resched()) {
__sti_mwait(0, 0);
raw_local_irq_disable();
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 020/356] crypto: sun8i-ce-hash - fix error handling in sun8i_ce_hash_run()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 019/356] x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt() Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 021/356] gfs2: gfs2_create_inode error handling fix Greg Kroah-Hartman
` (344 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ovidiu Panait, Herbert Xu,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
[ Upstream commit ea4dd134ef332bd9e3e734c1ba0a1521f436b678 ]
Rework error handling in sun8i_ce_hash_run() to unmap the dma buffers in
case of failure. Currently, the dma unmap functions are not called if the
function errors out at various points.
Fixes: 56f6d5aee88d1 ("crypto: sun8i-ce - support hash algorithms")
Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../crypto/allwinner/sun8i-ce/sun8i-ce-hash.c | 34 ++++++++++++-------
1 file changed, 21 insertions(+), 13 deletions(-)
diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c
index d358334e59811..ebc857ed10e11 100644
--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c
+++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c
@@ -343,9 +343,8 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq)
u32 common;
u64 byte_count;
__le32 *bf;
- void *buf = NULL;
+ void *buf, *result;
int j, i, todo;
- void *result = NULL;
u64 bs;
int digestsize;
dma_addr_t addr_res, addr_pad;
@@ -365,14 +364,14 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq)
buf = kzalloc(bs * 2, GFP_KERNEL | GFP_DMA);
if (!buf) {
err = -ENOMEM;
- goto theend;
+ goto err_out;
}
bf = (__le32 *)buf;
result = kzalloc(digestsize, GFP_KERNEL | GFP_DMA);
if (!result) {
err = -ENOMEM;
- goto theend;
+ goto err_free_buf;
}
flow = rctx->flow;
@@ -398,7 +397,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq)
if (nr_sgs <= 0 || nr_sgs > MAX_SG) {
dev_err(ce->dev, "Invalid sg number %d\n", nr_sgs);
err = -EINVAL;
- goto theend;
+ goto err_free_result;
}
len = areq->nbytes;
@@ -411,7 +410,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq)
if (len > 0) {
dev_err(ce->dev, "remaining len %d\n", len);
err = -EINVAL;
- goto theend;
+ goto err_unmap_src;
}
addr_res = dma_map_single(ce->dev, result, digestsize, DMA_FROM_DEVICE);
cet->t_dst[0].addr = cpu_to_le32(addr_res);
@@ -419,7 +418,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq)
if (dma_mapping_error(ce->dev, addr_res)) {
dev_err(ce->dev, "DMA map dest\n");
err = -EINVAL;
- goto theend;
+ goto err_unmap_src;
}
byte_count = areq->nbytes;
@@ -441,7 +440,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq)
}
if (!j) {
err = -EINVAL;
- goto theend;
+ goto err_unmap_result;
}
addr_pad = dma_map_single(ce->dev, buf, j * 4, DMA_TO_DEVICE);
@@ -450,7 +449,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq)
if (dma_mapping_error(ce->dev, addr_pad)) {
dev_err(ce->dev, "DMA error on padding SG\n");
err = -EINVAL;
- goto theend;
+ goto err_unmap_result;
}
if (ce->variant->hash_t_dlen_in_bits)
@@ -463,16 +462,25 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq)
err = sun8i_ce_run_task(ce, flow, crypto_ahash_alg_name(tfm));
dma_unmap_single(ce->dev, addr_pad, j * 4, DMA_TO_DEVICE);
- dma_unmap_sg(ce->dev, areq->src, ns, DMA_TO_DEVICE);
+
+err_unmap_result:
dma_unmap_single(ce->dev, addr_res, digestsize, DMA_FROM_DEVICE);
+ if (!err)
+ memcpy(areq->result, result, algt->alg.hash.base.halg.digestsize);
+err_unmap_src:
+ dma_unmap_sg(ce->dev, areq->src, ns, DMA_TO_DEVICE);
- memcpy(areq->result, result, algt->alg.hash.base.halg.digestsize);
-theend:
- kfree(buf);
+err_free_result:
kfree(result);
+
+err_free_buf:
+ kfree(buf);
+
+err_out:
local_bh_disable();
crypto_finalize_hash_request(engine, breq, err);
local_bh_enable();
+
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 021/356] gfs2: gfs2_create_inode error handling fix
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 020/356] crypto: sun8i-ce-hash - fix error handling in sun8i_ce_hash_run() Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 022/356] perf/core: Fix broken throttling when max_samples_per_tick=1 Greg Kroah-Hartman
` (343 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andreas Gruenbacher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
[ Upstream commit af4044fd0b77e915736527dd83011e46e6415f01 ]
When gfs2_create_inode() finds a directory, make sure to return -EISDIR.
Fixes: 571a4b57975a ("GFS2: bugger off early if O_CREAT open finds a directory")
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/inode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 29085643ad104..1cb5ce63fbf69 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -658,7 +658,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
if (!IS_ERR(inode)) {
if (S_ISDIR(inode->i_mode)) {
iput(inode);
- inode = ERR_PTR(-EISDIR);
+ inode = NULL;
+ error = -EISDIR;
goto fail_gunlock;
}
d_instantiate(dentry, inode);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 022/356] perf/core: Fix broken throttling when max_samples_per_tick=1
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 021/356] gfs2: gfs2_create_inode error handling fix Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 023/356] crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() Greg Kroah-Hartman
` (342 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qing Wang, Peter Zijlstra (Intel),
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qing Wang <wangqing7171@gmail.com>
[ Upstream commit f51972e6f8b9a737b2b3eb588069acb538fa72de ]
According to the throttling mechanism, the pmu interrupts number can not
exceed the max_samples_per_tick in one tick. But this mechanism is
ineffective when max_samples_per_tick=1, because the throttling check is
skipped during the first interrupt and only performed when the second
interrupt arrives.
Perhaps this bug may cause little influence in one tick, but if in a
larger time scale, the problem can not be underestimated.
When max_samples_per_tick = 1:
Allowed-interrupts-per-second max-samples-per-second default-HZ ARCH
200 100 100 X86
500 250 250 ARM64
...
Obviously, the pmu interrupt number far exceed the user's expect.
Fixes: e050e3f0a71b ("perf: Fix broken interrupt rate throttling")
Signed-off-by: Qing Wang <wangqing7171@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20250405141635.243786-3-wangqing7171@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/events/core.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 5dd6424e62fa8..6460f79280ed2 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -9553,14 +9553,14 @@ __perf_event_account_interrupt(struct perf_event *event, int throttle)
hwc->interrupts = 1;
} else {
hwc->interrupts++;
- if (unlikely(throttle &&
- hwc->interrupts > max_samples_per_tick)) {
- __this_cpu_inc(perf_throttled_count);
- tick_dep_set_cpu(smp_processor_id(), TICK_DEP_BIT_PERF_EVENTS);
- hwc->interrupts = MAX_INTERRUPTS;
- perf_log_throttle(event, 0);
- ret = 1;
- }
+ }
+
+ if (unlikely(throttle && hwc->interrupts >= max_samples_per_tick)) {
+ __this_cpu_inc(perf_throttled_count);
+ tick_dep_set_cpu(smp_processor_id(), TICK_DEP_BIT_PERF_EVENTS);
+ hwc->interrupts = MAX_INTERRUPTS;
+ perf_log_throttle(event, 0);
+ ret = 1;
}
if (event->attr.freq) {
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 023/356] crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 022/356] perf/core: Fix broken throttling when max_samples_per_tick=1 Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 024/356] crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions Greg Kroah-Hartman
` (341 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ovidiu Panait, Herbert Xu,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
[ Upstream commit f31adc3e356f7350d4a4d68c98d3f60f2f6e26b3 ]
Fix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare():
1] If dma_map_sg() fails for areq->dst, the device driver would try to free
DMA memory it has not allocated in the first place. To fix this, on the
"theend_sgs" error path, call dma unmap only if the corresponding dma
map was successful.
2] If the dma_map_single() call for the IV fails, the device driver would
try to free an invalid DMA memory address on the "theend_iv" path:
------------[ cut here ]------------
DMA-API: sun8i-ce 1904000.crypto: device driver tries to free an invalid DMA memory address
WARNING: CPU: 2 PID: 69 at kernel/dma/debug.c:968 check_unmap+0x123c/0x1b90
Modules linked in: skcipher_example(O+)
CPU: 2 UID: 0 PID: 69 Comm: 1904000.crypto- Tainted: G O 6.15.0-rc3+ #24 PREEMPT
Tainted: [O]=OOT_MODULE
Hardware name: OrangePi Zero2 (DT)
pc : check_unmap+0x123c/0x1b90
lr : check_unmap+0x123c/0x1b90
...
Call trace:
check_unmap+0x123c/0x1b90 (P)
debug_dma_unmap_page+0xac/0xc0
dma_unmap_page_attrs+0x1f4/0x5fc
sun8i_ce_cipher_do_one+0x1bd4/0x1f40
crypto_pump_work+0x334/0x6e0
kthread_worker_fn+0x21c/0x438
kthread+0x374/0x664
ret_from_fork+0x10/0x20
---[ end trace 0000000000000000 ]---
To fix this, check for !dma_mapping_error() before calling
dma_unmap_single() on the "theend_iv" path.
Fixes: 06f751b61329 ("crypto: allwinner - Add sun8i-ce Crypto Engine")
Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c
index d2cf9619018b1..70434601f99be 100644
--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c
+++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c
@@ -275,13 +275,16 @@ static int sun8i_ce_cipher_prepare(struct crypto_engine *engine, void *async_req
} else {
if (nr_sgs > 0)
dma_unmap_sg(ce->dev, areq->src, ns, DMA_TO_DEVICE);
- dma_unmap_sg(ce->dev, areq->dst, nd, DMA_FROM_DEVICE);
+
+ if (nr_sgd > 0)
+ dma_unmap_sg(ce->dev, areq->dst, nd, DMA_FROM_DEVICE);
}
theend_iv:
if (areq->iv && ivsize > 0) {
- if (rctx->addr_iv)
+ if (!dma_mapping_error(ce->dev, rctx->addr_iv))
dma_unmap_single(ce->dev, rctx->addr_iv, rctx->ivlen, DMA_TO_DEVICE);
+
offset = areq->cryptlen - ivsize;
if (rctx->op_dir & CE_DECRYPTION) {
memcpy(areq->iv, chan->backup_iv, ivsize);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 024/356] crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 023/356] crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 025/356] powerpc: do not build ppc_save_regs.o always Greg Kroah-Hartman
` (340 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Corentin Labbe, Herbert Xu,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Corentin Labbe <clabbe.montjoie@gmail.com>
[ Upstream commit 2dfc7cd74a5e062a5405560447517e7aab1c7341 ]
When testing sun8i-ss with multi_v7_defconfig, all CBC algorithm fail crypto
selftests.
This is strange since on sunxi_defconfig, everything was ok.
The problem was in the IV setup loop which never run because sg_dma_len
was 0.
Fixes: 359e893e8af4 ("crypto: sun8i-ss - rework handling of IV")
Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
index 7fa359725ec75..9b18fb46a2c89 100644
--- a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
+++ b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
@@ -141,7 +141,7 @@ static int sun8i_ss_setup_ivs(struct skcipher_request *areq)
/* we need to copy all IVs from source in case DMA is bi-directionnal */
while (sg && len) {
- if (sg_dma_len(sg) == 0) {
+ if (sg->length == 0) {
sg = sg_next(sg);
continue;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 025/356] powerpc: do not build ppc_save_regs.o always
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 024/356] crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-20 1:50 ` Shiji Yang
2025-06-17 15:22 ` [PATCH 6.6 026/356] powerpc/crash: Fix non-smp kexec preparation Greg Kroah-Hartman
` (339 subsequent siblings)
364 siblings, 1 reply; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Slaby (SUSE), Stephen Rothwell,
Madhavan Srinivasan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Slaby (SUSE) <jirislaby@kernel.org>
[ Upstream commit 497b7794aef03d525a5be05ae78dd7137c6861a5 ]
The Fixes commit below tried to add CONFIG_PPC_BOOK3S to one of the
conditions to enable the build of ppc_save_regs.o. But it failed to do
so, in fact. The commit omitted to add a dollar sign.
Therefore, ppc_save_regs.o is built always these days (as
"(CONFIG_PPC_BOOK3S)" is never an empty string).
Fix this by adding the missing dollar sign.
Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
Fixes: fc2a5a6161a2 ("powerpc/64s: ppc_save_regs is now needed for all 64s builds")
Acked-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20250417105305.397128-1-jirislaby@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kernel/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
index 2919433be3557..b7629122680b1 100644
--- a/arch/powerpc/kernel/Makefile
+++ b/arch/powerpc/kernel/Makefile
@@ -165,7 +165,7 @@ endif
obj64-$(CONFIG_PPC_TRANSACTIONAL_MEM) += tm.o
-ifneq ($(CONFIG_XMON)$(CONFIG_KEXEC_CORE)(CONFIG_PPC_BOOK3S),)
+ifneq ($(CONFIG_XMON)$(CONFIG_KEXEC_CORE)$(CONFIG_PPC_BOOK3S),)
obj-y += ppc_save_regs.o
endif
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 026/356] powerpc/crash: Fix non-smp kexec preparation
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 025/356] powerpc: do not build ppc_save_regs.o always Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 027/356] x86/microcode/AMD: Do not return error when microcode update is not necessary Greg Kroah-Hartman
` (338 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eddie James, Hari Bathini,
Madhavan Srinivasan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eddie James <eajames@linux.ibm.com>
[ Upstream commit 882b25af265de8e05c66f72b9a29f6047102958f ]
In non-smp configurations, crash_kexec_prepare is never called in
the crash shutdown path. One result of this is that the crashing_cpu
variable is never set, preventing crash_save_cpu from storing the
NT_PRSTATUS elf note in the core dump.
Fixes: c7255058b543 ("powerpc/crash: save cpu register data in crash_smp_send_stop()")
Signed-off-by: Eddie James <eajames@linux.ibm.com>
Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20250211162054.857762-1-eajames@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kexec/crash.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/kexec/crash.c b/arch/powerpc/kexec/crash.c
index ef5c2d25ec397..61552bbb1ea8a 100644
--- a/arch/powerpc/kexec/crash.c
+++ b/arch/powerpc/kexec/crash.c
@@ -356,7 +356,10 @@ void default_machine_crash_shutdown(struct pt_regs *regs)
if (TRAP(regs) == INTERRUPT_SYSTEM_RESET)
is_via_system_reset = 1;
- crash_smp_send_stop();
+ if (IS_ENABLED(CONFIG_SMP))
+ crash_smp_send_stop();
+ else
+ crash_kexec_prepare();
crash_save_cpu(regs, crashing_cpu);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 027/356] x86/microcode/AMD: Do not return error when microcode update is not necessary
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 026/356] powerpc/crash: Fix non-smp kexec preparation Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 028/356] x86/cpu: Sanitize CPUID(0x80000000) output Greg Kroah-Hartman
` (337 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Annie Li, Borislav Petkov (AMD),
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Annie Li <jiayanli@google.com>
[ Upstream commit b43dc4ab097859c24e2a6993119c927cffc856aa ]
After
6f059e634dcd("x86/microcode: Clarify the late load logic"),
if the load is up-to-date, the AMD side returns UCODE_OK which leads to
load_late_locked() returning -EBADFD.
Handle UCODE_OK in the switch case to avoid this error.
[ bp: Massage commit message. ]
Fixes: 6f059e634dcd ("x86/microcode: Clarify the late load logic")
Signed-off-by: Annie Li <jiayanli@google.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/20250430053424.77438-1-jiayanli@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/cpu/microcode/core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
index 5b47c320f17a6..fc539346599cb 100644
--- a/arch/x86/kernel/cpu/microcode/core.c
+++ b/arch/x86/kernel/cpu/microcode/core.c
@@ -703,6 +703,8 @@ static int load_late_locked(void)
return load_late_stop_cpus(true);
case UCODE_NFOUND:
return -ENOENT;
+ case UCODE_OK:
+ return 0;
default:
return -EBADFD;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 028/356] x86/cpu: Sanitize CPUID(0x80000000) output
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 027/356] x86/microcode/AMD: Do not return error when microcode update is not necessary Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 029/356] crypto: marvell/cesa - Handle zero-length skcipher requests Greg Kroah-Hartman
` (336 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ahmed S. Darwish, Ingo Molnar,
Andrew Cooper, H. Peter Anvin, John Ogness, x86-cpuid,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahmed S. Darwish <darwi@linutronix.de>
[ Upstream commit cc663ba3fe383a628a812f893cc98aafff39ab04 ]
CPUID(0x80000000).EAX returns the max extended CPUID leaf available. On
x86-32 machines without an extended CPUID range, a CPUID(0x80000000)
query will just repeat the output of the last valid standard CPUID leaf
on the CPU; i.e., a garbage values. Current tip:x86/cpu code protects against
this by doing:
eax = cpuid_eax(0x80000000);
c->extended_cpuid_level = eax;
if ((eax & 0xffff0000) == 0x80000000) {
// CPU has an extended CPUID range. Check for 0x80000001
if (eax >= 0x80000001) {
cpuid(0x80000001, ...);
}
}
This is correct so far. Afterwards though, the same possibly broken EAX
value is used to check the availability of other extended CPUID leaves:
if (c->extended_cpuid_level >= 0x80000007)
...
if (c->extended_cpuid_level >= 0x80000008)
...
if (c->extended_cpuid_level >= 0x8000000a)
...
if (c->extended_cpuid_level >= 0x8000001f)
...
which is invalid. Fix this by immediately setting the CPU's max extended
CPUID leaf to zero if CPUID(0x80000000).EAX doesn't indicate a valid
CPUID extended range.
While at it, add a comment, similar to kernel/head_32.S, clarifying the
CPUID(0x80000000) sanity check.
References: 8a50e5135af0 ("x86-32: Use symbolic constants, safer CPUID when enabling EFER.NX")
Fixes: 3da99c977637 ("x86: make (early)_identify_cpu more the same between 32bit and 64 bit")
Signed-off-by: Ahmed S. Darwish <darwi@linutronix.de>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: John Ogness <john.ogness@linutronix.de>
Cc: x86-cpuid@lists.linux.dev
Link: https://lore.kernel.org/r/20250506050437.10264-3-darwi@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/cpu/common.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index 067e31fb9e165..b6e43dad577a3 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1066,17 +1066,18 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
c->x86_capability[CPUID_D_1_EAX] = eax;
}
- /* AMD-defined flags: level 0x80000001 */
+ /*
+ * Check if extended CPUID leaves are implemented: Max extended
+ * CPUID leaf must be in the 0x80000001-0x8000ffff range.
+ */
eax = cpuid_eax(0x80000000);
- c->extended_cpuid_level = eax;
+ c->extended_cpuid_level = ((eax & 0xffff0000) == 0x80000000) ? eax : 0;
- if ((eax & 0xffff0000) == 0x80000000) {
- if (eax >= 0x80000001) {
- cpuid(0x80000001, &eax, &ebx, &ecx, &edx);
+ if (c->extended_cpuid_level >= 0x80000001) {
+ cpuid(0x80000001, &eax, &ebx, &ecx, &edx);
- c->x86_capability[CPUID_8000_0001_ECX] = ecx;
- c->x86_capability[CPUID_8000_0001_EDX] = edx;
- }
+ c->x86_capability[CPUID_8000_0001_ECX] = ecx;
+ c->x86_capability[CPUID_8000_0001_EDX] = edx;
}
if (c->extended_cpuid_level >= 0x80000007) {
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 029/356] crypto: marvell/cesa - Handle zero-length skcipher requests
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 028/356] x86/cpu: Sanitize CPUID(0x80000000) output Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 030/356] crypto: marvell/cesa - Avoid empty transfer descriptor Greg Kroah-Hartman
` (335 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Herbert Xu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 8a4e047c6cc07676f637608a9dd675349b5de0a7 ]
Do not access random memory for zero-length skcipher requests.
Just return 0.
Fixes: f63601fd616a ("crypto: marvell/cesa - add a new driver for Marvell's CESA")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/marvell/cesa/cipher.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/crypto/marvell/cesa/cipher.c b/drivers/crypto/marvell/cesa/cipher.c
index 0f37dfd42d850..3876e3ce822f4 100644
--- a/drivers/crypto/marvell/cesa/cipher.c
+++ b/drivers/crypto/marvell/cesa/cipher.c
@@ -459,6 +459,9 @@ static int mv_cesa_skcipher_queue_req(struct skcipher_request *req,
struct mv_cesa_skcipher_req *creq = skcipher_request_ctx(req);
struct mv_cesa_engine *engine;
+ if (!req->cryptlen)
+ return 0;
+
ret = mv_cesa_skcipher_req_init(req, tmpl);
if (ret)
return ret;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 030/356] crypto: marvell/cesa - Avoid empty transfer descriptor
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 029/356] crypto: marvell/cesa - Handle zero-length skcipher requests Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 031/356] btrfs: scrub: update device stats when an error is detected Greg Kroah-Hartman
` (334 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Herbert Xu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 1bafd82d9a40cf09c6c40f1c09cc35b7050b1a9f ]
The user may set req->src even if req->nbytes == 0. If there
is no data to hash from req->src, do not generate an empty TDMA
descriptor.
Fixes: db509a45339f ("crypto: marvell/cesa - add TDMA support")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/marvell/cesa/hash.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/marvell/cesa/hash.c b/drivers/crypto/marvell/cesa/hash.c
index f150861ceaf69..6815eddc90681 100644
--- a/drivers/crypto/marvell/cesa/hash.c
+++ b/drivers/crypto/marvell/cesa/hash.c
@@ -663,7 +663,7 @@ static int mv_cesa_ahash_dma_req_init(struct ahash_request *req)
if (ret)
goto err_free_tdma;
- if (iter.src.sg) {
+ if (iter.base.len > iter.src.op_offset) {
/*
* Add all the new data, inserting an operation block and
* launch command between each full SRAM block-worth of
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 031/356] btrfs: scrub: update device stats when an error is detected
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 030/356] crypto: marvell/cesa - Avoid empty transfer descriptor Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 032/356] btrfs: scrub: fix a wrong error type when metadata bytenr mismatches Greg Kroah-Hartman
` (333 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filipe Manana, Qu Wenruo,
David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
[ Upstream commit ec1f3a207cdf314eae4d4ae145f1ffdb829f0652 ]
[BUG]
Since the migration to the new scrub_stripe interface, scrub no longer
updates the device stats when hitting an error, no matter if it's a read
or checksum mismatch error. E.g:
BTRFS info (device dm-2): scrub: started on devid 1
BTRFS error (device dm-2): unable to fixup (regular) error at logical 13631488 on dev /dev/mapper/test-scratch1 physical 13631488
BTRFS warning (device dm-2): checksum error at logical 13631488 on dev /dev/mapper/test-scratch1, physical 13631488, root 5, inode 257, offset 0, length 4096, links 1 (path: file)
BTRFS error (device dm-2): unable to fixup (regular) error at logical 13631488 on dev /dev/mapper/test-scratch1 physical 13631488
BTRFS warning (device dm-2): checksum error at logical 13631488 on dev /dev/mapper/test-scratch1, physical 13631488, root 5, inode 257, offset 0, length 4096, links 1 (path: file)
BTRFS info (device dm-2): scrub: finished on devid 1 with status: 0
Note there is no line showing the device stats error update.
[CAUSE]
In the migration to the new scrub_stripe interface, we no longer call
btrfs_dev_stat_inc_and_print().
[FIX]
- Introduce a new bitmap for metadata generation errors
* A new bitmap
@meta_gen_error_bitmap is introduced to record which blocks have
metadata generation mismatch errors.
* A new counter for that bitmap
@init_nr_meta_gen_errors, is also introduced to store the number of
generation mismatch errors that are found during the initial read.
This is for the error reporting at scrub_stripe_report_errors().
* New dedicated error message for unrepaired generation mismatches
* Update @meta_gen_error_bitmap if a transid mismatch is hit
- Add btrfs_dev_stat_inc_and_print() calls to the following call sites
* scrub_stripe_report_errors()
* scrub_write_endio()
This is only for the write errors.
This means there is a minor behavior change:
- The timing of device stats error message
Since we concentrate the error messages at
scrub_stripe_report_errors(), the device stats error messages will all
show up in one go, after the detailed scrub error messages:
BTRFS error (device dm-2): unable to fixup (regular) error at logical 13631488 on dev /dev/mapper/test-scratch1 physical 13631488
BTRFS warning (device dm-2): checksum error at logical 13631488 on dev /dev/mapper/test-scratch1, physical 13631488, root 5, inode 257, offset 0, length 4096, links 1 (path: file)
BTRFS error (device dm-2): unable to fixup (regular) error at logical 13631488 on dev /dev/mapper/test-scratch1 physical 13631488
BTRFS warning (device dm-2): checksum error at logical 13631488 on dev /dev/mapper/test-scratch1, physical 13631488, root 5, inode 257, offset 0, length 4096, links 1 (path: file)
BTRFS error (device dm-2): bdev /dev/mapper/test-scratch1 errs: wr 0, rd 0, flush 0, corrupt 1, gen 0
BTRFS error (device dm-2): bdev /dev/mapper/test-scratch1 errs: wr 0, rd 0, flush 0, corrupt 2, gen 0
Fixes: e02ee89baa66 ("btrfs: scrub: switch scrub_simple_mirror() to scrub_stripe infrastructure")
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/scrub.c | 32 +++++++++++++++++++++++++++++---
1 file changed, 29 insertions(+), 3 deletions(-)
diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c
index da49bdb70375b..97c17025b31e6 100644
--- a/fs/btrfs/scrub.c
+++ b/fs/btrfs/scrub.c
@@ -153,12 +153,14 @@ struct scrub_stripe {
unsigned int init_nr_io_errors;
unsigned int init_nr_csum_errors;
unsigned int init_nr_meta_errors;
+ unsigned int init_nr_meta_gen_errors;
/*
* The following error bitmaps are all for the current status.
* Every time we submit a new read, these bitmaps may be updated.
*
- * error_bitmap = io_error_bitmap | csum_error_bitmap | meta_error_bitmap;
+ * error_bitmap = io_error_bitmap | csum_error_bitmap |
+ * meta_error_bitmap | meta_generation_bitmap;
*
* IO and csum errors can happen for both metadata and data.
*/
@@ -166,6 +168,7 @@ struct scrub_stripe {
unsigned long io_error_bitmap;
unsigned long csum_error_bitmap;
unsigned long meta_error_bitmap;
+ unsigned long meta_gen_error_bitmap;
/* For writeback (repair or replace) error reporting. */
unsigned long write_error_bitmap;
@@ -673,7 +676,7 @@ static void scrub_verify_one_metadata(struct scrub_stripe *stripe, int sector_nr
}
if (stripe->sectors[sector_nr].generation !=
btrfs_stack_header_generation(header)) {
- bitmap_set(&stripe->meta_error_bitmap, sector_nr, sectors_per_tree);
+ bitmap_set(&stripe->meta_gen_error_bitmap, sector_nr, sectors_per_tree);
bitmap_set(&stripe->error_bitmap, sector_nr, sectors_per_tree);
btrfs_warn_rl(fs_info,
"tree block %llu mirror %u has bad generation, has %llu want %llu",
@@ -685,6 +688,7 @@ static void scrub_verify_one_metadata(struct scrub_stripe *stripe, int sector_nr
bitmap_clear(&stripe->error_bitmap, sector_nr, sectors_per_tree);
bitmap_clear(&stripe->csum_error_bitmap, sector_nr, sectors_per_tree);
bitmap_clear(&stripe->meta_error_bitmap, sector_nr, sectors_per_tree);
+ bitmap_clear(&stripe->meta_gen_error_bitmap, sector_nr, sectors_per_tree);
}
static void scrub_verify_one_sector(struct scrub_stripe *stripe, int sector_nr)
@@ -973,8 +977,22 @@ static void scrub_stripe_report_errors(struct scrub_ctx *sctx,
if (__ratelimit(&rs) && dev)
scrub_print_common_warning("header error", dev, false,
stripe->logical, physical);
+ if (test_bit(sector_nr, &stripe->meta_gen_error_bitmap))
+ if (__ratelimit(&rs) && dev)
+ scrub_print_common_warning("generation error", dev, false,
+ stripe->logical, physical);
}
+ /* Update the device stats. */
+ for (int i = 0; i < stripe->init_nr_io_errors; i++)
+ btrfs_dev_stat_inc_and_print(stripe->dev, BTRFS_DEV_STAT_READ_ERRS);
+ for (int i = 0; i < stripe->init_nr_csum_errors; i++)
+ btrfs_dev_stat_inc_and_print(stripe->dev, BTRFS_DEV_STAT_CORRUPTION_ERRS);
+ /* Generation mismatch error is based on each metadata, not each block. */
+ for (int i = 0; i < stripe->init_nr_meta_gen_errors;
+ i += (fs_info->nodesize >> fs_info->sectorsize_bits))
+ btrfs_dev_stat_inc_and_print(stripe->dev, BTRFS_DEV_STAT_GENERATION_ERRS);
+
spin_lock(&sctx->stat_lock);
sctx->stat.data_extents_scrubbed += stripe->nr_data_extents;
sctx->stat.tree_extents_scrubbed += stripe->nr_meta_extents;
@@ -983,7 +1001,8 @@ static void scrub_stripe_report_errors(struct scrub_ctx *sctx,
sctx->stat.no_csum += nr_nodatacsum_sectors;
sctx->stat.read_errors += stripe->init_nr_io_errors;
sctx->stat.csum_errors += stripe->init_nr_csum_errors;
- sctx->stat.verify_errors += stripe->init_nr_meta_errors;
+ sctx->stat.verify_errors += stripe->init_nr_meta_errors +
+ stripe->init_nr_meta_gen_errors;
sctx->stat.uncorrectable_errors +=
bitmap_weight(&stripe->error_bitmap, stripe->nr_sectors);
sctx->stat.corrected_errors += nr_repaired_sectors;
@@ -1029,6 +1048,8 @@ static void scrub_stripe_read_repair_worker(struct work_struct *work)
stripe->nr_sectors);
stripe->init_nr_meta_errors = bitmap_weight(&stripe->meta_error_bitmap,
stripe->nr_sectors);
+ stripe->init_nr_meta_gen_errors = bitmap_weight(&stripe->meta_gen_error_bitmap,
+ stripe->nr_sectors);
if (bitmap_empty(&stripe->init_error_bitmap, stripe->nr_sectors))
goto out;
@@ -1143,6 +1164,9 @@ static void scrub_write_endio(struct btrfs_bio *bbio)
bitmap_set(&stripe->write_error_bitmap, sector_nr,
bio_size >> fs_info->sectorsize_bits);
spin_unlock_irqrestore(&stripe->write_error_lock, flags);
+ for (int i = 0; i < (bio_size >> fs_info->sectorsize_bits); i++)
+ btrfs_dev_stat_inc_and_print(stripe->dev,
+ BTRFS_DEV_STAT_WRITE_ERRS);
}
bio_put(&bbio->bio);
@@ -1505,10 +1529,12 @@ static void scrub_stripe_reset_bitmaps(struct scrub_stripe *stripe)
stripe->init_nr_io_errors = 0;
stripe->init_nr_csum_errors = 0;
stripe->init_nr_meta_errors = 0;
+ stripe->init_nr_meta_gen_errors = 0;
stripe->error_bitmap = 0;
stripe->io_error_bitmap = 0;
stripe->csum_error_bitmap = 0;
stripe->meta_error_bitmap = 0;
+ stripe->meta_gen_error_bitmap = 0;
}
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 032/356] btrfs: scrub: fix a wrong error type when metadata bytenr mismatches
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 031/356] btrfs: scrub: update device stats when an error is detected Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 033/356] rcu/cpu_stall_cputime: fix the hardirq count for x86 architecture Greg Kroah-Hartman
` (332 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qu Wenruo, David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
[ Upstream commit f2c19541e421b3235efc515dad88b581f00592ae ]
When the bytenr doesn't match for a metadata tree block, we will report
it as an csum error, which is incorrect and should be reported as a
metadata error instead.
Fixes: a3ddbaebc7c9 ("btrfs: scrub: introduce a helper to verify one metadata block")
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/scrub.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c
index 97c17025b31e6..7632d652a1257 100644
--- a/fs/btrfs/scrub.c
+++ b/fs/btrfs/scrub.c
@@ -620,7 +620,7 @@ static void scrub_verify_one_metadata(struct scrub_stripe *stripe, int sector_nr
memcpy(on_disk_csum, header->csum, fs_info->csum_size);
if (logical != btrfs_stack_header_bytenr(header)) {
- bitmap_set(&stripe->csum_error_bitmap, sector_nr, sectors_per_tree);
+ bitmap_set(&stripe->meta_error_bitmap, sector_nr, sectors_per_tree);
bitmap_set(&stripe->error_bitmap, sector_nr, sectors_per_tree);
btrfs_warn_rl(fs_info,
"tree block %llu mirror %u has bad bytenr, has %llu want %llu",
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 033/356] rcu/cpu_stall_cputime: fix the hardirq count for x86 architecture
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 032/356] btrfs: scrub: fix a wrong error type when metadata bytenr mismatches Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 034/356] crypto: lrw - Only add ecb if it is not already there Greg Kroah-Hartman
` (331 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Yongliang Gao,
Neeraj Upadhyay, Boqun Feng, Joel Fernandes, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongliang Gao <leonylgao@tencent.com>
[ Upstream commit da6b85598af30e9fec34d82882d7e1e39f3da769 ]
When counting the number of hardirqs in the x86 architecture,
it is essential to add arch_irq_stat_cpu to ensure accuracy.
For example, a CPU loop within the rcu_read_lock function.
Before:
[ 70.910184] rcu: INFO: rcu_preempt self-detected stall on CPU
[ 70.910436] rcu: 3-....: (4999 ticks this GP) idle=***
[ 70.910711] rcu: hardirqs softirqs csw/system
[ 70.910870] rcu: number: 0 657 0
[ 70.911024] rcu: cputime: 0 0 2498 ==> 2498(ms)
[ 70.911278] rcu: (t=5001 jiffies g=3677 q=29 ncpus=8)
After:
[ 68.046132] rcu: INFO: rcu_preempt self-detected stall on CPU
[ 68.046354] rcu: 2-....: (4999 ticks this GP) idle=***
[ 68.046628] rcu: hardirqs softirqs csw/system
[ 68.046793] rcu: number: 2498 663 0
[ 68.046951] rcu: cputime: 0 0 2496 ==> 2496(ms)
[ 68.047244] rcu: (t=5000 jiffies g=3825 q=4 ncpus=8)
Fixes: be42f00b73a0 ("rcu: Add RCU stall diagnosis information")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202501090842.SfI6QPGS-lkp@intel.com/
Signed-off-by: Yongliang Gao <leonylgao@tencent.com>
Reviewed-by: Neeraj Upadhyay <Neeraj.Upadhyay@amd.com>
Link: https://lore.kernel.org/r/20250216084109.3109837-1-leonylgao@gmail.com
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/rcu/tree.c | 10 +++++++---
kernel/rcu/tree.h | 2 +-
kernel/rcu/tree_stall.h | 4 ++--
3 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
index fda08520c75c5..1fb3b7a0ed5d2 100644
--- a/kernel/rcu/tree.c
+++ b/kernel/rcu/tree.c
@@ -754,6 +754,10 @@ static int dyntick_save_progress_counter(struct rcu_data *rdp)
return 0;
}
+#ifndef arch_irq_stat_cpu
+#define arch_irq_stat_cpu(cpu) 0
+#endif
+
/*
* Returns positive if the specified CPU has passed through a quiescent state
* by virtue of being in or having passed through an dynticks idle state since
@@ -889,9 +893,9 @@ static int rcu_implicit_dynticks_qs(struct rcu_data *rdp)
rsrp->cputime_irq = kcpustat_field(kcsp, CPUTIME_IRQ, cpu);
rsrp->cputime_softirq = kcpustat_field(kcsp, CPUTIME_SOFTIRQ, cpu);
rsrp->cputime_system = kcpustat_field(kcsp, CPUTIME_SYSTEM, cpu);
- rsrp->nr_hardirqs = kstat_cpu_irqs_sum(rdp->cpu);
- rsrp->nr_softirqs = kstat_cpu_softirqs_sum(rdp->cpu);
- rsrp->nr_csw = nr_context_switches_cpu(rdp->cpu);
+ rsrp->nr_hardirqs = kstat_cpu_irqs_sum(cpu) + arch_irq_stat_cpu(cpu);
+ rsrp->nr_softirqs = kstat_cpu_softirqs_sum(cpu);
+ rsrp->nr_csw = nr_context_switches_cpu(cpu);
rsrp->jiffies = jiffies;
rsrp->gp_seq = rdp->gp_seq;
}
diff --git a/kernel/rcu/tree.h b/kernel/rcu/tree.h
index 9eb43b501ff5c..ac8cc756920dd 100644
--- a/kernel/rcu/tree.h
+++ b/kernel/rcu/tree.h
@@ -169,7 +169,7 @@ struct rcu_snap_record {
u64 cputime_irq; /* Accumulated cputime of hard irqs */
u64 cputime_softirq;/* Accumulated cputime of soft irqs */
u64 cputime_system; /* Accumulated cputime of kernel tasks */
- unsigned long nr_hardirqs; /* Accumulated number of hard irqs */
+ u64 nr_hardirqs; /* Accumulated number of hard irqs */
unsigned int nr_softirqs; /* Accumulated number of soft irqs */
unsigned long long nr_csw; /* Accumulated number of task switches */
unsigned long jiffies; /* Track jiffies value */
diff --git a/kernel/rcu/tree_stall.h b/kernel/rcu/tree_stall.h
index 11a1fac3a5898..aab91040b83b1 100644
--- a/kernel/rcu/tree_stall.h
+++ b/kernel/rcu/tree_stall.h
@@ -452,8 +452,8 @@ static void print_cpu_stat_info(int cpu)
rsr.cputime_system = kcpustat_field(kcsp, CPUTIME_SYSTEM, cpu);
pr_err("\t hardirqs softirqs csw/system\n");
- pr_err("\t number: %8ld %10d %12lld\n",
- kstat_cpu_irqs_sum(cpu) - rsrp->nr_hardirqs,
+ pr_err("\t number: %8lld %10d %12lld\n",
+ kstat_cpu_irqs_sum(cpu) + arch_irq_stat_cpu(cpu) - rsrp->nr_hardirqs,
kstat_cpu_softirqs_sum(cpu) - rsrp->nr_softirqs,
nr_context_switches_cpu(cpu) - rsrp->nr_csw);
pr_err("\tcputime: %8lld %10lld %12lld ==> %d(ms)\n",
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 034/356] crypto: lrw - Only add ecb if it is not already there
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 033/356] rcu/cpu_stall_cputime: fix the hardirq count for x86 architecture Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 035/356] crypto: xts " Greg Kroah-Hartman
` (330 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Herbert Xu,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 3d73909bddc2ebb3224a8bc2e5ce00e9df70c15d ]
Only add ecb to the cipher name if it isn't already ecb.
Also use memcmp instead of strncmp since these strings are all
stored in an array of length CRYPTO_MAX_ALG_NAME.
Fixes: 700cb3f5fe75 ("crypto: lrw - Convert to skcipher")
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202505151503.d8a6cf10-lkp@intel.com
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/lrw.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/lrw.c b/crypto/lrw.c
index 59260aefed280..5536ec7bf18f1 100644
--- a/crypto/lrw.c
+++ b/crypto/lrw.c
@@ -322,7 +322,7 @@ static int lrw_create(struct crypto_template *tmpl, struct rtattr **tb)
err = crypto_grab_skcipher(spawn, skcipher_crypto_instance(inst),
cipher_name, 0, mask);
- if (err == -ENOENT) {
+ if (err == -ENOENT && memcmp(cipher_name, "ecb(", 4)) {
err = -ENAMETOOLONG;
if (snprintf(ecb_name, CRYPTO_MAX_ALG_NAME, "ecb(%s)",
cipher_name) >= CRYPTO_MAX_ALG_NAME)
@@ -356,7 +356,7 @@ static int lrw_create(struct crypto_template *tmpl, struct rtattr **tb)
/* Alas we screwed up the naming so we have to mangle the
* cipher name.
*/
- if (!strncmp(cipher_name, "ecb(", 4)) {
+ if (!memcmp(cipher_name, "ecb(", 4)) {
int len;
len = strscpy(ecb_name, cipher_name + 4, sizeof(ecb_name));
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 035/356] crypto: xts - Only add ecb if it is not already there
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 034/356] crypto: lrw - Only add ecb if it is not already there Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 036/356] crypto: sun8i-ce - move fallback ahash_request to the end of the struct Greg Kroah-Hartman
` (329 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Herbert Xu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 270b6f13454cb7f2f7058c50df64df409c5dcf55 ]
Only add ecb to the cipher name if it isn't already ecb.
Also use memcmp instead of strncmp since these strings are all
stored in an array of length CRYPTO_MAX_ALG_NAME.
Fixes: f1c131b45410 ("crypto: xts - Convert to skcipher")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/xts.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/xts.c b/crypto/xts.c
index 038f60dd512d9..97fd0fb8757c2 100644
--- a/crypto/xts.c
+++ b/crypto/xts.c
@@ -363,7 +363,7 @@ static int xts_create(struct crypto_template *tmpl, struct rtattr **tb)
err = crypto_grab_skcipher(&ctx->spawn, skcipher_crypto_instance(inst),
cipher_name, 0, mask);
- if (err == -ENOENT) {
+ if (err == -ENOENT && memcmp(cipher_name, "ecb(", 4)) {
err = -ENAMETOOLONG;
if (snprintf(name, CRYPTO_MAX_ALG_NAME, "ecb(%s)",
cipher_name) >= CRYPTO_MAX_ALG_NAME)
@@ -397,7 +397,7 @@ static int xts_create(struct crypto_template *tmpl, struct rtattr **tb)
/* Alas we screwed up the naming so we have to mangle the
* cipher name.
*/
- if (!strncmp(cipher_name, "ecb(", 4)) {
+ if (!memcmp(cipher_name, "ecb(", 4)) {
int len;
len = strscpy(name, cipher_name + 4, sizeof(name));
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 036/356] crypto: sun8i-ce - move fallback ahash_request to the end of the struct
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 035/356] crypto: xts " Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 037/356] kunit: Fix wrong parameter to kunit_deactivate_static_stub() Greg Kroah-Hartman
` (328 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ovidiu Panait, Herbert Xu,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
[ Upstream commit c822831b426307a6ca426621504d3c7f99765a39 ]
'struct ahash_request' has a flexible array at the end, so it must be the
last member in a struct, to avoid overwriting other struct members.
Therefore, move 'fallback_req' to the end of the 'sun8i_ce_hash_reqctx'
struct.
Fixes: 56f6d5aee88d ("crypto: sun8i-ce - support hash algorithms")
Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h
index 93d4985def87a..65cc1278ee155 100644
--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h
+++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h
@@ -293,8 +293,8 @@ struct sun8i_ce_hash_tfm_ctx {
* @flow: the flow to use for this request
*/
struct sun8i_ce_hash_reqctx {
- struct ahash_request fallback_req;
int flow;
+ struct ahash_request fallback_req; // keep at the end
};
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 037/356] kunit: Fix wrong parameter to kunit_deactivate_static_stub()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 036/356] crypto: sun8i-ce - move fallback ahash_request to the end of the struct Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 038/356] ACPICA: exserial: dont forget to handle FFixedHW opregions for reading Greg Kroah-Hartman
` (327 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tzung-Bi Shih, David Gow, Shuah Khan,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tzung-Bi Shih <tzungbi@kernel.org>
[ Upstream commit 772e50a76ee664e75581624f512df4e45582605a ]
kunit_deactivate_static_stub() accepts real_fn_addr instead of
replacement_addr. In the case, it always passes NULL to
kunit_deactivate_static_stub().
Fix it.
Link: https://lore.kernel.org/r/20250520082050.2254875-1-tzungbi@kernel.org
Fixes: e047c5eaa763 ("kunit: Expose 'static stub' API to redirect functions")
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Reviewed-by: David Gow <davidgow@google.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/kunit/static_stub.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/kunit/static_stub.c b/lib/kunit/static_stub.c
index 92b2cccd5e763..484fd85251b41 100644
--- a/lib/kunit/static_stub.c
+++ b/lib/kunit/static_stub.c
@@ -96,7 +96,7 @@ void __kunit_activate_static_stub(struct kunit *test,
/* If the replacement address is NULL, deactivate the stub. */
if (!replacement_addr) {
- kunit_deactivate_static_stub(test, replacement_addr);
+ kunit_deactivate_static_stub(test, real_fn_addr);
return;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 038/356] ACPICA: exserial: dont forget to handle FFixedHW opregions for reading
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 037/356] kunit: Fix wrong parameter to kunit_deactivate_static_stub() Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 039/356] tools/nolibc/types.h: fix mismatched parenthesis in minor() Greg Kroah-Hartman
` (326 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniil Tatianin, Rafael J. Wysocki,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniil Tatianin <d-tatianin@yandex-team.ru>
[ Upstream commit 0f8af0356a45547683a216e4921006a3c6a6d922 ]
The initial commit that introduced support for FFixedHW operation
regions did add a special case in the AcpiExReadSerialBus If, but
forgot to actually handle it inside the switch, so add the missing case
to prevent reads from failing with AE_AML_INVALID_SPACE_ID.
Link: https://github.com/acpica/acpica/pull/998
Fixes: ee64b827a9a ("ACPICA: Add support for FFH Opregion special context data")
Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
Link: https://patch.msgid.link/20250401184312.599962-1-d-tatianin@yandex-team.ru
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpica/exserial.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/acpi/acpica/exserial.c b/drivers/acpi/acpica/exserial.c
index 5241f4c01c765..89a4ac447a2be 100644
--- a/drivers/acpi/acpica/exserial.c
+++ b/drivers/acpi/acpica/exserial.c
@@ -201,6 +201,12 @@ acpi_ex_read_serial_bus(union acpi_operand_object *obj_desc,
function = ACPI_READ;
break;
+ case ACPI_ADR_SPACE_FIXED_HARDWARE:
+
+ buffer_length = ACPI_FFH_INPUT_BUFFER_SIZE;
+ function = ACPI_READ;
+ break;
+
default:
return_ACPI_STATUS(AE_AML_INVALID_SPACE_ID);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 039/356] tools/nolibc/types.h: fix mismatched parenthesis in minor()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 038/356] ACPICA: exserial: dont forget to handle FFixedHW opregions for reading Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 040/356] ASoC: tas2764: Enable main IRQs Greg Kroah-Hartman
` (325 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jemmy Wong, Willy Tarreau,
Thomas Weißschuh, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jemmy Wong <jemmywong512@gmail.com>
[ Upstream commit 9c138ac9392228835b520fd4dbb07e636b34a867 ]
Fix an imbalance where opening parentheses exceed closing ones.
Fixes: eba6d00d38e7c ("tools/nolibc/types: move makedev to types.h and make it a macro")
Signed-off-by: Jemmy Wong <jemmywong512@gmail.com>
Acked-by: Willy Tarreau <w@1wt.eu>
Link: https://lore.kernel.org/r/20250411073624.22153-1-jemmywong512@gmail.com
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/include/nolibc/types.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/include/nolibc/types.h b/tools/include/nolibc/types.h
index 8cfc4c860fa44..053ffa222ffcb 100644
--- a/tools/include/nolibc/types.h
+++ b/tools/include/nolibc/types.h
@@ -222,7 +222,7 @@ struct stat {
/* WARNING, it only deals with the 4096 first majors and 256 first minors */
#define makedev(major, minor) ((dev_t)((((major) & 0xfff) << 8) | ((minor) & 0xff)))
#define major(dev) ((unsigned int)(((dev) >> 8) & 0xfff))
-#define minor(dev) ((unsigned int)(((dev) & 0xff))
+#define minor(dev) ((unsigned int)((dev) & 0xff))
#ifndef offsetof
#define offsetof(TYPE, FIELD) ((size_t) &((TYPE *)0)->FIELD)
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 040/356] ASoC: tas2764: Enable main IRQs
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 039/356] tools/nolibc/types.h: fix mismatched parenthesis in minor() Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 041/356] EDAC/skx_common: Fix general protection fault Greg Kroah-Hartman
` (324 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neal Gompa, Hector Martin,
James Calligeros, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hector Martin <marcan@marcan.st>
[ Upstream commit dd50f0e38563f15819059c923bf142200453e003 ]
IRQ handling was added in commit dae191fb957f ("ASoC: tas2764: Add IRQ
handling") however that same commit masks all interrupts coming from
the chip. Unmask the "main" interrupts so that we can see and
deal with a number of errors including clock, voltage, and current.
Fixes: dae191fb957f ("ASoC: tas2764: Add IRQ handling")
Reviewed-by: Neal Gompa <neal@gompa.dev>
Signed-off-by: Hector Martin <marcan@marcan.st>
Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
Link: https://patch.msgid.link/20250406-apple-codec-changes-v5-4-50a00ec850a3@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/tas2764.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/codecs/tas2764.c b/sound/soc/codecs/tas2764.c
index 72d6356b89814..054c6f860675a 100644
--- a/sound/soc/codecs/tas2764.c
+++ b/sound/soc/codecs/tas2764.c
@@ -542,7 +542,7 @@ static int tas2764_codec_probe(struct snd_soc_component *component)
tas2764_reset(tas2764);
if (tas2764->irq) {
- ret = snd_soc_component_write(tas2764->component, TAS2764_INT_MASK0, 0xff);
+ ret = snd_soc_component_write(tas2764->component, TAS2764_INT_MASK0, 0x00);
if (ret < 0)
return ret;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 041/356] EDAC/skx_common: Fix general protection fault
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 040/356] ASoC: tas2764: Enable main IRQs Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 042/356] EDAC/{skx_common,i10nm}: Fix the loss of saved RRL for HBM pseudo channel 0 Greg Kroah-Hartman
` (323 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Feng Xu, Qiuxu Zhuo, Tony Luck,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
[ Upstream commit 20d2d476b3ae18041be423671a8637ed5ffd6958 ]
After loading i10nm_edac (which automatically loads skx_edac_common), if
unload only i10nm_edac, then reload it and perform error injection testing,
a general protection fault may occur:
mce: [Hardware Error]: Machine check events logged
Oops: general protection fault ...
...
Workqueue: events mce_gen_pool_process
RIP: 0010:string+0x53/0xe0
...
Call Trace:
<TASK>
? die_addr+0x37/0x90
? exc_general_protection+0x1e7/0x3f0
? asm_exc_general_protection+0x26/0x30
? string+0x53/0xe0
vsnprintf+0x23e/0x4c0
snprintf+0x4d/0x70
skx_adxl_decode+0x16a/0x330 [skx_edac_common]
skx_mce_check_error.part.0+0xf8/0x220 [skx_edac_common]
skx_mce_check_error+0x17/0x20 [skx_edac_common]
...
The issue arose was because the variable 'adxl_component_count' (inside
skx_edac_common), which counts the ADXL components, was not reset. During
the reloading of i10nm_edac, the count was incremented by the actual number
of ADXL components again, resulting in a count that was double the real
number of ADXL components. This led to an out-of-bounds reference to the
ADXL component array, causing the general protection fault above.
Fix this issue by resetting the 'adxl_component_count' in adxl_put(),
which is called during the unloading of {skx,i10nm}_edac.
Fixes: 123b15863550 ("EDAC, i10nm: make skx_common.o a separate module")
Reported-by: Feng Xu <feng.f.xu@intel.com>
Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Tested-by: Feng Xu <feng.f.xu@intel.com>
Link: https://lore.kernel.org/r/20250417150724.1170168-2-qiuxu.zhuo@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/edac/skx_common.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/edac/skx_common.c b/drivers/edac/skx_common.c
index d47f0055217e4..9e43aed72bd9f 100644
--- a/drivers/edac/skx_common.c
+++ b/drivers/edac/skx_common.c
@@ -115,6 +115,7 @@ EXPORT_SYMBOL_GPL(skx_adxl_get);
void skx_adxl_put(void)
{
+ adxl_component_count = 0;
kfree(adxl_values);
kfree(adxl_msg);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 042/356] EDAC/{skx_common,i10nm}: Fix the loss of saved RRL for HBM pseudo channel 0
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 041/356] EDAC/skx_common: Fix general protection fault Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 043/356] tools/nolibc: fix integer overflow in i{64,}toa_r() and Greg Kroah-Hartman
` (322 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qiuxu Zhuo, Tony Luck, Feng Xu,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
[ Upstream commit eeed3e03f4261e5e381a72ae099ff00ccafbb437 ]
When enabling the retry_rd_err_log (RRL) feature during the loading of the
i10nm_edac driver with the module parameter retry_rd_err_log=2 (Linux RRL
control mode), the default values of the control bits of RRL are saved so
that they can be restored during the unloading of the driver.
In the current code, the RRL of pseudo channel 1 of HBM overwrites pseudo
channel 0 during the loading of the driver, resulting in the loss of saved
RRL for pseudo channel 0. This causes the RRL of pseudo channel 0 of HBM to
be wrongly restored with the values from pseudo channel 1 when unloading
the driver.
Fix this issue by creating two separate groups of RRL control registers
per channel to save default RRL settings of two {sub-,pseudo-}channels.
Fixes: acd4cf68fefe ("EDAC/i10nm: Retrieve and print retry_rd_err_log registers for HBM")
Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Tested-by: Feng Xu <feng.f.xu@intel.com>
Link: https://lore.kernel.org/r/20250417150724.1170168-3-qiuxu.zhuo@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/edac/i10nm_base.c | 35 +++++++++++++++++++----------------
drivers/edac/skx_common.h | 11 ++++++++---
2 files changed, 27 insertions(+), 19 deletions(-)
diff --git a/drivers/edac/i10nm_base.c b/drivers/edac/i10nm_base.c
index 67a46abe07da9..068597e8fce95 100644
--- a/drivers/edac/i10nm_base.c
+++ b/drivers/edac/i10nm_base.c
@@ -99,7 +99,7 @@ static u32 offsets_demand2_spr[] = {0x22c70, 0x22d80, 0x22f18, 0x22d58, 0x22c64,
static u32 offsets_demand_spr_hbm0[] = {0x2a54, 0x2a60, 0x2b10, 0x2a58, 0x2a5c, 0x0ee0};
static u32 offsets_demand_spr_hbm1[] = {0x2e54, 0x2e60, 0x2f10, 0x2e58, 0x2e5c, 0x0fb0};
-static void __enable_retry_rd_err_log(struct skx_imc *imc, int chan, bool enable,
+static void __enable_retry_rd_err_log(struct skx_imc *imc, int chan, bool enable, u32 *rrl_ctl,
u32 *offsets_scrub, u32 *offsets_demand,
u32 *offsets_demand2)
{
@@ -112,10 +112,10 @@ static void __enable_retry_rd_err_log(struct skx_imc *imc, int chan, bool enable
if (enable) {
/* Save default configurations */
- imc->chan[chan].retry_rd_err_log_s = s;
- imc->chan[chan].retry_rd_err_log_d = d;
+ rrl_ctl[0] = s;
+ rrl_ctl[1] = d;
if (offsets_demand2)
- imc->chan[chan].retry_rd_err_log_d2 = d2;
+ rrl_ctl[2] = d2;
s &= ~RETRY_RD_ERR_LOG_NOOVER_UC;
s |= RETRY_RD_ERR_LOG_EN;
@@ -129,25 +129,25 @@ static void __enable_retry_rd_err_log(struct skx_imc *imc, int chan, bool enable
}
} else {
/* Restore default configurations */
- if (imc->chan[chan].retry_rd_err_log_s & RETRY_RD_ERR_LOG_UC)
+ if (rrl_ctl[0] & RETRY_RD_ERR_LOG_UC)
s |= RETRY_RD_ERR_LOG_UC;
- if (imc->chan[chan].retry_rd_err_log_s & RETRY_RD_ERR_LOG_NOOVER)
+ if (rrl_ctl[0] & RETRY_RD_ERR_LOG_NOOVER)
s |= RETRY_RD_ERR_LOG_NOOVER;
- if (!(imc->chan[chan].retry_rd_err_log_s & RETRY_RD_ERR_LOG_EN))
+ if (!(rrl_ctl[0] & RETRY_RD_ERR_LOG_EN))
s &= ~RETRY_RD_ERR_LOG_EN;
- if (imc->chan[chan].retry_rd_err_log_d & RETRY_RD_ERR_LOG_UC)
+ if (rrl_ctl[1] & RETRY_RD_ERR_LOG_UC)
d |= RETRY_RD_ERR_LOG_UC;
- if (imc->chan[chan].retry_rd_err_log_d & RETRY_RD_ERR_LOG_NOOVER)
+ if (rrl_ctl[1] & RETRY_RD_ERR_LOG_NOOVER)
d |= RETRY_RD_ERR_LOG_NOOVER;
- if (!(imc->chan[chan].retry_rd_err_log_d & RETRY_RD_ERR_LOG_EN))
+ if (!(rrl_ctl[1] & RETRY_RD_ERR_LOG_EN))
d &= ~RETRY_RD_ERR_LOG_EN;
if (offsets_demand2) {
- if (imc->chan[chan].retry_rd_err_log_d2 & RETRY_RD_ERR_LOG_UC)
+ if (rrl_ctl[2] & RETRY_RD_ERR_LOG_UC)
d2 |= RETRY_RD_ERR_LOG_UC;
- if (!(imc->chan[chan].retry_rd_err_log_d2 & RETRY_RD_ERR_LOG_NOOVER))
+ if (!(rrl_ctl[2] & RETRY_RD_ERR_LOG_NOOVER))
d2 &= ~RETRY_RD_ERR_LOG_NOOVER;
- if (!(imc->chan[chan].retry_rd_err_log_d2 & RETRY_RD_ERR_LOG_EN))
+ if (!(rrl_ctl[2] & RETRY_RD_ERR_LOG_EN))
d2 &= ~RETRY_RD_ERR_LOG_EN;
}
}
@@ -161,6 +161,7 @@ static void __enable_retry_rd_err_log(struct skx_imc *imc, int chan, bool enable
static void enable_retry_rd_err_log(bool enable)
{
int i, j, imc_num, chan_num;
+ struct skx_channel *chan;
struct skx_imc *imc;
struct skx_dev *d;
@@ -175,8 +176,9 @@ static void enable_retry_rd_err_log(bool enable)
if (!imc->mbase)
continue;
+ chan = d->imc[i].chan;
for (j = 0; j < chan_num; j++)
- __enable_retry_rd_err_log(imc, j, enable,
+ __enable_retry_rd_err_log(imc, j, enable, chan[j].rrl_ctl[0],
res_cfg->offsets_scrub,
res_cfg->offsets_demand,
res_cfg->offsets_demand2);
@@ -190,12 +192,13 @@ static void enable_retry_rd_err_log(bool enable)
if (!imc->mbase || !imc->hbm_mc)
continue;
+ chan = d->imc[i].chan;
for (j = 0; j < chan_num; j++) {
- __enable_retry_rd_err_log(imc, j, enable,
+ __enable_retry_rd_err_log(imc, j, enable, chan[j].rrl_ctl[0],
res_cfg->offsets_scrub_hbm0,
res_cfg->offsets_demand_hbm0,
NULL);
- __enable_retry_rd_err_log(imc, j, enable,
+ __enable_retry_rd_err_log(imc, j, enable, chan[j].rrl_ctl[1],
res_cfg->offsets_scrub_hbm1,
res_cfg->offsets_demand_hbm1,
NULL);
diff --git a/drivers/edac/skx_common.h b/drivers/edac/skx_common.h
index 5acfef8fd3d36..2ea4d1d1fbef2 100644
--- a/drivers/edac/skx_common.h
+++ b/drivers/edac/skx_common.h
@@ -80,6 +80,9 @@
*/
#define MCACOD_EXT_MEM_ERR 0x280
+/* Max RRL register sets per {,sub-,pseudo-}channel. */
+#define NUM_RRL_SET 3
+
/*
* Each cpu socket contains some pci devices that provide global
* information, and also some that are local to each of the two
@@ -118,9 +121,11 @@ struct skx_dev {
struct skx_channel {
struct pci_dev *cdev;
struct pci_dev *edev;
- u32 retry_rd_err_log_s;
- u32 retry_rd_err_log_d;
- u32 retry_rd_err_log_d2;
+ /*
+ * Two groups of RRL control registers per channel to save default RRL
+ * settings of two {sub-,pseudo-}channels in Linux RRL control mode.
+ */
+ u32 rrl_ctl[2][NUM_RRL_SET];
struct skx_dimm {
u8 close_pg;
u8 bank_xor_enable;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 043/356] tools/nolibc: fix integer overflow in i{64,}toa_r() and
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 042/356] EDAC/{skx_common,i10nm}: Fix the loss of saved RRL for HBM pseudo channel 0 Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 044/356] spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers Greg Kroah-Hartman
` (321 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh, Willy Tarreau,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <linux@weissschuh.net>
[ Upstream commit 4d231a7df1a85c7572b67a4666cb73adb977fbf6 ]
In twos complement the most negative number can not be negated.
Fixes: b1c21e7d99cd ("tools/nolibc/stdlib: add i64toa() and u64toa()")
Fixes: 66c397c4d2e1 ("tools/nolibc/stdlib: replace the ltoa() function with more efficient ones")
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Acked-by: Willy Tarreau <w@1wt.eu>
Link: https://lore.kernel.org/r/20250419-nolibc-ubsan-v2-5-060b8a016917@weissschuh.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/include/nolibc/stdlib.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/include/nolibc/stdlib.h b/tools/include/nolibc/stdlib.h
index 5be9d3c7435a8..6bf62f5048faa 100644
--- a/tools/include/nolibc/stdlib.h
+++ b/tools/include/nolibc/stdlib.h
@@ -274,7 +274,7 @@ int itoa_r(long in, char *buffer)
int len = 0;
if (in < 0) {
- in = -in;
+ in = -(unsigned long)in;
*(ptr++) = '-';
len++;
}
@@ -410,7 +410,7 @@ int i64toa_r(int64_t in, char *buffer)
int len = 0;
if (in < 0) {
- in = -in;
+ in = -(uint64_t)in;
*(ptr++) = '-';
len++;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 044/356] spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 043/356] tools/nolibc: fix integer overflow in i{64,}toa_r() and Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 045/356] spi: tegra210-quad: remove redundant error handling code Greg Kroah-Hartman
` (320 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vishwaroop A, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vishwaroop A <va@nvidia.com>
[ Upstream commit dcb06c638a1174008a985849fa30fc0da7d08904 ]
This patch corrects the QSPI_COMMAND_X1_X2_X4 and QSPI_ADDRESS_X1_X2_X4
macros to properly encode the bus width for x1, x2, and x4 transfers.
Although these macros were previously incorrect, they were not being
used in the driver, so no functionality was affected.
The patch updates tegra_qspi_cmd_config() and tegra_qspi_addr_config()
function calls to use the actual bus width from the transfer, instead of
hardcoding it to 0 (which implied x1 mode). This change enables proper
support for x1, x2, and x4 data transfers by correctly configuring the
interface width for commands and addresses.
These modifications improve the QSPI driver's flexibility and prepare it
for future use cases that may require different bus widths for commands
and addresses.
Fixes: 1b8342cc4a38 ("spi: tegra210-quad: combined sequence mode")
Signed-off-by: Vishwaroop A <va@nvidia.com>
Link: https://patch.msgid.link/20250416110606.2737315-2-va@nvidia.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-tegra210-quad.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
index e3c236025a7b3..78b3a021e915e 100644
--- a/drivers/spi/spi-tegra210-quad.c
+++ b/drivers/spi/spi-tegra210-quad.c
@@ -134,7 +134,7 @@
#define QSPI_COMMAND_VALUE_SET(X) (((x) & 0xFF) << 0)
#define QSPI_CMB_SEQ_CMD_CFG 0x1a0
-#define QSPI_COMMAND_X1_X2_X4(x) (((x) & 0x3) << 13)
+#define QSPI_COMMAND_X1_X2_X4(x) ((((x) >> 1) & 0x3) << 13)
#define QSPI_COMMAND_X1_X2_X4_MASK (0x03 << 13)
#define QSPI_COMMAND_SDR_DDR BIT(12)
#define QSPI_COMMAND_SIZE_SET(x) (((x) & 0xFF) << 0)
@@ -147,7 +147,7 @@
#define QSPI_ADDRESS_VALUE_SET(X) (((x) & 0xFFFF) << 0)
#define QSPI_CMB_SEQ_ADDR_CFG 0x1ac
-#define QSPI_ADDRESS_X1_X2_X4(x) (((x) & 0x3) << 13)
+#define QSPI_ADDRESS_X1_X2_X4(x) ((((x) >> 1) & 0x3) << 13)
#define QSPI_ADDRESS_X1_X2_X4_MASK (0x03 << 13)
#define QSPI_ADDRESS_SDR_DDR BIT(12)
#define QSPI_ADDRESS_SIZE_SET(x) (((x) & 0xFF) << 0)
@@ -1036,10 +1036,6 @@ static u32 tegra_qspi_addr_config(bool is_ddr, u8 bus_width, u8 len)
{
u32 addr_config = 0;
- /* Extract Address configuration and value */
- is_ddr = 0; //Only SDR mode supported
- bus_width = 0; //X1 mode
-
if (is_ddr)
addr_config |= QSPI_ADDRESS_SDR_DDR;
else
@@ -1079,13 +1075,13 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi,
switch (transfer_phase) {
case CMD_TRANSFER:
/* X1 SDR mode */
- cmd_config = tegra_qspi_cmd_config(false, 0,
+ cmd_config = tegra_qspi_cmd_config(false, xfer->tx_nbits,
xfer->len);
cmd_value = *((const u8 *)(xfer->tx_buf));
break;
case ADDR_TRANSFER:
/* X1 SDR mode */
- addr_config = tegra_qspi_addr_config(false, 0,
+ addr_config = tegra_qspi_addr_config(false, xfer->tx_nbits,
xfer->len);
address_value = *((const u32 *)(xfer->tx_buf));
break;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 045/356] spi: tegra210-quad: remove redundant error handling code
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 044/356] spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 046/356] spi: tegra210-quad: modify chip select (CS) deactivation Greg Kroah-Hartman
` (319 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vishwaroop A, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vishwaroop A <va@nvidia.com>
[ Upstream commit 400d9f1a27cc2fceabdb1ed93eaf0b89b6d32ba5 ]
Remove unnecessary error handling code that terminated transfers and
executed delay on errors. This code was redundant as error handling is
already done at a higher level in the SPI core.
Fixes: 1b8342cc4a38 ("spi: tegra210-quad: combined sequence mode")
Signed-off-by: Vishwaroop A <va@nvidia.com>
Link: https://patch.msgid.link/20250416110606.2737315-3-va@nvidia.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-tegra210-quad.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
index 78b3a021e915e..7a74164cd9548 100644
--- a/drivers/spi/spi-tegra210-quad.c
+++ b/drivers/spi/spi-tegra210-quad.c
@@ -1175,10 +1175,6 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi,
exit:
msg->status = ret;
- if (ret < 0) {
- tegra_qspi_transfer_end(spi);
- spi_transfer_delay_exec(xfer);
- }
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 046/356] spi: tegra210-quad: modify chip select (CS) deactivation
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 045/356] spi: tegra210-quad: remove redundant error handling code Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 047/356] power: reset: at91-reset: Optimize at91_reset() Greg Kroah-Hartman
` (318 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vishwaroop A, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vishwaroop A <va@nvidia.com>
[ Upstream commit d8966b65413390d1b5b706886987caac05fbe024 ]
Modify the chip select (CS) deactivation and inter-transfer delay
execution only during the DATA_TRANSFER phase when the cs_change
flag is not set. This ensures proper CS handling and timing between
transfers while eliminating redundant operations.
Fixes: 1b8342cc4a38 ("spi: tegra210-quad: combined sequence mode")
Signed-off-by: Vishwaroop A <va@nvidia.com>
Link: https://patch.msgid.link/20250416110606.2737315-4-va@nvidia.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-tegra210-quad.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
index 7a74164cd9548..e9afebd724237 100644
--- a/drivers/spi/spi-tegra210-quad.c
+++ b/drivers/spi/spi-tegra210-quad.c
@@ -1159,16 +1159,16 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi,
ret = -EIO;
goto exit;
}
- if (!xfer->cs_change) {
- tegra_qspi_transfer_end(spi);
- spi_transfer_delay_exec(xfer);
- }
break;
default:
ret = -EINVAL;
goto exit;
}
msg->actual_length += xfer->len;
+ if (!xfer->cs_change && transfer_phase == DATA_TRANSFER) {
+ tegra_qspi_transfer_end(spi);
+ spi_transfer_delay_exec(xfer);
+ }
transfer_phase++;
}
ret = 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 047/356] power: reset: at91-reset: Optimize at91_reset()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 046/356] spi: tegra210-quad: modify chip select (CS) deactivation Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 048/356] ASoC: SOF: ipc4-pcm: Adjust pipeline_list->pipelines allocation type Greg Kroah-Hartman
` (317 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Shiyan, Alexandre Belloni,
Sebastian Reichel, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Shiyan <eagle.alexander923@gmail.com>
[ Upstream commit 62d48983f215bf1dd48665913318101fa3414dcf ]
This patch adds a small optimization to the low-level at91_reset()
function, which includes:
- Removes the extra branch, since the following store operations
already have proper condition checks.
- Removes the definition of the clobber register r4, since it is
no longer used in the code.
Fixes: fcd0532fac2a ("power: reset: at91-reset: make at91sam9g45_restart() generic")
Signed-off-by: Alexander Shiyan <eagle.alexander923@gmail.com>
Reviewed-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Link: https://lore.kernel.org/r/20250307053809.20245-1-eagle.alexander923@gmail.com
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/power/reset/at91-reset.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/power/reset/at91-reset.c b/drivers/power/reset/at91-reset.c
index aa9b012d3d00b..bafe4cc6fafdc 100644
--- a/drivers/power/reset/at91-reset.c
+++ b/drivers/power/reset/at91-reset.c
@@ -129,12 +129,11 @@ static int at91_reset(struct notifier_block *this, unsigned long mode,
" str %4, [%0, %6]\n\t"
/* Disable SDRAM1 accesses */
"1: tst %1, #0\n\t"
- " beq 2f\n\t"
" strne %3, [%1, #" __stringify(AT91_DDRSDRC_RTR) "]\n\t"
/* Power down SDRAM1 */
" strne %4, [%1, %6]\n\t"
/* Reset CPU */
- "2: str %5, [%2, #" __stringify(AT91_RSTC_CR) "]\n\t"
+ " str %5, [%2, #" __stringify(AT91_RSTC_CR) "]\n\t"
" b .\n\t"
:
@@ -145,7 +144,7 @@ static int at91_reset(struct notifier_block *this, unsigned long mode,
"r" cpu_to_le32(AT91_DDRSDRC_LPCB_POWER_DOWN),
"r" (reset->data->reset_args),
"r" (reset->ramc_lpr)
- : "r4");
+ );
return NOTIFY_DONE;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 048/356] ASoC: SOF: ipc4-pcm: Adjust pipeline_list->pipelines allocation type
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 047/356] power: reset: at91-reset: Optimize at91_reset() Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 049/356] PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() Greg Kroah-Hartman
` (316 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kees Cook, Peter Ujfalusi,
Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit 00a371adbbfb46db561db85a9d7b53b2363880a1 ]
In preparation for making the kmalloc family of allocators type aware,
we need to make sure that the returned type from the allocation matches
the type of the variable being assigned. (Before, the allocator would
always return "void *", which can be implicitly cast to any pointer type.)
The assigned type is "struct snd_sof_pipeline **", but the returned type
will be "struct snd_sof_widget **". These are the same size allocation
(pointer size) but the types don't match. Adjust the allocation type to
match the assignment.
Signed-off-by: Kees Cook <kees@kernel.org>
Fixes: 9c04363d222b ("ASoC: SOF: Introduce struct snd_sof_pipeline")
Acked-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Link: https://patch.msgid.link/20250426062511.work.859-kees@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/ipc4-pcm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/soc/sof/ipc4-pcm.c b/sound/soc/sof/ipc4-pcm.c
index bb5df0d214e36..a29632423ccda 100644
--- a/sound/soc/sof/ipc4-pcm.c
+++ b/sound/soc/sof/ipc4-pcm.c
@@ -615,7 +615,8 @@ static int sof_ipc4_pcm_setup(struct snd_sof_dev *sdev, struct snd_sof_pcm *spcm
/* allocate memory for max number of pipeline IDs */
pipeline_list->pipelines = kcalloc(ipc4_data->max_num_pipelines,
- sizeof(struct snd_sof_widget *), GFP_KERNEL);
+ sizeof(*pipeline_list->pipelines),
+ GFP_KERNEL);
if (!pipeline_list->pipelines) {
sof_ipc4_pcm_free(sdev, spcm);
return -ENOMEM;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 049/356] PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 048/356] ASoC: SOF: ipc4-pcm: Adjust pipeline_list->pipelines allocation type Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 050/356] x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges() Greg Kroah-Hartman
` (315 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zijun Hu, Rafael J. Wysocki,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
[ Upstream commit f0050a3e214aa941b78ad4caf122a735a24d81a6 ]
pm_show_wakelocks() is called to generate a string when showing
attributes /sys/power/wake_(lock|unlock), but the string ends
with an unwanted space that was added back by mistake by commit
c9d967b2ce40 ("PM: wakeup: simplify the output logic of
pm_show_wakelocks()").
Remove the unwanted space.
Fixes: c9d967b2ce40 ("PM: wakeup: simplify the output logic of pm_show_wakelocks()")
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://patch.msgid.link/20250505-fix_power-v1-1-0f7f2c2f338c@quicinc.com
[ rjw: Changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/power/wakelock.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/power/wakelock.c b/kernel/power/wakelock.c
index 52571dcad768b..4e941999a53ba 100644
--- a/kernel/power/wakelock.c
+++ b/kernel/power/wakelock.c
@@ -49,6 +49,9 @@ ssize_t pm_show_wakelocks(char *buf, bool show_active)
len += sysfs_emit_at(buf, len, "%s ", wl->name);
}
+ if (len > 0)
+ --len;
+
len += sysfs_emit_at(buf, len, "\n");
mutex_unlock(&wakelocks_lock);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 050/356] x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 049/356] PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 051/356] PM: sleep: Print PM debug messages during hibernation Greg Kroah-Hartman
` (314 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiaqing Zhao, Borislav Petkov (AMD),
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
[ Upstream commit 824c6384e8d9275d4ec7204f3f79a4ac6bc10379 ]
When suspending, save_processor_state() calls mtrr_save_fixed_ranges()
to save fixed-range MTRRs.
On platforms without fixed-range MTRRs like the ACRN hypervisor which
has removed fixed-range MTRR emulation, accessing these MSRs will
trigger an unchecked MSR access error. Make sure fixed-range MTRRs are
supported before access to prevent such error.
Since mtrr_state.have_fixed is only set when MTRRs are present and
enabled, checking the CPU feature flag in mtrr_save_fixed_ranges() is
unnecessary.
Fixes: 3ebad5905609 ("[PATCH] x86: Save and restore the fixed-range MTRRs of the BSP when suspending")
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/20250509170633.3411169-2-jiaqing.zhao@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/cpu/mtrr/generic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/cpu/mtrr/generic.c b/arch/x86/kernel/cpu/mtrr/generic.c
index 2d6aa5d2e3d77..6839440a4b31e 100644
--- a/arch/x86/kernel/cpu/mtrr/generic.c
+++ b/arch/x86/kernel/cpu/mtrr/generic.c
@@ -582,7 +582,7 @@ static void get_fixed_ranges(mtrr_type *frs)
void mtrr_save_fixed_ranges(void *info)
{
- if (boot_cpu_has(X86_FEATURE_MTRR))
+ if (mtrr_state.have_fixed)
get_fixed_ranges(mtrr_state.fixed_ranges);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 051/356] PM: sleep: Print PM debug messages during hibernation
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 050/356] x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges() Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 052/356] ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions" Greg Kroah-Hartman
` (313 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Mario Limonciello,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 1b17d4525bca3916644c41e01522df8fa0f8b90b ]
Commit cdb8c100d8a4 ("include/linux/suspend.h: Only show pm_pr_dbg
messages at suspend/resume") caused PM debug messages to only be
printed during system-wide suspend and resume in progress, but it
forgot about hibernation.
Address this by adding a check for hibernation in progress to
pm_debug_messages_should_print().
Fixes: cdb8c100d8a4 ("include/linux/suspend.h: Only show pm_pr_dbg messages at suspend/resume")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
Link: https://patch.msgid.link/4998903.GXAFRqVoOG@rjwysocki.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/power/hibernate.c | 5 +++++
kernel/power/main.c | 3 ++-
kernel/power/power.h | 4 ++++
3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index c2fc58938dee5..76dcf2e28427f 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -80,6 +80,11 @@ void hibernate_release(void)
atomic_inc(&hibernate_atomic);
}
+bool hibernation_in_progress(void)
+{
+ return !atomic_read(&hibernate_atomic);
+}
+
bool hibernation_available(void)
{
return nohibernate == 0 &&
diff --git a/kernel/power/main.c b/kernel/power/main.c
index f6425ae3e8b05..a3543bd2d25af 100644
--- a/kernel/power/main.c
+++ b/kernel/power/main.c
@@ -585,7 +585,8 @@ bool pm_debug_messages_on __read_mostly;
bool pm_debug_messages_should_print(void)
{
- return pm_debug_messages_on && pm_suspend_target_state != PM_SUSPEND_ON;
+ return pm_debug_messages_on && (hibernation_in_progress() ||
+ pm_suspend_target_state != PM_SUSPEND_ON);
}
EXPORT_SYMBOL_GPL(pm_debug_messages_should_print);
diff --git a/kernel/power/power.h b/kernel/power/power.h
index a98f95e309a33..62a7cb452a4be 100644
--- a/kernel/power/power.h
+++ b/kernel/power/power.h
@@ -66,10 +66,14 @@ extern void enable_restore_image_protection(void);
static inline void enable_restore_image_protection(void) {}
#endif /* CONFIG_STRICT_KERNEL_RWX */
+extern bool hibernation_in_progress(void);
+
#else /* !CONFIG_HIBERNATION */
static inline void hibernate_reserved_size_init(void) {}
static inline void hibernate_image_size_init(void) {}
+
+static inline bool hibernation_in_progress(void) { return false; }
#endif /* !CONFIG_HIBERNATION */
#define power_attr(_name) \
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 052/356] ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions"
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 051/356] PM: sleep: Print PM debug messages during hibernation Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 053/356] spi: sh-msiof: Fix maximum DMA transfer size Greg Kroah-Hartman
` (312 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Armin Wolf, Rafael J. Wysocki,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Armin Wolf <W_Armin@gmx.de>
[ Upstream commit 8cf4fdac9bdead7bca15fc56fdecdf78d11c3ec6 ]
As specified in section 5.7.2 of the ACPI specification the feature
group string "3.0 _SCP Extensions" implies that the operating system
evaluates the _SCP control method with additional parameters.
However the ACPI thermal driver evaluates the _SCP control method
without those additional parameters, conflicting with the above
feature group string advertised to the firmware thru _OSI.
Stop advertising support for this feature string to avoid confusing
the ACPI firmware.
Fixes: e5f660ebef68 ("ACPI / osi: Collect _OSI handling into one single file")
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://patch.msgid.link/20250410165456.4173-2-W_Armin@gmx.de
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/osi.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/acpi/osi.c b/drivers/acpi/osi.c
index d4405e1ca9b97..ae9620757865b 100644
--- a/drivers/acpi/osi.c
+++ b/drivers/acpi/osi.c
@@ -42,7 +42,6 @@ static struct acpi_osi_entry
osi_setup_entries[OSI_STRING_ENTRIES_MAX] __initdata = {
{"Module Device", true},
{"Processor Device", true},
- {"3.0 _SCP Extensions", true},
{"Processor Aggregator Device", true},
};
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 053/356] spi: sh-msiof: Fix maximum DMA transfer size
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 052/356] ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions" Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 054/356] ASoC: apple: mca: Constrain channels according to TDM mask Greg Kroah-Hartman
` (311 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
[ Upstream commit 0941d5166629cb766000530945e54b4e49680c68 ]
The maximum amount of data to transfer in a single DMA request is
calculated from the FIFO sizes (which is technically not 100% correct,
but a simplification, as it is limited by the maximum word count values
in the Transmit and Control Data Registers). However, in case there is
both data to transmit and to receive, the transmit limit is overwritten
by the receive limit.
Fix this by using the minimum applicable FIFO size instead. Move the
calculation outside the loop, so it is not repeated for each individual
DMA transfer.
As currently tx_fifo_size is always equal to rx_fifo_size, this bug had
no real impact.
Fixes: fe78d0b7691c0274 ("spi: sh-msiof: Fix FIFO size to 64 word from 256 word")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/d9961767a97758b2614f2ee8afe1bd56dc900a60.1747401908.git.geert+renesas@glider.be
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-sh-msiof.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/spi/spi-sh-msiof.c b/drivers/spi/spi-sh-msiof.c
index 6f12e4fb2e2e1..65c11909659c6 100644
--- a/drivers/spi/spi-sh-msiof.c
+++ b/drivers/spi/spi-sh-msiof.c
@@ -918,6 +918,7 @@ static int sh_msiof_transfer_one(struct spi_controller *ctlr,
void *rx_buf = t->rx_buf;
unsigned int len = t->len;
unsigned int bits = t->bits_per_word;
+ unsigned int max_wdlen = 256;
unsigned int bytes_per_word;
unsigned int words;
int n;
@@ -931,17 +932,17 @@ static int sh_msiof_transfer_one(struct spi_controller *ctlr,
if (!spi_controller_is_target(p->ctlr))
sh_msiof_spi_set_clk_regs(p, t);
+ if (tx_buf)
+ max_wdlen = min(max_wdlen, p->tx_fifo_size);
+ if (rx_buf)
+ max_wdlen = min(max_wdlen, p->rx_fifo_size);
+
while (ctlr->dma_tx && len > 15) {
/*
* DMA supports 32-bit words only, hence pack 8-bit and 16-bit
* words, with byte resp. word swapping.
*/
- unsigned int l = 0;
-
- if (tx_buf)
- l = min(round_down(len, 4), p->tx_fifo_size * 4);
- if (rx_buf)
- l = min(round_down(len, 4), p->rx_fifo_size * 4);
+ unsigned int l = min(round_down(len, 4), max_wdlen * 4);
if (bits <= 8) {
copy32 = copy_bswap32;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 054/356] ASoC: apple: mca: Constrain channels according to TDM mask
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 053/356] spi: sh-msiof: Fix maximum DMA transfer size Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 055/356] drm/vmwgfx: Add seqno waiter for sync_files Greg Kroah-Hartman
` (310 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin Povišer,
James Calligeros, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Povišer <povik+lin@cutebit.org>
[ Upstream commit e717c661e2d1a660e96c40b0fe9933e23a1d7747 ]
We don't (and can't) configure the hardware correctly if the number of
channels exceeds the weight of the TDM mask. Report that constraint in
startup of FE.
Fixes: 3df5d0d97289 ("ASoC: apple: mca: Start new platform driver")
Signed-off-by: Martin Povišer <povik+lin@cutebit.org>
Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
Link: https://patch.msgid.link/20250518-mca-fixes-v1-1-ee1015a695f6@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/apple/mca.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/sound/soc/apple/mca.c b/sound/soc/apple/mca.c
index ce77934f3eef3..0e96caa607fb8 100644
--- a/sound/soc/apple/mca.c
+++ b/sound/soc/apple/mca.c
@@ -464,6 +464,28 @@ static int mca_configure_serdes(struct mca_cluster *cl, int serdes_unit,
return -EINVAL;
}
+static int mca_fe_startup(struct snd_pcm_substream *substream,
+ struct snd_soc_dai *dai)
+{
+ struct mca_cluster *cl = mca_dai_to_cluster(dai);
+ unsigned int mask, nchannels;
+
+ if (cl->tdm_slots) {
+ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
+ mask = cl->tdm_tx_mask;
+ else
+ mask = cl->tdm_rx_mask;
+
+ nchannels = hweight32(mask);
+ } else {
+ nchannels = 2;
+ }
+
+ return snd_pcm_hw_constraint_minmax(substream->runtime,
+ SNDRV_PCM_HW_PARAM_CHANNELS,
+ 1, nchannels);
+}
+
static int mca_fe_set_tdm_slot(struct snd_soc_dai *dai, unsigned int tx_mask,
unsigned int rx_mask, int slots, int slot_width)
{
@@ -680,6 +702,7 @@ static int mca_fe_hw_params(struct snd_pcm_substream *substream,
}
static const struct snd_soc_dai_ops mca_fe_ops = {
+ .startup = mca_fe_startup,
.set_fmt = mca_fe_set_fmt,
.set_bclk_ratio = mca_set_bclk_ratio,
.set_tdm_slot = mca_fe_set_tdm_slot,
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 055/356] drm/vmwgfx: Add seqno waiter for sync_files
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 054/356] ASoC: apple: mca: Constrain channels according to TDM mask Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 056/356] drm/vc4: tests: Use return instead of assert Greg Kroah-Hartman
` (309 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Forbes, Zack Rusin, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Forbes <ian.forbes@broadcom.com>
[ Upstream commit 0039a3b35b10d9c15d3d26320532ab56cc566750 ]
Because sync_files are passive waiters they do not participate in
the processing of fences like the traditional vmw_fence_wait IOCTL.
If userspace exclusively uses sync_files for synchronization then
nothing in the kernel actually processes fence updates as interrupts
for fences are masked and ignored if the kernel does not indicate to the
SVGA device that there are active waiters.
This oversight results in a bug where the entire GUI can freeze waiting
on a sync_file that will never be signalled as we've masked the interrupts
to signal its completion. This bug is incredibly racy as any process which
interacts with the fencing code via the 3D stack can process the stuck
fences on behalf of the stuck process causing it to run again. Even a
simple app like eglinfo is enough to resume the stuck process. Usually
this bug is seen at a login screen like GDM because there are no other
3D apps running.
By adding a seqno waiter we re-enable interrupt based processing of the
dma_fences associated with the sync_file which is signalled as part of a
dma_fence_callback.
This has likely been broken since it was initially added to the kernel in
2017 but has gone unnoticed until mutter recently started using sync_files
heavily over the course of 2024 as part of their explicit sync support.
Fixes: c906965dee22 ("drm/vmwgfx: Add export fence to file descriptor support")
Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250228200633.642417-1-ian.forbes@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 26 +++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
index 5fef0b31c1179..b129ce873af3f 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -4083,6 +4083,23 @@ static int vmw_execbuf_tie_context(struct vmw_private *dev_priv,
return 0;
}
+/*
+ * DMA fence callback to remove a seqno_waiter
+ */
+struct seqno_waiter_rm_context {
+ struct dma_fence_cb base;
+ struct vmw_private *dev_priv;
+};
+
+static void seqno_waiter_rm_cb(struct dma_fence *f, struct dma_fence_cb *cb)
+{
+ struct seqno_waiter_rm_context *ctx =
+ container_of(cb, struct seqno_waiter_rm_context, base);
+
+ vmw_seqno_waiter_remove(ctx->dev_priv);
+ kfree(ctx);
+}
+
int vmw_execbuf_process(struct drm_file *file_priv,
struct vmw_private *dev_priv,
void __user *user_commands, void *kernel_commands,
@@ -4263,6 +4280,15 @@ int vmw_execbuf_process(struct drm_file *file_priv,
} else {
/* Link the fence with the FD created earlier */
fd_install(out_fence_fd, sync_file->file);
+ struct seqno_waiter_rm_context *ctx =
+ kmalloc(sizeof(*ctx), GFP_KERNEL);
+ ctx->dev_priv = dev_priv;
+ vmw_seqno_waiter_add(dev_priv);
+ if (dma_fence_add_callback(&fence->base, &ctx->base,
+ seqno_waiter_rm_cb) < 0) {
+ vmw_seqno_waiter_remove(dev_priv);
+ kfree(ctx);
+ }
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 056/356] drm/vc4: tests: Use return instead of assert
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 055/356] drm/vmwgfx: Add seqno waiter for sync_files Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 057/356] drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table Greg Kroah-Hartman
` (308 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maíra Canal, Maxime Ripard,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxime Ripard <mripard@kernel.org>
[ Upstream commit 9e26a3740cc08ef8bcdc5e5d824792cd677affce ]
The vc4_mock_atomic_add_output() and vc4_mock_atomic_del_output() assert
that the functions they are calling didn't fail. Since some of them can
return EDEADLK, we can't properly deal with it.
Since both functions are expected to return an int, and all caller check
the return value, let's just properly propagate the errors when they
occur.
Fixes: f759f5b53f1c ("drm/vc4: tests: Introduce a mocking infrastructure")
Fixes: 76ec18dc5afa ("drm/vc4: tests: Add unit test suite for the PV muxing")
Reviewed-by: Maíra Canal <mcanal@igalia.com>
Link: https://lore.kernel.org/r/20250403-drm-vc4-kunit-failures-v2-1-e09195cc8840@kernel.org
Signed-off-by: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vc4/tests/vc4_mock_output.c | 36 ++++++++++++++-------
1 file changed, 24 insertions(+), 12 deletions(-)
diff --git a/drivers/gpu/drm/vc4/tests/vc4_mock_output.c b/drivers/gpu/drm/vc4/tests/vc4_mock_output.c
index e70d7c3076acf..f0ddc223c1f83 100644
--- a/drivers/gpu/drm/vc4/tests/vc4_mock_output.c
+++ b/drivers/gpu/drm/vc4/tests/vc4_mock_output.c
@@ -75,24 +75,30 @@ int vc4_mock_atomic_add_output(struct kunit *test,
int ret;
encoder = vc4_find_encoder_by_type(drm, type);
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, encoder);
+ if (!encoder)
+ return -ENODEV;
crtc = vc4_find_crtc_for_encoder(test, drm, encoder);
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, crtc);
+ if (!crtc)
+ return -ENODEV;
output = encoder_to_vc4_dummy_output(encoder);
conn = &output->connector;
conn_state = drm_atomic_get_connector_state(state, conn);
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, conn_state);
+ if (IS_ERR(conn_state))
+ return PTR_ERR(conn_state);
ret = drm_atomic_set_crtc_for_connector(conn_state, crtc);
- KUNIT_EXPECT_EQ(test, ret, 0);
+ if (ret)
+ return ret;
crtc_state = drm_atomic_get_crtc_state(state, crtc);
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, crtc_state);
+ if (IS_ERR(crtc_state))
+ return PTR_ERR(crtc_state);
ret = drm_atomic_set_mode_for_crtc(crtc_state, &default_mode);
- KUNIT_EXPECT_EQ(test, ret, 0);
+ if (ret)
+ return ret;
crtc_state->active = true;
@@ -113,26 +119,32 @@ int vc4_mock_atomic_del_output(struct kunit *test,
int ret;
encoder = vc4_find_encoder_by_type(drm, type);
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, encoder);
+ if (!encoder)
+ return -ENODEV;
crtc = vc4_find_crtc_for_encoder(test, drm, encoder);
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, crtc);
+ if (!crtc)
+ return -ENODEV;
crtc_state = drm_atomic_get_crtc_state(state, crtc);
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, crtc_state);
+ if (IS_ERR(crtc_state))
+ return PTR_ERR(crtc_state);
crtc_state->active = false;
ret = drm_atomic_set_mode_for_crtc(crtc_state, NULL);
- KUNIT_ASSERT_EQ(test, ret, 0);
+ if (ret)
+ return ret;
output = encoder_to_vc4_dummy_output(encoder);
conn = &output->connector;
conn_state = drm_atomic_get_connector_state(state, conn);
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, conn_state);
+ if (IS_ERR(conn_state))
+ return PTR_ERR(conn_state);
ret = drm_atomic_set_crtc_for_connector(conn_state, NULL);
- KUNIT_ASSERT_EQ(test, ret, 0);
+ if (ret)
+ return ret;
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 057/356] drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 056/356] drm/vc4: tests: Use return instead of assert Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 058/356] media: rkvdec: Fix frame size enumeration Greg Kroah-Hartman
` (307 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Charles Han, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charles Han <hanchunchao@inspur.com>
[ Upstream commit 820116a39f96bdc7d426c33a804b52f53700a919 ]
The function atomctrl_initialize_mc_reg_table() and
atomctrl_initialize_mc_reg_table_v2_2() does not check the return
value of smu_atom_get_data_table(). If smu_atom_get_data_table()
fails to retrieve vram_info, it returns NULL which is later
dereferenced.
Fixes: b3892e2bb519 ("drm/amd/pp: Use atombios api directly in powerplay (v2)")
Fixes: 5f92b48cf62c ("drm/amd/pm: add mc register table initialization")
Signed-off-by: Charles Han <hanchunchao@inspur.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
index 1fbd23922082a..7e37354a03411 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
@@ -144,6 +144,10 @@ int atomctrl_initialize_mc_reg_table(
vram_info = (ATOM_VRAM_INFO_HEADER_V2_1 *)
smu_atom_get_data_table(hwmgr->adev,
GetIndexIntoMasterTable(DATA, VRAM_Info), &size, &frev, &crev);
+ if (!vram_info) {
+ pr_err("Could not retrieve the VramInfo table!");
+ return -EINVAL;
+ }
if (module_index >= vram_info->ucNumOfVRAMModule) {
pr_err("Invalid VramInfo table.");
@@ -181,6 +185,10 @@ int atomctrl_initialize_mc_reg_table_v2_2(
vram_info = (ATOM_VRAM_INFO_HEADER_V2_2 *)
smu_atom_get_data_table(hwmgr->adev,
GetIndexIntoMasterTable(DATA, VRAM_Info), &size, &frev, &crev);
+ if (!vram_info) {
+ pr_err("Could not retrieve the VramInfo table!");
+ return -EINVAL;
+ }
if (module_index >= vram_info->ucNumOfVRAMModule) {
pr_err("Invalid VramInfo table.");
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 058/356] media: rkvdec: Fix frame size enumeration
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 057/356] drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 059/356] arm64/fpsimd: Avoid RES0 bits in the SME trap handler Greg Kroah-Hartman
` (306 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Bee, Jonas Karlman,
Nicolas Dufresne, Hans Verkuil, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonas Karlman <jonas@kwiboo.se>
[ Upstream commit f270005b99fa19fee9a6b4006e8dee37c10f1944 ]
The VIDIOC_ENUM_FRAMESIZES ioctl should return all frame sizes (i.e.
width and height in pixels) that the device supports for the given pixel
format.
It doesn't make a lot of sense to return the frame-sizes in a stepwise
manner, which is used to enforce hardware alignments requirements for
CAPTURE buffers, for coded formats.
Instead, applications should receive an indication, about the maximum
supported frame size for that hardware decoder, via a continuous
frame-size enumeration.
Fixes: cd33c830448b ("media: rkvdec: Add the rkvdec driver")
Suggested-by: Alex Bee <knaerzche@gmail.com>
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/media/rkvdec/rkvdec.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/media/rkvdec/rkvdec.c b/drivers/staging/media/rkvdec/rkvdec.c
index ac398b5a97360..a1d941b0be00b 100644
--- a/drivers/staging/media/rkvdec/rkvdec.c
+++ b/drivers/staging/media/rkvdec/rkvdec.c
@@ -213,8 +213,14 @@ static int rkvdec_enum_framesizes(struct file *file, void *priv,
if (!fmt)
return -EINVAL;
- fsize->type = V4L2_FRMSIZE_TYPE_STEPWISE;
- fsize->stepwise = fmt->frmsize;
+ fsize->type = V4L2_FRMSIZE_TYPE_CONTINUOUS;
+ fsize->stepwise.min_width = 1;
+ fsize->stepwise.max_width = fmt->frmsize.max_width;
+ fsize->stepwise.step_width = 1;
+ fsize->stepwise.min_height = 1;
+ fsize->stepwise.max_height = fmt->frmsize.max_height;
+ fsize->stepwise.step_height = 1;
+
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 059/356] arm64/fpsimd: Avoid RES0 bits in the SME trap handler
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 058/356] media: rkvdec: Fix frame size enumeration Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 060/356] arm64/fpsimd: Discard stale CPU state when handling SME traps Greg Kroah-Hartman
` (305 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Marc Zyngier,
Mark Brown, Will Deacon, Catalin Marinas, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit 95507570fb2f75544af69760cd5d8f48fc5c7f20 ]
The SME trap handler consumes RES0 bits from the ESR when determining
the reason for the trap, and depends upon those bits reading as zero.
This may break in future when those RES0 bits are allocated a meaning
and stop reading as zero.
For SME traps taken with ESR_ELx.EC == 0b011101, the specific reason for
the trap is indicated by ESR_ELx.ISS.SMTC ("SME Trap Code"). This field
occupies bits [2:0] of ESR_ELx.ISS, and as of ARM DDI 0487 L.a, bits
[24:3] of ESR_ELx.ISS are RES0. ESR_ELx.ISS itself occupies bits [24:0]
of ESR_ELx.
Extract the SMTC field specifically, matching the way we handle ESR_ELx
fields elsewhere, and ensuring that the handler is future-proof.
Fixes: 8bd7f91c03d8 ("arm64/sme: Implement traps and syscall handling for SME")
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Mark Brown <broonie@kernel.org>
Cc: Will Deacon <will@kernel.org>
Reviewed-by: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/r/20250409164010.3480271-2-mark.rutland@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/esr.h | 14 ++++++++------
arch/arm64/kernel/fpsimd.c | 2 +-
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/arch/arm64/include/asm/esr.h b/arch/arm64/include/asm/esr.h
index 1cdae1b4f03be..b04575ea3a355 100644
--- a/arch/arm64/include/asm/esr.h
+++ b/arch/arm64/include/asm/esr.h
@@ -366,12 +366,14 @@
/*
* ISS values for SME traps
*/
-
-#define ESR_ELx_SME_ISS_SME_DISABLED 0
-#define ESR_ELx_SME_ISS_ILL 1
-#define ESR_ELx_SME_ISS_SM_DISABLED 2
-#define ESR_ELx_SME_ISS_ZA_DISABLED 3
-#define ESR_ELx_SME_ISS_ZT_DISABLED 4
+#define ESR_ELx_SME_ISS_SMTC_MASK GENMASK(2, 0)
+#define ESR_ELx_SME_ISS_SMTC(esr) ((esr) & ESR_ELx_SME_ISS_SMTC_MASK)
+
+#define ESR_ELx_SME_ISS_SMTC_SME_DISABLED 0
+#define ESR_ELx_SME_ISS_SMTC_ILL 1
+#define ESR_ELx_SME_ISS_SMTC_SM_DISABLED 2
+#define ESR_ELx_SME_ISS_SMTC_ZA_DISABLED 3
+#define ESR_ELx_SME_ISS_SMTC_ZT_DISABLED 4
/* ISS field definitions for MOPS exceptions */
#define ESR_ELx_MOPS_ISS_MEM_INST (UL(1) << 24)
diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c
index bd4f6c6ee0f31..9f6ea38f5189f 100644
--- a/arch/arm64/kernel/fpsimd.c
+++ b/arch/arm64/kernel/fpsimd.c
@@ -1514,7 +1514,7 @@ void do_sme_acc(unsigned long esr, struct pt_regs *regs)
* If this not a trap due to SME being disabled then something
* is being used in the wrong mode, report as SIGILL.
*/
- if (ESR_ELx_ISS(esr) != ESR_ELx_SME_ISS_SME_DISABLED) {
+ if (ESR_ELx_SME_ISS_SMTC(esr) != ESR_ELx_SME_ISS_SMTC_SME_DISABLED) {
force_signal_inject(SIGILL, ILL_ILLOPC, regs->pc, 0);
return;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 060/356] arm64/fpsimd: Discard stale CPU state when handling SME traps
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 059/356] arm64/fpsimd: Avoid RES0 bits in the SME trap handler Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 061/356] arm64/fpsimd: Fix merging of FPSIMD state during signal return Greg Kroah-Hartman
` (304 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Mark Brown,
Marc Zyngier, Will Deacon, Catalin Marinas, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Brown <broonie@kernel.org>
[ Upstream commit d3eaab3c70905c5467e5c4ea403053d67505adeb ]
The logic for handling SME traps manipulates saved FPSIMD/SVE/SME state
incorrectly, and a race with preemption can result in a task having
TIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state
is stale (e.g. with SME traps enabled). This can result in warnings from
do_sme_acc() where SME traps are not expected while TIF_SME is set:
| /* With TIF_SME userspace shouldn't generate any traps */
| if (test_and_set_thread_flag(TIF_SME))
| WARN_ON(1);
This is very similar to the SVE issue we fixed in commit:
751ecf6afd6568ad ("arm64/sve: Discard stale CPU state when handling SVE traps")
The race can occur when the SME trap handler is preempted before and
after manipulating the saved FPSIMD/SVE/SME state, starting and ending on
the same CPU, e.g.
| void do_sme_acc(unsigned long esr, struct pt_regs *regs)
| {
| // Trap on CPU 0 with TIF_SME clear, SME traps enabled
| // task->fpsimd_cpu is 0.
| // per_cpu_ptr(&fpsimd_last_state, 0) is task.
|
| ...
|
| // Preempted; migrated from CPU 0 to CPU 1.
| // TIF_FOREIGN_FPSTATE is set.
|
| get_cpu_fpsimd_context();
|
| /* With TIF_SME userspace shouldn't generate any traps */
| if (test_and_set_thread_flag(TIF_SME))
| WARN_ON(1);
|
| if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {
| unsigned long vq_minus_one =
| sve_vq_from_vl(task_get_sme_vl(current)) - 1;
| sme_set_vq(vq_minus_one);
|
| fpsimd_bind_task_to_cpu();
| }
|
| put_cpu_fpsimd_context();
|
| // Preempted; migrated from CPU 1 to CPU 0.
| // task->fpsimd_cpu is still 0
| // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:
| // - Stale HW state is reused (with SME traps enabled)
| // - TIF_FOREIGN_FPSTATE is cleared
| // - A return to userspace skips HW state restore
| }
Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set
by calling fpsimd_flush_task_state() to detach from the saved CPU
state. This ensures that a subsequent context switch will not reuse the
stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the
new state to be reloaded from memory prior to a return to userspace.
Note: this was originallly posted as [1].
Fixes: 8bd7f91c03d8 ("arm64/sme: Implement traps and syscall handling for SME")
Reported-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/linux-arm-kernel/20241204-arm64-sme-reenable-v2-1-bae87728251d@kernel.org/
[ Rutland: rewrite commit message ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20250409164010.3480271-6-mark.rutland@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/kernel/fpsimd.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c
index 9f6ea38f5189f..3d482336c0662 100644
--- a/arch/arm64/kernel/fpsimd.c
+++ b/arch/arm64/kernel/fpsimd.c
@@ -1538,6 +1538,8 @@ void do_sme_acc(unsigned long esr, struct pt_regs *regs)
sme_set_vq(vq_minus_one);
fpsimd_bind_task_to_cpu();
+ } else {
+ fpsimd_flush_task_state(current);
}
put_cpu_fpsimd_context();
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 061/356] arm64/fpsimd: Fix merging of FPSIMD state during signal return
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 060/356] arm64/fpsimd: Discard stale CPU state when handling SME traps Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 062/356] drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe() Greg Kroah-Hartman
` (303 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Marc Zyngier,
Mark Brown, Will Deacon, Catalin Marinas, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit c94f2f326146a34066a0070ed90b8bc656b1842f ]
For backwards compatibility reasons, when a signal return occurs which
restores SVE state, the effective lower 128 bits of each of the SVE
vector registers are restored from the corresponding FPSIMD vector
register in the FPSIMD signal frame, overriding the values in the SVE
signal frame. This is intended to be the case regardless of streaming
mode.
To make this happen, restore_sve_fpsimd_context() uses
fpsimd_update_current_state() to merge the lower 128 bits from the
FPSIMD signal frame into the SVE register state. Unfortunately,
fpsimd_update_current_state() performs this merging dependent upon
TIF_SVE, which is not always correct for streaming SVE register state:
* When restoring non-streaming SVE register state there is no observable
problem, as the signal return code configures TIF_SVE and the saved
fp_type to match before calling fpsimd_update_current_state(), which
observes either:
- TIF_SVE set AND fp_type == FP_STATE_SVE
- TIF_SVE clear AND fp_type == FP_STATE_FPSIMD
* On systems which have SME but not SVE, TIF_SVE cannot be set. Thus the
merging will never happen for the streaming SVE register state.
* On systems which have SVE and SME, TIF_SVE can be set and cleared
independently of PSTATE.SM. Thus the merging may or may not happen for
streaming SVE register state.
As TIF_SVE can be cleared non-deterministically during syscalls
(including at the start of sigreturn()), the merging may occur
non-deterministically from the perspective of userspace.
This logic has been broken since its introduction in commit:
85ed24dad2904f7c ("arm64/sme: Implement streaming SVE signal handling")
... at which point both fpsimd_signal_preserve_current_state() and
fpsimd_update_current_state() only checked TIF SVE. When PSTATE.SM==1
and TIF_SVE was clear, signal delivery would place stale FPSIMD state
into the FPSIMD signal frame, and signal return would not merge this
into the restored register state.
Subsequently, signal delivery was fixed as part of commit:
61da7c8e2a602f66 ("arm64/signal: Don't assume that TIF_SVE means we saved SVE state")
... but signal restore was not given a corresponding fix, and when
TIF_SVE was clear, signal restore would still fail to merge the FPSIMD
state into the restored SVE register state. The 'Fixes' tag did not
indicate that this had been broken since its introduction.
Fix this by merging the FPSIMD state dependent upon the saved fp_type,
matching what we (currently) do during signal delivery.
As described above, when backporting this commit, it will also be
necessary to backport commit:
61da7c8e2a602f66 ("arm64/signal: Don't assume that TIF_SVE means we saved SVE state")
... and prior to commit:
baa8515281b30861 ("arm64/fpsimd: Track the saved FPSIMD state type separately to TIF_SVE")
... it will be necessary for fpsimd_signal_preserve_current_state() and
fpsimd_update_current_state() to consider both TIF_SVE and
thread_sm_enabled(¤t->thread), in place of the saved fp_type.
Fixes: 85ed24dad290 ("arm64/sme: Implement streaming SVE signal handling")
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Mark Brown <broonie@kernel.org>
Cc: Will Deacon <will@kernel.org>
Reviewed-by: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/r/20250409164010.3480271-10-mark.rutland@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/kernel/fpsimd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c
index 3d482336c0662..b86a506467007 100644
--- a/arch/arm64/kernel/fpsimd.c
+++ b/arch/arm64/kernel/fpsimd.c
@@ -1805,7 +1805,7 @@ void fpsimd_update_current_state(struct user_fpsimd_state const *state)
get_cpu_fpsimd_context();
current->thread.uw.fpsimd_state = *state;
- if (test_thread_flag(TIF_SVE))
+ if (current->thread.fp_type == FP_STATE_SVE)
fpsimd_to_sve(current);
task_fpsimd_load();
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 062/356] drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 061/356] arm64/fpsimd: Fix merging of FPSIMD state during signal return Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 063/356] fs/ntfs3: handle hdr_first_de() return value Greg Kroah-Hartman
` (302 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Dmitry Baryshkov,
Dmitry Baryshkov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit b848cd418aebdb313364b4843f41fae82281a823 ]
If lt9611uxc_audio_init() fails, some resources still need to be released
before returning the error code.
Use the existing error handling path.
Fixes: 0cbbd5b1a012 ("drm: bridge: add support for lontium LT9611UXC bridge")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Link: https://lore.kernel.org/r/f167608e392c6b4d7d7f6e45e3c21878feb60cbd.1744958833.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/bridge/lontium-lt9611uxc.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/bridge/lontium-lt9611uxc.c b/drivers/gpu/drm/bridge/lontium-lt9611uxc.c
index c41ffd0bc0494..d458a4f37ac8f 100644
--- a/drivers/gpu/drm/bridge/lontium-lt9611uxc.c
+++ b/drivers/gpu/drm/bridge/lontium-lt9611uxc.c
@@ -962,7 +962,11 @@ static int lt9611uxc_probe(struct i2c_client *client)
}
}
- return lt9611uxc_audio_init(dev, lt9611uxc);
+ ret = lt9611uxc_audio_init(dev, lt9611uxc);
+ if (ret)
+ goto err_remove_bridge;
+
+ return 0;
err_remove_bridge:
free_irq(client->irq, lt9611uxc);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 063/356] fs/ntfs3: handle hdr_first_de() return value
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 062/356] drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe() Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 064/356] watchdog: exar: Shorten identity name to fit correctly Greg Kroah-Hartman
` (301 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrey Vatoropin, Konstantin Komarov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Vatoropin <a.vatoropin@crpt.ru>
[ Upstream commit af5cab0e5b6f8edb0be51a9f47f3f620e0b4fd70 ]
The hdr_first_de() function returns a pointer to a struct NTFS_DE. This
pointer may be NULL. To handle the NULL error effectively, it is important
to implement an error handler. This will help manage potential errors
consistently.
Additionally, error handling for the return value already exists at other
points where this function is called.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
Signed-off-by: Andrey Vatoropin <a.vatoropin@crpt.ru>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/index.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
index 28aae6ea1e615..191b91ffadbb2 100644
--- a/fs/ntfs3/index.c
+++ b/fs/ntfs3/index.c
@@ -2184,6 +2184,10 @@ static int indx_get_entry_to_replace(struct ntfs_index *indx,
e = hdr_first_de(&n->index->ihdr);
fnd_push(fnd, n, e);
+ if (!e) {
+ err = -EINVAL;
+ goto out;
+ }
if (!de_is_last(e)) {
/*
@@ -2205,6 +2209,10 @@ static int indx_get_entry_to_replace(struct ntfs_index *indx,
n = fnd->nodes[level];
te = hdr_first_de(&n->index->ihdr);
+ if (!te) {
+ err = -EINVAL;
+ goto out;
+ }
/* Copy the candidate entry into the replacement entry buffer. */
re = kmalloc(le16_to_cpu(te->size) + sizeof(u64), GFP_NOFS);
if (!re) {
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 064/356] watchdog: exar: Shorten identity name to fit correctly
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 063/356] fs/ntfs3: handle hdr_first_de() return value Greg Kroah-Hartman
@ 2025-06-17 15:22 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 065/356] m68k: mac: Fix macintosh_config for Mac II Greg Kroah-Hartman
` (300 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guenter Roeck, Kees Cook,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit 8e28276a569addb8a2324439ae473848ee52b056 ]
The static initializer for struct watchdog_info::identity is too long
and gets initialized without a trailing NUL byte. Since the length
of "identity" is part of UAPI and tied to ioctls, just shorten
the name of the device. Avoids the warning seen with GCC 15's
-Wunterminated-string-initialization option:
drivers/watchdog/exar_wdt.c:224:27: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (33 chars into 32 available) [-Wunterminated-string-initialization]
224 | .identity = "Exar/MaxLinear XR28V38x Watchdog",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 81126222bd3a ("watchdog: Exar/MaxLinear XR28V38x driver")
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/20250415225246.work.458-kees@kernel.org
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/watchdog/exar_wdt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/watchdog/exar_wdt.c b/drivers/watchdog/exar_wdt.c
index 7c61ff3432711..c2e3bb08df899 100644
--- a/drivers/watchdog/exar_wdt.c
+++ b/drivers/watchdog/exar_wdt.c
@@ -221,7 +221,7 @@ static const struct watchdog_info exar_wdt_info = {
.options = WDIOF_KEEPALIVEPING |
WDIOF_SETTIMEOUT |
WDIOF_MAGICCLOSE,
- .identity = "Exar/MaxLinear XR28V38x Watchdog",
+ .identity = "Exar XR28V38x Watchdog",
};
static const struct watchdog_ops exar_wdt_ops = {
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 065/356] m68k: mac: Fix macintosh_config for Mac II
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2025-06-17 15:22 ` [PATCH 6.6 064/356] watchdog: exar: Shorten identity name to fit correctly Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 066/356] firmware: psci: Fix refcount leak in psci_dt_init Greg Kroah-Hartman
` (299 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joshua Thompson, Finn Thain,
Geert Uytterhoeven, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Finn Thain <fthain@linux-m68k.org>
[ Upstream commit 52ae3f5da7e5adbe3d1319573b55dac470abb83c ]
When booted on my Mac II, the kernel prints this:
Detected Macintosh model: 6
Apple Macintosh Unknown
The catch-all entry ("Unknown") is mac_data_table[0] which is only needed
in the unlikely event that the bootinfo model ID can't be matched.
When model ID is 6, the search should begin and end at mac_data_table[1].
Fix the off-by-one error that causes this problem.
Cc: Joshua Thompson <funaho@jurai.org>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Finn Thain <fthain@linux-m68k.org>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Link: https://lore.kernel.org/d0f30a551064ca4810b1c48d5a90954be80634a9.1745453246.git.fthain@linux-m68k.org
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/m68k/mac/config.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/m68k/mac/config.c b/arch/m68k/mac/config.c
index 382f656c29eae..9f5603e01a688 100644
--- a/arch/m68k/mac/config.c
+++ b/arch/m68k/mac/config.c
@@ -801,7 +801,7 @@ static void __init mac_identify(void)
}
macintosh_config = mac_data_table;
- for (m = macintosh_config; m->ident != -1; m++) {
+ for (m = &mac_data_table[1]; m->ident != -1; m++) {
if (m->ident == model) {
macintosh_config = m;
break;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 066/356] firmware: psci: Fix refcount leak in psci_dt_init
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 065/356] m68k: mac: Fix macintosh_config for Mac II Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 067/356] arm64: Support ARM64_VA_BITS=52 when setting ARCH_MMAP_RND_BITS_MAX Greg Kroah-Hartman
` (298 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Gavin Shan,
Mark Rutland, Will Deacon, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
[ Upstream commit 7ff37d29fd5c27617b9767e1b8946d115cf93a1e ]
Fix a reference counter leak in psci_dt_init() where of_node_put(np) was
missing after of_find_matching_node_and_match() when np is unavailable.
Fixes: d09a0011ec0d ("drivers: psci: Allow PSCI node to be disabled")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Gavin Shan <gshan@redhat.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20250318151712.28763-1-linmq006@gmail.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/psci/psci.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/firmware/psci/psci.c b/drivers/firmware/psci/psci.c
index 2328ca58bba61..d6701d81cf680 100644
--- a/drivers/firmware/psci/psci.c
+++ b/drivers/firmware/psci/psci.c
@@ -759,8 +759,10 @@ int __init psci_dt_init(void)
np = of_find_matching_node_and_match(NULL, psci_of_match, &matched_np);
- if (!np || !of_device_is_available(np))
+ if (!np || !of_device_is_available(np)) {
+ of_node_put(np);
return -ENODEV;
+ }
init_fn = (psci_initcall_t)matched_np->data;
ret = init_fn(np);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 067/356] arm64: Support ARM64_VA_BITS=52 when setting ARCH_MMAP_RND_BITS_MAX
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 066/356] firmware: psci: Fix refcount leak in psci_dt_init Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 068/356] selftests/seccomp: fix syscall_restart test for arm compat Greg Kroah-Hartman
` (297 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kornel Dulęba,
Anshuman Khandual, Will Deacon, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kornel Dulęba <korneld@google.com>
[ Upstream commit f101c56447717c595d803894ba0e215f56c6fba4 ]
When the 52-bit virtual addressing was introduced the select like
ARCH_MMAP_RND_BITS_MAX logic was never updated to account for it.
Because of that the rnd max bits knob is set to the default value of 18
when ARM64_VA_BITS=52.
Fix this by setting ARCH_MMAP_RND_BITS_MAX to the same value that would
be used if 48-bit addressing was used. Higher values can't used here
because 52-bit addressing is used only if the caller provides a hint to
mmap, with a fallback to 48-bit. The knob in question is an upper bound
for what the user can set in /proc/sys/vm/mmap_rnd_bits, which in turn
is used to determine how many random bits can be inserted into the base
address used for mmap allocations. Since 48-bit allocations are legal
with ARM64_VA_BITS=52, we need to make sure that the base address is
small enough to facilitate this.
Fixes: b6d00d47e81a ("arm64: mm: Introduce 52-bit Kernel VAs")
Signed-off-by: Kornel Dulęba <korneld@google.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Link: https://lore.kernel.org/r/20250417114754.3238273-1-korneld@google.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/Kconfig | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 658c6a61ab6fb..4ecba0690938c 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -304,9 +304,9 @@ config ARCH_MMAP_RND_BITS_MAX
default 24 if ARM64_VA_BITS=39
default 27 if ARM64_VA_BITS=42
default 30 if ARM64_VA_BITS=47
- default 29 if ARM64_VA_BITS=48 && ARM64_64K_PAGES
- default 31 if ARM64_VA_BITS=48 && ARM64_16K_PAGES
- default 33 if ARM64_VA_BITS=48
+ default 29 if (ARM64_VA_BITS=48 || ARM64_VA_BITS=52) && ARM64_64K_PAGES
+ default 31 if (ARM64_VA_BITS=48 || ARM64_VA_BITS=52) && ARM64_16K_PAGES
+ default 33 if (ARM64_VA_BITS=48 || ARM64_VA_BITS=52)
default 14 if ARM64_64K_PAGES
default 16 if ARM64_16K_PAGES
default 18
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 068/356] selftests/seccomp: fix syscall_restart test for arm compat
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 067/356] arm64: Support ARM64_VA_BITS=52 when setting ARCH_MMAP_RND_BITS_MAX Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 069/356] drm: rcar-du: Fix memory leak in rcar_du_vsps_init() Greg Kroah-Hartman
` (296 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Neill Kapron, Kees Cook, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Neill Kapron <nkapron@google.com>
[ Upstream commit 797002deed03491215a352ace891749b39741b69 ]
The inconsistencies in the systcall ABI between arm and arm-compat can
can cause a failure in the syscall_restart test due to the logic
attempting to work around the differences. The 'machine' field for an
ARM64 device running in compat mode can report 'armv8l' or 'armv8b'
which matches with the string 'arm' when only examining the first three
characters of the string.
This change adds additional validation to the workaround logic to make
sure we only take the arm path when running natively, not in arm-compat.
Fixes: 256d0afb11d6 ("selftests/seccomp: build and pass on arm64")
Signed-off-by: Neill Kapron <nkapron@google.com>
Link: https://lore.kernel.org/r/20250427094103.3488304-2-nkapron@google.com
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index cacf6507f6905..15325ca35f1e2 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -3154,12 +3154,15 @@ TEST(syscall_restart)
ret = get_syscall(_metadata, child_pid);
#if defined(__arm__)
/*
- * FIXME:
* - native ARM registers do NOT expose true syscall.
* - compat ARM registers on ARM64 DO expose true syscall.
+ * - values of utsbuf.machine include 'armv8l' or 'armb8b'
+ * for ARM64 running in compat mode.
*/
ASSERT_EQ(0, uname(&utsbuf));
- if (strncmp(utsbuf.machine, "arm", 3) == 0) {
+ if ((strncmp(utsbuf.machine, "arm", 3) == 0) &&
+ (strncmp(utsbuf.machine, "armv8l", 6) != 0) &&
+ (strncmp(utsbuf.machine, "armv8b", 6) != 0)) {
EXPECT_EQ(__NR_nanosleep, ret);
} else
#endif
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 069/356] drm: rcar-du: Fix memory leak in rcar_du_vsps_init()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 068/356] selftests/seccomp: fix syscall_restart test for arm compat Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 070/356] drm/vkms: Adjust vkms_state->active_planes allocation type Greg Kroah-Hartman
` (295 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Biju Das, Laurent Pinchart,
Tomi Valkeinen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Biju Das <biju.das.jz@bp.renesas.com>
[ Upstream commit 91e3bf09a90bb4340c0c3c51396e7531555efda4 ]
The rcar_du_vsps_init() doesn't free the np allocated by
of_parse_phandle_with_fixed_args() for the non-error case.
Fix memory leak for the non-error case.
While at it, replace the label 'error'->'done' as it applies to non-error
case as well and update the error check condition for rcar_du_vsp_init()
to avoid breakage in future, if it returns positive value.
Fixes: 3e81374e2014 ("drm: rcar-du: Support multiple sources from the same VSP")
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Link: https://lore.kernel.org/r/20231116122424.80136-1-biju.das.jz@bp.renesas.com
Signed-off-by: Tomi Valkeinen <tomi.valkeinen+renesas@ideasonboard.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/renesas/rcar-du/rcar_du_kms.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/renesas/rcar-du/rcar_du_kms.c b/drivers/gpu/drm/renesas/rcar-du/rcar_du_kms.c
index 70d8ad065bfa1..4c8fe83dd6101 100644
--- a/drivers/gpu/drm/renesas/rcar-du/rcar_du_kms.c
+++ b/drivers/gpu/drm/renesas/rcar-du/rcar_du_kms.c
@@ -705,7 +705,7 @@ static int rcar_du_vsps_init(struct rcar_du_device *rcdu)
ret = of_parse_phandle_with_fixed_args(np, vsps_prop_name,
cells, i, &args);
if (ret < 0)
- goto error;
+ goto done;
/*
* Add the VSP to the list or update the corresponding existing
@@ -743,13 +743,11 @@ static int rcar_du_vsps_init(struct rcar_du_device *rcdu)
vsp->dev = rcdu;
ret = rcar_du_vsp_init(vsp, vsps[i].np, vsps[i].crtcs_mask);
- if (ret < 0)
- goto error;
+ if (ret)
+ goto done;
}
- return 0;
-
-error:
+done:
for (i = 0; i < ARRAY_SIZE(vsps); ++i)
of_node_put(vsps[i].np);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 070/356] drm/vkms: Adjust vkms_state->active_planes allocation type
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 069/356] drm: rcar-du: Fix memory leak in rcar_du_vsps_init() Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 071/356] drm/tegra: rgb: Fix the unbound reference count Greg Kroah-Hartman
` (294 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kees Cook, Louis Chauvet,
Louis Chauvet, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit 258aebf100540d36aba910f545d4d5ddf4ecaf0b ]
In preparation for making the kmalloc family of allocators type aware,
we need to make sure that the returned type from the allocation matches
the type of the variable being assigned. (Before, the allocator would
always return "void *", which can be implicitly cast to any pointer type.)
The assigned type is "struct vkms_plane_state **", but the returned type
will be "struct drm_plane **". These are the same size (pointer size), but
the types don't match. Adjust the allocation type to match the assignment.
Signed-off-by: Kees Cook <kees@kernel.org>
Reviewed-by: Louis Chauvet <louis.chauvet@bootlin.com>
Fixes: 8b1865873651 ("drm/vkms: totally reworked crc data tracking")
Link: https://lore.kernel.org/r/20250426061431.work.304-kees@kernel.org
Signed-off-by: Louis Chauvet <contact@louischauvet.fr>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vkms/vkms_crtc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vkms/vkms_crtc.c b/drivers/gpu/drm/vkms/vkms_crtc.c
index 61e500b8c9da2..894c484f99e95 100644
--- a/drivers/gpu/drm/vkms/vkms_crtc.c
+++ b/drivers/gpu/drm/vkms/vkms_crtc.c
@@ -201,7 +201,7 @@ static int vkms_crtc_atomic_check(struct drm_crtc *crtc,
i++;
}
- vkms_state->active_planes = kcalloc(i, sizeof(plane), GFP_KERNEL);
+ vkms_state->active_planes = kcalloc(i, sizeof(*vkms_state->active_planes), GFP_KERNEL);
if (!vkms_state->active_planes)
return -ENOMEM;
vkms_state->num_active_planes = i;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 071/356] drm/tegra: rgb: Fix the unbound reference count
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 070/356] drm/vkms: Adjust vkms_state->active_planes allocation type Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 072/356] firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES Greg Kroah-Hartman
` (293 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Biju Das, Thierry Reding,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Biju Das <biju.das.jz@bp.renesas.com>
[ Upstream commit 3c3642335065c3bde0742b0edc505b6ea8fdc2b3 ]
The of_get_child_by_name() increments the refcount in tegra_dc_rgb_probe,
but the driver does not decrement the refcount during unbind. Fix the
unbound reference count using devm_add_action_or_reset() helper.
Fixes: d8f4a9eda006 ("drm: Add NVIDIA Tegra20 support")
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Link: https://lore.kernel.org/r/20250205112137.36055-1-biju.das.jz@bp.renesas.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/tegra/rgb.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/tegra/rgb.c b/drivers/gpu/drm/tegra/rgb.c
index d6424abd3c45d..8930460ba6282 100644
--- a/drivers/gpu/drm/tegra/rgb.c
+++ b/drivers/gpu/drm/tegra/rgb.c
@@ -190,6 +190,11 @@ static const struct drm_encoder_helper_funcs tegra_rgb_encoder_helper_funcs = {
.atomic_check = tegra_rgb_encoder_atomic_check,
};
+static void tegra_dc_of_node_put(void *data)
+{
+ of_node_put(data);
+}
+
int tegra_dc_rgb_probe(struct tegra_dc *dc)
{
struct device_node *np;
@@ -197,7 +202,14 @@ int tegra_dc_rgb_probe(struct tegra_dc *dc)
int err;
np = of_get_child_by_name(dc->dev->of_node, "rgb");
- if (!np || !of_device_is_available(np))
+ if (!np)
+ return -ENODEV;
+
+ err = devm_add_action_or_reset(dc->dev, tegra_dc_of_node_put, np);
+ if (err < 0)
+ return err;
+
+ if (!of_device_is_available(np))
return -ENODEV;
rgb = devm_kzalloc(dc->dev, sizeof(*rgb), GFP_KERNEL);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 072/356] firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 071/356] drm/tegra: rgb: Fix the unbound reference count Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 073/356] arm64/fpsimd: Do not discard modified SVE state Greg Kroah-Hartman
` (292 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuai Xue, Huang Yiwei, Gavin Shan,
Rafael J. Wysocki, Will Deacon, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huang Yiwei <quic_hyiwei@quicinc.com>
[ Upstream commit 59529bbe642de4eb2191a541d9b4bae7eb73862e ]
SDEI usually initialize with the ACPI table, but on platforms where
ACPI is not used, the SDEI feature can still be used to handle
specific firmware calls or other customized purposes. Therefore, it
is not necessary for ARM_SDE_INTERFACE to depend on ACPI_APEI_GHES.
In commit dc4e8c07e9e2 ("ACPI: APEI: explicit init of HEST and GHES
in acpi_init()"), to make APEI ready earlier, sdei_init was moved
into acpi_ghes_init instead of being a standalone initcall, adding
ACPI_APEI_GHES dependency to ARM_SDE_INTERFACE. This restricts the
flexibility and usability of SDEI.
This patch corrects the dependency in Kconfig and splits sdei_init()
into two separate functions: sdei_init() and acpi_sdei_init().
sdei_init() will be called by arch_initcall and will only initialize
the platform driver, while acpi_sdei_init() will initialize the
device from acpi_ghes_init() when ACPI is ready. This allows the
initialization of SDEI without ACPI_APEI_GHES enabled.
Fixes: dc4e8c07e9e2 ("ACPI: APEI: explicit init of HEST and GHES in apci_init()")
Cc: Shuai Xue <xueshuai@linux.alibaba.com>
Signed-off-by: Huang Yiwei <quic_hyiwei@quicinc.com>
Reviewed-by: Shuai Xue <xueshuai@linux.alibaba.com>
Reviewed-by: Gavin Shan <gshan@redhat.com>
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://lore.kernel.org/r/20250507045757.2658795-1-quic_hyiwei@quicinc.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/apei/Kconfig | 1 +
drivers/acpi/apei/ghes.c | 2 +-
drivers/firmware/Kconfig | 1 -
drivers/firmware/arm_sdei.c | 11 ++++++++---
include/linux/arm_sdei.h | 4 ++--
5 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/drivers/acpi/apei/Kconfig b/drivers/acpi/apei/Kconfig
index 6b18f8bc7be35..71e0d64a7792e 100644
--- a/drivers/acpi/apei/Kconfig
+++ b/drivers/acpi/apei/Kconfig
@@ -23,6 +23,7 @@ config ACPI_APEI_GHES
select ACPI_HED
select IRQ_WORK
select GENERIC_ALLOCATOR
+ select ARM_SDE_INTERFACE if ARM64
help
Generic Hardware Error Source provides a way to report
platform hardware errors (such as that from chipset). It
diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
index 3aadc632d7dd5..2abf20736702c 100644
--- a/drivers/acpi/apei/ghes.c
+++ b/drivers/acpi/apei/ghes.c
@@ -1523,7 +1523,7 @@ void __init acpi_ghes_init(void)
{
int rc;
- sdei_init();
+ acpi_sdei_init();
if (acpi_disabled)
return;
diff --git a/drivers/firmware/Kconfig b/drivers/firmware/Kconfig
index 3f2f22e47bfa1..8ecffdce94b16 100644
--- a/drivers/firmware/Kconfig
+++ b/drivers/firmware/Kconfig
@@ -40,7 +40,6 @@ config ARM_SCPI_POWER_DOMAIN
config ARM_SDE_INTERFACE
bool "ARM Software Delegated Exception Interface (SDEI)"
depends on ARM64
- depends on ACPI_APEI_GHES
help
The Software Delegated Exception Interface (SDEI) is an ARM
standard for registering callbacks from the platform firmware
diff --git a/drivers/firmware/arm_sdei.c b/drivers/firmware/arm_sdei.c
index 3e8051fe82965..71e2a9a89f6ad 100644
--- a/drivers/firmware/arm_sdei.c
+++ b/drivers/firmware/arm_sdei.c
@@ -1062,13 +1062,12 @@ static bool __init sdei_present_acpi(void)
return true;
}
-void __init sdei_init(void)
+void __init acpi_sdei_init(void)
{
struct platform_device *pdev;
int ret;
- ret = platform_driver_register(&sdei_driver);
- if (ret || !sdei_present_acpi())
+ if (!sdei_present_acpi())
return;
pdev = platform_device_register_simple(sdei_driver.driver.name,
@@ -1081,6 +1080,12 @@ void __init sdei_init(void)
}
}
+static int __init sdei_init(void)
+{
+ return platform_driver_register(&sdei_driver);
+}
+arch_initcall(sdei_init);
+
int sdei_event_handler(struct pt_regs *regs,
struct sdei_registered_event *arg)
{
diff --git a/include/linux/arm_sdei.h b/include/linux/arm_sdei.h
index 255701e1251b4..f652a5028b590 100644
--- a/include/linux/arm_sdei.h
+++ b/include/linux/arm_sdei.h
@@ -46,12 +46,12 @@ int sdei_unregister_ghes(struct ghes *ghes);
/* For use by arch code when CPU hotplug notifiers are not appropriate. */
int sdei_mask_local_cpu(void);
int sdei_unmask_local_cpu(void);
-void __init sdei_init(void);
+void __init acpi_sdei_init(void);
void sdei_handler_abort(void);
#else
static inline int sdei_mask_local_cpu(void) { return 0; }
static inline int sdei_unmask_local_cpu(void) { return 0; }
-static inline void sdei_init(void) { }
+static inline void acpi_sdei_init(void) { }
static inline void sdei_handler_abort(void) { }
#endif /* CONFIG_ARM_SDE_INTERFACE */
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 073/356] arm64/fpsimd: Do not discard modified SVE state
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 072/356] firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 074/356] scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops Greg Kroah-Hartman
` (291 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
Marc Zyngier, Mark Brown, Will Deacon, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit 398edaa12f9cf2be7902f306fc023c20e3ebd3e4 ]
Historically SVE state was discarded deterministically early in the
syscall entry path, before ptrace is notified of syscall entry. This
permitted ptrace to modify SVE state before and after the "real" syscall
logic was executed, with the modified state being retained.
This behaviour was changed by commit:
8c845e2731041f0f ("arm64/sve: Leave SVE enabled on syscall if we don't context switch")
That commit was intended to speed up workloads that used SVE by
opportunistically leaving SVE enabled when returning from a syscall.
The syscall entry logic was modified to truncate the SVE state without
disabling userspace access to SVE, and fpsimd_save_user_state() was
modified to discard userspace SVE state whenever
in_syscall(current_pt_regs()) is true, i.e. when
current_pt_regs()->syscallno != NO_SYSCALL.
Leaving SVE enabled opportunistically resulted in a couple of changes to
userspace visible behaviour which weren't described at the time, but are
logical consequences of opportunistically leaving SVE enabled:
* Signal handlers can observe the type of saved state in the signal's
sve_context record. When the kernel only tracks FPSIMD state, the 'vq'
field is 0 and there is no space allocated for register contents. When
the kernel tracks SVE state, the 'vq' field is non-zero and the
register contents are saved into the record.
As a result of the above commit, 'vq' (and the presence of SVE
register state) is non-deterministically zero or non-zero for a period
of time after a syscall. The effective register state is still
deterministic.
Hopefully no-one relies on this being deterministic. In general,
handlers for asynchronous events cannot expect a deterministic state.
* Similarly to signal handlers, ptrace requests can observe the type of
saved state in the NT_ARM_SVE and NT_ARM_SSVE regsets, as this is
exposed in the header flags. As a result of the above commit, this is
now in a non-deterministic state after a syscall. The effective
register state is still deterministic.
Hopefully no-one relies on this being deterministic. In general,
debuggers would have to handle this changing at arbitrary points
during program flow.
Discarding the SVE state within fpsimd_save_user_state() resulted in
other changes to userspace visible behaviour which are not desirable:
* A ptrace tracer can modify (or create) a tracee's SVE state at syscall
entry or syscall exit. As a result of the above commit, the tracee's
SVE state can be discarded non-deterministically after modification,
rather than being retained as it previously was.
Note that for co-operative tracer/tracee pairs, the tracer may
(re)initialise the tracee's state arbitrarily after the tracee sends
itself an initial SIGSTOP via a syscall, so this affects realistic
design patterns.
* The current_pt_regs()->syscallno field can be modified via ptrace, and
can be altered even when the tracee is not really in a syscall,
causing non-deterministic discarding to occur in situations where this
was not previously possible.
Further, using current_pt_regs()->syscallno in this way is unsound:
* There are data races between readers and writers of the
current_pt_regs()->syscallno field.
The current_pt_regs()->syscallno field is written in interruptible
task context using plain C accesses, and is read in irq/softirq
context using plain C accesses. These accesses are subject to data
races, with the usual concerns with tearing, etc.
* Writes to current_pt_regs()->syscallno are subject to compiler
reordering.
As current_pt_regs()->syscallno is written with plain C accesses,
the compiler is free to move those writes arbitrarily relative to
anything which doesn't access the same memory location.
In theory this could break signal return, where prior to restoring the
SVE state, restore_sigframe() calls forget_syscall(). If the write
were hoisted after restore of some SVE state, that state could be
discarded unexpectedly.
In practice that reordering cannot happen in the absence of LTO (as
cross compilation-unit function calls happen prevent this reordering),
and that reordering appears to be unlikely in the presence of LTO.
Additionally, since commit:
f130ac0ae4412dbe ("arm64: syscall: unmask DAIF earlier for SVCs")
... DAIF is unmasked before el0_svc_common() sets regs->syscallno to the
real syscall number. Consequently state may be saved in SVE format prior
to this point.
Considering all of the above, current_pt_regs()->syscallno should not be
used to infer whether the SVE state can be discarded. Luckily we can
instead use cpu_fp_state::to_save to track when it is safe to discard
the SVE state:
* At syscall entry, after the live SVE register state is truncated, set
cpu_fp_state::to_save to FP_STATE_FPSIMD to indicate that only the
FPSIMD portion is live and needs to be saved.
* At syscall exit, once the task's state is guaranteed to be live, set
cpu_fp_state::to_save to FP_STATE_CURRENT to indicate that TIF_SVE
must be considered to determine which state needs to be saved.
* Whenever state is modified, it must be saved+flushed prior to
manipulation. The state will be truncated if necessary when it is
saved, and reloading the state will set fp_state::to_save to
FP_STATE_CURRENT, preventing subsequent discarding.
This permits SVE state to be discarded *only* when it is known to have
been truncated (and the non-FPSIMD portions must be zero), and ensures
that SVE state is retained after it is explicitly modified.
For backporting, note that this fix depends on the following commits:
* b2482807fbd4 ("arm64/sme: Optimise SME exit on syscall entry")
* f130ac0ae441 ("arm64: syscall: unmask DAIF earlier for SVCs")
* 929fa99b1215 ("arm64/fpsimd: signal: Always save+flush state early")
Fixes: 8c845e273104 ("arm64/sve: Leave SVE enabled on syscall if we don't context switch")
Fixes: f130ac0ae441 ("arm64: syscall: unmask DAIF earlier for SVCs")
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Mark Brown <broonie@kernel.org>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20250508132644.1395904-2-mark.rutland@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/fpsimd.h | 3 +++
arch/arm64/kernel/entry-common.c | 46 ++++++++++++++++++++++++--------
arch/arm64/kernel/fpsimd.c | 15 ++++++-----
3 files changed, 47 insertions(+), 17 deletions(-)
diff --git a/arch/arm64/include/asm/fpsimd.h b/arch/arm64/include/asm/fpsimd.h
index 7415c63b41874..c4840ea6d137f 100644
--- a/arch/arm64/include/asm/fpsimd.h
+++ b/arch/arm64/include/asm/fpsimd.h
@@ -6,6 +6,7 @@
#define __ASM_FP_H
#include <asm/errno.h>
+#include <asm/percpu.h>
#include <asm/ptrace.h>
#include <asm/processor.h>
#include <asm/sigcontext.h>
@@ -69,6 +70,8 @@ struct cpu_fp_state {
enum fp_type to_save;
};
+DECLARE_PER_CPU(struct cpu_fp_state, fpsimd_last_state);
+
extern void fpsimd_bind_state_to_cpu(struct cpu_fp_state *fp_state);
extern void fpsimd_flush_task_state(struct task_struct *target);
diff --git a/arch/arm64/kernel/entry-common.c b/arch/arm64/kernel/entry-common.c
index 0fc94207e69a8..5e8204d250b43 100644
--- a/arch/arm64/kernel/entry-common.c
+++ b/arch/arm64/kernel/entry-common.c
@@ -359,20 +359,16 @@ static bool cortex_a76_erratum_1463225_debug_handler(struct pt_regs *regs)
* As per the ABI exit SME streaming mode and clear the SVE state not
* shared with FPSIMD on syscall entry.
*/
-static inline void fp_user_discard(void)
+static inline void fpsimd_syscall_enter(void)
{
- /*
- * If SME is active then exit streaming mode. If ZA is active
- * then flush the SVE registers but leave userspace access to
- * both SVE and SME enabled, otherwise disable SME for the
- * task and fall through to disabling SVE too. This means
- * that after a syscall we never have any streaming mode
- * register state to track, if this changes the KVM code will
- * need updating.
- */
+ /* Ensure PSTATE.SM is clear, but leave PSTATE.ZA as-is. */
if (system_supports_sme())
sme_smstop_sm();
+ /*
+ * The CPU is not in streaming mode. If non-streaming SVE is not
+ * supported, there is no SVE state that needs to be discarded.
+ */
if (!system_supports_sve())
return;
@@ -382,6 +378,33 @@ static inline void fp_user_discard(void)
sve_vq_minus_one = sve_vq_from_vl(task_get_sve_vl(current)) - 1;
sve_flush_live(true, sve_vq_minus_one);
}
+
+ /*
+ * Any live non-FPSIMD SVE state has been zeroed. Allow
+ * fpsimd_save_user_state() to lazily discard SVE state until either
+ * the live state is unbound or fpsimd_syscall_exit() is called.
+ */
+ __this_cpu_write(fpsimd_last_state.to_save, FP_STATE_FPSIMD);
+}
+
+static __always_inline void fpsimd_syscall_exit(void)
+{
+ if (!system_supports_sve())
+ return;
+
+ /*
+ * The current task's user FPSIMD/SVE/SME state is now bound to this
+ * CPU. The fpsimd_last_state.to_save value is either:
+ *
+ * - FP_STATE_FPSIMD, if the state has not been reloaded on this CPU
+ * since fpsimd_syscall_enter().
+ *
+ * - FP_STATE_CURRENT, if the state has been reloaded on this CPU at
+ * any point.
+ *
+ * Reset this to FP_STATE_CURRENT to stop lazy discarding.
+ */
+ __this_cpu_write(fpsimd_last_state.to_save, FP_STATE_CURRENT);
}
UNHANDLED(el1t, 64, sync)
@@ -673,10 +696,11 @@ static void noinstr el0_svc(struct pt_regs *regs)
{
enter_from_user_mode(regs);
cortex_a76_erratum_1463225_svc_handler();
- fp_user_discard();
+ fpsimd_syscall_enter();
local_daif_restore(DAIF_PROCCTX);
do_el0_svc(regs);
exit_to_user_mode(regs);
+ fpsimd_syscall_exit();
}
static void noinstr el0_fpac(struct pt_regs *regs, unsigned long esr)
diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c
index b86a506467007..a1e0cc5353fb1 100644
--- a/arch/arm64/kernel/fpsimd.c
+++ b/arch/arm64/kernel/fpsimd.c
@@ -119,7 +119,7 @@
* whatever is in the FPSIMD registers is not saved to memory, but discarded.
*/
-static DEFINE_PER_CPU(struct cpu_fp_state, fpsimd_last_state);
+DEFINE_PER_CPU(struct cpu_fp_state, fpsimd_last_state);
__ro_after_init struct vl_info vl_info[ARM64_VEC_MAX] = {
#ifdef CONFIG_ARM64_SVE
@@ -473,12 +473,15 @@ static void fpsimd_save(void)
return;
/*
- * If a task is in a syscall the ABI allows us to only
- * preserve the state shared with FPSIMD so don't bother
- * saving the full SVE state in that case.
+ * Save SVE state if it is live.
+ *
+ * The syscall ABI discards live SVE state at syscall entry. When
+ * entering a syscall, fpsimd_syscall_enter() sets to_save to
+ * FP_STATE_FPSIMD to allow the SVE state to be lazily discarded until
+ * either new SVE state is loaded+bound or fpsimd_syscall_exit() is
+ * called prior to a return to userspace.
*/
- if ((last->to_save == FP_STATE_CURRENT && test_thread_flag(TIF_SVE) &&
- !in_syscall(current_pt_regs())) ||
+ if ((last->to_save == FP_STATE_CURRENT && test_thread_flag(TIF_SVE)) ||
last->to_save == FP_STATE_SVE) {
save_sve_regs = true;
save_ffr = true;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 074/356] scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 073/356] arm64/fpsimd: Do not discard modified SVE state Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 075/356] perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create() Greg Kroah-Hartman
` (290 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kees Cook, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit d8720235d5b5cad86c1f07f65117ef2a96f8bec7 ]
Recent fixes to the randstruct GCC plugin allowed it to notice
that this structure is entirely function pointers and is therefore
subject to randomization, but doing so requires that it always use
designated initializers. Explicitly specify the "common" member as being
initialized. Silences:
drivers/scsi/qedf/qedf_main.c:702:9: error: positional initialization of field in 'struct' declared with 'designated_init' attribute [-Werror=designated-init]
702 | {
| ^
Fixes: 035f7f87b729 ("randstruct: Enable Clang support")
Link: https://lore.kernel.org/r/20250502224156.work.617-kees@kernel.org
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qedf/qedf_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
index 9a81d14aef6b9..17b19b39699a3 100644
--- a/drivers/scsi/qedf/qedf_main.c
+++ b/drivers/scsi/qedf/qedf_main.c
@@ -699,7 +699,7 @@ static u32 qedf_get_login_failures(void *cookie)
}
static struct qed_fcoe_cb_ops qedf_cb_ops = {
- {
+ .common = {
.link_update = qedf_link_update,
.bw_update = qedf_bw_update,
.schedule_recovery_handler = qedf_schedule_recovery_handler,
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 075/356] perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 074/356] scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 076/356] drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr Greg Kroah-Hartman
` (289 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiucheng Xu, Anand Moon, Will Deacon,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anand Moon <linux.amoon@gmail.com>
[ Upstream commit 097469a2b0f12b91b4f27b9e9e4f2c46484cde30 ]
The Amlogic DDR PMU driver meson_ddr_pmu_create() function incorrectly uses
smp_processor_id(), which assumes disabled preemption. This leads to kernel
warnings during module loading because meson_ddr_pmu_create() can be called
in a preemptible context.
Following kernel warning and stack trace:
[ 31.745138] [ T2289] BUG: using smp_processor_id() in preemptible [00000000] code: (udev-worker)/2289
[ 31.745154] [ T2289] caller is debug_smp_processor_id+0x28/0x38
[ 31.745172] [ T2289] CPU: 4 UID: 0 PID: 2289 Comm: (udev-worker) Tainted: GW 6.14.0-0-MANJARO-ARM #1 59519addcbca6ba8de735e151fd7b9e97aac7ff0
[ 31.745181] [ T2289] Tainted: [W]=WARN
[ 31.745183] [ T2289] Hardware name: Hardkernel ODROID-N2Plus (DT)
[ 31.745188] [ T2289] Call trace:
[ 31.745191] [ T2289] show_stack+0x28/0x40 (C)
[ 31.745199] [ T2289] dump_stack_lvl+0x4c/0x198
[ 31.745205] [ T2289] dump_stack+0x20/0x50
[ 31.745209] [ T2289] check_preemption_disabled+0xec/0xf0
[ 31.745213] [ T2289] debug_smp_processor_id+0x28/0x38
[ 31.745216] [ T2289] meson_ddr_pmu_create+0x200/0x560 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd]
[ 31.745237] [ T2289] g12_ddr_pmu_probe+0x20/0x38 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd]
[ 31.745246] [ T2289] platform_probe+0x98/0xe0
[ 31.745254] [ T2289] really_probe+0x144/0x3f8
[ 31.745258] [ T2289] __driver_probe_device+0xb8/0x180
[ 31.745261] [ T2289] driver_probe_device+0x54/0x268
[ 31.745264] [ T2289] __driver_attach+0x11c/0x288
[ 31.745267] [ T2289] bus_for_each_dev+0xfc/0x160
[ 31.745274] [ T2289] driver_attach+0x34/0x50
[ 31.745277] [ T2289] bus_add_driver+0x160/0x2b0
[ 31.745281] [ T2289] driver_register+0x78/0x120
[ 31.745285] [ T2289] __platform_driver_register+0x30/0x48
[ 31.745288] [ T2289] init_module+0x30/0xfe0 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd]
[ 31.745298] [ T2289] do_one_initcall+0x11c/0x438
[ 31.745303] [ T2289] do_init_module+0x68/0x228
[ 31.745311] [ T2289] load_module+0x118c/0x13a8
[ 31.745315] [ T2289] __arm64_sys_finit_module+0x274/0x390
[ 31.745320] [ T2289] invoke_syscall+0x74/0x108
[ 31.745326] [ T2289] el0_svc_common+0x90/0xf8
[ 31.745330] [ T2289] do_el0_svc+0x2c/0x48
[ 31.745333] [ T2289] el0_svc+0x60/0x150
[ 31.745337] [ T2289] el0t_64_sync_handler+0x80/0x118
[ 31.745341] [ T2289] el0t_64_sync+0x1b8/0x1c0
Changes replaces smp_processor_id() with raw_smp_processor_id() to
ensure safe CPU ID retrieval in preemptible contexts.
Cc: Jiucheng Xu <jiucheng.xu@amlogic.com>
Fixes: 2016e2113d35 ("perf/amlogic: Add support for Amlogic meson G12 SoC DDR PMU driver")
Signed-off-by: Anand Moon <linux.amoon@gmail.com>
Link: https://lore.kernel.org/r/20250407063206.5211-1-linux.amoon@gmail.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/perf/amlogic/meson_ddr_pmu_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/perf/amlogic/meson_ddr_pmu_core.c b/drivers/perf/amlogic/meson_ddr_pmu_core.c
index bbc7285fd934a..5f8699612a9ad 100644
--- a/drivers/perf/amlogic/meson_ddr_pmu_core.c
+++ b/drivers/perf/amlogic/meson_ddr_pmu_core.c
@@ -510,7 +510,7 @@ int meson_ddr_pmu_create(struct platform_device *pdev)
fmt_attr_fill(pmu->info.hw_info->fmt_attr);
- pmu->cpu = smp_processor_id();
+ pmu->cpu = raw_smp_processor_id();
name = devm_kasprintf(&pdev->dev, GFP_KERNEL, DDR_PERF_DEV_NAME);
if (!name)
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 076/356] drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 075/356] perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create() Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 077/356] drm/mediatek: Fix kobject put for component sub-drivers Greg Kroah-Hartman
` (288 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen-Yu Tsai,
AngeloGioacchino Del Regno, Chun-Kuang Hu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
[ Upstream commit 22918591fb747a6d16801e74a170cf98e886f83b ]
This driver is taking a kobject for mtk_mutex only once per mmsys
device for each drm-mediatek driver instance, differently from the
behavior with other components, but it is decrementing the kobj's
refcount in a loop and once per mmsys: this is not right and will
result in a refcount_t underflow warning when mediatek-drm returns
multiple probe deferrals in one boot (or when manually bound and
unbound).
Besides that, the refcount for mutex_dev was not decremented for
error cases in mtk_drm_bind(), causing another refcount_t warning
but this time for overflow, when the failure happens not during
driver bind but during component bind.
In order to fix one of the reasons why this is happening, remove
the put_device(xx->mutex_dev) loop from the mtk_drm_kms_init()'s
put_mutex_dev label (and drop the label) and add a single call to
correctly free the single incremented refcount of mutex_dev to
the mtk_drm_unbind() function to fix the refcount_t underflow.
Moreover, add the same call to the error cases in mtk_drm_bind()
to fix the refcount_t overflow.
Fixes: 1ef7ed48356c ("drm/mediatek: Modify mediatek-drm for mt8195 multi mmsys support")
Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20250403104741.71045-2-angelogioacchino.delregno@collabora.com/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/mediatek/mtk_drm_drv.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
index 8b41a07c3641f..108cab35ce485 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
@@ -431,7 +431,7 @@ static int mtk_drm_kms_init(struct drm_device *drm)
ret = drmm_mode_config_init(drm);
if (ret)
- goto put_mutex_dev;
+ return ret;
drm->mode_config.min_width = 64;
drm->mode_config.min_height = 64;
@@ -450,7 +450,7 @@ static int mtk_drm_kms_init(struct drm_device *drm)
drm->dev_private = private->all_drm_private[i];
ret = component_bind_all(private->all_drm_private[i]->dev, drm);
if (ret)
- goto put_mutex_dev;
+ return ret;
}
/*
@@ -532,9 +532,6 @@ static int mtk_drm_kms_init(struct drm_device *drm)
err_component_unbind:
for (i = 0; i < private->data->mmsys_dev_num; i++)
component_unbind_all(private->all_drm_private[i]->dev, drm);
-put_mutex_dev:
- for (i = 0; i < private->data->mmsys_dev_num; i++)
- put_device(private->all_drm_private[i]->mutex_dev);
return ret;
}
@@ -608,8 +605,10 @@ static int mtk_drm_bind(struct device *dev)
return 0;
drm = drm_dev_alloc(&mtk_drm_driver, dev);
- if (IS_ERR(drm))
- return PTR_ERR(drm);
+ if (IS_ERR(drm)) {
+ ret = PTR_ERR(drm);
+ goto err_put_dev;
+ }
private->drm_master = true;
drm->dev_private = private;
@@ -635,6 +634,8 @@ static int mtk_drm_bind(struct device *dev)
drm_dev_put(drm);
for (i = 0; i < private->data->mmsys_dev_num; i++)
private->all_drm_private[i]->drm = NULL;
+err_put_dev:
+ put_device(private->mutex_dev);
return ret;
}
@@ -647,6 +648,8 @@ static void mtk_drm_unbind(struct device *dev)
drm_dev_unregister(private->drm);
mtk_drm_kms_deinit(private->drm);
drm_dev_put(private->drm);
+
+ put_device(private->mutex_dev);
}
private->mtk_drm_bound = false;
private->drm_master = false;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 077/356] drm/mediatek: Fix kobject put for component sub-drivers
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 076/356] drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 078/356] drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err Greg Kroah-Hartman
` (287 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen-Yu Tsai,
AngeloGioacchino Del Regno, Chun-Kuang Hu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
[ Upstream commit 80805b62ea5b95eda54c225b989f929ca0691ab0 ]
In function mtk_drm_get_all_drm_priv(), this driver is incrementing
the refcount for the sub-drivers of mediatek-drm with a call to
device_find_child() when taking a reference to all of those child
devices.
When the component bind fails multiple times this results in a
refcount_t overflow, as the reference count is never decremented:
fix that by adding a call to put_device() for all of the mmsys
devices in a loop, in error cases of mtk_drm_bind() and in the
mtk_drm_unbind() callback.
Fixes: 1ef7ed48356c ("drm/mediatek: Modify mediatek-drm for mt8195 multi mmsys support")
Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20250403104741.71045-3-angelogioacchino.delregno@collabora.com/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/mediatek/mtk_drm_drv.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
index 108cab35ce485..32d66fa75b7c4 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
@@ -635,6 +635,10 @@ static int mtk_drm_bind(struct device *dev)
for (i = 0; i < private->data->mmsys_dev_num; i++)
private->all_drm_private[i]->drm = NULL;
err_put_dev:
+ for (i = 0; i < private->data->mmsys_dev_num; i++) {
+ /* For device_find_child in mtk_drm_get_all_priv() */
+ put_device(private->all_drm_private[i]->dev);
+ }
put_device(private->mutex_dev);
return ret;
}
@@ -642,6 +646,7 @@ static int mtk_drm_bind(struct device *dev)
static void mtk_drm_unbind(struct device *dev)
{
struct mtk_drm_private *private = dev_get_drvdata(dev);
+ int i;
/* for multi mmsys dev, unregister drm dev in mmsys master */
if (private->drm_master) {
@@ -649,6 +654,10 @@ static void mtk_drm_unbind(struct device *dev)
mtk_drm_kms_deinit(private->drm);
drm_dev_put(private->drm);
+ for (i = 0; i < private->data->mmsys_dev_num; i++) {
+ /* For device_find_child in mtk_drm_get_all_priv() */
+ put_device(private->all_drm_private[i]->dev);
+ }
put_device(private->mutex_dev);
}
private->mtk_drm_bound = false;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 078/356] drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 077/356] drm/mediatek: Fix kobject put for component sub-drivers Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 079/356] xen/x86: fix initial memory balloon target Greg Kroah-Hartman
` (286 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen-Yu Tsai,
AngeloGioacchino Del Regno, Chun-Kuang Hu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
[ Upstream commit 94c933716567084bfb9e79dcd81eb2b2308e84e1 ]
When calling component_bind_all(), if a component that is included
in the list fails, all of those that have been successfully bound
will be unbound, but this driver has two components lists for two
actual devices, as in, each mmsys instance has its own components
list.
In case mmsys0 (or actually vdosys0) is able to bind all of its
components, but the secondary one fails, all of the components of
the first are kept bound, while the ones of mmsys1/vdosys1 are
correctly cleaned up.
This is not right because, in case of a failure, the components
are re-bound for all of the mmsys/vdosys instances without caring
about the ones that were previously left in a bound state.
Fix that by calling component_unbind_all() on all of the previous
component masters that succeeded binding all subdevices when any
of the other masters errors out.
Fixes: 1ef7ed48356c ("drm/mediatek: Modify mediatek-drm for mt8195 multi mmsys support")
Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20250403104741.71045-4-angelogioacchino.delregno@collabora.com/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/mediatek/mtk_drm_drv.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
index 32d66fa75b7c4..ef4fa70119de1 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
@@ -449,8 +449,11 @@ static int mtk_drm_kms_init(struct drm_device *drm)
for (i = 0; i < private->data->mmsys_dev_num; i++) {
drm->dev_private = private->all_drm_private[i];
ret = component_bind_all(private->all_drm_private[i]->dev, drm);
- if (ret)
+ if (ret) {
+ while (--i >= 0)
+ component_unbind_all(private->all_drm_private[i]->dev, drm);
return ret;
+ }
}
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 079/356] xen/x86: fix initial memory balloon target
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 078/356] drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 080/356] wifi: ath11k: fix node corruption in ar->arvifs list Greg Kroah-Hartman
` (285 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John, Roger Pau Monné,
Juergen Gross, Marek Marczykowski-Górecki, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Roger Pau Monne <roger.pau@citrix.com>
[ Upstream commit 74287971dbb3fe322bb316afd9e7fb5807e23bee ]
When adding extra memory regions as ballooned pages also adjust the balloon
target, otherwise when the balloon driver is started it will populate
memory to match the target value and consume all the extra memory regions
added.
This made the usage of the Xen `dom0_mem=,max:` command line parameter for
dom0 not work as expected, as the target won't be adjusted and when the
balloon is started it will populate memory straight to the 'max:' value.
It would equally affect domUs that have memory != maxmem.
Kernels built with CONFIG_XEN_UNPOPULATED_ALLOC are not affected, because
the extra memory regions are consumed by the unpopulated allocation driver,
and then balloon_add_regions() becomes a no-op.
Reported-by: John <jw@nuclearfallout.net>
Fixes: 87af633689ce ('x86/xen: fix balloon target initialization for PVH dom0')
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Message-ID: <20250514080427.28129-1-roger.pau@citrix.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/xen/balloon.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
index b0b52fa8fba6d..204ec1bcbd526 100644
--- a/drivers/xen/balloon.c
+++ b/drivers/xen/balloon.c
@@ -696,15 +696,18 @@ static int __init balloon_add_regions(void)
/*
* Extra regions are accounted for in the physmap, but need
- * decreasing from current_pages to balloon down the initial
- * allocation, because they are already accounted for in
- * total_pages.
+ * decreasing from current_pages and target_pages to balloon
+ * down the initial allocation, because they are already
+ * accounted for in total_pages.
*/
- if (extra_pfn_end - start_pfn >= balloon_stats.current_pages) {
+ pages = extra_pfn_end - start_pfn;
+ if (pages >= balloon_stats.current_pages ||
+ pages >= balloon_stats.target_pages) {
WARN(1, "Extra pages underflow current target");
return -ERANGE;
}
- balloon_stats.current_pages -= extra_pfn_end - start_pfn;
+ balloon_stats.current_pages -= pages;
+ balloon_stats.target_pages -= pages;
}
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 080/356] wifi: ath11k: fix node corruption in ar->arvifs list
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 079/356] xen/x86: fix initial memory balloon target Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 081/356] IB/cm: use rwlock for MAD agent lock Greg Kroah-Hartman
` (284 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stone Zhang, Jeff Johnson,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stone Zhang <quic_stonez@quicinc.com>
[ Upstream commit 31e98e277ae47f56632e4d663b1d4fd12ba33ea8 ]
In current WLAN recovery code flow, ath11k_core_halt() only
reinitializes the "arvifs" list head. This will cause the
list node immediately following the list head to become an
invalid list node. Because the prev of that node still points
to the list head "arvifs", but the next of the list head "arvifs"
no longer points to that list node.
When a WLAN recovery occurs during the execution of a vif
removal, and it happens before the spin_lock_bh(&ar->data_lock)
in ath11k_mac_op_remove_interface(), list_del() will detect the
previously mentioned situation, thereby triggering a kernel panic.
The fix is to remove and reinitialize all vif list nodes from the
list head "arvifs" during WLAN halt. The reinitialization is to make
the list nodes valid, ensuring that the list_del() in
ath11k_mac_op_remove_interface() can execute normally.
Call trace:
__list_del_entry_valid_or_report+0xb8/0xd0
ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k]
drv_remove_interface+0x48/0x194 [mac80211]
ieee80211_do_stop+0x6e0/0x844 [mac80211]
ieee80211_stop+0x44/0x17c [mac80211]
__dev_close_many+0xac/0x150
__dev_change_flags+0x194/0x234
dev_change_flags+0x24/0x6c
devinet_ioctl+0x3a0/0x670
inet_ioctl+0x200/0x248
sock_do_ioctl+0x60/0x118
sock_ioctl+0x274/0x35c
__arm64_sys_ioctl+0xac/0xf0
invoke_syscall+0x48/0x114
...
Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1
Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Signed-off-by: Stone Zhang <quic_stonez@quicinc.com>
Link: https://patch.msgid.link/20250320053145.3445187-1-quic_stonez@quicinc.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/core.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
index fc7c4564a715c..f9870ba651d8f 100644
--- a/drivers/net/wireless/ath/ath11k/core.c
+++ b/drivers/net/wireless/ath/ath11k/core.c
@@ -1742,6 +1742,7 @@ static int ath11k_core_reconfigure_on_crash(struct ath11k_base *ab)
void ath11k_core_halt(struct ath11k *ar)
{
struct ath11k_base *ab = ar->ab;
+ struct list_head *pos, *n;
lockdep_assert_held(&ar->conf_mutex);
@@ -1756,7 +1757,12 @@ void ath11k_core_halt(struct ath11k *ar)
rcu_assign_pointer(ab->pdevs_active[ar->pdev_idx], NULL);
synchronize_rcu();
- INIT_LIST_HEAD(&ar->arvifs);
+
+ spin_lock_bh(&ar->data_lock);
+ list_for_each_safe(pos, n, &ar->arvifs)
+ list_del_init(pos);
+ spin_unlock_bh(&ar->data_lock);
+
idr_init(&ar->txmgmt_idr);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 081/356] IB/cm: use rwlock for MAD agent lock
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 080/356] wifi: ath11k: fix node corruption in ar->arvifs list Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 082/356] selftests/bpf: Fix bpf_nf selftest failure Greg Kroah-Hartman
` (283 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jacob Moroni, Eric Dumazet,
Zhu Yanjun, Jason Gunthorpe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacob Moroni <jmoroni@google.com>
[ Upstream commit 4dab26bed543584577b64b36aadb8b5b165bf44f ]
In workloads where there are many processes establishing connections using
RDMA CM in parallel (large scale MPI), there can be heavy contention for
mad_agent_lock in cm_alloc_msg.
This contention can occur while inside of a spin_lock_irq region, leading
to interrupts being disabled for extended durations on many
cores. Furthermore, it leads to the serialization of rdma_create_ah calls,
which has negative performance impacts for NICs which are capable of
processing multiple address handle creations in parallel.
The end result is the machine becoming unresponsive, hung task warnings,
netdev TX timeouts, etc.
Since the lock appears to be only for protection from cm_remove_one, it
can be changed to a rwlock to resolve these issues.
Reproducer:
Server:
for i in $(seq 1 512); do
ucmatose -c 32 -p $((i + 5000)) &
done
Client:
for i in $(seq 1 512); do
ucmatose -c 32 -p $((i + 5000)) -s 10.2.0.52 &
done
Fixes: 76039ac9095f ("IB/cm: Protect cm_dev, cm_ports and mad_agent with kref and lock")
Link: https://patch.msgid.link/r/20250220175612.2763122-1-jmoroni@google.com
Signed-off-by: Jacob Moroni <jmoroni@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/cm.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
index 07fb8d3c037f0..d45e3909dafe1 100644
--- a/drivers/infiniband/core/cm.c
+++ b/drivers/infiniband/core/cm.c
@@ -166,7 +166,7 @@ struct cm_port {
struct cm_device {
struct kref kref;
struct list_head list;
- spinlock_t mad_agent_lock;
+ rwlock_t mad_agent_lock;
struct ib_device *ib_device;
u8 ack_delay;
int going_down;
@@ -284,7 +284,7 @@ static struct ib_mad_send_buf *cm_alloc_msg(struct cm_id_private *cm_id_priv)
if (!cm_id_priv->av.port)
return ERR_PTR(-EINVAL);
- spin_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
+ read_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
mad_agent = cm_id_priv->av.port->mad_agent;
if (!mad_agent) {
m = ERR_PTR(-EINVAL);
@@ -315,7 +315,7 @@ static struct ib_mad_send_buf *cm_alloc_msg(struct cm_id_private *cm_id_priv)
m->context[0] = cm_id_priv;
out:
- spin_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
+ read_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
return m;
}
@@ -1294,10 +1294,10 @@ static __be64 cm_form_tid(struct cm_id_private *cm_id_priv)
if (!cm_id_priv->av.port)
return cpu_to_be64(low_tid);
- spin_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
+ read_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
if (cm_id_priv->av.port->mad_agent)
hi_tid = ((u64)cm_id_priv->av.port->mad_agent->hi_tid) << 32;
- spin_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
+ read_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
return cpu_to_be64(hi_tid | low_tid);
}
@@ -4374,7 +4374,7 @@ static int cm_add_one(struct ib_device *ib_device)
return -ENOMEM;
kref_init(&cm_dev->kref);
- spin_lock_init(&cm_dev->mad_agent_lock);
+ rwlock_init(&cm_dev->mad_agent_lock);
cm_dev->ib_device = ib_device;
cm_dev->ack_delay = ib_device->attrs.local_ca_ack_delay;
cm_dev->going_down = 0;
@@ -4490,9 +4490,9 @@ static void cm_remove_one(struct ib_device *ib_device, void *client_data)
* The above ensures no call paths from the work are running,
* the remaining paths all take the mad_agent_lock.
*/
- spin_lock(&cm_dev->mad_agent_lock);
+ write_lock(&cm_dev->mad_agent_lock);
port->mad_agent = NULL;
- spin_unlock(&cm_dev->mad_agent_lock);
+ write_unlock(&cm_dev->mad_agent_lock);
ib_unregister_mad_agent(mad_agent);
ib_port_unregister_client_groups(ib_device, i,
cm_counter_groups);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 082/356] selftests/bpf: Fix bpf_nf selftest failure
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 081/356] IB/cm: use rwlock for MAD agent lock Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 083/356] bpf: fix ktls panic with sockmap Greg Kroah-Hartman
` (282 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Saket Kumar Bhaskar, Andrii Nakryiko,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Saket Kumar Bhaskar <skb99@linux.ibm.com>
[ Upstream commit 967e8def1100cb4b08c28a54d27ce69563fdf281 ]
For systems with missing iptables-legacy tool this selftest fails.
Add check to find if iptables-legacy tool is available and skip the
test if the tool is missing.
Fixes: de9c8d848d90 ("selftests/bpf: S/iptables/iptables-legacy/ in the bpf_nf and xdp_synproxy test")
Signed-off-by: Saket Kumar Bhaskar <skb99@linux.ibm.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20250409095633.33653-1-skb99@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/bpf/prog_tests/bpf_nf.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_nf.c b/tools/testing/selftests/bpf/prog_tests/bpf_nf.c
index b30ff6b3b81ae..f80660c00a1a7 100644
--- a/tools/testing/selftests/bpf/prog_tests/bpf_nf.c
+++ b/tools/testing/selftests/bpf/prog_tests/bpf_nf.c
@@ -63,6 +63,12 @@ static void test_bpf_nf_ct(int mode)
.repeat = 1,
);
+ if (SYS_NOFAIL("iptables-legacy --version")) {
+ fprintf(stdout, "Missing required iptables-legacy tool\n");
+ test__skip();
+ return;
+ }
+
skel = test_bpf_nf__open_and_load();
if (!ASSERT_OK_PTR(skel, "test_bpf_nf__open_and_load"))
return;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 083/356] bpf: fix ktls panic with sockmap
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 082/356] selftests/bpf: Fix bpf_nf selftest failure Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 084/356] bpf, sockmap: fix duplicated data transmission Greg Kroah-Hartman
` (281 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiayuan Chen, John Fastabend,
Alexei Starovoitov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 54a3ecaeeeae8176da8badbd7d72af1017032c39 ]
[ 2172.936997] ------------[ cut here ]------------
[ 2172.936999] kernel BUG at lib/iov_iter.c:629!
......
[ 2172.944996] PKRU: 55555554
[ 2172.945155] Call Trace:
[ 2172.945299] <TASK>
[ 2172.945428] ? die+0x36/0x90
[ 2172.945601] ? do_trap+0xdd/0x100
[ 2172.945795] ? iov_iter_revert+0x178/0x180
[ 2172.946031] ? iov_iter_revert+0x178/0x180
[ 2172.946267] ? do_error_trap+0x7d/0x110
[ 2172.946499] ? iov_iter_revert+0x178/0x180
[ 2172.946736] ? exc_invalid_op+0x50/0x70
[ 2172.946961] ? iov_iter_revert+0x178/0x180
[ 2172.947197] ? asm_exc_invalid_op+0x1a/0x20
[ 2172.947446] ? iov_iter_revert+0x178/0x180
[ 2172.947683] ? iov_iter_revert+0x5c/0x180
[ 2172.947913] tls_sw_sendmsg_locked.isra.0+0x794/0x840
[ 2172.948206] tls_sw_sendmsg+0x52/0x80
[ 2172.948420] ? inet_sendmsg+0x1f/0x70
[ 2172.948634] __sys_sendto+0x1cd/0x200
[ 2172.948848] ? find_held_lock+0x2b/0x80
[ 2172.949072] ? syscall_trace_enter+0x140/0x270
[ 2172.949330] ? __lock_release.isra.0+0x5e/0x170
[ 2172.949595] ? find_held_lock+0x2b/0x80
[ 2172.949817] ? syscall_trace_enter+0x140/0x270
[ 2172.950211] ? lockdep_hardirqs_on_prepare+0xda/0x190
[ 2172.950632] ? ktime_get_coarse_real_ts64+0xc2/0xd0
[ 2172.951036] __x64_sys_sendto+0x24/0x30
[ 2172.951382] do_syscall_64+0x90/0x170
......
After calling bpf_exec_tx_verdict(), the size of msg_pl->sg may increase,
e.g., when the BPF program executes bpf_msg_push_data().
If the BPF program sets cork_bytes and sg.size is smaller than cork_bytes,
it will return -ENOSPC and attempt to roll back to the non-zero copy
logic. However, during rollback, msg->msg_iter is reset, but since
msg_pl->sg.size has been increased, subsequent executions will exceed the
actual size of msg_iter.
'''
iov_iter_revert(&msg->msg_iter, msg_pl->sg.size - orig_size);
'''
The changes in this commit are based on the following considerations:
1. When cork_bytes is set, rolling back to non-zero copy logic is
pointless and can directly go to zero-copy logic.
2. We can not calculate the correct number of bytes to revert msg_iter.
Assume the original data is "abcdefgh" (8 bytes), and after 3 pushes
by the BPF program, it becomes 11-byte data: "abc?de?fgh?".
Then, we set cork_bytes to 6, which means the first 6 bytes have been
processed, and the remaining 5 bytes "?fgh?" will be cached until the
length meets the cork_bytes requirement.
However, some data in "?fgh?" is not within 'sg->msg_iter'
(but in msg_pl instead), especially the data "?" we pushed.
So it doesn't seem as simple as just reverting through an offset of
msg_iter.
3. For non-TLS sockets in tcp_bpf_sendmsg, when a "cork" situation occurs,
the user-space send() doesn't return an error, and the returned length is
the same as the input length parameter, even if some data is cached.
Additionally, I saw that the current non-zero-copy logic for handling
corking is written as:
'''
line 1177
else if (ret != -EAGAIN) {
if (ret == -ENOSPC)
ret = 0;
goto send_end;
'''
So it's ok to just return 'copied' without error when a "cork" situation
occurs.
Fixes: fcb14cb1bdac ("new iov_iter flavour - ITER_UBUF")
Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/r/20250219052015.274405-2-jiayuan.chen@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tls/tls_sw.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 6e30fe879d538..bf445a518883a 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1120,9 +1120,13 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg,
num_async++;
else if (ret == -ENOMEM)
goto wait_for_memory;
- else if (ctx->open_rec && ret == -ENOSPC)
+ else if (ctx->open_rec && ret == -ENOSPC) {
+ if (msg_pl->cork_bytes) {
+ ret = 0;
+ goto send_end;
+ }
goto rollback_iter;
- else if (ret != -EAGAIN)
+ } else if (ret != -EAGAIN)
goto send_end;
}
continue;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 084/356] bpf, sockmap: fix duplicated data transmission
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 083/356] bpf: fix ktls panic with sockmap Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 085/356] bpf, sockmap: Fix panic when calling skb_linearize Greg Kroah-Hartman
` (280 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiayuan Chen, Alexei Starovoitov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 3b4f14b794287be137ea2c6158765d1ea1e018a4 ]
In the !ingress path under sk_psock_handle_skb(), when sending data to the
remote under snd_buf limitations, partial skb data might be transmitted.
Although we preserved the partial transmission state (offset/length), the
state wasn't properly consumed during retries. This caused the retry path
to resend the entire skb data instead of continuing from the previous
offset, resulting in data overlap at the receiver side.
Fixes: 405df89dd52c ("bpf, sockmap: Improved check for empty queue")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://lore.kernel.org/r/20250407142234.47591-3-jiayuan.chen@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/skmsg.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/net/core/skmsg.c b/net/core/skmsg.c
index b9b941c487c8a..c284c8a3d6792 100644
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -655,11 +655,6 @@ static void sk_psock_backlog(struct work_struct *work)
int ret;
mutex_lock(&psock->work_mutex);
- if (unlikely(state->len)) {
- len = state->len;
- off = state->off;
- }
-
while ((skb = skb_peek(&psock->ingress_skb))) {
len = skb->len;
off = 0;
@@ -669,6 +664,13 @@ static void sk_psock_backlog(struct work_struct *work)
off = stm->offset;
len = stm->full_len;
}
+
+ /* Resume processing from previous partial state */
+ if (unlikely(state->len)) {
+ len = state->len;
+ off = state->off;
+ }
+
ingress = skb_bpf_ingress(skb);
skb_bpf_redirect_clear(skb);
do {
@@ -696,6 +698,8 @@ static void sk_psock_backlog(struct work_struct *work)
len -= ret;
} while (len);
+ /* The entire skb sent, clear state */
+ sk_psock_skb_state(psock, state, 0, 0);
skb = skb_dequeue(&psock->ingress_skb);
kfree_skb(skb);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 085/356] bpf, sockmap: Fix panic when calling skb_linearize
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 084/356] bpf, sockmap: fix duplicated data transmission Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 086/356] wifi: ath12k: Fix WMI tag for EHT rate in peer assoc Greg Kroah-Hartman
` (279 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiayuan Chen, Alexei Starovoitov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 5ca2e29f6834c64c0e5a9ccf1278c21fb49b827e ]
The panic can be reproduced by executing the command:
./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000
Then a kernel panic was captured:
'''
[ 657.460555] kernel BUG at net/core/skbuff.c:2178!
[ 657.462680] Tainted: [W]=WARN
[ 657.463287] Workqueue: events sk_psock_backlog
...
[ 657.469610] <TASK>
[ 657.469738] ? die+0x36/0x90
[ 657.469916] ? do_trap+0x1d0/0x270
[ 657.470118] ? pskb_expand_head+0x612/0xf40
[ 657.470376] ? pskb_expand_head+0x612/0xf40
[ 657.470620] ? do_error_trap+0xa3/0x170
[ 657.470846] ? pskb_expand_head+0x612/0xf40
[ 657.471092] ? handle_invalid_op+0x2c/0x40
[ 657.471335] ? pskb_expand_head+0x612/0xf40
[ 657.471579] ? exc_invalid_op+0x2d/0x40
[ 657.471805] ? asm_exc_invalid_op+0x1a/0x20
[ 657.472052] ? pskb_expand_head+0xd1/0xf40
[ 657.472292] ? pskb_expand_head+0x612/0xf40
[ 657.472540] ? lock_acquire+0x18f/0x4e0
[ 657.472766] ? find_held_lock+0x2d/0x110
[ 657.472999] ? __pfx_pskb_expand_head+0x10/0x10
[ 657.473263] ? __kmalloc_cache_noprof+0x5b/0x470
[ 657.473537] ? __pfx___lock_release.isra.0+0x10/0x10
[ 657.473826] __pskb_pull_tail+0xfd/0x1d20
[ 657.474062] ? __kasan_slab_alloc+0x4e/0x90
[ 657.474707] sk_psock_skb_ingress_enqueue+0x3bf/0x510
[ 657.475392] ? __kasan_kmalloc+0xaa/0xb0
[ 657.476010] sk_psock_backlog+0x5cf/0xd70
[ 657.476637] process_one_work+0x858/0x1a20
'''
The panic originates from the assertion BUG_ON(skb_shared(skb)) in
skb_linearize(). A previous commit(see Fixes tag) introduced skb_get()
to avoid race conditions between skb operations in the backlog and skb
release in the recvmsg path. However, this caused the panic to always
occur when skb_linearize is executed.
The "--rx-strp 100000" parameter forces the RX path to use the strparser
module which aggregates data until it reaches 100KB before calling sockmap
logic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize.
To fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue.
'''
sk_psock_backlog:
sk_psock_handle_skb
skb_get(skb) <== we move it into 'sk_psock_skb_ingress_enqueue'
sk_psock_skb_ingress____________
↓
|
| → sk_psock_skb_ingress_self
| sk_psock_skb_ingress_enqueue
sk_psock_verdict_apply_________________↑ skb_linearize
'''
Note that for verdict_apply path, the skb_get operation is unnecessary so
we add 'take_ref' param to control it's behavior.
Fixes: a454d84ee20b ("bpf, sockmap: Fix skb refcnt race after locking changes")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://lore.kernel.org/r/20250407142234.47591-4-jiayuan.chen@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/skmsg.c | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/net/core/skmsg.c b/net/core/skmsg.c
index c284c8a3d6792..c7edf77fd6fde 100644
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -529,16 +529,22 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb,
u32 off, u32 len,
struct sk_psock *psock,
struct sock *sk,
- struct sk_msg *msg)
+ struct sk_msg *msg,
+ bool take_ref)
{
int num_sge, copied;
+ /* skb_to_sgvec will fail when the total number of fragments in
+ * frag_list and frags exceeds MAX_MSG_FRAGS. For example, the
+ * caller may aggregate multiple skbs.
+ */
num_sge = skb_to_sgvec(skb, msg->sg.data, off, len);
if (num_sge < 0) {
/* skb linearize may fail with ENOMEM, but lets simply try again
* later if this happens. Under memory pressure we don't want to
* drop the skb. We need to linearize the skb so that the mapping
* in skb_to_sgvec can not error.
+ * Note that skb_linearize requires the skb not to be shared.
*/
if (skb_linearize(skb))
return -EAGAIN;
@@ -555,7 +561,7 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb,
msg->sg.start = 0;
msg->sg.size = copied;
msg->sg.end = num_sge;
- msg->skb = skb;
+ msg->skb = take_ref ? skb_get(skb) : skb;
sk_psock_queue_msg(psock, msg);
sk_psock_data_ready(sk, psock);
@@ -563,7 +569,7 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb,
}
static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb,
- u32 off, u32 len);
+ u32 off, u32 len, bool take_ref);
static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb,
u32 off, u32 len)
@@ -577,7 +583,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb,
* correctly.
*/
if (unlikely(skb->sk == sk))
- return sk_psock_skb_ingress_self(psock, skb, off, len);
+ return sk_psock_skb_ingress_self(psock, skb, off, len, true);
msg = sk_psock_create_ingress_msg(sk, skb);
if (!msg)
return -EAGAIN;
@@ -589,7 +595,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb,
* into user buffers.
*/
skb_set_owner_r(skb, sk);
- err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg);
+ err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg, true);
if (err < 0)
kfree(msg);
return err;
@@ -600,7 +606,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb,
* because the skb is already accounted for here.
*/
static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb,
- u32 off, u32 len)
+ u32 off, u32 len, bool take_ref)
{
struct sk_msg *msg = alloc_sk_msg(GFP_ATOMIC);
struct sock *sk = psock->sk;
@@ -609,7 +615,7 @@ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb
if (unlikely(!msg))
return -EAGAIN;
skb_set_owner_r(skb, sk);
- err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg);
+ err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg, take_ref);
if (err < 0)
kfree(msg);
return err;
@@ -618,18 +624,13 @@ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb
static int sk_psock_handle_skb(struct sk_psock *psock, struct sk_buff *skb,
u32 off, u32 len, bool ingress)
{
- int err = 0;
-
if (!ingress) {
if (!sock_writeable(psock->sk))
return -EAGAIN;
return skb_send_sock(psock->sk, skb, off, len);
}
- skb_get(skb);
- err = sk_psock_skb_ingress(psock, skb, off, len);
- if (err < 0)
- kfree_skb(skb);
- return err;
+
+ return sk_psock_skb_ingress(psock, skb, off, len);
}
static void sk_psock_skb_state(struct sk_psock *psock,
@@ -1017,7 +1018,7 @@ static int sk_psock_verdict_apply(struct sk_psock *psock, struct sk_buff *skb,
off = stm->offset;
len = stm->full_len;
}
- err = sk_psock_skb_ingress_self(psock, skb, off, len);
+ err = sk_psock_skb_ingress_self(psock, skb, off, len, false);
}
if (err < 0) {
spin_lock_bh(&psock->ingress_lock);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 086/356] wifi: ath12k: Fix WMI tag for EHT rate in peer assoc
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 085/356] bpf, sockmap: Fix panic when calling skb_linearize Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 087/356] f2fs: fix to do sanity check on sbi->total_valid_block_count Greg Kroah-Hartman
` (278 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ramya Gnanasekar, Jeff Johnson,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ramya Gnanasekar <ramya.gnanasekar@oss.qualcomm.com>
[ Upstream commit 1a0e65750b55d2cf5de4a9bf7d6d55718784bdb7 ]
Incorrect WMI tag is used for EHT rate update from host to firmware
while encoding peer assoc WMI.
Correct the WMI tag used for EHT rate update from WMI_TAG_HE_RATE_SET
to the proper tag. This ensures firmware does not mistakenly update HE rate during parsing.
Found during code review. Compile tested only.
Fixes: 5b70ec6036c1 ("wifi: ath12k: add WMI support for EHT peer")
Signed-off-by: Ramya Gnanasekar <ramya.gnanasekar@oss.qualcomm.com>
Link: https://patch.msgid.link/20250409152341.944628-1-ramya.gnanasekar@oss.qualcomm.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath12k/wmi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
index d87d5980325e8..a96bf261a3f75 100644
--- a/drivers/net/wireless/ath/ath12k/wmi.c
+++ b/drivers/net/wireless/ath/ath12k/wmi.c
@@ -2066,7 +2066,7 @@ int ath12k_wmi_send_peer_assoc_cmd(struct ath12k *ar,
for (i = 0; i < arg->peer_eht_mcs_count; i++) {
eht_mcs = ptr;
- eht_mcs->tlv_header = ath12k_wmi_tlv_cmd_hdr(WMI_TAG_HE_RATE_SET,
+ eht_mcs->tlv_header = ath12k_wmi_tlv_cmd_hdr(WMI_TAG_EHT_RATE_SET,
sizeof(*eht_mcs));
eht_mcs->rx_mcs_set = cpu_to_le32(arg->peer_eht_rx_mcs_set[i]);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 087/356] f2fs: fix to do sanity check on sbi->total_valid_block_count
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 086/356] wifi: ath12k: Fix WMI tag for EHT rate in peer assoc Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 088/356] net: ncsi: Fix GCPS 64-bit member variables Greg Kroah-Hartman
` (277 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+8b376a77b2f364097fbe, Chao Yu,
Jaegeuk Kim, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 05872a167c2cab80ef186ef23cc34a6776a1a30c ]
syzbot reported a f2fs bug as below:
------------[ cut here ]------------
kernel BUG at fs/f2fs/f2fs.h:2521!
RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521
Call Trace:
f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695
truncate_dnode+0x417/0x740 fs/f2fs/node.c:973
truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014
f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197
f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810
f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838
f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888
f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112
notify_change+0xbca/0xe90 fs/attr.c:552
do_truncate+0x222/0x310 fs/open.c:65
handle_truncate fs/namei.c:3466 [inline]
do_open fs/namei.c:3849 [inline]
path_openat+0x2e4f/0x35d0 fs/namei.c:4004
do_filp_open+0x284/0x4e0 fs/namei.c:4031
do_sys_openat2+0x12b/0x1d0 fs/open.c:1429
do_sys_open fs/open.c:1444 [inline]
__do_sys_creat fs/open.c:1522 [inline]
__se_sys_creat fs/open.c:1516 [inline]
__x64_sys_creat+0x124/0x170 fs/open.c:1516
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94
The reason is: in fuzzed image, sbi->total_valid_block_count is
inconsistent w/ mapped blocks indexed by inode, so, we should
not trigger panic for such case, instead, let's print log and
set fsck flag.
Fixes: 39a53e0ce0df ("f2fs: add superblock and major in-memory structure")
Reported-by: syzbot+8b376a77b2f364097fbe@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-f2fs-devel/67f3c0b2.050a0220.396535.0547.GAE@google.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/f2fs.h | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index 5f6f159be456e..911c4c64d729d 100644
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -2474,8 +2474,14 @@ static inline void dec_valid_block_count(struct f2fs_sb_info *sbi,
blkcnt_t sectors = count << F2FS_LOG_SECTORS_PER_BLOCK;
spin_lock(&sbi->stat_lock);
- f2fs_bug_on(sbi, sbi->total_valid_block_count < (block_t) count);
- sbi->total_valid_block_count -= (block_t)count;
+ if (unlikely(sbi->total_valid_block_count < count)) {
+ f2fs_warn(sbi, "Inconsistent total_valid_block_count:%u, ino:%lu, count:%u",
+ sbi->total_valid_block_count, inode->i_ino, count);
+ sbi->total_valid_block_count = 0;
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ } else {
+ sbi->total_valid_block_count -= count;
+ }
if (sbi->reserved_blocks &&
sbi->current_reserved_blocks < sbi->reserved_blocks)
sbi->current_reserved_blocks = min(sbi->reserved_blocks,
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 088/356] net: ncsi: Fix GCPS 64-bit member variables
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 087/356] f2fs: fix to do sanity check on sbi->total_valid_block_count Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 089/356] libbpf: Fix buffer overflow in bpf_object__init_prog Greg Kroah-Hartman
` (276 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hari Kalavakunta, Paul Fertser,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
[ Upstream commit e8a1bd8344054ce27bebf59f48e3f6bc10bc419b ]
Correct Get Controller Packet Statistics (GCPS) 64-bit wide member
variables, as per DSP0222 v1.0.0 and forward specs. The Driver currently
collects these stats, but they are yet to be exposed to the user.
Therefore, no user impact.
Statistics fixes:
Total Bytes Received (byte range 28..35)
Total Bytes Transmitted (byte range 36..43)
Total Unicast Packets Received (byte range 44..51)
Total Multicast Packets Received (byte range 52..59)
Total Broadcast Packets Received (byte range 60..67)
Total Unicast Packets Transmitted (byte range 68..75)
Total Multicast Packets Transmitted (byte range 76..83)
Total Broadcast Packets Transmitted (byte range 84..91)
Valid Bytes Received (byte range 204..11)
Signed-off-by: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
Reviewed-by: Paul Fertser <fercerpav@gmail.com>
Link: https://patch.msgid.link/20250410012309.1343-1-kalavakunta.hari.prasad@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ncsi/internal.h | 21 ++++++++++-----------
net/ncsi/ncsi-pkt.h | 23 +++++++++++------------
net/ncsi/ncsi-rsp.c | 21 ++++++++++-----------
3 files changed, 31 insertions(+), 34 deletions(-)
diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h
index 4e0842df5234e..2c260f33b55cc 100644
--- a/net/ncsi/internal.h
+++ b/net/ncsi/internal.h
@@ -143,16 +143,15 @@ struct ncsi_channel_vlan_filter {
};
struct ncsi_channel_stats {
- u32 hnc_cnt_hi; /* Counter cleared */
- u32 hnc_cnt_lo; /* Counter cleared */
- u32 hnc_rx_bytes; /* Rx bytes */
- u32 hnc_tx_bytes; /* Tx bytes */
- u32 hnc_rx_uc_pkts; /* Rx UC packets */
- u32 hnc_rx_mc_pkts; /* Rx MC packets */
- u32 hnc_rx_bc_pkts; /* Rx BC packets */
- u32 hnc_tx_uc_pkts; /* Tx UC packets */
- u32 hnc_tx_mc_pkts; /* Tx MC packets */
- u32 hnc_tx_bc_pkts; /* Tx BC packets */
+ u64 hnc_cnt; /* Counter cleared */
+ u64 hnc_rx_bytes; /* Rx bytes */
+ u64 hnc_tx_bytes; /* Tx bytes */
+ u64 hnc_rx_uc_pkts; /* Rx UC packets */
+ u64 hnc_rx_mc_pkts; /* Rx MC packets */
+ u64 hnc_rx_bc_pkts; /* Rx BC packets */
+ u64 hnc_tx_uc_pkts; /* Tx UC packets */
+ u64 hnc_tx_mc_pkts; /* Tx MC packets */
+ u64 hnc_tx_bc_pkts; /* Tx BC packets */
u32 hnc_fcs_err; /* FCS errors */
u32 hnc_align_err; /* Alignment errors */
u32 hnc_false_carrier; /* False carrier detection */
@@ -181,7 +180,7 @@ struct ncsi_channel_stats {
u32 hnc_tx_1023_frames; /* Tx 512-1023 bytes frames */
u32 hnc_tx_1522_frames; /* Tx 1024-1522 bytes frames */
u32 hnc_tx_9022_frames; /* Tx 1523-9022 bytes frames */
- u32 hnc_rx_valid_bytes; /* Rx valid bytes */
+ u64 hnc_rx_valid_bytes; /* Rx valid bytes */
u32 hnc_rx_runt_pkts; /* Rx error runt packets */
u32 hnc_rx_jabber_pkts; /* Rx error jabber packets */
u32 ncsi_rx_cmds; /* Rx NCSI commands */
diff --git a/net/ncsi/ncsi-pkt.h b/net/ncsi/ncsi-pkt.h
index f2f3b5c1b9412..24edb27379724 100644
--- a/net/ncsi/ncsi-pkt.h
+++ b/net/ncsi/ncsi-pkt.h
@@ -252,16 +252,15 @@ struct ncsi_rsp_gp_pkt {
/* Get Controller Packet Statistics */
struct ncsi_rsp_gcps_pkt {
struct ncsi_rsp_pkt_hdr rsp; /* Response header */
- __be32 cnt_hi; /* Counter cleared */
- __be32 cnt_lo; /* Counter cleared */
- __be32 rx_bytes; /* Rx bytes */
- __be32 tx_bytes; /* Tx bytes */
- __be32 rx_uc_pkts; /* Rx UC packets */
- __be32 rx_mc_pkts; /* Rx MC packets */
- __be32 rx_bc_pkts; /* Rx BC packets */
- __be32 tx_uc_pkts; /* Tx UC packets */
- __be32 tx_mc_pkts; /* Tx MC packets */
- __be32 tx_bc_pkts; /* Tx BC packets */
+ __be64 cnt; /* Counter cleared */
+ __be64 rx_bytes; /* Rx bytes */
+ __be64 tx_bytes; /* Tx bytes */
+ __be64 rx_uc_pkts; /* Rx UC packets */
+ __be64 rx_mc_pkts; /* Rx MC packets */
+ __be64 rx_bc_pkts; /* Rx BC packets */
+ __be64 tx_uc_pkts; /* Tx UC packets */
+ __be64 tx_mc_pkts; /* Tx MC packets */
+ __be64 tx_bc_pkts; /* Tx BC packets */
__be32 fcs_err; /* FCS errors */
__be32 align_err; /* Alignment errors */
__be32 false_carrier; /* False carrier detection */
@@ -290,11 +289,11 @@ struct ncsi_rsp_gcps_pkt {
__be32 tx_1023_frames; /* Tx 512-1023 bytes frames */
__be32 tx_1522_frames; /* Tx 1024-1522 bytes frames */
__be32 tx_9022_frames; /* Tx 1523-9022 bytes frames */
- __be32 rx_valid_bytes; /* Rx valid bytes */
+ __be64 rx_valid_bytes; /* Rx valid bytes */
__be32 rx_runt_pkts; /* Rx error runt packets */
__be32 rx_jabber_pkts; /* Rx error jabber packets */
__be32 checksum; /* Checksum */
-};
+} __packed __aligned(4);
/* Get NCSI Statistics */
struct ncsi_rsp_gns_pkt {
diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
index 4a8ce2949faea..8668888c5a2f9 100644
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -926,16 +926,15 @@ static int ncsi_rsp_handler_gcps(struct ncsi_request *nr)
/* Update HNC's statistics */
ncs = &nc->stats;
- ncs->hnc_cnt_hi = ntohl(rsp->cnt_hi);
- ncs->hnc_cnt_lo = ntohl(rsp->cnt_lo);
- ncs->hnc_rx_bytes = ntohl(rsp->rx_bytes);
- ncs->hnc_tx_bytes = ntohl(rsp->tx_bytes);
- ncs->hnc_rx_uc_pkts = ntohl(rsp->rx_uc_pkts);
- ncs->hnc_rx_mc_pkts = ntohl(rsp->rx_mc_pkts);
- ncs->hnc_rx_bc_pkts = ntohl(rsp->rx_bc_pkts);
- ncs->hnc_tx_uc_pkts = ntohl(rsp->tx_uc_pkts);
- ncs->hnc_tx_mc_pkts = ntohl(rsp->tx_mc_pkts);
- ncs->hnc_tx_bc_pkts = ntohl(rsp->tx_bc_pkts);
+ ncs->hnc_cnt = be64_to_cpu(rsp->cnt);
+ ncs->hnc_rx_bytes = be64_to_cpu(rsp->rx_bytes);
+ ncs->hnc_tx_bytes = be64_to_cpu(rsp->tx_bytes);
+ ncs->hnc_rx_uc_pkts = be64_to_cpu(rsp->rx_uc_pkts);
+ ncs->hnc_rx_mc_pkts = be64_to_cpu(rsp->rx_mc_pkts);
+ ncs->hnc_rx_bc_pkts = be64_to_cpu(rsp->rx_bc_pkts);
+ ncs->hnc_tx_uc_pkts = be64_to_cpu(rsp->tx_uc_pkts);
+ ncs->hnc_tx_mc_pkts = be64_to_cpu(rsp->tx_mc_pkts);
+ ncs->hnc_tx_bc_pkts = be64_to_cpu(rsp->tx_bc_pkts);
ncs->hnc_fcs_err = ntohl(rsp->fcs_err);
ncs->hnc_align_err = ntohl(rsp->align_err);
ncs->hnc_false_carrier = ntohl(rsp->false_carrier);
@@ -964,7 +963,7 @@ static int ncsi_rsp_handler_gcps(struct ncsi_request *nr)
ncs->hnc_tx_1023_frames = ntohl(rsp->tx_1023_frames);
ncs->hnc_tx_1522_frames = ntohl(rsp->tx_1522_frames);
ncs->hnc_tx_9022_frames = ntohl(rsp->tx_9022_frames);
- ncs->hnc_rx_valid_bytes = ntohl(rsp->rx_valid_bytes);
+ ncs->hnc_rx_valid_bytes = be64_to_cpu(rsp->rx_valid_bytes);
ncs->hnc_rx_runt_pkts = ntohl(rsp->rx_runt_pkts);
ncs->hnc_rx_jabber_pkts = ntohl(rsp->rx_jabber_pkts);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 089/356] libbpf: Fix buffer overflow in bpf_object__init_prog
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 088/356] net: ncsi: Fix GCPS 64-bit member variables Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 090/356] xfrm: Use xdo.dev instead of xdo.real_dev Greg Kroah-Hartman
` (275 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, lmarch2, Viktor Malik,
Andrii Nakryiko, Shung-Hsi Yu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viktor Malik <vmalik@redhat.com>
[ Upstream commit ee684de5c1b0ac01821320826baec7da93f3615b ]
As shown in [1], it is possible to corrupt a BPF ELF file such that
arbitrary BPF instructions are loaded by libbpf. This can be done by
setting a symbol (BPF program) section offset to a large (unsigned)
number such that <section start + symbol offset> overflows and points
before the section data in the memory.
Consider the situation below where:
- prog_start = sec_start + symbol_offset <-- size_t overflow here
- prog_end = prog_start + prog_size
prog_start sec_start prog_end sec_end
| | | |
v v v v
.....................|################################|............
The report in [1] also provides a corrupted BPF ELF which can be used as
a reproducer:
$ readelf -S crash
Section Headers:
[Nr] Name Type Address Offset
Size EntSize Flags Link Info Align
...
[ 2] uretprobe.mu[...] PROGBITS 0000000000000000 00000040
0000000000000068 0000000000000000 AX 0 0 8
$ readelf -s crash
Symbol table '.symtab' contains 8 entries:
Num: Value Size Type Bind Vis Ndx Name
...
6: ffffffffffffffb8 104 FUNC GLOBAL DEFAULT 2 handle_tp
Here, the handle_tp prog has section offset ffffffffffffffb8, i.e. will
point before the actual memory where section 2 is allocated.
This is also reported by AddressSanitizer:
=================================================================
==1232==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c7302fe0000 at pc 0x7fc3046e4b77 bp 0x7ffe64677cd0 sp 0x7ffe64677490
READ of size 104 at 0x7c7302fe0000 thread T0
#0 0x7fc3046e4b76 in memcpy (/lib64/libasan.so.8+0xe4b76)
#1 0x00000040df3e in bpf_object__init_prog /src/libbpf/src/libbpf.c:856
#2 0x00000040df3e in bpf_object__add_programs /src/libbpf/src/libbpf.c:928
#3 0x00000040df3e in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3930
#4 0x00000040df3e in bpf_object_open /src/libbpf/src/libbpf.c:8067
#5 0x00000040f176 in bpf_object__open_file /src/libbpf/src/libbpf.c:8090
#6 0x000000400c16 in main /poc/poc.c:8
#7 0x7fc3043d25b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4)
#8 0x7fc3043d2667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667)
#9 0x000000400b34 in _start (/poc/poc+0x400b34)
0x7c7302fe0000 is located 64 bytes before 104-byte region [0x7c7302fe0040,0x7c7302fe00a8)
allocated by thread T0 here:
#0 0x7fc3046e716b in malloc (/lib64/libasan.so.8+0xe716b)
#1 0x7fc3045ee600 in __libelf_set_rawdata_wrlock (/lib64/libelf.so.1+0xb600)
#2 0x7fc3045ef018 in __elf_getdata_rdlock (/lib64/libelf.so.1+0xc018)
#3 0x00000040642f in elf_sec_data /src/libbpf/src/libbpf.c:3740
The problem here is that currently, libbpf only checks that the program
end is within the section bounds. There used to be a check
`while (sec_off < sec_sz)` in bpf_object__add_programs, however, it was
removed by commit 6245947c1b3c ("libbpf: Allow gaps in BPF program
sections to support overriden weak functions").
Add a check for detecting the overflow of `sec_off + prog_sz` to
bpf_object__init_prog to fix this issue.
[1] https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
Fixes: 6245947c1b3c ("libbpf: Allow gaps in BPF program sections to support overriden weak functions")
Reported-by: lmarch2 <2524158037@qq.com>
Signed-off-by: Viktor Malik <vmalik@redhat.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Reviewed-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Link: https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
Link: https://lore.kernel.org/bpf/20250415155014.397603-1-vmalik@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/bpf/libbpf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index fa2abe56e845d..ca764ed3aaa91 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -838,7 +838,7 @@ bpf_object__add_programs(struct bpf_object *obj, Elf_Data *sec_data,
return -LIBBPF_ERRNO__FORMAT;
}
- if (sec_off + prog_sz > sec_sz) {
+ if (sec_off + prog_sz > sec_sz || sec_off + prog_sz < sec_off) {
pr_warn("sec '%s': program at offset %zu crosses section boundary\n",
sec_name, sec_off);
return -LIBBPF_ERRNO__FORMAT;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 090/356] xfrm: Use xdo.dev instead of xdo.real_dev
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 089/356] libbpf: Fix buffer overflow in bpf_object__init_prog Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 091/356] wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT Greg Kroah-Hartman
` (274 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cosmin Ratiu, Leon Romanovsky,
Nikolay Aleksandrov, Steffen Klassert, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cosmin Ratiu <cratiu@nvidia.com>
[ Upstream commit 25ac138f58e7d5c8bffa31e8891418d2819180c4 ]
The policy offload struct was reused from the state offload and
real_dev was copied from dev, but it was never set to anything else.
Simplify the code by always using xdo.dev for policies.
Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 2 +-
net/xfrm/xfrm_device.c | 2 --
net/xfrm/xfrm_state.c | 2 --
3 files changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
index 463c23ae0ad1e..5161bf51fa110 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -1093,7 +1093,7 @@ mlx5e_ipsec_build_accel_pol_attrs(struct mlx5e_ipsec_pol_entry *pol_entry,
static int mlx5e_xfrm_add_policy(struct xfrm_policy *x,
struct netlink_ext_ack *extack)
{
- struct net_device *netdev = x->xdo.real_dev;
+ struct net_device *netdev = x->xdo.dev;
struct mlx5e_ipsec_pol_entry *pol_entry;
struct mlx5e_priv *priv;
int err;
diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
index 04dc0c8a83707..7188d3592dde4 100644
--- a/net/xfrm/xfrm_device.c
+++ b/net/xfrm/xfrm_device.c
@@ -371,7 +371,6 @@ int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp,
xdo->dev = dev;
netdev_tracker_alloc(dev, &xdo->dev_tracker, GFP_ATOMIC);
- xdo->real_dev = dev;
xdo->type = XFRM_DEV_OFFLOAD_PACKET;
switch (dir) {
case XFRM_POLICY_IN:
@@ -393,7 +392,6 @@ int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp,
err = dev->xfrmdev_ops->xdo_dev_policy_add(xp, extack);
if (err) {
xdo->dev = NULL;
- xdo->real_dev = NULL;
xdo->type = XFRM_DEV_OFFLOAD_UNSPECIFIED;
xdo->dir = 0;
netdev_put(dev, &xdo->dev_tracker);
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 86029cf5358c7..d2bd5bddfb05d 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1326,7 +1326,6 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
xso->type = XFRM_DEV_OFFLOAD_PACKET;
xso->dir = xdo->dir;
xso->dev = xdo->dev;
- xso->real_dev = xdo->real_dev;
xso->flags = XFRM_DEV_OFFLOAD_FLAG_ACQ;
netdev_hold(xso->dev, &xso->dev_tracker, GFP_ATOMIC);
error = xso->dev->xfrmdev_ops->xdo_dev_state_add(x, NULL);
@@ -1334,7 +1333,6 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
xso->dir = 0;
netdev_put(xso->dev, &xso->dev_tracker);
xso->dev = NULL;
- xso->real_dev = NULL;
xso->type = XFRM_DEV_OFFLOAD_UNSPECIFIED;
x->km.state = XFRM_STATE_DEAD;
to_put = x;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 091/356] wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 090/356] xfrm: Use xdo.dev instead of xdo.real_dev Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 092/356] wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally Greg Kroah-Hartman
` (273 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhen XIN, Martin Blumenstingl,
Ping-Ke Shih, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhen XIN <zhen.xin@nokia-sbell.com>
[ Upstream commit b2effcdc237979dcc533d446a792fc54fd0e1213 ]
The rtw88-sdio do not work in AP mode due to the lack of TX status report
for management frames.
Map the management frames to queue TX_DESC_QSEL_MGMT, which enables the
chip to generate TX reports for these frames
Tested-on: rtl8723ds
Fixes: 65371a3f14e7 ("wifi: rtw88: sdio: Add HCI implementation for SDIO based chipsets")
Signed-off-by: Zhen XIN <zhen.xin@nokia-sbell.com>
Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20250410154217.1849977-3-zhen.xin@nokia-sbell.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw88/sdio.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtw88/sdio.c b/drivers/net/wireless/realtek/rtw88/sdio.c
index 9043569935796..4df04579e2e7a 100644
--- a/drivers/net/wireless/realtek/rtw88/sdio.c
+++ b/drivers/net/wireless/realtek/rtw88/sdio.c
@@ -718,10 +718,7 @@ static u8 rtw_sdio_get_tx_qsel(struct rtw_dev *rtwdev, struct sk_buff *skb,
case RTW_TX_QUEUE_H2C:
return TX_DESC_QSEL_H2C;
case RTW_TX_QUEUE_MGMT:
- if (rtw_chip_wcpu_11n(rtwdev))
- return TX_DESC_QSEL_HIGH;
- else
- return TX_DESC_QSEL_MGMT;
+ return TX_DESC_QSEL_MGMT;
case RTW_TX_QUEUE_HI0:
return TX_DESC_QSEL_HIGH;
default:
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 092/356] wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 091/356] wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 093/356] wifi: rtw88: do not ignore hardware read error during DPK Greg Kroah-Hartman
` (272 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhen XIN, Martin Blumenstingl,
Ping-Ke Shih, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhen XIN <zhen.xin@nokia-sbell.com>
[ Upstream commit fc5f5a0ec463ae6a07850428bd3082947e01d276 ]
The rtw88-sdio do not work in AP mode due to the lack of TX status report
for management frames.
Make the invocation of rtw_sdio_indicate_tx_status unconditional and cover
all packet queues
Tested-on: rtl8723ds
Fixes: 65371a3f14e7 ("wifi: rtw88: sdio: Add HCI implementation for SDIO based chipsets")
Signed-off-by: Zhen XIN <zhen.xin@nokia-sbell.com>
Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20250410154217.1849977-2-zhen.xin@nokia-sbell.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw88/sdio.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtw88/sdio.c b/drivers/net/wireless/realtek/rtw88/sdio.c
index 4df04579e2e7a..832a427279b40 100644
--- a/drivers/net/wireless/realtek/rtw88/sdio.c
+++ b/drivers/net/wireless/realtek/rtw88/sdio.c
@@ -1223,10 +1223,7 @@ static void rtw_sdio_process_tx_queue(struct rtw_dev *rtwdev,
return;
}
- if (queue <= RTW_TX_QUEUE_VO)
- rtw_sdio_indicate_tx_status(rtwdev, skb);
- else
- dev_kfree_skb_any(skb);
+ rtw_sdio_indicate_tx_status(rtwdev, skb);
}
static void rtw_sdio_tx_handler(struct work_struct *work)
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 093/356] wifi: rtw88: do not ignore hardware read error during DPK
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 092/356] wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 094/356] wifi: ath12k: Add MSDU length validation for TKIP MIC error Greg Kroah-Hartman
` (271 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ping-Ke Shih, Dmitry Antipov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit 20d3c19bd8f9b498173c198eadf54580c8caa336 ]
In 'rtw8822c_dpk_cal_coef1()', do not ignore error returned
by 'check_hw_ready()' but issue a warning to denote possible
DPK issue. Compile tested only.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 5227c2ee453d ("rtw88: 8822c: add SW DPK support")
Suggested-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20250415090720.194048-1-dmantipov@yandex.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw88/rtw8822c.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtw88/rtw8822c.c b/drivers/net/wireless/realtek/rtw88/rtw8822c.c
index 3fe5c70ce731b..f9b2527fbeee5 100644
--- a/drivers/net/wireless/realtek/rtw88/rtw8822c.c
+++ b/drivers/net/wireless/realtek/rtw88/rtw8822c.c
@@ -3991,7 +3991,8 @@ static void rtw8822c_dpk_cal_coef1(struct rtw_dev *rtwdev)
rtw_write32(rtwdev, REG_NCTL0, 0x00001148);
rtw_write32(rtwdev, REG_NCTL0, 0x00001149);
- check_hw_ready(rtwdev, 0x2d9c, MASKBYTE0, 0x55);
+ if (!check_hw_ready(rtwdev, 0x2d9c, MASKBYTE0, 0x55))
+ rtw_warn(rtwdev, "DPK stuck, performance may be suboptimal");
rtw_write8(rtwdev, 0x1b10, 0x0);
rtw_write32_mask(rtwdev, REG_NCTL0, BIT_SUBPAGE, 0x0000000c);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 094/356] wifi: ath12k: Add MSDU length validation for TKIP MIC error
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 093/356] wifi: rtw88: do not ignore hardware read error during DPK Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 095/356] wifi: ath12k: fix node corruption in ar->arvifs list Greg Kroah-Hartman
` (270 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, P Praneesh,
Nithyanantham Paramasivam, Vasanthakumar Thiagarajan,
Jeff Johnson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: P Praneesh <quic_ppranees@quicinc.com>
[ Upstream commit 763216fe6c5df95d122c71ef34c342427c987820 ]
In the WBM error path, while processing TKIP MIC errors, MSDU length
is fetched from the hal_rx_desc's msdu_end. This MSDU length is
directly passed to skb_put() without validation. In stress test
scenarios, the WBM error ring may receive invalid descriptors, which
could lead to an invalid MSDU length.
To fix this, add a check to drop the skb when the calculated MSDU
length is greater than the skb size.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
Signed-off-by: P Praneesh <quic_ppranees@quicinc.com>
Signed-off-by: Nithyanantham Paramasivam <nithyanantham.paramasivam@oss.qualcomm.com>
Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
Link: https://patch.msgid.link/20250416021903.3178962-1-nithyanantham.paramasivam@oss.qualcomm.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath12k/dp_rx.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c
index 8d9315038a75e..56dda76d066c3 100644
--- a/drivers/net/wireless/ath/ath12k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath12k/dp_rx.c
@@ -3683,6 +3683,15 @@ static bool ath12k_dp_rx_h_tkip_mic_err(struct ath12k *ar, struct sk_buff *msdu,
l3pad_bytes = ath12k_dp_rx_h_l3pad(ab, desc);
msdu_len = ath12k_dp_rx_h_msdu_len(ab, desc);
+
+ if ((hal_rx_desc_sz + l3pad_bytes + msdu_len) > DP_RX_BUFFER_SIZE) {
+ ath12k_dbg(ab, ATH12K_DBG_DATA,
+ "invalid msdu len in tkip mic err %u\n", msdu_len);
+ ath12k_dbg_dump(ab, ATH12K_DBG_DATA, NULL, "", desc,
+ sizeof(*desc));
+ return true;
+ }
+
skb_put(msdu, hal_rx_desc_sz + l3pad_bytes + msdu_len);
skb_pull(msdu, hal_rx_desc_sz + l3pad_bytes);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 095/356] wifi: ath12k: fix node corruption in ar->arvifs list
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 094/356] wifi: ath12k: Add MSDU length validation for TKIP MIC error Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 096/356] RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h Greg Kroah-Hartman
` (269 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maharaja Kennadyrajan,
Vasanthakumar Thiagarajan, Jeff Johnson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maharaja Kennadyrajan <maharaja.kennadyrajan@oss.qualcomm.com>
[ Upstream commit 823435bd23108d6f8be89ea2d025c0e2e3769c51 ]
In current WLAN recovery code flow, ath12k_core_halt() only reinitializes
the "arvifs" list head. This will cause the list node immediately following
the list head to become an invalid list node. Because the prev of that node
still points to the list head "arvifs", but the next of the list head
"arvifs" no longer points to that list node.
When a WLAN recovery occurs during the execution of a vif removal, and it
happens before the spin_lock_bh(&ar->data_lock) in
ath12k_mac_vdev_delete(), list_del() will detect the previously mentioned
situation, thereby triggering a kernel panic.
The fix is to remove and reinitialize all vif list nodes from the list head
"arvifs" during WLAN halt. The reinitialization is to make the list nodes
valid, ensuring that the list_del() in ath12k_mac_vdev_delete() can execute
normally.
Call trace:
__list_del_entry_valid_or_report+0xd4/0x100 (P)
ath12k_mac_remove_link_interface.isra.0+0xf8/0x2e4 [ath12k]
ath12k_scan_vdev_clean_work+0x40/0x164 [ath12k]
cfg80211_wiphy_work+0xfc/0x100
process_one_work+0x164/0x2d0
worker_thread+0x254/0x380
kthread+0xfc/0x100
ret_from_fork+0x10/0x20
The change is mostly copied from the ath11k patch:
https://lore.kernel.org/all/20250320053145.3445187-1-quic_stonez@quicinc.com/
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
Signed-off-by: Maharaja Kennadyrajan <maharaja.kennadyrajan@oss.qualcomm.com>
Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
Link: https://patch.msgid.link/20250416021724.2162519-1-maharaja.kennadyrajan@oss.qualcomm.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath12k/core.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath12k/core.c b/drivers/net/wireless/ath/ath12k/core.c
index 3df8059d55129..1b07a183aaedc 100644
--- a/drivers/net/wireless/ath/ath12k/core.c
+++ b/drivers/net/wireless/ath/ath12k/core.c
@@ -657,6 +657,7 @@ static int ath12k_core_reconfigure_on_crash(struct ath12k_base *ab)
void ath12k_core_halt(struct ath12k *ar)
{
+ struct list_head *pos, *n;
struct ath12k_base *ab = ar->ab;
lockdep_assert_held(&ar->conf_mutex);
@@ -671,7 +672,12 @@ void ath12k_core_halt(struct ath12k *ar)
rcu_assign_pointer(ab->pdevs_active[ar->pdev_idx], NULL);
synchronize_rcu();
- INIT_LIST_HEAD(&ar->arvifs);
+
+ spin_lock_bh(&ar->data_lock);
+ list_for_each_safe(pos, n, &ar->arvifs)
+ list_del_init(pos);
+ spin_unlock_bh(&ar->data_lock);
+
idr_init(&ar->txmgmt_idr);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 096/356] RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 095/356] wifi: ath12k: fix node corruption in ar->arvifs list Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 097/356] scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk Greg Kroah-Hartman
` (268 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junxian Huang, Leon Romanovsky,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junxian Huang <huangjunxian6@hisilicon.com>
[ Upstream commit 2b11d33de23262cb20d1dcb24b586dbb8f54d463 ]
hns_roce_hw_v2.h has a direct dependency on hnae3.h due to the
inline function hns_roce_write64(), but it doesn't include this
header currently. This leads to that files including
hns_roce_hw_v2.h must also include hnae3.h to avoid compilation
errors, even if they themselves don't really rely on hnae3.h.
This doesn't make sense, hns_roce_hw_v2.h should include hnae3.h
directly.
Fixes: d3743fa94ccd ("RDMA/hns: Fix the chip hanging caused by sending doorbell during reset")
Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
Link: https://patch.msgid.link/20250421132750.1363348-6-huangjunxian6@hisilicon.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hns/hns_roce_ah.c | 1 -
drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 1 -
drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 1 +
drivers/infiniband/hw/hns/hns_roce_main.c | 1 -
drivers/infiniband/hw/hns/hns_roce_restrack.c | 1 -
5 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_ah.c b/drivers/infiniband/hw/hns/hns_roce_ah.c
index 3df032ddda189..e99890e0c8c37 100644
--- a/drivers/infiniband/hw/hns/hns_roce_ah.c
+++ b/drivers/infiniband/hw/hns/hns_roce_ah.c
@@ -33,7 +33,6 @@
#include <linux/pci.h>
#include <rdma/ib_addr.h>
#include <rdma/ib_cache.h>
-#include "hnae3.h"
#include "hns_roce_device.h"
#include "hns_roce_hw_v2.h"
diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
index aded0a7f42838..9d23d4b5c1285 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
@@ -42,7 +42,6 @@
#include <rdma/ib_umem.h>
#include <rdma/uverbs_ioctl.h>
-#include "hnae3.h"
#include "hns_roce_common.h"
#include "hns_roce_device.h"
#include "hns_roce_cmd.h"
diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
index b8e17721f6fde..7875283eb9d63 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
@@ -34,6 +34,7 @@
#define _HNS_ROCE_HW_V2_H
#include <linux/bitops.h>
+#include "hnae3.h"
#define HNS_ROCE_V2_MAX_RC_INL_INN_SZ 32
#define HNS_ROCE_V2_MTT_ENTRY_SZ 64
diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
index a7e4c951f8fe4..5f39a25064d10 100644
--- a/drivers/infiniband/hw/hns/hns_roce_main.c
+++ b/drivers/infiniband/hw/hns/hns_roce_main.c
@@ -37,7 +37,6 @@
#include <rdma/ib_smi.h>
#include <rdma/ib_user_verbs.h>
#include <rdma/ib_cache.h>
-#include "hnae3.h"
#include "hns_roce_common.h"
#include "hns_roce_device.h"
#include "hns_roce_hem.h"
diff --git a/drivers/infiniband/hw/hns/hns_roce_restrack.c b/drivers/infiniband/hw/hns/hns_roce_restrack.c
index 081a01de30553..1fb5e24683647 100644
--- a/drivers/infiniband/hw/hns/hns_roce_restrack.c
+++ b/drivers/infiniband/hw/hns/hns_roce_restrack.c
@@ -4,7 +4,6 @@
#include <rdma/rdma_cm.h>
#include <rdma/restrack.h>
#include <uapi/rdma/rdma_netlink.h>
-#include "hnae3.h"
#include "hns_roce_common.h"
#include "hns_roce_device.h"
#include "hns_roce_hw_v2.h"
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 097/356] scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 096/356] RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 098/356] libbpf: Remove sample_period init in perf_buffer Greg Kroah-Hartman
` (267 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yihang Li, Martin K. Petersen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yihang Li <liyihang9@huawei.com>
[ Upstream commit e4d953ca557e02edd3aed7390043e1b8ad1c9723 ]
In commit 21c7e972475e ("scsi: hisi_sas: Disable SATA disk phy for severe
I_T nexus reset failure"), if the softreset fails upon certain
conditions, the PHY connected to the disk is disabled directly. Manual
recovery is required, which is inconvenient for users in actual use.
In addition, SATA disks do not support simultaneous connection of multiple
hosts. Therefore, when multiple controllers are connected to a SATA disk
at the same time, the controller which is connected later failed to issue
an ATA softreset to the SATA disk. As a result, the PHY associated with
the disk is disabled and cannot be automatically recovered.
Now that, we will not focus on the execution result of softreset. No
matter whether the execution is successful or not, we will directly carry
out I_T_nexus_reset.
Fixes: 21c7e972475e ("scsi: hisi_sas: Disable SATA disk phy for severe I_T nexus reset failure")
Signed-off-by: Yihang Li <liyihang9@huawei.com>
Link: https://lore.kernel.org/r/20250414080845.1220997-4-liyihang9@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/hisi_sas/hisi_sas_main.c | 29 +++++----------------------
1 file changed, 5 insertions(+), 24 deletions(-)
diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
index 7e64661d215bd..3ad58250bf6b2 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
@@ -1844,33 +1844,14 @@ static int hisi_sas_I_T_nexus_reset(struct domain_device *device)
}
hisi_sas_dereg_device(hisi_hba, device);
- rc = hisi_sas_debug_I_T_nexus_reset(device);
- if (rc == TMF_RESP_FUNC_COMPLETE && dev_is_sata(device)) {
- struct sas_phy *local_phy;
-
+ if (dev_is_sata(device)) {
rc = hisi_sas_softreset_ata_disk(device);
- switch (rc) {
- case -ECOMM:
- rc = -ENODEV;
- break;
- case TMF_RESP_FUNC_FAILED:
- case -EMSGSIZE:
- case -EIO:
- local_phy = sas_get_local_phy(device);
- rc = sas_phy_enable(local_phy, 0);
- if (!rc) {
- local_phy->enabled = 0;
- dev_err(dev, "Disabled local phy of ATA disk %016llx due to softreset fail (%d)\n",
- SAS_ADDR(device->sas_addr), rc);
- rc = -ENODEV;
- }
- sas_put_local_phy(local_phy);
- break;
- default:
- break;
- }
+ if (rc == TMF_RESP_FUNC_FAILED)
+ dev_err(dev, "ata disk %016llx reset (%d)\n",
+ SAS_ADDR(device->sas_addr), rc);
}
+ rc = hisi_sas_debug_I_T_nexus_reset(device);
if ((rc == TMF_RESP_FUNC_COMPLETE) || (rc == -ENODEV))
hisi_sas_release_task(hisi_hba, device);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 098/356] libbpf: Remove sample_period init in perf_buffer
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 097/356] scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 099/356] Use thread-safe function pointer in libbpf_print Greg Kroah-Hartman
` (266 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tao Chen, Andrii Nakryiko, Jiri Olsa,
Namhyung Kim, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tao Chen <chen.dylane@linux.dev>
[ Upstream commit 64821d25f05ac468d435e61669ae745ce5a633ea ]
It seems that sample_period is not used in perf buffer. Actually, only
wakeup_events are meaningful to enable events aggregation for wakeup notification.
Remove sample_period setting code to avoid confusion.
Fixes: fb84b8224655 ("libbpf: add perf buffer API")
Signed-off-by: Tao Chen <chen.dylane@linux.dev>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Link: https://lore.kernel.org/bpf/20250423163901.2983689-1-chen.dylane@linux.dev
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/bpf/libbpf.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index ca764ed3aaa91..18e96375dc319 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -12453,7 +12453,6 @@ struct perf_buffer *perf_buffer__new(int map_fd, size_t page_cnt,
attr.config = PERF_COUNT_SW_BPF_OUTPUT;
attr.type = PERF_TYPE_SOFTWARE;
attr.sample_type = PERF_SAMPLE_RAW;
- attr.sample_period = sample_period;
attr.wakeup_events = sample_period;
p.attr = &attr;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 099/356] Use thread-safe function pointer in libbpf_print
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 098/356] libbpf: Remove sample_period init in perf_buffer Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 100/356] iommu: Protect against overflow in iommu_pgsize() Greg Kroah-Hartman
` (265 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Wiepert, Andrii Nakryiko,
Mykyta Yatsenko, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Wiepert <jonathan.wiepert@gmail.com>
[ Upstream commit 91dbac4076537b464639953c055c460d2bdfc7ea ]
This patch fixes a thread safety bug where libbpf_print uses the
global variable storing the print function pointer rather than the local
variable that had the print function set via __atomic_load_n.
Fixes: f1cb927cdb62 ("libbpf: Ensure print callback usage is thread-safe")
Signed-off-by: Jonathan Wiepert <jonathan.wiepert@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
Link: https://lore.kernel.org/bpf/20250424221457.793068-1-jonathan.wiepert@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/bpf/libbpf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index 18e96375dc319..5dc2e55553358 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -246,7 +246,7 @@ void libbpf_print(enum libbpf_print_level level, const char *format, ...)
old_errno = errno;
va_start(args, format);
- __libbpf_pr(level, format, args);
+ print_fn(level, format, args);
va_end(args);
errno = old_errno;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 100/356] iommu: Protect against overflow in iommu_pgsize()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 099/356] Use thread-safe function pointer in libbpf_print Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 101/356] bonding: assign random address if device address is same as bond Greg Kroah-Hartman
` (264 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe, Lu Baolu,
Joerg Roedel, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
[ Upstream commit e586e22974d2b7acbef3c6c3e01b2d5ce69efe33 ]
On a 32 bit system calling:
iommu_map(0, 0x40000000)
When using the AMD V1 page table type with a domain->pgsize of 0xfffff000
causes iommu_pgsize() to miscalculate a result of:
size=0x40000000 count=2
count should be 1. This completely corrupts the mapping process.
This is because the final test to adjust the pagesize malfunctions when
the addition overflows. Use check_add_overflow() to prevent this.
Fixes: b1d99dc5f983 ("iommu: Hook up '->unmap_pages' driver callback")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
Link: https://lore.kernel.org/r/0-v1-3ad28fc2e3a3+163327-iommu_overflow_pgsize_jgg@nvidia.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/iommu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index f2b3a4e2e54fc..3fa5699b9ff19 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -2382,6 +2382,7 @@ static size_t iommu_pgsize(struct iommu_domain *domain, unsigned long iova,
unsigned int pgsize_idx, pgsize_idx_next;
unsigned long pgsizes;
size_t offset, pgsize, pgsize_next;
+ size_t offset_end;
unsigned long addr_merge = paddr | iova;
/* Page sizes supported by the hardware and small enough for @size */
@@ -2422,7 +2423,8 @@ static size_t iommu_pgsize(struct iommu_domain *domain, unsigned long iova,
* If size is big enough to accommodate the larger page, reduce
* the number of smaller pages.
*/
- if (offset + pgsize_next <= size)
+ if (!check_add_overflow(offset, pgsize_next, &offset_end) &&
+ offset_end <= size)
size = offset;
out_set_count:
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 101/356] bonding: assign random address if device address is same as bond
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 100/356] iommu: Protect against overflow in iommu_pgsize() Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 102/356] f2fs: clean up w/ fscrypt_is_bounce_page() Greg Kroah-Hartman
` (263 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hangbin Liu, Jay Vosburgh,
David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 5c3bf6cba7911f470afd748606be5c03a9512fcc ]
This change addresses a MAC address conflict issue in failover scenarios,
similar to the problem described in commit a951bc1e6ba5 ("bonding: correct
the MAC address for 'follow' fail_over_mac policy").
In fail_over_mac=follow mode, the bonding driver expects the formerly active
slave to swap MAC addresses with the newly active slave during failover.
However, under certain conditions, two slaves may end up with the same MAC
address, which breaks this policy:
1) ip link set eth0 master bond0
-> bond0 adopts eth0's MAC address (MAC0).
2) ip link set eth1 master bond0
-> eth1 is added as a backup with its own MAC (MAC1).
3) ip link set eth0 nomaster
-> eth0 is released and restores its MAC (MAC0).
-> eth1 becomes the active slave, and bond0 assigns MAC0 to eth1.
4) ip link set eth0 master bond0
-> eth0 is re-added to bond0, now both eth0 and eth1 have MAC0.
This results in a MAC address conflict and violates the expected behavior
of the failover policy.
To fix this, we assign a random MAC address to any newly added slave if
its current MAC address matches that of the bond. The original (permanent)
MAC address is saved and will be restored when the device is released
from the bond.
This ensures that each slave has a unique MAC address during failover
transitions, preserving the integrity of the fail_over_mac=follow policy.
Fixes: 3915c1e8634a ("bonding: Add "follow" option to fail_over_mac")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Acked-by: Jay Vosburgh <jv@jvosburgh.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 56c241246d1af..85ab692571627 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -2040,15 +2040,26 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
* set the master's mac address to that of the first slave
*/
memcpy(ss.__data, bond_dev->dev_addr, bond_dev->addr_len);
- ss.ss_family = slave_dev->type;
- res = dev_set_mac_address(slave_dev, (struct sockaddr *)&ss,
- extack);
- if (res) {
- slave_err(bond_dev, slave_dev, "Error %d calling set_mac_address\n", res);
- goto err_restore_mtu;
- }
+ } else if (bond->params.fail_over_mac == BOND_FOM_FOLLOW &&
+ BOND_MODE(bond) == BOND_MODE_ACTIVEBACKUP &&
+ memcmp(slave_dev->dev_addr, bond_dev->dev_addr, bond_dev->addr_len) == 0) {
+ /* Set slave to random address to avoid duplicate mac
+ * address in later fail over.
+ */
+ eth_random_addr(ss.__data);
+ } else {
+ goto skip_mac_set;
}
+ ss.ss_family = slave_dev->type;
+ res = dev_set_mac_address(slave_dev, (struct sockaddr *)&ss, extack);
+ if (res) {
+ slave_err(bond_dev, slave_dev, "Error %d calling set_mac_address\n", res);
+ goto err_restore_mtu;
+ }
+
+skip_mac_set:
+
/* set no_addrconf flag before open to prevent IPv6 addrconf */
slave_dev->priv_flags |= IFF_NO_ADDRCONF;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 102/356] f2fs: clean up w/ fscrypt_is_bounce_page()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 101/356] bonding: assign random address if device address is same as bond Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 103/356] f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed() Greg Kroah-Hartman
` (262 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 0c708e35cf26449ca317fcbfc274704660b6d269 ]
Just cleanup, no logic changes.
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/data.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index acd0764b0286c..5a3fa2f887a79 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -54,7 +54,7 @@ bool f2fs_is_cp_guaranteed(struct page *page)
struct inode *inode;
struct f2fs_sb_info *sbi;
- if (!mapping)
+ if (fscrypt_is_bounce_page(page))
return false;
inode = mapping->host;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 103/356] f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 102/356] f2fs: clean up w/ fscrypt_is_bounce_page() Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 104/356] libbpf: Use proper errno value in linker Greg Kroah-Hartman
` (261 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Prusakowski, Chao Yu,
Jaegeuk Kim, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit aa1be8dd64163eca4dde7fd2557eb19927a06a47 ]
Jan Prusakowski reported a f2fs bug as below:
f2fs/007 will hang kernel during testing w/ below configs:
kernel 6.12.18 (from pixel-kernel/android16-6.12)
export MKFS_OPTIONS="-O encrypt -O extra_attr -O project_quota -O quota"
export F2FS_MOUNT_OPTIONS="test_dummy_encryption,discard,fsync_mode=nobarrier,reserve_root=32768,checkpoint_merge,atgc"
cat /proc/<umount_proc_id>/stack
f2fs_wait_on_all_pages+0xa3/0x130
do_checkpoint+0x40c/0x5d0
f2fs_write_checkpoint+0x258/0x550
kill_f2fs_super+0x14f/0x190
deactivate_locked_super+0x30/0xb0
cleanup_mnt+0xba/0x150
task_work_run+0x59/0xa0
syscall_exit_to_user_mode+0x12d/0x130
do_syscall_64+0x57/0x110
entry_SYSCALL_64_after_hwframe+0x76/0x7e
cat /sys/kernel/debug/f2fs/status
- IO_W (CP: -256, Data: 256, Flush: ( 0 0 1), Discard: ( 0 0)) cmd: 0 undiscard: 0
CP IOs reference count becomes negative.
The root cause is:
After 4961acdd65c9 ("f2fs: fix to tag gcing flag on page during block
migration"), we will tag page w/ gcing flag for raw page of cluster
during its migration.
However, if the inode is both encrypted and compressed, during
ioc_decompress(), it will tag page w/ gcing flag, and it increase
F2FS_WB_DATA reference count:
- f2fs_write_multi_page
- f2fs_write_raw_page
- f2fs_write_single_page
- do_write_page
- f2fs_submit_page_write
- WB_DATA_TYPE(bio_page, fio->compressed_page)
: bio_page is encrypted, so mapping is NULL, and fio->compressed_page
is NULL, it returns F2FS_WB_DATA
- inc_page_count(.., F2FS_WB_DATA)
Then, during end_io(), it decrease F2FS_WB_CP_DATA reference count:
- f2fs_write_end_io
- f2fs_compress_write_end_io
- fscrypt_pagecache_folio
: get raw page from encrypted page
- WB_DATA_TYPE(&folio->page, false)
: raw page has gcing flag, it returns F2FS_WB_CP_DATA
- dec_page_count(.., F2FS_WB_CP_DATA)
In order to fix this issue, we need to detect gcing flag in raw page
in f2fs_is_cp_guaranteed().
Fixes: 4961acdd65c9 ("f2fs: fix to tag gcing flag on page during block migration")
Reported-by: Jan Prusakowski <jprusakowski@google.com>
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/data.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index 5a3fa2f887a79..a123bb26acd8b 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -55,7 +55,7 @@ bool f2fs_is_cp_guaranteed(struct page *page)
struct f2fs_sb_info *sbi;
if (fscrypt_is_bounce_page(page))
- return false;
+ return page_private_gcing(fscrypt_pagecache_page(page));
inode = mapping->host;
sbi = F2FS_I_SB(inode);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 104/356] libbpf: Use proper errno value in linker
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 103/356] f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed() Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 105/356] bpf: Allow XDP dev-bound programs to perform XDP_REDIRECT into maps Greg Kroah-Hartman
` (260 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anton Protopopov, Andrii Nakryiko,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anton Protopopov <a.s.protopopov@gmail.com>
[ Upstream commit 358b1c0f56ebb6996fcec7dcdcf6bae5dcbc8b6c ]
Return values of the linker_append_sec_data() and the
linker_append_elf_relos() functions are propagated all the
way up to users of libbpf API. In some error cases these
functions return -1 which will be seen as -EPERM from user's
point of view. Instead, return a more reasonable -EINVAL.
Fixes: faf6ed321cf6 ("libbpf: Add BPF static linker APIs")
Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20250430120820.2262053-1-a.s.protopopov@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/bpf/linker.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c
index a3a190d13db8a..e1b3136643aa8 100644
--- a/tools/lib/bpf/linker.c
+++ b/tools/lib/bpf/linker.c
@@ -1187,7 +1187,7 @@ static int linker_append_sec_data(struct bpf_linker *linker, struct src_obj *obj
} else {
if (!secs_match(dst_sec, src_sec)) {
pr_warn("ELF sections %s are incompatible\n", src_sec->sec_name);
- return -1;
+ return -EINVAL;
}
/* "license" and "version" sections are deduped */
@@ -2034,7 +2034,7 @@ static int linker_append_elf_relos(struct bpf_linker *linker, struct src_obj *ob
}
} else if (!secs_match(dst_sec, src_sec)) {
pr_warn("sections %s are not compatible\n", src_sec->sec_name);
- return -1;
+ return -EINVAL;
}
/* shdr->sh_link points to SYMTAB */
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 105/356] bpf: Allow XDP dev-bound programs to perform XDP_REDIRECT into maps
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 104/356] libbpf: Use proper errno value in linker Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 106/356] netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it Greg Kroah-Hartman
` (259 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Martin KaFai Lau,
Stanislav Fomichev, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 714070c4cb7a10ff57450a618a936775f3036245 ]
In the current implementation if the program is dev-bound to a specific
device, it will not be possible to perform XDP_REDIRECT into a DEVMAP
or CPUMAP even if the program is running in the driver NAPI context and
it is not attached to any map entry. This seems in contrast with the
explanation available in bpf_prog_map_compatible routine.
Fix the issue introducing __bpf_prog_map_compatible utility routine in
order to avoid bpf_prog_is_dev_bound() check running bpf_check_tail_call()
at program load time (bpf_prog_select_runtime()).
Continue forbidding to attach a dev-bound program to XDP maps
(BPF_MAP_TYPE_PROG_ARRAY, BPF_MAP_TYPE_DEVMAP and BPF_MAP_TYPE_CPUMAP).
Fixes: 3d76a4d3d4e59 ("bpf: XDP metadata RX kfuncs")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/core.c | 27 ++++++++++++++++-----------
1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 81fd1bb994164..3f140b7527cfc 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -2258,8 +2258,8 @@ static unsigned int __bpf_prog_ret0_warn(const void *ctx,
}
#endif
-bool bpf_prog_map_compatible(struct bpf_map *map,
- const struct bpf_prog *fp)
+static bool __bpf_prog_map_compatible(struct bpf_map *map,
+ const struct bpf_prog *fp)
{
enum bpf_prog_type prog_type = resolve_prog_type(fp);
bool ret;
@@ -2268,14 +2268,6 @@ bool bpf_prog_map_compatible(struct bpf_map *map,
if (fp->kprobe_override)
return false;
- /* XDP programs inserted into maps are not guaranteed to run on
- * a particular netdev (and can run outside driver context entirely
- * in the case of devmap and cpumap). Until device checks
- * are implemented, prohibit adding dev-bound programs to program maps.
- */
- if (bpf_prog_is_dev_bound(aux))
- return false;
-
spin_lock(&map->owner.lock);
if (!map->owner.type) {
/* There's no owner yet where we could check for
@@ -2309,6 +2301,19 @@ bool bpf_prog_map_compatible(struct bpf_map *map,
return ret;
}
+bool bpf_prog_map_compatible(struct bpf_map *map, const struct bpf_prog *fp)
+{
+ /* XDP programs inserted into maps are not guaranteed to run on
+ * a particular netdev (and can run outside driver context entirely
+ * in the case of devmap and cpumap). Until device checks
+ * are implemented, prohibit adding dev-bound programs to program maps.
+ */
+ if (bpf_prog_is_dev_bound(fp->aux))
+ return false;
+
+ return __bpf_prog_map_compatible(map, fp);
+}
+
static int bpf_check_tail_call(const struct bpf_prog *fp)
{
struct bpf_prog_aux *aux = fp->aux;
@@ -2321,7 +2326,7 @@ static int bpf_check_tail_call(const struct bpf_prog *fp)
if (!map_type_contains_progs(map))
continue;
- if (!bpf_prog_map_compatible(map, fp)) {
+ if (!__bpf_prog_map_compatible(map, fp)) {
ret = -EINVAL;
goto out;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 106/356] netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 105/356] bpf: Allow XDP dev-bound programs to perform XDP_REDIRECT into maps Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 107/356] netfilter: nft_quota: match correctly when the quota just depleted Greg Kroah-Hartman
` (258 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Huajian Yang, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huajian Yang <huajianyang@asrmicro.com>
[ Upstream commit aa04c6f45b9224b949aa35d4fa5f8d0ba07b23d4 ]
The config NF_CONNTRACK_BRIDGE will change the bridge forwarding for
fragmented packets.
The original bridge does not know that it is a fragmented packet and
forwards it directly, after NF_CONNTRACK_BRIDGE is enabled, function
nf_br_ip_fragment and br_ip6_fragment will check the headroom.
In original br_forward, insufficient headroom of skb may indeed exist,
but there's still a way to save the skb in the device driver after
dev_queue_xmit.So droping the skb will change the original bridge
forwarding in some cases.
Fixes: 3c171f496ef5 ("netfilter: bridge: add connection tracking system")
Signed-off-by: Huajian Yang <huajianyang@asrmicro.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/netfilter/nf_conntrack_bridge.c | 12 ++++++------
net/ipv6/netfilter.c | 12 ++++++------
2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c
index 4fbfbafdfa027..4b4a396d97225 100644
--- a/net/bridge/netfilter/nf_conntrack_bridge.c
+++ b/net/bridge/netfilter/nf_conntrack_bridge.c
@@ -60,19 +60,19 @@ static int nf_br_ip_fragment(struct net *net, struct sock *sk,
struct ip_fraglist_iter iter;
struct sk_buff *frag;
- if (first_len - hlen > mtu ||
- skb_headroom(skb) < ll_rs)
+ if (first_len - hlen > mtu)
goto blackhole;
- if (skb_cloned(skb))
+ if (skb_cloned(skb) ||
+ skb_headroom(skb) < ll_rs)
goto slow_path;
skb_walk_frags(skb, frag) {
- if (frag->len > mtu ||
- skb_headroom(frag) < hlen + ll_rs)
+ if (frag->len > mtu)
goto blackhole;
- if (skb_shared(frag))
+ if (skb_shared(frag) ||
+ skb_headroom(frag) < hlen + ll_rs)
goto slow_path;
}
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 7c4af48d529e1..606aae4e78a9a 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -163,20 +163,20 @@ int br_ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
struct ip6_fraglist_iter iter;
struct sk_buff *frag2;
- if (first_len - hlen > mtu ||
- skb_headroom(skb) < (hroom + sizeof(struct frag_hdr)))
+ if (first_len - hlen > mtu)
goto blackhole;
- if (skb_cloned(skb))
+ if (skb_cloned(skb) ||
+ skb_headroom(skb) < (hroom + sizeof(struct frag_hdr)))
goto slow_path;
skb_walk_frags(skb, frag2) {
- if (frag2->len > mtu ||
- skb_headroom(frag2) < (hlen + hroom + sizeof(struct frag_hdr)))
+ if (frag2->len > mtu)
goto blackhole;
/* Partially cloned skb? */
- if (skb_shared(frag2))
+ if (skb_shared(frag2) ||
+ skb_headroom(frag2) < (hlen + hroom + sizeof(struct frag_hdr)))
goto slow_path;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 107/356] netfilter: nft_quota: match correctly when the quota just depleted
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 106/356] netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 108/356] RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction Greg Kroah-Hartman
` (257 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhongqiu Duan, Pablo Neira Ayuso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
[ Upstream commit bfe7cfb65c753952735c3eed703eba9a8b96a18d ]
The xt_quota compares skb length with remaining quota, but the nft_quota
compares it with consumed bytes.
The xt_quota can match consumed bytes up to quota at maximum. But the
nft_quota break match when consumed bytes equal to quota.
i.e., nft_quota match consumed bytes in [0, quota - 1], not [0, quota].
Fixes: 795595f68d6c ("netfilter: nft_quota: dump consumed quota")
Signed-off-by: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_quota.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nft_quota.c b/net/netfilter/nft_quota.c
index 9b2d7463d3d32..df0798da2329b 100644
--- a/net/netfilter/nft_quota.c
+++ b/net/netfilter/nft_quota.c
@@ -19,10 +19,16 @@ struct nft_quota {
};
static inline bool nft_overquota(struct nft_quota *priv,
- const struct sk_buff *skb)
+ const struct sk_buff *skb,
+ bool *report)
{
- return atomic64_add_return(skb->len, priv->consumed) >=
- atomic64_read(&priv->quota);
+ u64 consumed = atomic64_add_return(skb->len, priv->consumed);
+ u64 quota = atomic64_read(&priv->quota);
+
+ if (report)
+ *report = consumed >= quota;
+
+ return consumed > quota;
}
static inline bool nft_quota_invert(struct nft_quota *priv)
@@ -34,7 +40,7 @@ static inline void nft_quota_do_eval(struct nft_quota *priv,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
{
- if (nft_overquota(priv, pkt->skb) ^ nft_quota_invert(priv))
+ if (nft_overquota(priv, pkt->skb, NULL) ^ nft_quota_invert(priv))
regs->verdict.code = NFT_BREAK;
}
@@ -51,13 +57,13 @@ static void nft_quota_obj_eval(struct nft_object *obj,
const struct nft_pktinfo *pkt)
{
struct nft_quota *priv = nft_obj_data(obj);
- bool overquota;
+ bool overquota, report;
- overquota = nft_overquota(priv, pkt->skb);
+ overquota = nft_overquota(priv, pkt->skb, &report);
if (overquota ^ nft_quota_invert(priv))
regs->verdict.code = NFT_BREAK;
- if (overquota &&
+ if (report &&
!test_and_set_bit(NFT_QUOTA_DEPLETED_BIT, &priv->flags))
nft_obj_notify(nft_net(pkt), obj->key.table, obj, 0, 0,
NFT_MSG_NEWOBJ, 0, nft_pf(pkt), 0, GFP_ATOMIC);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 108/356] RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 107/356] netfilter: nft_quota: match correctly when the quota just depleted Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 109/356] bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ Greg Kroah-Hartman
` (256 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Patrisious Haddad, Leon Romanovsky,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Patrisious Haddad <phaddad@nvidia.com>
[ Upstream commit 5d2ea5aebbb2f3ebde4403f9c55b2b057e5dd2d6 ]
Upon RQ destruction if the firmware command fails which is the
last resource to be destroyed some SW resources were already cleaned
regardless of the failure.
Now properly rollback the object to its original state upon such failure.
In order to avoid a use-after free in case someone tries to destroy the
object again, which results in the following kernel trace:
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148
Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE)
CPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G OE ------- --- 6.12.0-54.el10.aarch64 #1
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0xf4/0x148
lr : refcount_warn_saturate+0xf4/0x148
sp : ffff80008b81b7e0
x29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001
x26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00
x23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000
x20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006
x17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f
x14: 0000000000000000 x13: 2e656572662d7265 x12: ffff80008283ef78
x11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90
x8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff
x5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600
Call trace:
refcount_warn_saturate+0xf4/0x148
mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib]
mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib]
mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib]
ib_destroy_wq_user+0x30/0xc0 [ib_core]
uverbs_free_wq+0x28/0x58 [ib_uverbs]
destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs]
uverbs_destroy_uobject+0x48/0x240 [ib_uverbs]
__uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs]
uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs]
ib_uverbs_close+0x2c/0x100 [ib_uverbs]
__fput+0xd8/0x2f0
__fput_sync+0x50/0x70
__arm64_sys_close+0x40/0x90
invoke_syscall.constprop.0+0x74/0xd0
do_el0_svc+0x48/0xe8
el0_svc+0x44/0x1d0
el0t_64_sync_handler+0x120/0x130
el0t_64_sync+0x1a4/0x1a8
Fixes: e2013b212f9f ("net/mlx5_core: Add RQ and SQ event handling")
Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
Link: https://patch.msgid.link/3181433ccdd695c63560eeeb3f0c990961732101.1745839855.git.leon@kernel.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/mlx5/qpc.c | 30 ++++++++++++++++++++++++++++--
include/linux/mlx5/driver.h | 1 +
2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/hw/mlx5/qpc.c b/drivers/infiniband/hw/mlx5/qpc.c
index d9cf6982d645e..9de9bea1025e2 100644
--- a/drivers/infiniband/hw/mlx5/qpc.c
+++ b/drivers/infiniband/hw/mlx5/qpc.c
@@ -21,8 +21,10 @@ mlx5_get_rsc(struct mlx5_qp_table *table, u32 rsn)
spin_lock_irqsave(&table->lock, flags);
common = radix_tree_lookup(&table->tree, rsn);
- if (common)
+ if (common && !common->invalid)
refcount_inc(&common->refcount);
+ else
+ common = NULL;
spin_unlock_irqrestore(&table->lock, flags);
@@ -178,6 +180,18 @@ static int create_resource_common(struct mlx5_ib_dev *dev,
return 0;
}
+static void modify_resource_common_state(struct mlx5_ib_dev *dev,
+ struct mlx5_core_qp *qp,
+ bool invalid)
+{
+ struct mlx5_qp_table *table = &dev->qp_table;
+ unsigned long flags;
+
+ spin_lock_irqsave(&table->lock, flags);
+ qp->common.invalid = invalid;
+ spin_unlock_irqrestore(&table->lock, flags);
+}
+
static void destroy_resource_common(struct mlx5_ib_dev *dev,
struct mlx5_core_qp *qp)
{
@@ -604,8 +618,20 @@ int mlx5_core_create_rq_tracked(struct mlx5_ib_dev *dev, u32 *in, int inlen,
int mlx5_core_destroy_rq_tracked(struct mlx5_ib_dev *dev,
struct mlx5_core_qp *rq)
{
+ int ret;
+
+ /* The rq destruction can be called again in case it fails, hence we
+ * mark the common resource as invalid and only once FW destruction
+ * is completed successfully we actually destroy the resources.
+ */
+ modify_resource_common_state(dev, rq, true);
+ ret = destroy_rq_tracked(dev, rq->qpn, rq->uid);
+ if (ret) {
+ modify_resource_common_state(dev, rq, false);
+ return ret;
+ }
destroy_resource_common(dev, rq);
- return destroy_rq_tracked(dev, rq->qpn, rq->uid);
+ return 0;
}
static void destroy_sq_tracked(struct mlx5_ib_dev *dev, u32 sqn, u16 uid)
diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
index 69d844b34da0d..696a2227869fb 100644
--- a/include/linux/mlx5/driver.h
+++ b/include/linux/mlx5/driver.h
@@ -390,6 +390,7 @@ struct mlx5_core_rsc_common {
enum mlx5_res_type res;
refcount_t refcount;
struct completion free;
+ bool invalid;
};
struct mlx5_uars_page {
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 109/356] bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 108/356] RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 110/356] tracing: Move histogram trigger variables from stack to per CPU structure Greg Kroah-Hartman
` (255 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anton Protopopov, Andrii Nakryiko,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anton Protopopov <a.s.protopopov@gmail.com>
[ Upstream commit 41d4ce6df3f4945341ec509a840cc002a413b6cc ]
With the latest LLVM bpf selftests build will fail with
the following error message:
progs/profiler.inc.h:710:31: error: default initialization of an object of type 'typeof ((parent_task)->real_cred->uid.val)' (aka 'const unsigned int') leaves the object uninitialized and is incompatible with C++ [-Werror,-Wdefault-const-init-unsafe]
710 | proc_exec_data->parent_uid = BPF_CORE_READ(parent_task, real_cred, uid.val);
| ^
tools/testing/selftests/bpf/tools/include/bpf/bpf_core_read.h:520:35: note: expanded from macro 'BPF_CORE_READ'
520 | ___type((src), a, ##__VA_ARGS__) __r; \
| ^
This happens because BPF_CORE_READ (and other macro) declare the
variable __r using the ___type macro which can inherit const modifier
from intermediate types.
Fix this by using __typeof_unqual__, when supported. (And when it
is not supported, the problem shouldn't appear, as older compilers
haven't complained.)
Fixes: 792001f4f7aa ("libbpf: Add user-space variants of BPF_CORE_READ() family of macros")
Fixes: a4b09a9ef945 ("libbpf: Add non-CO-RE variants of BPF_CORE_READ() macro family")
Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20250502193031.3522715-1-a.s.protopopov@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/bpf/bpf_core_read.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/tools/lib/bpf/bpf_core_read.h b/tools/lib/bpf/bpf_core_read.h
index e2b9e8415c044..b3fc384595a9f 100644
--- a/tools/lib/bpf/bpf_core_read.h
+++ b/tools/lib/bpf/bpf_core_read.h
@@ -312,7 +312,13 @@ enum bpf_enum_value_kind {
#define ___arrow10(a, b, c, d, e, f, g, h, i, j) a->b->c->d->e->f->g->h->i->j
#define ___arrow(...) ___apply(___arrow, ___narg(__VA_ARGS__))(__VA_ARGS__)
+#if defined(__clang__) && (__clang_major__ >= 19)
+#define ___type(...) __typeof_unqual__(___arrow(__VA_ARGS__))
+#elif defined(__GNUC__) && (__GNUC__ >= 14)
+#define ___type(...) __typeof_unqual__(___arrow(__VA_ARGS__))
+#else
#define ___type(...) typeof(___arrow(__VA_ARGS__))
+#endif
#define ___read(read_fn, dst, src_type, src, accessor) \
read_fn((void *)(dst), sizeof(*(dst)), &((src_type)(src))->accessor)
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 110/356] tracing: Move histogram trigger variables from stack to per CPU structure
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 109/356] bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 111/356] clk: qcom: camcc-sm6350: Add *_wait_val values for GDSCs Greg Kroah-Hartman
` (254 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathieu Desnoyers, Tom Zanussi,
Masami Hiramatsu (Google), Steven Rostedt (Google), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
[ Upstream commit 7ab0fc61ce73040f89b12d76a8279995ec283541 ]
The histogram trigger has three somewhat large arrays on the kernel stack:
unsigned long entries[HIST_STACKTRACE_DEPTH];
u64 var_ref_vals[TRACING_MAP_VARS_MAX];
char compound_key[HIST_KEY_SIZE_MAX];
Checking the function event_hist_trigger() stack frame size, it currently
uses 816 bytes for its stack frame due to these variables!
Instead, allocate a per CPU structure that holds these arrays for each
context level (normal, softirq, irq and NMI). That is, each CPU will have
4 of these structures. This will be allocated when the first histogram
trigger is enabled and freed when the last is disabled. When the
histogram callback triggers, it will request this structure. The request
will disable preemption, get the per CPU structure at the index of the
per CPU variable, and increment that variable.
The callback will use the arrays in this structure to perform its work and
then release the structure. That in turn will simply decrement the per CPU
index and enable preemption.
Moving the variables from the kernel stack to the per CPU structure brings
the stack frame of event_hist_trigger() down to just 112 bytes.
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Tom Zanussi <zanussi@kernel.org>
Link: https://lore.kernel.org/20250407123851.74ea8d58@gandalf.local.home
Fixes: 067fe038e70f6 ("tracing: Add variable reference handling to hist triggers")
Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_events_hist.c | 120 +++++++++++++++++++++++++++----
1 file changed, 105 insertions(+), 15 deletions(-)
diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
index e6f9cbc622c75..29fcd8787344f 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -5257,17 +5257,94 @@ hist_trigger_actions(struct hist_trigger_data *hist_data,
}
}
+/*
+ * The hist_pad structure is used to save information to create
+ * a histogram from the histogram trigger. It's too big to store
+ * on the stack, so when the histogram trigger is initialized
+ * a percpu array of 4 hist_pad structures is allocated.
+ * This will cover every context from normal, softirq, irq and NMI
+ * in the very unlikely event that a tigger happens at each of
+ * these contexts and interrupts a currently active trigger.
+ */
+struct hist_pad {
+ unsigned long entries[HIST_STACKTRACE_DEPTH];
+ u64 var_ref_vals[TRACING_MAP_VARS_MAX];
+ char compound_key[HIST_KEY_SIZE_MAX];
+};
+
+static struct hist_pad __percpu *hist_pads;
+static DEFINE_PER_CPU(int, hist_pad_cnt);
+static refcount_t hist_pad_ref;
+
+/* One hist_pad for every context (normal, softirq, irq, NMI) */
+#define MAX_HIST_CNT 4
+
+static int alloc_hist_pad(void)
+{
+ lockdep_assert_held(&event_mutex);
+
+ if (refcount_read(&hist_pad_ref)) {
+ refcount_inc(&hist_pad_ref);
+ return 0;
+ }
+
+ hist_pads = __alloc_percpu(sizeof(struct hist_pad) * MAX_HIST_CNT,
+ __alignof__(struct hist_pad));
+ if (!hist_pads)
+ return -ENOMEM;
+
+ refcount_set(&hist_pad_ref, 1);
+ return 0;
+}
+
+static void free_hist_pad(void)
+{
+ lockdep_assert_held(&event_mutex);
+
+ if (!refcount_dec_and_test(&hist_pad_ref))
+ return;
+
+ free_percpu(hist_pads);
+ hist_pads = NULL;
+}
+
+static struct hist_pad *get_hist_pad(void)
+{
+ struct hist_pad *hist_pad;
+ int cnt;
+
+ if (WARN_ON_ONCE(!hist_pads))
+ return NULL;
+
+ preempt_disable();
+
+ hist_pad = per_cpu_ptr(hist_pads, smp_processor_id());
+
+ if (this_cpu_read(hist_pad_cnt) == MAX_HIST_CNT) {
+ preempt_enable();
+ return NULL;
+ }
+
+ cnt = this_cpu_inc_return(hist_pad_cnt) - 1;
+
+ return &hist_pad[cnt];
+}
+
+static void put_hist_pad(void)
+{
+ this_cpu_dec(hist_pad_cnt);
+ preempt_enable();
+}
+
static void event_hist_trigger(struct event_trigger_data *data,
struct trace_buffer *buffer, void *rec,
struct ring_buffer_event *rbe)
{
struct hist_trigger_data *hist_data = data->private_data;
bool use_compound_key = (hist_data->n_keys > 1);
- unsigned long entries[HIST_STACKTRACE_DEPTH];
- u64 var_ref_vals[TRACING_MAP_VARS_MAX];
- char compound_key[HIST_KEY_SIZE_MAX];
struct tracing_map_elt *elt = NULL;
struct hist_field *key_field;
+ struct hist_pad *hist_pad;
u64 field_contents;
void *key = NULL;
unsigned int i;
@@ -5275,12 +5352,18 @@ static void event_hist_trigger(struct event_trigger_data *data,
if (unlikely(!rbe))
return;
- memset(compound_key, 0, hist_data->key_size);
+ hist_pad = get_hist_pad();
+ if (!hist_pad)
+ return;
+
+ memset(hist_pad->compound_key, 0, hist_data->key_size);
for_each_hist_key_field(i, hist_data) {
key_field = hist_data->fields[i];
if (key_field->flags & HIST_FIELD_FL_STACKTRACE) {
+ unsigned long *entries = hist_pad->entries;
+
memset(entries, 0, HIST_STACKTRACE_SIZE);
if (key_field->field) {
unsigned long *stack, n_entries;
@@ -5304,26 +5387,31 @@ static void event_hist_trigger(struct event_trigger_data *data,
}
if (use_compound_key)
- add_to_key(compound_key, key, key_field, rec);
+ add_to_key(hist_pad->compound_key, key, key_field, rec);
}
if (use_compound_key)
- key = compound_key;
+ key = hist_pad->compound_key;
if (hist_data->n_var_refs &&
- !resolve_var_refs(hist_data, key, var_ref_vals, false))
- return;
+ !resolve_var_refs(hist_data, key, hist_pad->var_ref_vals, false))
+ goto out;
elt = tracing_map_insert(hist_data->map, key);
if (!elt)
- return;
+ goto out;
- hist_trigger_elt_update(hist_data, elt, buffer, rec, rbe, var_ref_vals);
+ hist_trigger_elt_update(hist_data, elt, buffer, rec, rbe, hist_pad->var_ref_vals);
- if (resolve_var_refs(hist_data, key, var_ref_vals, true))
- hist_trigger_actions(hist_data, elt, buffer, rec, rbe, key, var_ref_vals);
+ if (resolve_var_refs(hist_data, key, hist_pad->var_ref_vals, true)) {
+ hist_trigger_actions(hist_data, elt, buffer, rec, rbe,
+ key, hist_pad->var_ref_vals);
+ }
hist_poll_wakeup();
+
+ out:
+ put_hist_pad();
}
static void hist_trigger_stacktrace_print(struct seq_file *m,
@@ -6168,6 +6256,9 @@ static int event_hist_trigger_init(struct event_trigger_data *data)
{
struct hist_trigger_data *hist_data = data->private_data;
+ if (alloc_hist_pad() < 0)
+ return -ENOMEM;
+
if (!data->ref && hist_data->attrs->name)
save_named_trigger(hist_data->attrs->name, data);
@@ -6212,6 +6303,7 @@ static void event_hist_trigger_free(struct event_trigger_data *data)
destroy_hist_data(hist_data);
}
+ free_hist_pad();
}
static struct event_trigger_ops event_hist_trigger_ops = {
@@ -6227,9 +6319,7 @@ static int event_hist_trigger_named_init(struct event_trigger_data *data)
save_named_trigger(data->named_data->name, data);
- event_hist_trigger_init(data->named_data);
-
- return 0;
+ return event_hist_trigger_init(data->named_data);
}
static void event_hist_trigger_named_free(struct event_trigger_data *data)
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 111/356] clk: qcom: camcc-sm6350: Add *_wait_val values for GDSCs
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 110/356] tracing: Move histogram trigger variables from stack to per CPU structure Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 112/356] clk: qcom: dispcc-sm6350: " Greg Kroah-Hartman
` (253 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Weiss, Taniya Das,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Weiss <luca.weiss@fairphone.com>
[ Upstream commit e7b1c13280ad866f3b935f6c658713c41db61635 ]
Compared to the msm-4.19 driver the mainline GDSC driver always sets the
bits for en_rest, en_few & clk_dis, and if those values are not set
per-GDSC in the respective driver then the default value from the GDSC
driver is used. The downstream driver only conditionally sets
clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree.
Correct this situation by explicitly setting those values. For all GDSCs
the reset value of those bits are used.
Fixes: 80f5451d9a7c ("clk: qcom: Add camera clock controller driver for SM6350")
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Reviewed-by: Taniya Das <quic_tdas@quicinc.com>
Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-1-1f252d9c5e4e@fairphone.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/camcc-sm6350.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/drivers/clk/qcom/camcc-sm6350.c b/drivers/clk/qcom/camcc-sm6350.c
index acba9f99d960c..eca36bd3ba5c9 100644
--- a/drivers/clk/qcom/camcc-sm6350.c
+++ b/drivers/clk/qcom/camcc-sm6350.c
@@ -1694,6 +1694,9 @@ static struct clk_branch camcc_sys_tmr_clk = {
static struct gdsc bps_gdsc = {
.gdscr = 0x6004,
+ .en_rest_wait_val = 0x2,
+ .en_few_wait_val = 0x2,
+ .clk_dis_wait_val = 0xf,
.pd = {
.name = "bps_gdsc",
},
@@ -1703,6 +1706,9 @@ static struct gdsc bps_gdsc = {
static struct gdsc ipe_0_gdsc = {
.gdscr = 0x7004,
+ .en_rest_wait_val = 0x2,
+ .en_few_wait_val = 0x2,
+ .clk_dis_wait_val = 0xf,
.pd = {
.name = "ipe_0_gdsc",
},
@@ -1712,6 +1718,9 @@ static struct gdsc ipe_0_gdsc = {
static struct gdsc ife_0_gdsc = {
.gdscr = 0x9004,
+ .en_rest_wait_val = 0x2,
+ .en_few_wait_val = 0x2,
+ .clk_dis_wait_val = 0xf,
.pd = {
.name = "ife_0_gdsc",
},
@@ -1720,6 +1729,9 @@ static struct gdsc ife_0_gdsc = {
static struct gdsc ife_1_gdsc = {
.gdscr = 0xa004,
+ .en_rest_wait_val = 0x2,
+ .en_few_wait_val = 0x2,
+ .clk_dis_wait_val = 0xf,
.pd = {
.name = "ife_1_gdsc",
},
@@ -1728,6 +1740,9 @@ static struct gdsc ife_1_gdsc = {
static struct gdsc ife_2_gdsc = {
.gdscr = 0xb004,
+ .en_rest_wait_val = 0x2,
+ .en_few_wait_val = 0x2,
+ .clk_dis_wait_val = 0xf,
.pd = {
.name = "ife_2_gdsc",
},
@@ -1736,6 +1751,9 @@ static struct gdsc ife_2_gdsc = {
static struct gdsc titan_top_gdsc = {
.gdscr = 0x14004,
+ .en_rest_wait_val = 0x2,
+ .en_few_wait_val = 0x2,
+ .clk_dis_wait_val = 0xf,
.pd = {
.name = "titan_top_gdsc",
},
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 112/356] clk: qcom: dispcc-sm6350: Add *_wait_val values for GDSCs
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 111/356] clk: qcom: camcc-sm6350: Add *_wait_val values for GDSCs Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 113/356] clk: qcom: gcc-sm6350: " Greg Kroah-Hartman
` (252 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Weiss, Taniya Das,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Weiss <luca.weiss@fairphone.com>
[ Upstream commit 673989d27123618afab56df1143a75454178b4ae ]
Compared to the msm-4.19 driver the mainline GDSC driver always sets the
bits for en_rest, en_few & clk_dis, and if those values are not set
per-GDSC in the respective driver then the default value from the GDSC
driver is used. The downstream driver only conditionally sets
clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree.
Correct this situation by explicitly setting those values. For all GDSCs
the reset value of those bits are used.
Fixes: 837519775f1d ("clk: qcom: Add display clock controller driver for SM6350")
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Reviewed-by: Taniya Das <quic_tdas@quicinc.com>
Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-2-1f252d9c5e4e@fairphone.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc-sm6350.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/clk/qcom/dispcc-sm6350.c b/drivers/clk/qcom/dispcc-sm6350.c
index ddacb4f76eca5..ea98a63746f0f 100644
--- a/drivers/clk/qcom/dispcc-sm6350.c
+++ b/drivers/clk/qcom/dispcc-sm6350.c
@@ -680,6 +680,9 @@ static struct clk_branch disp_cc_xo_clk = {
static struct gdsc mdss_gdsc = {
.gdscr = 0x1004,
+ .en_rest_wait_val = 0x2,
+ .en_few_wait_val = 0x2,
+ .clk_dis_wait_val = 0xf,
.pd = {
.name = "mdss_gdsc",
},
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 113/356] clk: qcom: gcc-sm6350: Add *_wait_val values for GDSCs
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 112/356] clk: qcom: dispcc-sm6350: " Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 114/356] clk: qcom: gpucc-sm6350: " Greg Kroah-Hartman
` (251 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Weiss, Taniya Das,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Weiss <luca.weiss@fairphone.com>
[ Upstream commit afdfd829a99e467869e3ca1955fb6c6e337c340a ]
Compared to the msm-4.19 driver the mainline GDSC driver always sets the
bits for en_rest, en_few & clk_dis, and if those values are not set
per-GDSC in the respective driver then the default value from the GDSC
driver is used. The downstream driver only conditionally sets
clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree.
Correct this situation by explicitly setting those values. For all GDSCs
the reset value of those bits are used.
Fixes: 131abae905df ("clk: qcom: Add SM6350 GCC driver")
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Reviewed-by: Taniya Das <quic_tdas@quicinc.com>
Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-3-1f252d9c5e4e@fairphone.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gcc-sm6350.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/clk/qcom/gcc-sm6350.c b/drivers/clk/qcom/gcc-sm6350.c
index 428cd99dcdcbe..4031613c6236f 100644
--- a/drivers/clk/qcom/gcc-sm6350.c
+++ b/drivers/clk/qcom/gcc-sm6350.c
@@ -2320,6 +2320,9 @@ static struct clk_branch gcc_video_xo_clk = {
static struct gdsc usb30_prim_gdsc = {
.gdscr = 0x1a004,
+ .en_rest_wait_val = 0x2,
+ .en_few_wait_val = 0x2,
+ .clk_dis_wait_val = 0xf,
.pd = {
.name = "usb30_prim_gdsc",
},
@@ -2328,6 +2331,9 @@ static struct gdsc usb30_prim_gdsc = {
static struct gdsc ufs_phy_gdsc = {
.gdscr = 0x3a004,
+ .en_rest_wait_val = 0x2,
+ .en_few_wait_val = 0x2,
+ .clk_dis_wait_val = 0xf,
.pd = {
.name = "ufs_phy_gdsc",
},
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 114/356] clk: qcom: gpucc-sm6350: Add *_wait_val values for GDSCs
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 113/356] clk: qcom: gcc-sm6350: " Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 115/356] clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() Greg Kroah-Hartman
` (250 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Weiss, Taniya Das,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Weiss <luca.weiss@fairphone.com>
[ Upstream commit d988b0b866c2aeb23aa74022b5bbd463165a7a33 ]
Compared to the msm-4.19 driver the mainline GDSC driver always sets the
bits for en_rest, en_few & clk_dis, and if those values are not set
per-GDSC in the respective driver then the default value from the GDSC
driver is used. The downstream driver only conditionally sets
clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree.
Correct this situation by explicitly setting those values. For all GDSCs
the reset value of those bits are used, with the exception of
gpu_cx_gdsc which has an explicit value (qcom,clk-dis-wait-val = <8>).
Fixes: 013804a727a0 ("clk: qcom: Add GPU clock controller driver for SM6350")
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Reviewed-by: Taniya Das <quic_tdas@quicinc.com>
Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-4-1f252d9c5e4e@fairphone.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gpucc-sm6350.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/clk/qcom/gpucc-sm6350.c b/drivers/clk/qcom/gpucc-sm6350.c
index 0bcbba2a29436..86c8ad5b55bac 100644
--- a/drivers/clk/qcom/gpucc-sm6350.c
+++ b/drivers/clk/qcom/gpucc-sm6350.c
@@ -412,6 +412,9 @@ static struct clk_branch gpu_cc_gx_vsense_clk = {
static struct gdsc gpu_cx_gdsc = {
.gdscr = 0x106c,
.gds_hw_ctrl = 0x1540,
+ .en_rest_wait_val = 0x2,
+ .en_few_wait_val = 0x2,
+ .clk_dis_wait_val = 0x8,
.pd = {
.name = "gpu_cx_gdsc",
},
@@ -422,6 +425,9 @@ static struct gdsc gpu_cx_gdsc = {
static struct gdsc gpu_gx_gdsc = {
.gdscr = 0x100c,
.clamp_io_ctrl = 0x1508,
+ .en_rest_wait_val = 0x2,
+ .en_few_wait_val = 0x2,
+ .clk_dis_wait_val = 0x2,
.pd = {
.name = "gpu_gx_gdsc",
.power_on = gdsc_gx_do_nothing_enable,
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 115/356] clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 114/356] clk: qcom: gpucc-sm6350: " Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 116/356] efi/libstub: Describe missing out parameter in efi_load_initrd Greg Kroah-Hartman
` (249 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Henry Martin, Dave Stevenson,
Stefan Wahren, Stephen Boyd, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henry Martin <bsdhenrymartin@gmail.com>
[ Upstream commit 73c46d9a93d071ca69858dea3f569111b03e549e ]
devm_kasprintf() returns NULL when memory allocation fails. Currently,
raspberrypi_clk_register() does not check for this case, which results
in a NULL pointer dereference.
Add NULL check after devm_kasprintf() to prevent this issue.
Fixes: 93d2725affd6 ("clk: bcm: rpi: Discover the firmware clocks")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Link: https://lore.kernel.org/r/20250402020513.42628-1-bsdhenrymartin@gmail.com
Reviewed-by: Stefan Wahren <wahrenst@gmx.net>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/bcm/clk-raspberrypi.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/clk/bcm/clk-raspberrypi.c b/drivers/clk/bcm/clk-raspberrypi.c
index 4d411408e4afe..cc4ca336ac13a 100644
--- a/drivers/clk/bcm/clk-raspberrypi.c
+++ b/drivers/clk/bcm/clk-raspberrypi.c
@@ -271,6 +271,8 @@ static struct clk_hw *raspberrypi_clk_register(struct raspberrypi_clk *rpi,
init.name = devm_kasprintf(rpi->dev, GFP_KERNEL,
"fw-clk-%s",
rpi_firmware_clk_names[id]);
+ if (!init.name)
+ return ERR_PTR(-ENOMEM);
init.ops = &raspberrypi_firmware_clk_ops;
init.flags = CLK_GET_RATE_NOCACHE;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 116/356] efi/libstub: Describe missing out parameter in efi_load_initrd
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 115/356] clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 117/356] tracing: Rename event_trigger_alloc() to trigger_data_alloc() Greg Kroah-Hartman
` (248 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hans Zhang, Ard Biesheuvel,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans Zhang <18255117159@163.com>
[ Upstream commit c8e1927e7f7d63721e32ec41d27ccb0eb1a1b0fc ]
The function efi_load_initrd() had a documentation warning due to
the missing description for the 'out' parameter. Add the parameter
description to the kernel-doc comment to resolve the warning and
improve API documentation.
Fixes the following compiler warning:
drivers/firmware/efi/libstub/efi-stub-helper.c:611: warning: Function parameter or struct member 'out' not described in 'efi_load_initrd'
Fixes: f4dc7fffa987 ("efi: libstub: unify initrd loading between architectures")
Signed-off-by: Hans Zhang <18255117159@163.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/efi/libstub/efi-stub-helper.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
index 3dc2f9aaf08db..492d09b6048bd 100644
--- a/drivers/firmware/efi/libstub/efi-stub-helper.c
+++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
@@ -561,6 +561,7 @@ efi_status_t efi_load_initrd_cmdline(efi_loaded_image_t *image,
* @image: EFI loaded image protocol
* @soft_limit: preferred address for loading the initrd
* @hard_limit: upper limit address for loading the initrd
+ * @out: pointer to store the address of the initrd table
*
* Return: status code
*/
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 117/356] tracing: Rename event_trigger_alloc() to trigger_data_alloc()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 116/356] efi/libstub: Describe missing out parameter in efi_load_initrd Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 118/356] tracing: Fix error handling in event_trigger_parse() Greg Kroah-Hartman
` (247 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mark Rutland,
Mathieu Desnoyers, Andrew Morton, Tom Zanussi,
Steven Rostedt (Google), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
[ Upstream commit f2947c4b7d0f235621c5daf78aecfbd6e22c05e5 ]
The function event_trigger_alloc() creates an event_trigger_data
descriptor and states that it needs to be freed via event_trigger_free().
This is incorrect, it needs to be freed by trigger_data_free() as
event_trigger_free() adds ref counting.
Rename event_trigger_alloc() to trigger_data_alloc() and state that it
needs to be freed via trigger_data_free(). This naming convention
was introducing bugs.
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Tom Zanussi <zanussi@kernel.org>
Link: https://lore.kernel.org/20250507145455.776436410@goodmis.org
Fixes: 86599dbe2c527 ("tracing: Add helper functions to simplify event_command.parse() callback handling")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace.h | 8 +++-----
kernel/trace/trace_events_hist.c | 2 +-
kernel/trace/trace_events_trigger.c | 16 ++++++++--------
3 files changed, 12 insertions(+), 14 deletions(-)
diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
index faf892aecdf49..e3afb830fbcc7 100644
--- a/kernel/trace/trace.h
+++ b/kernel/trace/trace.h
@@ -1643,6 +1643,9 @@ extern int event_enable_register_trigger(char *glob,
extern void event_enable_unregister_trigger(char *glob,
struct event_trigger_data *test,
struct trace_event_file *file);
+extern struct event_trigger_data *
+trigger_data_alloc(struct event_command *cmd_ops, char *cmd, char *param,
+ void *private_data);
extern void trigger_data_free(struct event_trigger_data *data);
extern int event_trigger_init(struct event_trigger_data *data);
extern int trace_event_trigger_enable_disable(struct trace_event_file *file,
@@ -1669,11 +1672,6 @@ extern bool event_trigger_check_remove(const char *glob);
extern bool event_trigger_empty_param(const char *param);
extern int event_trigger_separate_filter(char *param_and_filter, char **param,
char **filter, bool param_required);
-extern struct event_trigger_data *
-event_trigger_alloc(struct event_command *cmd_ops,
- char *cmd,
- char *param,
- void *private_data);
extern int event_trigger_parse_num(char *trigger,
struct event_trigger_data *trigger_data);
extern int event_trigger_set_filter(struct event_command *cmd_ops,
diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
index 29fcd8787344f..88985aefb71ff 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -6806,7 +6806,7 @@ static int event_hist_trigger_parse(struct event_command *cmd_ops,
return PTR_ERR(hist_data);
}
- trigger_data = event_trigger_alloc(cmd_ops, cmd, param, hist_data);
+ trigger_data = trigger_data_alloc(cmd_ops, cmd, param, hist_data);
if (!trigger_data) {
ret = -ENOMEM;
goto out_free;
diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
index 2c233c0d38fa9..4c92def8b1143 100644
--- a/kernel/trace/trace_events_trigger.c
+++ b/kernel/trace/trace_events_trigger.c
@@ -809,7 +809,7 @@ int event_trigger_separate_filter(char *param_and_filter, char **param,
}
/**
- * event_trigger_alloc - allocate and init event_trigger_data for a trigger
+ * trigger_data_alloc - allocate and init event_trigger_data for a trigger
* @cmd_ops: The event_command operations for the trigger
* @cmd: The cmd string
* @param: The param string
@@ -820,14 +820,14 @@ int event_trigger_separate_filter(char *param_and_filter, char **param,
* trigger_ops to assign to the event_trigger_data. @private_data can
* also be passed in and associated with the event_trigger_data.
*
- * Use event_trigger_free() to free an event_trigger_data object.
+ * Use trigger_data_free() to free an event_trigger_data object.
*
* Return: The trigger_data object success, NULL otherwise
*/
-struct event_trigger_data *event_trigger_alloc(struct event_command *cmd_ops,
- char *cmd,
- char *param,
- void *private_data)
+struct event_trigger_data *trigger_data_alloc(struct event_command *cmd_ops,
+ char *cmd,
+ char *param,
+ void *private_data)
{
struct event_trigger_data *trigger_data;
struct event_trigger_ops *trigger_ops;
@@ -994,7 +994,7 @@ event_trigger_parse(struct event_command *cmd_ops,
return ret;
ret = -ENOMEM;
- trigger_data = event_trigger_alloc(cmd_ops, cmd, param, file);
+ trigger_data = trigger_data_alloc(cmd_ops, cmd, param, file);
if (!trigger_data)
goto out;
@@ -1787,7 +1787,7 @@ int event_enable_trigger_parse(struct event_command *cmd_ops,
enable_data->enable = enable;
enable_data->file = event_enable_file;
- trigger_data = event_trigger_alloc(cmd_ops, cmd, param, enable_data);
+ trigger_data = trigger_data_alloc(cmd_ops, cmd, param, enable_data);
if (!trigger_data) {
kfree(enable_data);
goto out;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 118/356] tracing: Fix error handling in event_trigger_parse()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 117/356] tracing: Rename event_trigger_alloc() to trigger_data_alloc() Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 119/356] ktls, sockmap: Fix missing uncharge operation Greg Kroah-Hartman
` (246 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mark Rutland,
Andrew Morton, Mathieu Desnoyers, Tom Zanussi, Miaoqian Lin,
Steven Rostedt (Google), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
[ Upstream commit c5dd28e7fb4f63475b50df4f58311df92939d011 ]
According to trigger_data_alloc() doc, trigger_data_free() should be
used to free an event_trigger_data object. This fixes a mismatch introduced
when kzalloc was replaced with trigger_data_alloc without updating
the corresponding deallocation calls.
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Tom Zanussi <zanussi@kernel.org>
Link: https://lore.kernel.org/20250507145455.944453325@goodmis.org
Link: https://lore.kernel.org/20250318112737.4174-1-linmq006@gmail.com
Fixes: e1f187d09e11 ("tracing: Have existing event_command.parse() implementations use helpers")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
[ SDR: Changed event_trigger_alloc/free() to trigger_data_alloc/free() ]
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_events_trigger.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
index 4c92def8b1143..fe079ff82ef1b 100644
--- a/kernel/trace/trace_events_trigger.c
+++ b/kernel/trace/trace_events_trigger.c
@@ -1000,7 +1000,7 @@ event_trigger_parse(struct event_command *cmd_ops,
if (remove) {
event_trigger_unregister(cmd_ops, file, glob+1, trigger_data);
- kfree(trigger_data);
+ trigger_data_free(trigger_data);
ret = 0;
goto out;
}
@@ -1027,7 +1027,7 @@ event_trigger_parse(struct event_command *cmd_ops,
out_free:
event_trigger_reset_filter(cmd_ops, trigger_data);
- kfree(trigger_data);
+ trigger_data_free(trigger_data);
goto out;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 119/356] ktls, sockmap: Fix missing uncharge operation
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 118/356] tracing: Fix error handling in event_trigger_parse() Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 120/356] libbpf: Use proper errno value in nlattr Greg Kroah-Hartman
` (245 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cong Wang, Jiayuan Chen,
Martin KaFai Lau, John Fastabend, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 79f0c39ae7d3dc628c01b02f23ca5d01f9875040 ]
When we specify apply_bytes, we divide the msg into multiple segments,
each with a length of 'send', and every time we send this part of the data
using tcp_bpf_sendmsg_redir(), we use sk_msg_return_zero() to uncharge the
memory of the specified 'send' size.
However, if the first segment of data fails to send, for example, the
peer's buffer is full, we need to release all of the msg. When releasing
the msg, we haven't uncharged the memory of the subsequent segments.
This modification does not make significant logical changes, but only
fills in the missing uncharge places.
This issue has existed all along, until it was exposed after we added the
apply test in test_sockmap:
commit 3448ad23b34e ("selftests/bpf: Add apply_bytes test to test_txmsg_redir_wait_sndmem in test_sockmap")
Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
Reported-by: Cong Wang <xiyou.wangcong@gmail.com>
Closes: https://lore.kernel.org/bpf/aAmIi0vlycHtbXeb@pop-os.localdomain/T/#t
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Link: https://lore.kernel.org/r/20250425060015.6968-2-jiayuan.chen@linux.dev
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tls/tls_sw.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index bf445a518883a..4a9a3aed5d6d4 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -908,6 +908,13 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
&msg_redir, send, flags);
lock_sock(sk);
if (err < 0) {
+ /* Regardless of whether the data represented by
+ * msg_redir is sent successfully, we have already
+ * uncharged it via sk_msg_return_zero(). The
+ * msg->sg.size represents the remaining unprocessed
+ * data, which needs to be uncharged here.
+ */
+ sk_mem_uncharge(sk, msg->sg.size);
*copied -= sk_msg_free_nocharge(sk, &msg_redir);
msg->sg.size = 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 120/356] libbpf: Use proper errno value in nlattr
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 119/356] ktls, sockmap: Fix missing uncharge operation Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 121/356] pinctrl: at91: Fix possible out-of-boundary access Greg Kroah-Hartman
` (244 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrii Nakryiko, Anton Protopopov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anton Protopopov <a.s.protopopov@gmail.com>
[ Upstream commit fd5fd538a1f4b34cee6823ba0ddda2f7a55aca96 ]
Return value of the validate_nla() function can be propagated all the
way up to users of libbpf API. In case of error this libbpf version
of validate_nla returns -1 which will be seen as -EPERM from user's
point of view. Instead, return a more reasonable -EINVAL.
Fixes: bbf48c18ee0c ("libbpf: add error reporting in XDP")
Suggested-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20250510182011.2246631-1-a.s.protopopov@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/bpf/nlattr.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/tools/lib/bpf/nlattr.c b/tools/lib/bpf/nlattr.c
index 975e265eab3bf..06663f9ea581f 100644
--- a/tools/lib/bpf/nlattr.c
+++ b/tools/lib/bpf/nlattr.c
@@ -63,16 +63,16 @@ static int validate_nla(struct nlattr *nla, int maxtype,
minlen = nla_attr_minlen[pt->type];
if (libbpf_nla_len(nla) < minlen)
- return -1;
+ return -EINVAL;
if (pt->maxlen && libbpf_nla_len(nla) > pt->maxlen)
- return -1;
+ return -EINVAL;
if (pt->type == LIBBPF_NLA_STRING) {
char *data = libbpf_nla_data(nla);
if (data[libbpf_nla_len(nla) - 1] != '\0')
- return -1;
+ return -EINVAL;
}
return 0;
@@ -118,19 +118,18 @@ int libbpf_nla_parse(struct nlattr *tb[], int maxtype, struct nlattr *head,
if (policy) {
err = validate_nla(nla, maxtype, policy);
if (err < 0)
- goto errout;
+ return err;
}
- if (tb[type])
+ if (tb[type]) {
pr_warn("Attribute of type %#x found multiple times in message, "
"previous attribute is being ignored.\n", type);
+ }
tb[type] = nla;
}
- err = 0;
-errout:
- return err;
+ return 0;
}
/**
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 121/356] pinctrl: at91: Fix possible out-of-boundary access
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 120/356] libbpf: Use proper errno value in nlattr Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 122/356] bpf: Fix WARN() in get_bpf_raw_tp_regs Greg Kroah-Hartman
` (243 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Linus Walleij,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 762ef7d1e6eefad9896560bfcb9bcf7f1b6df9c1 ]
at91_gpio_probe() doesn't check that given OF alias is not available or
something went wrong when trying to get it. This might have consequences
when accessing gpio_chips array with that value as an index. Note, that
BUG() can be compiled out and hence won't actually perform the required
checks.
Fixes: 6732ae5cb47c ("ARM: at91: add pinctrl support")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Closes: https://lore.kernel.org/r/202505052343.UHF1Zo93-lkp@intel.com/
Link: https://lore.kernel.org/20250508200807.1384558-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-at91.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/pinctrl/pinctrl-at91.c b/drivers/pinctrl/pinctrl-at91.c
index d7b66928a4e50..3c09f743b68c2 100644
--- a/drivers/pinctrl/pinctrl-at91.c
+++ b/drivers/pinctrl/pinctrl-at91.c
@@ -1825,12 +1825,16 @@ static int at91_gpio_probe(struct platform_device *pdev)
struct at91_gpio_chip *at91_chip = NULL;
struct gpio_chip *chip;
struct pinctrl_gpio_range *range;
+ int alias_idx;
int ret = 0;
int irq, i;
- int alias_idx = of_alias_get_id(np, "gpio");
uint32_t ngpio;
char **names;
+ alias_idx = of_alias_get_id(np, "gpio");
+ if (alias_idx < 0)
+ return alias_idx;
+
BUG_ON(alias_idx >= ARRAY_SIZE(gpio_chips));
if (gpio_chips[alias_idx])
return dev_err_probe(dev, -EBUSY, "%d slot is occupied.\n", alias_idx);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 122/356] bpf: Fix WARN() in get_bpf_raw_tp_regs
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 121/356] pinctrl: at91: Fix possible out-of-boundary access Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 123/356] clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz Greg Kroah-Hartman
` (242 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+45b0c89a0fc7ae8dbadc,
Alexei Starovoitov, Tao Chen, Andrii Nakryiko, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tao Chen <chen.dylane@linux.dev>
[ Upstream commit 3880cdbed1c4607e378f58fa924c5d6df900d1d3 ]
syzkaller reported an issue:
WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861
Modules linked in:
CPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861
RSP: 0018:ffffc90003636fa8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff81c6bc4c
RDX: ffff888032efc880 RSI: ffffffff81c6bc83 RDI: 0000000000000005
RBP: ffff88806a730860 R08: 0000000000000005 R09: 0000000000000003
R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000004
R13: 0000000000000001 R14: ffffc90003637008 R15: 0000000000000900
FS: 0000000000000000(0000) GS:ffff8880d6cdf000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7baee09130 CR3: 0000000029f5a000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1934 [inline]
bpf_get_stack_raw_tp+0x24/0x160 kernel/trace/bpf_trace.c:1931
bpf_prog_ec3b2eefa702d8d3+0x43/0x47
bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
__bpf_prog_run include/linux/filter.h:718 [inline]
bpf_prog_run include/linux/filter.h:725 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline]
bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405
__bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47
__traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47
__do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
__mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35
__mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
mmap_read_trylock include/linux/mmap_lock.h:204 [inline]
stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157
__bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483
____bpf_get_stack kernel/bpf/stackmap.c:499 [inline]
bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496
____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline]
bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931
bpf_prog_ec3b2eefa702d8d3+0x43/0x47
Tracepoint like trace_mmap_lock_acquire_returned may cause nested call
as the corner case show above, which will be resolved with more general
method in the future. As a result, WARN_ON_ONCE will be triggered. As
Alexei suggested, remove the WARN_ON_ONCE first.
Fixes: 9594dc3c7e71 ("bpf: fix nested bpf tracepoints with per-cpu data")
Reported-by: syzbot+45b0c89a0fc7ae8dbadc@syzkaller.appspotmail.com
Suggested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Tao Chen <chen.dylane@linux.dev>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20250513042747.757042-1-chen.dylane@linux.dev
Closes: https://lore.kernel.org/bpf/8bc2554d-1052-4922-8832-e0078a033e1d@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/bpf_trace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 97f660a8ddc73..8903db0b59602 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -1834,7 +1834,7 @@ static struct pt_regs *get_bpf_raw_tp_regs(void)
struct bpf_raw_tp_regs *tp_regs = this_cpu_ptr(&bpf_raw_tp_regs);
int nest_level = this_cpu_inc_return(bpf_raw_tp_nest_level);
- if (WARN_ON_ONCE(nest_level > ARRAY_SIZE(tp_regs->regs))) {
+ if (nest_level > ARRAY_SIZE(tp_regs->regs)) {
this_cpu_dec(bpf_raw_tp_nest_level);
return ERR_PTR(-EBUSY);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 123/356] clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 122/356] bpf: Fix WARN() in get_bpf_raw_tp_regs Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 124/356] s390/bpf: Store backchain even for leaf progs Greg Kroah-Hartman
` (241 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephan Gerhold, Konrad Dybcio,
Bryan ODonoghue, Vincent Knecht, Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vincent Knecht <vincent.knecht@mailoo.org>
[ Upstream commit 9e7acf70cf6aa7b22f67d911f50a8cd510e8fb00 ]
Fix mclk0 & mclk1 parent map to use correct GPLL6 configuration and
freq_tbl to use GPLL6 instead of GPLL0 so that they tick at 24 MHz.
Fixes: 1664014e4679 ("clk: qcom: gcc-msm8939: Add MSM8939 Generic Clock Controller")
Suggested-by: Stephan Gerhold <stephan@gerhold.net>
Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Vincent Knecht <vincent.knecht@mailoo.org>
Link: https://lore.kernel.org/r/20250414-gcc-msm8939-fixes-mclk-v2-resend2-v2-1-5ddcf572a6de@mailoo.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gcc-msm8939.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/qcom/gcc-msm8939.c b/drivers/clk/qcom/gcc-msm8939.c
index b45f97c07eeb6..e4a44377b75f7 100644
--- a/drivers/clk/qcom/gcc-msm8939.c
+++ b/drivers/clk/qcom/gcc-msm8939.c
@@ -432,7 +432,7 @@ static const struct parent_map gcc_xo_gpll0_gpll1a_gpll6_sleep_map[] = {
{ P_XO, 0 },
{ P_GPLL0, 1 },
{ P_GPLL1_AUX, 2 },
- { P_GPLL6, 2 },
+ { P_GPLL6, 3 },
{ P_SLEEP_CLK, 6 },
};
@@ -1100,7 +1100,7 @@ static struct clk_rcg2 jpeg0_clk_src = {
};
static const struct freq_tbl ftbl_gcc_camss_mclk0_1_clk[] = {
- F(24000000, P_GPLL0, 1, 1, 45),
+ F(24000000, P_GPLL6, 1, 1, 45),
F(66670000, P_GPLL0, 12, 0, 0),
{ }
};
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 124/356] s390/bpf: Store backchain even for leaf progs
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 123/356] clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz Greg Kroah-Hartman
@ 2025-06-17 15:23 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 125/356] wifi: rtw88: fix the para buffer size to avoid reading out of bounds Greg Kroah-Hartman
` (240 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilya Leoshkevich, Alexei Starovoitov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Leoshkevich <iii@linux.ibm.com>
[ Upstream commit 5f55f2168432298f5a55294831ab6a76a10cb3c3 ]
Currently a crash in a leaf prog (caused by a bug) produces the
following call trace:
[<000003ff600ebf00>] bpf_prog_6df0139e1fbf2789_fentry+0x20/0x78
[<0000000000000000>] 0x0
This is because leaf progs do not store backchain. Fix by making all
progs do it. This is what GCC and Clang-generated code does as well.
Now the call trace looks like this:
[<000003ff600eb0f2>] bpf_prog_6df0139e1fbf2789_fentry+0x2a/0x80
[<000003ff600ed096>] bpf_trampoline_201863462940+0x96/0xf4
[<000003ff600e3a40>] bpf_prog_05f379658fdd72f2_classifier_0+0x58/0xc0
[<000003ffe0aef070>] bpf_test_run+0x210/0x390
[<000003ffe0af0dc2>] bpf_prog_test_run_skb+0x25a/0x668
[<000003ffe038a90e>] __sys_bpf+0xa46/0xdb0
[<000003ffe038ad0c>] __s390x_sys_bpf+0x44/0x50
[<000003ffe0defea8>] __do_syscall+0x150/0x280
[<000003ffe0e01d5c>] system_call+0x74/0x98
Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend")
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Link: https://lore.kernel.org/r/20250512122717.54878-1-iii@linux.ibm.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/net/bpf_jit_comp.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
index 62ee557d4b499..a40c7ff91caf0 100644
--- a/arch/s390/net/bpf_jit_comp.c
+++ b/arch/s390/net/bpf_jit_comp.c
@@ -587,17 +587,15 @@ static void bpf_jit_prologue(struct bpf_jit *jit, struct bpf_prog *fp,
}
/* Setup stack and backchain */
if (is_first_pass(jit) || (jit->seen & SEEN_STACK)) {
- if (is_first_pass(jit) || (jit->seen & SEEN_FUNC))
- /* lgr %w1,%r15 (backchain) */
- EMIT4(0xb9040000, REG_W1, REG_15);
+ /* lgr %w1,%r15 (backchain) */
+ EMIT4(0xb9040000, REG_W1, REG_15);
/* la %bfp,STK_160_UNUSED(%r15) (BPF frame pointer) */
EMIT4_DISP(0x41000000, BPF_REG_FP, REG_15, STK_160_UNUSED);
/* aghi %r15,-STK_OFF */
EMIT4_IMM(0xa70b0000, REG_15, -(STK_OFF + stack_depth));
- if (is_first_pass(jit) || (jit->seen & SEEN_FUNC))
- /* stg %w1,152(%r15) (backchain) */
- EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0,
- REG_15, 152);
+ /* stg %w1,152(%r15) (backchain) */
+ EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0,
+ REG_15, 152);
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 125/356] wifi: rtw88: fix the para buffer size to avoid reading out of bounds
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2025-06-17 15:23 ` [PATCH 6.6 124/356] s390/bpf: Store backchain even for leaf progs Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 126/356] iommu: remove duplicate selection of DMAR_TABLE Greg Kroah-Hartman
` (239 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Kodanev, Ping-Ke Shih,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
[ Upstream commit 4c2c372de2e108319236203cce6de44d70ae15cd ]
Set the size to 6 instead of 2, since 'para' array is passed to
'rtw_fw_bt_wifi_control(rtwdev, para[0], ¶[1])', which reads
5 bytes:
void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data)
{
...
SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);
SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));
...
SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));
Detected using the static analysis tool - Svace.
Fixes: 4136214f7c46 ("rtw88: add BT co-existence support")
Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20250513121304.124141-1-aleksei.kodanev@bell-sw.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw88/coex.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtw88/coex.c b/drivers/net/wireless/realtek/rtw88/coex.c
index d35f26919806a..c45c7b596ffe9 100644
--- a/drivers/net/wireless/realtek/rtw88/coex.c
+++ b/drivers/net/wireless/realtek/rtw88/coex.c
@@ -309,7 +309,7 @@ static void rtw_coex_tdma_timer_base(struct rtw_dev *rtwdev, u8 type)
{
struct rtw_coex *coex = &rtwdev->coex;
struct rtw_coex_stat *coex_stat = &coex->stat;
- u8 para[2] = {0};
+ u8 para[6] = {};
u8 times;
u16 tbtt_interval = coex_stat->wl_beacon_interval;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 126/356] iommu: remove duplicate selection of DMAR_TABLE
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 125/356] wifi: rtw88: fix the para buffer size to avoid reading out of bounds Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 127/356] wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event Greg Kroah-Hartman
` (238 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rolf Eike Beer, Lu Baolu,
Joerg Roedel, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rolf Eike Beer <eb@emlix.com>
[ Upstream commit 9548feff840a05d61783e6316d08ed37e115f3b1 ]
This is already done in intel/Kconfig.
Fixes: 70bad345e622 ("iommu: Fix compilation without CONFIG_IOMMU_INTEL")
Signed-off-by: Rolf Eike Beer <eb@emlix.com>
Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
Link: https://lore.kernel.org/r/2232605.Mh6RI2rZIc@devpool92.emlix.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/Kconfig | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/iommu/Kconfig b/drivers/iommu/Kconfig
index d57c5adf932e3..20aa5ed80aa38 100644
--- a/drivers/iommu/Kconfig
+++ b/drivers/iommu/Kconfig
@@ -191,7 +191,6 @@ source "drivers/iommu/iommufd/Kconfig"
config IRQ_REMAP
bool "Support for Interrupt Remapping"
depends on X86_64 && X86_IO_APIC && PCI_MSI && ACPI
- select DMAR_TABLE if INTEL_IOMMU
help
Supports Interrupt remapping for IO-APIC and MSI devices.
To use x2apic mode in the CPU's which support x2APIC enhancements or
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 127/356] wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 126/356] iommu: remove duplicate selection of DMAR_TABLE Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 128/356] hisi_acc_vfio_pci: fix XQE dma address error Greg Kroah-Hartman
` (237 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rajat Soni, Raj Kumar Bhagat,
Jeff Johnson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rajat Soni <quic_rajson@quicinc.com>
[ Upstream commit 89142d34d5602c7447827beb181fa06eb08b9d5c ]
Currently, in ath12k_service_ready_ext_event(), svc_rdy_ext.mac_phy_caps
is not freed in the failure case, causing a memory leak. The following
trace is observed in kmemleak:
unreferenced object 0xffff8b3eb5789c00 (size 1024):
comm "softirq", pid 0, jiffies 4294942577
hex dump (first 32 bytes):
00 00 00 00 01 00 00 00 00 00 00 00 7b 00 00 10 ............{...
01 00 00 00 00 00 00 00 01 00 00 00 1f 38 00 00 .............8..
backtrace (crc 44e1c357):
__kmalloc_noprof+0x30b/0x410
ath12k_wmi_mac_phy_caps_parse+0x84/0x100 [ath12k]
ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k]
ath12k_wmi_svc_rdy_ext_parse+0x308/0x4c0 [ath12k]
ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k]
ath12k_service_ready_ext_event.isra.0+0x44/0xd0 [ath12k]
ath12k_wmi_op_rx+0x2eb/0xd70 [ath12k]
ath12k_htc_rx_completion_handler+0x1f4/0x330 [ath12k]
ath12k_ce_recv_process_cb+0x218/0x300 [ath12k]
ath12k_pci_ce_workqueue+0x1b/0x30 [ath12k]
process_one_work+0x219/0x680
bh_worker+0x198/0x1f0
tasklet_action+0x13/0x30
handle_softirqs+0xca/0x460
__irq_exit_rcu+0xbe/0x110
irq_exit_rcu+0x9/0x30
Free svc_rdy_ext.mac_phy_caps in the error case to fix this memory leak.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
Signed-off-by: Rajat Soni <quic_rajson@quicinc.com>
Signed-off-by: Raj Kumar Bhagat <quic_rajkbhag@quicinc.com>
Link: https://patch.msgid.link/20250430-wmi-mem-leak-v1-1-fcc9b49c2ddc@quicinc.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath12k/wmi.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
index a96bf261a3f75..a0ac2f350934f 100644
--- a/drivers/net/wireless/ath/ath12k/wmi.c
+++ b/drivers/net/wireless/ath/ath12k/wmi.c
@@ -4128,6 +4128,7 @@ static int ath12k_service_ready_ext_event(struct ath12k_base *ab,
return 0;
err:
+ kfree(svc_rdy_ext.mac_phy_caps);
ath12k_wmi_free_dbring_caps(ab);
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 128/356] hisi_acc_vfio_pci: fix XQE dma address error
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 127/356] wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 129/356] hisi_acc_vfio_pci: add eq and aeq interruption restore Greg Kroah-Hartman
` (236 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Longfang Liu, Shameer Kolothum,
Alex Williamson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Longfang Liu <liulongfang@huawei.com>
[ Upstream commit 8bb7170c5a055ea17c6857c256ee73c10ff872eb ]
The dma addresses of EQE and AEQE are wrong after migration and
results in guest kernel-mode encryption services failure.
Comparing the definition of hardware registers, we found that
there was an error when the data read from the register was
combined into an address. Therefore, the address combination
sequence needs to be corrected.
Even after fixing the above problem, we still have an issue
where the Guest from an old kernel can get migrated to
new kernel and may result in wrong data.
In order to ensure that the address is correct after migration,
if an old magic number is detected, the dma address needs to be
updated.
Fixes: b0eed085903e ("hisi_acc_vfio_pci: Add support for VFIO live migration")
Signed-off-by: Longfang Liu <liulongfang@huawei.com>
Reviewed-by: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
Link: https://lore.kernel.org/r/20250510081155.55840-2-liulongfang@huawei.com
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 41 ++++++++++++++++---
.../vfio/pci/hisilicon/hisi_acc_vfio_pci.h | 14 ++++++-
2 files changed, 47 insertions(+), 8 deletions(-)
diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
index 4d27465c8f1a8..d09e7d295625d 100644
--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
+++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
@@ -350,6 +350,32 @@ static int vf_qm_func_stop(struct hisi_qm *qm)
return hisi_qm_mb(qm, QM_MB_CMD_PAUSE_QM, 0, 0, 0);
}
+static int vf_qm_version_check(struct acc_vf_data *vf_data, struct device *dev)
+{
+ switch (vf_data->acc_magic) {
+ case ACC_DEV_MAGIC_V2:
+ if (vf_data->major_ver != ACC_DRV_MAJOR_VER) {
+ dev_info(dev, "migration driver version<%u.%u> not match!\n",
+ vf_data->major_ver, vf_data->minor_ver);
+ return -EINVAL;
+ }
+ break;
+ case ACC_DEV_MAGIC_V1:
+ /* Correct dma address */
+ vf_data->eqe_dma = vf_data->qm_eqc_dw[QM_XQC_ADDR_HIGH];
+ vf_data->eqe_dma <<= QM_XQC_ADDR_OFFSET;
+ vf_data->eqe_dma |= vf_data->qm_eqc_dw[QM_XQC_ADDR_LOW];
+ vf_data->aeqe_dma = vf_data->qm_aeqc_dw[QM_XQC_ADDR_HIGH];
+ vf_data->aeqe_dma <<= QM_XQC_ADDR_OFFSET;
+ vf_data->aeqe_dma |= vf_data->qm_aeqc_dw[QM_XQC_ADDR_LOW];
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
static int vf_qm_check_match(struct hisi_acc_vf_core_device *hisi_acc_vdev,
struct hisi_acc_vf_migration_file *migf)
{
@@ -363,7 +389,8 @@ static int vf_qm_check_match(struct hisi_acc_vf_core_device *hisi_acc_vdev,
if (migf->total_length < QM_MATCH_SIZE || hisi_acc_vdev->match_done)
return 0;
- if (vf_data->acc_magic != ACC_DEV_MAGIC) {
+ ret = vf_qm_version_check(vf_data, dev);
+ if (ret) {
dev_err(dev, "failed to match ACC_DEV_MAGIC\n");
return -EINVAL;
}
@@ -418,7 +445,9 @@ static int vf_qm_get_match_data(struct hisi_acc_vf_core_device *hisi_acc_vdev,
int vf_id = hisi_acc_vdev->vf_id;
int ret;
- vf_data->acc_magic = ACC_DEV_MAGIC;
+ vf_data->acc_magic = ACC_DEV_MAGIC_V2;
+ vf_data->major_ver = ACC_DRV_MAJOR_VER;
+ vf_data->minor_ver = ACC_DRV_MINOR_VER;
/* Save device id */
vf_data->dev_id = hisi_acc_vdev->vf_dev->device;
@@ -516,12 +545,12 @@ static int vf_qm_state_save(struct hisi_acc_vf_core_device *hisi_acc_vdev,
return -EINVAL;
/* Every reg is 32 bit, the dma address is 64 bit. */
- vf_data->eqe_dma = vf_data->qm_eqc_dw[1];
+ vf_data->eqe_dma = vf_data->qm_eqc_dw[QM_XQC_ADDR_HIGH];
vf_data->eqe_dma <<= QM_XQC_ADDR_OFFSET;
- vf_data->eqe_dma |= vf_data->qm_eqc_dw[0];
- vf_data->aeqe_dma = vf_data->qm_aeqc_dw[1];
+ vf_data->eqe_dma |= vf_data->qm_eqc_dw[QM_XQC_ADDR_LOW];
+ vf_data->aeqe_dma = vf_data->qm_aeqc_dw[QM_XQC_ADDR_HIGH];
vf_data->aeqe_dma <<= QM_XQC_ADDR_OFFSET;
- vf_data->aeqe_dma |= vf_data->qm_aeqc_dw[0];
+ vf_data->aeqe_dma |= vf_data->qm_aeqc_dw[QM_XQC_ADDR_LOW];
/* Through SQC_BT/CQC_BT to get sqc and cqc address */
ret = qm_get_sqc(vf_qm, &vf_data->sqc_dma);
diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h
index dcabfeec6ca19..f1d8fe86b6eb2 100644
--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h
+++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h
@@ -38,6 +38,9 @@
#define QM_REG_ADDR_OFFSET 0x0004
#define QM_XQC_ADDR_OFFSET 32U
+#define QM_XQC_ADDR_LOW 0x1
+#define QM_XQC_ADDR_HIGH 0x2
+
#define QM_VF_AEQ_INT_MASK 0x0004
#define QM_VF_EQ_INT_MASK 0x000c
#define QM_IFC_INT_SOURCE_V 0x0020
@@ -49,10 +52,15 @@
#define QM_EQC_DW0 0X8000
#define QM_AEQC_DW0 0X8020
+#define ACC_DRV_MAJOR_VER 1
+#define ACC_DRV_MINOR_VER 0
+
+#define ACC_DEV_MAGIC_V1 0XCDCDCDCDFEEDAACC
+#define ACC_DEV_MAGIC_V2 0xAACCFEEDDECADEDE
+
struct acc_vf_data {
#define QM_MATCH_SIZE offsetofend(struct acc_vf_data, qm_rsv_state)
/* QM match information */
-#define ACC_DEV_MAGIC 0XCDCDCDCDFEEDAACC
u64 acc_magic;
u32 qp_num;
u32 dev_id;
@@ -60,7 +68,9 @@ struct acc_vf_data {
u32 qp_base;
u32 vf_qm_state;
/* QM reserved match information */
- u32 qm_rsv_state[3];
+ u16 major_ver;
+ u16 minor_ver;
+ u32 qm_rsv_state[2];
/* QM RW regs */
u32 aeq_int_mask;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 129/356] hisi_acc_vfio_pci: add eq and aeq interruption restore
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 128/356] hisi_acc_vfio_pci: fix XQE dma address error Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 130/356] hisi_acc_vfio_pci: bugfix live migration function without VF device driver Greg Kroah-Hartman
` (235 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Longfang Liu, Shameer Kolothum,
Alex Williamson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Longfang Liu <liulongfang@huawei.com>
[ Upstream commit 3495cec0787721ba7a9d5c19d0bbb66d182de584 ]
In order to ensure that the task packets of the accelerator
device are not lost during the migration process, it is necessary
to send an EQ and AEQ command to the device after the live migration
is completed and to update the completion position of the task queue.
Let the device recheck the completed tasks data and if there are
uncollected packets, device resend a task completion interrupt
to the software.
Fixes: b0eed085903e ("hisi_acc_vfio_pci: Add support for VFIO live migration")
Signed-off-by: Longfang Liu <liulongfang@huawei.com>
Reviewed-by: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
Link: https://lore.kernel.org/r/20250510081155.55840-3-liulongfang@huawei.com
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
index d09e7d295625d..521f969e1c608 100644
--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
+++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
@@ -470,6 +470,19 @@ static int vf_qm_get_match_data(struct hisi_acc_vf_core_device *hisi_acc_vdev,
return 0;
}
+static void vf_qm_xeqc_save(struct hisi_qm *qm,
+ struct hisi_acc_vf_migration_file *migf)
+{
+ struct acc_vf_data *vf_data = &migf->vf_data;
+ u16 eq_head, aeq_head;
+
+ eq_head = vf_data->qm_eqc_dw[0] & 0xFFFF;
+ qm_db(qm, 0, QM_DOORBELL_CMD_EQ, eq_head, 0);
+
+ aeq_head = vf_data->qm_aeqc_dw[0] & 0xFFFF;
+ qm_db(qm, 0, QM_DOORBELL_CMD_AEQ, aeq_head, 0);
+}
+
static int vf_qm_load_data(struct hisi_acc_vf_core_device *hisi_acc_vdev,
struct hisi_acc_vf_migration_file *migf)
{
@@ -566,6 +579,9 @@ static int vf_qm_state_save(struct hisi_acc_vf_core_device *hisi_acc_vdev,
}
migf->total_length = sizeof(struct acc_vf_data);
+ /* Save eqc and aeqc interrupt information */
+ vf_qm_xeqc_save(vf_qm, migf);
+
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 130/356] hisi_acc_vfio_pci: bugfix live migration function without VF device driver
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 129/356] hisi_acc_vfio_pci: add eq and aeq interruption restore Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 131/356] wifi: ath9k_htc: Abort software beacon handling if disabled Greg Kroah-Hartman
` (234 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Longfang Liu, Shameer Kolothum,
Alex Williamson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Longfang Liu <liulongfang@huawei.com>
[ Upstream commit 2777a40998deb36f96b6afc48bd397cf58a4edf0 ]
If the VF device driver is not loaded in the Guest OS and we attempt to
perform device data migration, the address of the migrated data will
be NULL.
The live migration recovery operation on the destination side will
access a null address value, which will cause access errors.
Therefore, live migration of VMs without added VF device drivers
does not require device data migration.
In addition, when the queue address data obtained by the destination
is empty, device queue recovery processing will not be performed.
Fixes: b0eed085903e ("hisi_acc_vfio_pci: Add support for VFIO live migration")
Signed-off-by: Longfang Liu <liulongfang@huawei.com>
Reviewed-by: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
Link: https://lore.kernel.org/r/20250510081155.55840-6-liulongfang@huawei.com
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 22 +++++++++++++------
1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
index 521f969e1c608..712b178c42aae 100644
--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
+++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
@@ -426,13 +426,6 @@ static int vf_qm_check_match(struct hisi_acc_vf_core_device *hisi_acc_vdev,
return -EINVAL;
}
- ret = qm_write_regs(vf_qm, QM_VF_STATE, &vf_data->vf_qm_state, 1);
- if (ret) {
- dev_err(dev, "failed to write QM_VF_STATE\n");
- return ret;
- }
-
- hisi_acc_vdev->vf_qm_state = vf_data->vf_qm_state;
hisi_acc_vdev->match_done = true;
return 0;
}
@@ -498,6 +491,20 @@ static int vf_qm_load_data(struct hisi_acc_vf_core_device *hisi_acc_vdev,
if (migf->total_length < sizeof(struct acc_vf_data))
return -EINVAL;
+ if (!vf_data->eqe_dma || !vf_data->aeqe_dma ||
+ !vf_data->sqc_dma || !vf_data->cqc_dma) {
+ dev_info(dev, "resume dma addr is NULL!\n");
+ hisi_acc_vdev->vf_qm_state = QM_NOT_READY;
+ return 0;
+ }
+
+ ret = qm_write_regs(qm, QM_VF_STATE, &vf_data->vf_qm_state, 1);
+ if (ret) {
+ dev_err(dev, "failed to write QM_VF_STATE\n");
+ return -EINVAL;
+ }
+ hisi_acc_vdev->vf_qm_state = vf_data->vf_qm_state;
+
qm->eqe_dma = vf_data->eqe_dma;
qm->aeqe_dma = vf_data->aeqe_dma;
qm->sqc_dma = vf_data->sqc_dma;
@@ -1397,6 +1404,7 @@ static int hisi_acc_vfio_pci_migrn_init_dev(struct vfio_device *core_vdev)
hisi_acc_vdev->vf_id = pci_iov_vf_id(pdev) + 1;
hisi_acc_vdev->pf_qm = pf_qm;
hisi_acc_vdev->vf_dev = pdev;
+ hisi_acc_vdev->vf_qm_state = QM_NOT_READY;
mutex_init(&hisi_acc_vdev->state_mutex);
core_vdev->migration_flags = VFIO_MIGRATION_STOP_COPY | VFIO_MIGRATION_PRE_COPY;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 131/356] wifi: ath9k_htc: Abort software beacon handling if disabled
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 130/356] hisi_acc_vfio_pci: bugfix live migration function without VF device driver Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 132/356] scsi: ufs: mcq: Delete ufshcd_release_scsi_cmd() in ufshcd_mcq_abort() Greg Kroah-Hartman
` (233 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Robert Morris,
Toke Høiland-Jørgensen, Jeff Johnson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Toke Høiland-Jørgensen <toke@toke.dk>
[ Upstream commit ac4e317a95a1092b5da5b9918b7118759342641c ]
A malicious USB device can send a WMI_SWBA_EVENTID event from an
ath9k_htc-managed device before beaconing has been enabled. This causes
a device-by-zero error in the driver, leading to either a crash or an
out of bounds read.
Prevent this by aborting the handling in ath9k_htc_swba() if beacons are
not enabled.
Reported-by: Robert Morris <rtm@csail.mit.edu>
Closes: https://lore.kernel.org/r/88967.1743099372@localhost
Fixes: 832f6a18fc2a ("ath9k_htc: Add beacon slots")
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Link: https://patch.msgid.link/20250402112217.58533-1-toke@toke.dk
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/htc_drv_beacon.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c
index 533471e694007..18c7654bc539d 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c
@@ -290,6 +290,9 @@ void ath9k_htc_swba(struct ath9k_htc_priv *priv,
struct ath_common *common = ath9k_hw_common(priv->ah);
int slot;
+ if (!priv->cur_beacon_conf.enable_beacon)
+ return;
+
if (swba->beacon_pending != 0) {
priv->beacon.bmisscnt++;
if (priv->beacon.bmisscnt > BSTUCK_THRESHOLD) {
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 132/356] scsi: ufs: mcq: Delete ufshcd_release_scsi_cmd() in ufshcd_mcq_abort()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 131/356] wifi: ath9k_htc: Abort software beacon handling if disabled Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 133/356] kernfs: Relax constraint in draining guard Greg Kroah-Hartman
` (232 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ping.gao, Peter Wang,
Bart Van Assche, Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: ping.gao <ping.gao@samsung.com>
[ Upstream commit 53755903b9357e69b2dd6a02fafbb1e30c741895 ]
After UFS_ABORT_TASK has been processed successfully, the host will
generate MCQ IRQ for ABORT TAG with response OCS_ABORTED. This results in
ufshcd_compl_one_cqe() calling ufshcd_release_scsi_cmd().
But ufshcd_mcq_abort() already calls ufshcd_release_scsi_cmd(), resulting
in __ufshcd_release() being called twice. This means
hba->clk_gating.active_reqs will be decreased twice, making it go
negative.
Delete ufshcd_release_scsi_cmd() in ufshcd_mcq_abort().
Fixes: f1304d442077 ("scsi: ufs: mcq: Added ufshcd_mcq_abort()")
Signed-off-by: ping.gao <ping.gao@samsung.com>
Link: https://lore.kernel.org/r/20250516083812.3894396-1-ping.gao@samsung.com
Reviewed-by: Peter Wang <peter.wang@mediatek.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ufs/core/ufs-mcq.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/drivers/ufs/core/ufs-mcq.c b/drivers/ufs/core/ufs-mcq.c
index 411109a5ebbff..14864cfc24223 100644
--- a/drivers/ufs/core/ufs-mcq.c
+++ b/drivers/ufs/core/ufs-mcq.c
@@ -629,7 +629,6 @@ int ufshcd_mcq_abort(struct scsi_cmnd *cmd)
int tag = scsi_cmd_to_rq(cmd)->tag;
struct ufshcd_lrb *lrbp = &hba->lrb[tag];
struct ufs_hw_queue *hwq;
- unsigned long flags;
int err;
/* Skip task abort in case previous aborts failed and report failure */
@@ -668,10 +667,5 @@ int ufshcd_mcq_abort(struct scsi_cmnd *cmd)
return FAILED;
}
- spin_lock_irqsave(&hwq->cq_lock, flags);
- if (ufshcd_cmd_inflight(lrbp->cmd))
- ufshcd_release_scsi_cmd(hba, lrbp);
- spin_unlock_irqrestore(&hwq->cq_lock, flags);
-
return SUCCESS;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 133/356] kernfs: Relax constraint in draining guard
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 132/356] scsi: ufs: mcq: Delete ufshcd_release_scsi_cmd() in ufshcd_mcq_abort() Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 134/356] wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() Greg Kroah-Hartman
` (231 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Ridong, Michal Koutný,
Tejun Heo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Koutný <mkoutny@suse.com>
[ Upstream commit 071d8e4c2a3b0999a9b822e2eb8854784a350f8a ]
The active reference lifecycle provides the break/unbreak mechanism but
the active reference is not truly active after unbreak -- callers don't
use it afterwards but it's important for proper pairing of kn->active
counting. Assuming this mechanism is in place, the WARN check in
kernfs_should_drain_open_files() is too sensitive -- it may transiently
catch those (rightful) callers between
kernfs_unbreak_active_protection() and kernfs_put_active() as found out by Chen
Ridong:
kernfs_remove_by_name_ns kernfs_get_active // active=1
__kernfs_remove // active=0x80000002
kernfs_drain ...
wait_event
//waiting (active == 0x80000001)
kernfs_break_active_protection
// active = 0x80000001
// continue
kernfs_unbreak_active_protection
// active = 0x80000002
...
kernfs_should_drain_open_files
// warning occurs
kernfs_put_active
To avoid the false positives (mind panic_on_warn) remove the check altogether.
(This is meant as quick fix, I think active reference break/unbreak may be
simplified with larger rework.)
Fixes: bdb2fd7fc56e1 ("kernfs: Skip kernfs_drain_open_files() more aggressively")
Link: https://lore.kernel.org/r/kmmrseckjctb4gxcx2rdminrjnq2b4ipf7562nvfd432ld5v5m@2byj5eedkb2o/
Cc: Chen Ridong <chenridong@huawei.com>
Signed-off-by: Michal Koutný <mkoutny@suse.com>
Acked-by: Tejun Heo <tj@kernel.org>
Link: https://lore.kernel.org/r/20250505121201.879823-1-mkoutny@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/kernfs/dir.c | 5 +++--
fs/kernfs/file.c | 3 ++-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
index b068ed32d7b32..f6e2a4523f7e6 100644
--- a/fs/kernfs/dir.c
+++ b/fs/kernfs/dir.c
@@ -1560,8 +1560,9 @@ void kernfs_break_active_protection(struct kernfs_node *kn)
* invoked before finishing the kernfs operation. Note that while this
* function restores the active reference, it doesn't and can't actually
* restore the active protection - @kn may already or be in the process of
- * being removed. Once kernfs_break_active_protection() is invoked, that
- * protection is irreversibly gone for the kernfs operation instance.
+ * being drained and removed. Once kernfs_break_active_protection() is
+ * invoked, that protection is irreversibly gone for the kernfs operation
+ * instance.
*
* While this function may be called at any point after
* kernfs_break_active_protection() is invoked, its most useful location
diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c
index 332d08d2fe0d5..6b90fea6cca20 100644
--- a/fs/kernfs/file.c
+++ b/fs/kernfs/file.c
@@ -820,8 +820,9 @@ bool kernfs_should_drain_open_files(struct kernfs_node *kn)
/*
* @kn being deactivated guarantees that @kn->attr.open can't change
* beneath us making the lockless test below safe.
+ * Callers post kernfs_unbreak_active_protection may be counted in
+ * kn->active by now, do not WARN_ON because of them.
*/
- WARN_ON_ONCE(atomic_read(&kn->active) != KN_DEACTIVATED_BIAS);
rcu_read_lock();
on = rcu_dereference(kn->attr.open);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 134/356] wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 133/356] kernfs: Relax constraint in draining guard Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 135/356] wifi: mt76: mt7996: set EHT max ampdu length capability Greg Kroah-Hartman
` (230 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Henry Martin, Felix Fietkau,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henry Martin <bsdhenrymartin@gmail.com>
[ Upstream commit efb95439c1477bbc955cacd0179c35e7861b437c ]
devm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init()
does not check for this case, which results in a NULL pointer
dereference.
Prevent null pointer dereference in mt7915_mmio_wed_init().
Fixes: 4f831d18d12d ("wifi: mt76: mt7915: enable WED RX support")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Link: https://patch.msgid.link/20250407061900.85317-1-bsdhenrymartin@gmail.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7915/mmio.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mmio.c b/drivers/net/wireless/mediatek/mt76/mt7915/mmio.c
index 7db436d908a39..f4850c6daeb72 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mmio.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mmio.c
@@ -755,6 +755,9 @@ int mt7915_mmio_wed_init(struct mt7915_dev *dev, void *pdev_ptr,
wed->wlan.base = devm_ioremap(dev->mt76.dev,
pci_resource_start(pci_dev, 0),
pci_resource_len(pci_dev, 0));
+ if (!wed->wlan.base)
+ return -ENOMEM;
+
wed->wlan.phy_base = pci_resource_start(pci_dev, 0);
wed->wlan.wpdma_int = pci_resource_start(pci_dev, 0) +
MT_INT_WED_SOURCE_CSR;
@@ -782,6 +785,9 @@ int mt7915_mmio_wed_init(struct mt7915_dev *dev, void *pdev_ptr,
wed->wlan.bus_type = MTK_WED_BUS_AXI;
wed->wlan.base = devm_ioremap(dev->mt76.dev, res->start,
resource_size(res));
+ if (!wed->wlan.base)
+ return -ENOMEM;
+
wed->wlan.phy_base = res->start;
wed->wlan.wpdma_int = res->start + MT_INT_SOURCE_CSR;
wed->wlan.wpdma_mask = res->start + MT_INT_MASK_CSR;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 135/356] wifi: mt76: mt7996: set EHT max ampdu length capability
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 134/356] wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 136/356] wifi: mt76: mt7996: fix RX buffer size of MCU event Greg Kroah-Hartman
` (229 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Chiu, Shayne Chen,
Felix Fietkau, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Chiu <chui-hao.chiu@mediatek.com>
[ Upstream commit 8b2f574845e33d02e7fbad2d3192a8b717567afa ]
Set the max AMPDU length in the EHT MAC CAP. Without this patch, the
peer station cannot obtain the correct capability, which prevents
achieving peak throughput on the 2 GHz band.
Fixes: 1816ad9381e0 ("wifi: mt76: mt7996: add max mpdu len capability")
Signed-off-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
Link: https://patch.msgid.link/20250515032952.1653494-3-shayne.chen@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7996/init.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/init.c b/drivers/net/wireless/mediatek/mt76/mt7996/init.c
index 0a701dcb8a92c..375a3d6f4b384 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/init.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/init.c
@@ -735,6 +735,9 @@ mt7996_init_eht_caps(struct mt7996_phy *phy, enum nl80211_band band,
u8_encode_bits(IEEE80211_EHT_MAC_CAP0_MAX_MPDU_LEN_11454,
IEEE80211_EHT_MAC_CAP0_MAX_MPDU_LEN_MASK);
+ eht_cap_elem->mac_cap_info[1] |=
+ IEEE80211_EHT_MAC_CAP1_MAX_AMPDU_LEN_MASK;
+
eht_cap_elem->phy_cap_info[0] =
IEEE80211_EHT_PHY_CAP0_NDP_4_EHT_LFT_32_GI |
IEEE80211_EHT_PHY_CAP0_SU_BEAMFORMER |
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 136/356] wifi: mt76: mt7996: fix RX buffer size of MCU event
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 135/356] wifi: mt76: mt7996: set EHT max ampdu length capability Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 137/356] netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy Greg Kroah-Hartman
` (228 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Chiu, Shayne Chen,
Felix Fietkau, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shayne Chen <shayne.chen@mediatek.com>
[ Upstream commit 42cb27af34de4acf680606fad2c1f2932110591f ]
Some management frames are first processed by the firmware and then
passed to the driver through the MCU event rings. In CONNAC3, event rings
do not support scatter-gather and have a size limitation of 2048 bytes.
If a packet sized between 1728 and 2048 bytes arrives from an event ring,
the ring will hang because the driver attempts to use scatter-gather to
process it.
To fix this, include the size of struct skb_shared_info in the MCU RX
buffer size to prevent scatter-gather from being used for event skb in
mt76_dma_rx_fill_buf().
Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
Co-developed-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Signed-off-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
Link: https://patch.msgid.link/20250515032952.1653494-7-shayne.chen@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7996/dma.c | 4 ++--
drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h | 3 +++
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/dma.c b/drivers/net/wireless/mediatek/mt76/mt7996/dma.c
index 586e247a1e064..04c9fd0e6b002 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/dma.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/dma.c
@@ -300,7 +300,7 @@ int mt7996_dma_init(struct mt7996_dev *dev)
ret = mt76_queue_alloc(dev, &dev->mt76.q_rx[MT_RXQ_MCU],
MT_RXQ_ID(MT_RXQ_MCU),
MT7996_RX_MCU_RING_SIZE,
- MT_RX_BUF_SIZE,
+ MT7996_RX_MCU_BUF_SIZE,
MT_RXQ_RING_BASE(MT_RXQ_MCU));
if (ret)
return ret;
@@ -309,7 +309,7 @@ int mt7996_dma_init(struct mt7996_dev *dev)
ret = mt76_queue_alloc(dev, &dev->mt76.q_rx[MT_RXQ_MCU_WA],
MT_RXQ_ID(MT_RXQ_MCU_WA),
MT7996_RX_MCU_RING_SIZE_WA,
- MT_RX_BUF_SIZE,
+ MT7996_RX_MCU_BUF_SIZE,
MT_RXQ_RING_BASE(MT_RXQ_MCU_WA));
if (ret)
return ret;
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
index 25bb365612314..7d2074e2b635e 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
@@ -27,6 +27,9 @@
#define MT7996_RX_RING_SIZE 1536
#define MT7996_RX_MCU_RING_SIZE 512
#define MT7996_RX_MCU_RING_SIZE_WA 1024
+/* scatter-gather of mcu event is not supported in connac3 */
+#define MT7996_RX_MCU_BUF_SIZE (2048 + \
+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)))
#define MT7996_FIRMWARE_WA "mediatek/mt7996/mt7996_wa.bin"
#define MT7996_FIRMWARE_WM "mediatek/mt7996/mt7996_wm.bin"
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 137/356] netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 136/356] wifi: mt76: mt7996: fix RX buffer size of MCU event Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 138/356] vfio/type1: Fix error unwind in migration dirty bitmap allocation Greg Kroah-Hartman
` (227 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Pablo Neira Ayuso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 8b53f46eb430fe5b42d485873b85331d2de2c469 ]
With a VRF, ipv4 and ipv6 FIB expression behave differently.
fib daddr . iif oif
Will return the input interface name for ipv4, but the real device
for ipv6. Example:
If VRF device name is tvrf and real (incoming) device is veth0.
First round is ok, both ipv4 and ipv6 will yield 'veth0'.
But in the second round (incoming device will be set to "tvrf"), ipv4
will yield "tvrf" whereas ipv6 returns "veth0" for the second round too.
This makes ipv6 behave like ipv4.
A followup patch will add a test case for this, without this change
it will fail with:
get element inet t fibif6iif { tvrf . dead:1::99 . tvrf }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
FAIL: did not find tvrf . dead:1::99 . tvrf in fibif6iif
Alternatively we could either not do anything at all or change
ipv4 to also return the lower/real device, however, nft (userspace)
doc says "iif: if fib lookup provides a route then check its output
interface is identical to the packets input interface." which is what
the nft fib ipv4 behaviour is.
Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/netfilter/nft_fib_ipv6.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c
index c9f1634b3838a..a89ce0fbfe4b1 100644
--- a/net/ipv6/netfilter/nft_fib_ipv6.c
+++ b/net/ipv6/netfilter/nft_fib_ipv6.c
@@ -158,6 +158,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
{
const struct nft_fib *priv = nft_expr_priv(expr);
int noff = skb_network_offset(pkt->skb);
+ const struct net_device *found = NULL;
const struct net_device *oif = NULL;
u32 *dest = ®s->data[priv->dreg];
struct ipv6hdr *iph, _iph;
@@ -202,11 +203,15 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
if (rt->rt6i_flags & (RTF_REJECT | RTF_ANYCAST | RTF_LOCAL))
goto put_rt_err;
- if (oif && oif != rt->rt6i_idev->dev &&
- l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) != oif->ifindex)
- goto put_rt_err;
+ if (!oif) {
+ found = rt->rt6i_idev->dev;
+ } else {
+ if (oif == rt->rt6i_idev->dev ||
+ l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) == oif->ifindex)
+ found = oif;
+ }
- nft_fib_store_result(dest, priv, rt->rt6i_idev->dev);
+ nft_fib_store_result(dest, priv, found);
put_rt_err:
ip6_rt_put(rt);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 138/356] vfio/type1: Fix error unwind in migration dirty bitmap allocation
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 137/356] netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 139/356] Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach() Greg Kroah-Hartman
` (226 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li RongQing, Alex Williamson,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li RongQing <lirongqing@baidu.com>
[ Upstream commit 4518e5a60c7fbf0cdff393c2681db39d77b4f87e ]
When setting up dirty page tracking at the vfio IOMMU backend for
device migration, if an error is encountered allocating a tracking
bitmap, the unwind loop fails to free previously allocated tracking
bitmaps. This occurs because the wrong loop index is used to
generate the tracking object. This results in unintended memory
usage for the life of the current DMA mappings where bitmaps were
successfully allocated.
Use the correct loop index to derive the tracking object for
freeing during unwind.
Fixes: d6a4c185660c ("vfio iommu: Implementation of ioctl for dirty pages tracking")
Signed-off-by: Li RongQing <lirongqing@baidu.com>
Link: https://lore.kernel.org/r/20250521034647.2877-1-lirongqing@baidu.com
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vfio/vfio_iommu_type1.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
index eacd6ec04de5a..5fe7aed3672ee 100644
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -294,7 +294,7 @@ static int vfio_dma_bitmap_alloc_all(struct vfio_iommu *iommu, size_t pgsize)
struct rb_node *p;
for (p = rb_prev(n); p; p = rb_prev(p)) {
- struct vfio_dma *dma = rb_entry(n,
+ struct vfio_dma *dma = rb_entry(p,
struct vfio_dma, node);
vfio_dma_bitmap_free(dma);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 139/356] Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 138/356] vfio/type1: Fix error unwind in migration dirty bitmap allocation Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 140/356] bpf, sockmap: Avoid using sk_socket after free when sending Greg Kroah-Hartman
` (225 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Antipov,
Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit 3bb88524b7d030160bb3c9b35f928b2778092111 ]
In 'mgmt_mesh_foreach()', iterate over mesh commands
rather than generic mgmt ones. Compile tested only.
Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/mgmt_util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
index 0115f783bde80..17e32605d9b00 100644
--- a/net/bluetooth/mgmt_util.c
+++ b/net/bluetooth/mgmt_util.c
@@ -321,7 +321,7 @@ void mgmt_mesh_foreach(struct hci_dev *hdev,
{
struct mgmt_mesh_tx *mesh_tx, *tmp;
- list_for_each_entry_safe(mesh_tx, tmp, &hdev->mgmt_pending, list) {
+ list_for_each_entry_safe(mesh_tx, tmp, &hdev->mesh_pending, list) {
if (!sk || mesh_tx->sk == sk)
cb(mesh_tx, data);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 140/356] bpf, sockmap: Avoid using sk_socket after free when sending
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 139/356] Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach() Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 141/356] netfilter: nft_tunnel: fix geneve_opt dump Greg Kroah-Hartman
` (224 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Luczaj, Jiayuan Chen,
Martin KaFai Lau, John Fastabend, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 8259eb0e06d8f64c700f5fbdb28a5c18e10de291 ]
The sk->sk_socket is not locked or referenced in backlog thread, and
during the call to skb_send_sock(), there is a race condition with
the release of sk_socket. All types of sockets(tcp/udp/unix/vsock)
will be affected.
Race conditions:
'''
CPU0 CPU1
backlog::skb_send_sock
sendmsg_unlocked
sock_sendmsg
sock_sendmsg_nosec
close(fd):
...
ops->release() -> sock_map_close()
sk_socket->ops = NULL
free(socket)
sock->ops->sendmsg
^
panic here
'''
The ref of psock become 0 after sock_map_close() executed.
'''
void sock_map_close()
{
...
if (likely(psock)) {
...
// !! here we remove psock and the ref of psock become 0
sock_map_remove_links(sk, psock)
psock = sk_psock_get(sk);
if (unlikely(!psock))
goto no_psock; <=== Control jumps here via goto
...
cancel_delayed_work_sync(&psock->work); <=== not executed
sk_psock_put(sk, psock);
...
}
'''
Based on the fact that we already wait for the workqueue to finish in
sock_map_close() if psock is held, we simply increase the psock
reference count to avoid race conditions.
With this patch, if the backlog thread is running, sock_map_close() will
wait for the backlog thread to complete and cancel all pending work.
If no backlog running, any pending work that hasn't started by then will
fail when invoked by sk_psock_get(), as the psock reference count have
been zeroed, and sk_psock_drop() will cancel all jobs via
cancel_delayed_work_sync().
In summary, we require synchronization to coordinate the backlog thread
and close() thread.
The panic I catched:
'''
Workqueue: events sk_psock_backlog
RIP: 0010:sock_sendmsg+0x21d/0x440
RAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001
...
Call Trace:
<TASK>
? die_addr+0x40/0xa0
? exc_general_protection+0x14c/0x230
? asm_exc_general_protection+0x26/0x30
? sock_sendmsg+0x21d/0x440
? sock_sendmsg+0x3e0/0x440
? __pfx_sock_sendmsg+0x10/0x10
__skb_send_sock+0x543/0xb70
sk_psock_backlog+0x247/0xb80
...
'''
Fixes: 4b4647add7d3 ("sock_map: avoid race between sock_map_close and sk_psock_put")
Reported-by: Michal Luczaj <mhal@rbox.co>
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/r/20250516141713.291150-1-jiayuan.chen@linux.dev
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/skmsg.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/core/skmsg.c b/net/core/skmsg.c
index c7edf77fd6fde..2076db464e936 100644
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -655,6 +655,13 @@ static void sk_psock_backlog(struct work_struct *work)
bool ingress;
int ret;
+ /* Increment the psock refcnt to synchronize with close(fd) path in
+ * sock_map_close(), ensuring we wait for backlog thread completion
+ * before sk_socket freed. If refcnt increment fails, it indicates
+ * sock_map_close() completed with sk_socket potentially already freed.
+ */
+ if (!sk_psock_get(psock->sk))
+ return;
mutex_lock(&psock->work_mutex);
while ((skb = skb_peek(&psock->ingress_skb))) {
len = skb->len;
@@ -706,6 +713,7 @@ static void sk_psock_backlog(struct work_struct *work)
}
end:
mutex_unlock(&psock->work_mutex);
+ sk_psock_put(psock->sk, psock);
}
struct sk_psock *sk_psock_init(struct sock *sk, int node)
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 141/356] netfilter: nft_tunnel: fix geneve_opt dump
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 140/356] bpf, sockmap: Avoid using sk_socket after free when sending Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 142/356] RISC-V: KVM: lock the correct mp_state during reset Greg Kroah-Hartman
` (223 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit 22a9613de4c29d7d0770bfb8a5a9d73eb8df7dad ]
When dumping a nft_tunnel with more than one geneve_opt configured the
netlink attribute hierarchy should be as follow:
NFTA_TUNNEL_KEY_OPTS
|
|--NFTA_TUNNEL_KEY_OPTS_GENEVE
| |
| |--NFTA_TUNNEL_KEY_GENEVE_CLASS
| |--NFTA_TUNNEL_KEY_GENEVE_TYPE
| |--NFTA_TUNNEL_KEY_GENEVE_DATA
|
|--NFTA_TUNNEL_KEY_OPTS_GENEVE
| |
| |--NFTA_TUNNEL_KEY_GENEVE_CLASS
| |--NFTA_TUNNEL_KEY_GENEVE_TYPE
| |--NFTA_TUNNEL_KEY_GENEVE_DATA
|
|--NFTA_TUNNEL_KEY_OPTS_GENEVE
...
Otherwise, userspace tools won't be able to fetch the geneve options
configured correctly.
Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_tunnel.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index d499eb3f4f297..3e3ae29dde335 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -617,10 +617,10 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb,
struct geneve_opt *opt;
int offset = 0;
- inner = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS_GENEVE);
- if (!inner)
- goto failure;
while (opts->len > offset) {
+ inner = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS_GENEVE);
+ if (!inner)
+ goto failure;
opt = (struct geneve_opt *)(opts->u.data + offset);
if (nla_put_be16(skb, NFTA_TUNNEL_KEY_GENEVE_CLASS,
opt->opt_class) ||
@@ -630,8 +630,8 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb,
opt->length * 4, opt->opt_data))
goto inner_failure;
offset += sizeof(*opt) + opt->length * 4;
+ nla_nest_end(skb, inner);
}
- nla_nest_end(skb, inner);
}
nla_nest_end(skb, nest);
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 142/356] RISC-V: KVM: lock the correct mp_state during reset
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 141/356] netfilter: nft_tunnel: fix geneve_opt dump Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 143/356] net: usb: aqc111: fix error handling of usbnet read calls Greg Kroah-Hartman
` (222 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Radim Krčmář,
Anup Patel, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Radim Krčmář <rkrcmar@ventanamicro.com>
[ Upstream commit 7917be170928189fefad490d1a1237fdfa6b856f ]
Currently, the kvm_riscv_vcpu_sbi_system_reset() function locks
vcpu->arch.mp_state_lock when updating tmp->arch.mp_state.mp_state
which is incorrect hence fix it.
Fixes: 2121cadec45a ("RISCV: KVM: Introduce mp_state_lock to avoid lock inversion")
Signed-off-by: Radim Krčmář <rkrcmar@ventanamicro.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20250523104725.2894546-4-rkrcmar@ventanamicro.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/kvm/vcpu_sbi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/riscv/kvm/vcpu_sbi.c b/arch/riscv/kvm/vcpu_sbi.c
index be43278109f4e..a71d33cd81d3d 100644
--- a/arch/riscv/kvm/vcpu_sbi.c
+++ b/arch/riscv/kvm/vcpu_sbi.c
@@ -103,9 +103,9 @@ void kvm_riscv_vcpu_sbi_system_reset(struct kvm_vcpu *vcpu,
struct kvm_vcpu *tmp;
kvm_for_each_vcpu(i, tmp, vcpu->kvm) {
- spin_lock(&vcpu->arch.mp_state_lock);
+ spin_lock(&tmp->arch.mp_state_lock);
WRITE_ONCE(tmp->arch.mp_state.mp_state, KVM_MP_STATE_STOPPED);
- spin_unlock(&vcpu->arch.mp_state_lock);
+ spin_unlock(&tmp->arch.mp_state_lock);
}
kvm_make_all_cpus_request(vcpu->kvm, KVM_REQ_SLEEP);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 143/356] net: usb: aqc111: fix error handling of usbnet read calls
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 142/356] RISC-V: KVM: lock the correct mp_state during reset Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 144/356] RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work Greg Kroah-Hartman
` (221 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+3b6b9ff7b80430020c7b,
Nikita Zhandarovich, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
[ Upstream commit 405b0d610745fb5e84fc2961d9b960abb9f3d107 ]
Syzkaller, courtesy of syzbot, identified an error (see report [1]) in
aqc111 driver, caused by incomplete sanitation of usb read calls'
results. This problem is quite similar to the one fixed in commit
920a9fa27e78 ("net: asix: add proper error handling of usb read errors").
For instance, usbnet_read_cmd() may read fewer than 'size' bytes,
even if the caller expected the full amount, and aqc111_read_cmd()
will not check its result properly. As [1] shows, this may lead
to MAC address in aqc111_bind() being only partly initialized,
triggering KMSAN warnings.
Fix the issue by verifying that the number of bytes read is
as expected and not less.
[1] Partial syzbot report:
BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline]
BUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830
is_valid_ether_addr include/linux/etherdevice.h:208 [inline]
usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830
usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x4d1/0xd90 drivers/base/dd.c:658
__driver_probe_device+0x268/0x380 drivers/base/dd.c:800
...
Uninit was stored to memory at:
dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582
__dev_addr_set include/linux/netdevice.h:4874 [inline]
eth_hw_addr_set include/linux/etherdevice.h:325 [inline]
aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717
usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
...
Uninit was stored to memory at:
ether_addr_copy include/linux/etherdevice.h:305 [inline]
aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline]
aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713
usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
...
Local variable buf.i created at:
aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline]
aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713
usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
Reported-by: syzbot+3b6b9ff7b80430020c7b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3b6b9ff7b80430020c7b
Tested-by: syzbot+3b6b9ff7b80430020c7b@syzkaller.appspotmail.com
Fixes: df2d59a2ab6c ("net: usb: aqc111: Add support for getting and setting of MAC address")
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Link: https://patch.msgid.link/20250520113240.2369438-1-n.zhandarovich@fintech.ru
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/aqc111.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c
index 284375f662f1e..04d5573123bec 100644
--- a/drivers/net/usb/aqc111.c
+++ b/drivers/net/usb/aqc111.c
@@ -30,10 +30,13 @@ static int aqc111_read_cmd_nopm(struct usbnet *dev, u8 cmd, u16 value,
ret = usbnet_read_cmd_nopm(dev, cmd, USB_DIR_IN | USB_TYPE_VENDOR |
USB_RECIP_DEVICE, value, index, data, size);
- if (unlikely(ret < 0))
+ if (unlikely(ret < size)) {
+ ret = ret < 0 ? ret : -ENODATA;
+
netdev_warn(dev->net,
"Failed to read(0x%x) reg index 0x%04x: %d\n",
cmd, index, ret);
+ }
return ret;
}
@@ -46,10 +49,13 @@ static int aqc111_read_cmd(struct usbnet *dev, u8 cmd, u16 value,
ret = usbnet_read_cmd(dev, cmd, USB_DIR_IN | USB_TYPE_VENDOR |
USB_RECIP_DEVICE, value, index, data, size);
- if (unlikely(ret < 0))
+ if (unlikely(ret < size)) {
+ ret = ret < 0 ? ret : -ENODATA;
+
netdev_warn(dev->net,
"Failed to read(0x%x) reg index 0x%04x: %d\n",
cmd, index, ret);
+ }
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 144/356] RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 143/356] net: usb: aqc111: fix error handling of usbnet read calls Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 145/356] net: lan966x: Fix 1-step timestamping over ipv4 or ipv6 Greg Kroah-Hartman
` (220 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jack Morgenstein, Feng Liu,
Vlad Dumitrescu, Leon Romanovsky, Sharath Srinivasan, Kalesh AP,
Jason Gunthorpe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jack Morgenstein <jackm@nvidia.com>
[ Upstream commit 92a251c3df8ea1991cd9fe00f1ab0cfce18d7711 ]
The cited commit fixed a crash when cma_netevent_callback was called for
a cma_id while work on that id from a previous call had not yet started.
The work item was re-initialized in the second call, which corrupted the
work item currently in the work queue.
However, it left a problem when queue_work fails (because the item is
still pending in the work queue from a previous call). In this case,
cma_id_put (which is called in the work handler) is therefore not
called. This results in a userspace process hang (zombie process).
Fix this by calling cma_id_put() if queue_work fails.
Fixes: 45f5dcdd0497 ("RDMA/cma: Fix workqueue crash in cma_netevent_work_handler")
Link: https://patch.msgid.link/r/4f3640b501e48d0166f312a64fdadf72b059bd04.1747827103.git.leon@kernel.org
Signed-off-by: Jack Morgenstein <jackm@nvidia.com>
Signed-off-by: Feng Liu <feliu@nvidia.com>
Reviewed-by: Vlad Dumitrescu <vdumitrescu@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Sharath Srinivasan <sharath.srinivasan@oracle.com>
Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/cma.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
index 348527cf1e7bf..a5ceae2e075ad 100644
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -5215,7 +5215,8 @@ static int cma_netevent_callback(struct notifier_block *self,
neigh->ha, ETH_ALEN))
continue;
cma_id_get(current_id);
- queue_work(cma_wq, ¤t_id->id.net_work);
+ if (!queue_work(cma_wq, ¤t_id->id.net_work))
+ cma_id_put(current_id);
}
out:
spin_unlock_irqrestore(&id_table_lock, flags);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 145/356] net: lan966x: Fix 1-step timestamping over ipv4 or ipv6
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 144/356] RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 146/356] bpf: Avoid __bpf_prog_ret0_warn when jit fails Greg Kroah-Hartman
` (219 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Horatiu Vultur, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Horatiu Vultur <horatiu.vultur@microchip.com>
[ Upstream commit 57ee9584fd8606deef66d7b65fa4dcf94f6843aa ]
When enabling 1-step timestamping for ptp frames that are over udpv4 or
udpv6 then the inserted timestamp is added at the wrong offset in the
frame, meaning that will modify the frame at the wrong place, so the
frame will be malformed.
To fix this, the HW needs to know which kind of frame it is to know
where to insert the timestamp. For that there is a field in the IFH that
says the PDU_TYPE, which can be NONE which is the default value,
IPV4 or IPV6. Therefore make sure to set the PDU_TYPE so the HW knows
where to insert the timestamp.
Like I mention before the issue is not seen with L2 frames because by
default the PDU_TYPE has a value of 0, which represents the L2 frames.
Fixes: 77eecf25bd9d2f ("net: lan966x: Update extraction/injection for timestamping")
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Link: https://patch.msgid.link/20250521124159.2713525-1-horatiu.vultur@microchip.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/microchip/lan966x/lan966x_main.c | 6 +++
.../ethernet/microchip/lan966x/lan966x_main.h | 5 ++
.../ethernet/microchip/lan966x/lan966x_ptp.c | 49 ++++++++++++++-----
3 files changed, 47 insertions(+), 13 deletions(-)
diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
index c3f6c10bc2393..05f6c92275830 100644
--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
+++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
@@ -353,6 +353,11 @@ static void lan966x_ifh_set_rew_op(void *ifh, u64 rew_op)
lan966x_ifh_set(ifh, rew_op, IFH_POS_REW_CMD, IFH_WID_REW_CMD);
}
+static void lan966x_ifh_set_oam_type(void *ifh, u64 oam_type)
+{
+ lan966x_ifh_set(ifh, oam_type, IFH_POS_PDU_TYPE, IFH_WID_PDU_TYPE);
+}
+
static void lan966x_ifh_set_timestamp(void *ifh, u64 timestamp)
{
lan966x_ifh_set(ifh, timestamp, IFH_POS_TIMESTAMP, IFH_WID_TIMESTAMP);
@@ -380,6 +385,7 @@ static netdev_tx_t lan966x_port_xmit(struct sk_buff *skb,
return err;
lan966x_ifh_set_rew_op(ifh, LAN966X_SKB_CB(skb)->rew_op);
+ lan966x_ifh_set_oam_type(ifh, LAN966X_SKB_CB(skb)->pdu_type);
lan966x_ifh_set_timestamp(ifh, LAN966X_SKB_CB(skb)->ts_id);
}
diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h
index caa9e0533c96b..b65d58a1552b5 100644
--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h
+++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h
@@ -74,6 +74,10 @@
#define IFH_REW_OP_ONE_STEP_PTP 0x3
#define IFH_REW_OP_TWO_STEP_PTP 0x4
+#define IFH_PDU_TYPE_NONE 0
+#define IFH_PDU_TYPE_IPV4 7
+#define IFH_PDU_TYPE_IPV6 8
+
#define FDMA_RX_DCB_MAX_DBS 1
#define FDMA_TX_DCB_MAX_DBS 1
#define FDMA_DCB_INFO_DATAL(x) ((x) & GENMASK(15, 0))
@@ -306,6 +310,7 @@ struct lan966x_phc {
struct lan966x_skb_cb {
u8 rew_op;
+ u8 pdu_type;
u16 ts_id;
unsigned long jiffies;
};
diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_ptp.c b/drivers/net/ethernet/microchip/lan966x/lan966x_ptp.c
index 63905bb5a63a8..87e5e81d40dc6 100644
--- a/drivers/net/ethernet/microchip/lan966x/lan966x_ptp.c
+++ b/drivers/net/ethernet/microchip/lan966x/lan966x_ptp.c
@@ -322,34 +322,55 @@ void lan966x_ptp_hwtstamp_get(struct lan966x_port *port,
*cfg = phc->hwtstamp_config;
}
-static int lan966x_ptp_classify(struct lan966x_port *port, struct sk_buff *skb)
+static void lan966x_ptp_classify(struct lan966x_port *port, struct sk_buff *skb,
+ u8 *rew_op, u8 *pdu_type)
{
struct ptp_header *header;
u8 msgtype;
int type;
- if (port->ptp_tx_cmd == IFH_REW_OP_NOOP)
- return IFH_REW_OP_NOOP;
+ if (port->ptp_tx_cmd == IFH_REW_OP_NOOP) {
+ *rew_op = IFH_REW_OP_NOOP;
+ *pdu_type = IFH_PDU_TYPE_NONE;
+ return;
+ }
type = ptp_classify_raw(skb);
- if (type == PTP_CLASS_NONE)
- return IFH_REW_OP_NOOP;
+ if (type == PTP_CLASS_NONE) {
+ *rew_op = IFH_REW_OP_NOOP;
+ *pdu_type = IFH_PDU_TYPE_NONE;
+ return;
+ }
header = ptp_parse_header(skb, type);
- if (!header)
- return IFH_REW_OP_NOOP;
+ if (!header) {
+ *rew_op = IFH_REW_OP_NOOP;
+ *pdu_type = IFH_PDU_TYPE_NONE;
+ return;
+ }
- if (port->ptp_tx_cmd == IFH_REW_OP_TWO_STEP_PTP)
- return IFH_REW_OP_TWO_STEP_PTP;
+ if (type & PTP_CLASS_L2)
+ *pdu_type = IFH_PDU_TYPE_NONE;
+ if (type & PTP_CLASS_IPV4)
+ *pdu_type = IFH_PDU_TYPE_IPV4;
+ if (type & PTP_CLASS_IPV6)
+ *pdu_type = IFH_PDU_TYPE_IPV6;
+
+ if (port->ptp_tx_cmd == IFH_REW_OP_TWO_STEP_PTP) {
+ *rew_op = IFH_REW_OP_TWO_STEP_PTP;
+ return;
+ }
/* If it is sync and run 1 step then set the correct operation,
* otherwise run as 2 step
*/
msgtype = ptp_get_msgtype(header, type);
- if ((msgtype & 0xf) == 0)
- return IFH_REW_OP_ONE_STEP_PTP;
+ if ((msgtype & 0xf) == 0) {
+ *rew_op = IFH_REW_OP_ONE_STEP_PTP;
+ return;
+ }
- return IFH_REW_OP_TWO_STEP_PTP;
+ *rew_op = IFH_REW_OP_TWO_STEP_PTP;
}
static void lan966x_ptp_txtstamp_old_release(struct lan966x_port *port)
@@ -374,10 +395,12 @@ int lan966x_ptp_txtstamp_request(struct lan966x_port *port,
{
struct lan966x *lan966x = port->lan966x;
unsigned long flags;
+ u8 pdu_type;
u8 rew_op;
- rew_op = lan966x_ptp_classify(port, skb);
+ lan966x_ptp_classify(port, skb, &rew_op, &pdu_type);
LAN966X_SKB_CB(skb)->rew_op = rew_op;
+ LAN966X_SKB_CB(skb)->pdu_type = pdu_type;
if (rew_op != IFH_REW_OP_TWO_STEP_PTP)
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 146/356] bpf: Avoid __bpf_prog_ret0_warn when jit fails
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 145/356] net: lan966x: Fix 1-step timestamping over ipv4 or ipv6 Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 147/356] net: phy: clear phydev->devlink when the link is deleted Greg Kroah-Hartman
` (218 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+0903f6d7f285e41cdf10,
KaFai Wan, Alexei Starovoitov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: KaFai Wan <mannkafai@gmail.com>
[ Upstream commit 86bc9c742426a16b52a10ef61f5b721aecca2344 ]
syzkaller reported an issue:
WARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357
Modules linked in:
CPU: 3 UID: 0 PID: 217 Comm: kworker/u32:6 Not tainted 6.15.0-rc4-syzkaller-00040-g8bac8898fe39
RIP: 0010:__bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357
Call Trace:
<TASK>
bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
__bpf_prog_run include/linux/filter.h:718 [inline]
bpf_prog_run include/linux/filter.h:725 [inline]
cls_bpf_classify+0x74a/0x1110 net/sched/cls_bpf.c:105
...
When creating bpf program, 'fp->jit_requested' depends on bpf_jit_enable.
This issue is triggered because of CONFIG_BPF_JIT_ALWAYS_ON is not set
and bpf_jit_enable is set to 1, causing the arch to attempt JIT the prog,
but jit failed due to FAULT_INJECTION. As a result, incorrectly
treats the program as valid, when the program runs it calls
`__bpf_prog_ret0_warn` and triggers the WARN_ON_ONCE(1).
Reported-by: syzbot+0903f6d7f285e41cdf10@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/bpf/6816e34e.a70a0220.254cdc.002c.GAE@google.com
Fixes: fa9dd599b4da ("bpf: get rid of pure_initcall dependency to enable jits")
Signed-off-by: KaFai Wan <mannkafai@gmail.com>
Link: https://lore.kernel.org/r/20250526133358.2594176-1-mannkafai@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 3f140b7527cfc..5eaaf95048abc 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -2364,7 +2364,7 @@ struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err)
/* In case of BPF to BPF calls, verifier did all the prep
* work with regards to JITing, etc.
*/
- bool jit_needed = false;
+ bool jit_needed = fp->jit_requested;
if (fp->bpf_func)
goto finalize;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 147/356] net: phy: clear phydev->devlink when the link is deleted
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 146/356] bpf: Avoid __bpf_prog_ret0_warn when jit fails Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 148/356] net: phy: fix up const issues in to_mdio_device() and to_phy_device() Greg Kroah-Hartman
` (217 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wei Fang, Andrew Lunn,
Florian Fainelli, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Fang <wei.fang@nxp.com>
[ Upstream commit 0795b05a59b1371b18ffbf09d385296b12e9f5d5 ]
There is a potential crash issue when disabling and re-enabling the
network port. When disabling the network port, phy_detach() calls
device_link_del() to remove the device link, but it does not clear
phydev->devlink, so phydev->devlink is not a NULL pointer. Then the
network port is re-enabled, but if phy_attach_direct() fails before
calling device_link_add(), the code jumps to the "error" label and
calls phy_detach(). Since phydev->devlink retains the old value from
the previous attach/detach cycle, device_link_del() uses the old value,
which accesses a NULL pointer and causes a crash. The simplified crash
log is as follows.
[ 24.702421] Call trace:
[ 24.704856] device_link_put_kref+0x20/0x120
[ 24.709124] device_link_del+0x30/0x48
[ 24.712864] phy_detach+0x24/0x168
[ 24.716261] phy_attach_direct+0x168/0x3a4
[ 24.720352] phylink_fwnode_phy_connect+0xc8/0x14c
[ 24.725140] phylink_of_phy_connect+0x1c/0x34
Therefore, phydev->devlink needs to be cleared when the device link is
deleted.
Fixes: bc66fa87d4fd ("net: phy: Add link between phy dev and mac dev")
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20250523083759.3741168-1-wei.fang@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/phy_device.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
index ec2a3d16b1a2d..cde0e80474a1d 100644
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -1806,8 +1806,10 @@ void phy_detach(struct phy_device *phydev)
struct module *ndev_owner = NULL;
struct mii_bus *bus;
- if (phydev->devlink)
+ if (phydev->devlink) {
device_link_del(phydev->devlink);
+ phydev->devlink = NULL;
+ }
if (phydev->sysfs_links) {
if (dev)
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 148/356] net: phy: fix up const issues in to_mdio_device() and to_phy_device()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 147/356] net: phy: clear phydev->devlink when the link is deleted Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 149/356] net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy Greg Kroah-Hartman
` (216 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Lobakin, Andrew Lunn,
Heiner Kallweit, Russell King, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit e9cb929670a1e98b592b30f03f06e9e20110f318 ]
Both to_mdio_device() and to_phy_device() "throw away" the const pointer
attribute passed to them and return a non-const pointer, which generally
is not a good thing overall. Fix this up by using container_of_const()
which was designed for this very problem.
Cc: Alexander Lobakin <alobakin@pm.me>
Cc: Andrew Lunn <andrew@lunn.ch>
Cc: Heiner Kallweit <hkallweit1@gmail.com>
Cc: Russell King <linux@armlinux.org.uk>
Fixes: 7eab14de73a8 ("mdio, phy: fix -Wshadow warnings triggered by nested container_of()")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2025052246-conduit-glory-8fc9@gregkh
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/mdio.h | 5 +----
include/linux/phy.h | 5 +----
2 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/include/linux/mdio.h b/include/linux/mdio.h
index 8fa23bdcedbf9..0bca1a960853f 100644
--- a/include/linux/mdio.h
+++ b/include/linux/mdio.h
@@ -44,10 +44,7 @@ struct mdio_device {
unsigned int reset_deassert_delay;
};
-static inline struct mdio_device *to_mdio_device(const struct device *dev)
-{
- return container_of(dev, struct mdio_device, dev);
-}
+#define to_mdio_device(__dev) container_of_const(__dev, struct mdio_device, dev)
/* struct mdio_driver_common: Common to all MDIO drivers */
struct mdio_driver_common {
diff --git a/include/linux/phy.h b/include/linux/phy.h
index 5aa30ee998104..a57e799b1de18 100644
--- a/include/linux/phy.h
+++ b/include/linux/phy.h
@@ -766,10 +766,7 @@ struct phy_device {
/* Generic phy_device::dev_flags */
#define PHY_F_NO_IRQ 0x80000000
-static inline struct phy_device *to_phy_device(const struct device *dev)
-{
- return container_of(to_mdio_device(dev), struct phy_device, mdio);
-}
+#define to_phy_device(__dev) container_of_const(to_mdio_device(__dev), struct phy_device, mdio)
/**
* struct phy_tdr_config - Configuration of a TDR raw test
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 149/356] net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 148/356] net: phy: fix up const issues in to_mdio_device() and to_phy_device() Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 150/356] net: phy: mscc: Fix memory leak when using one step timestamping Greg Kroah-Hartman
` (215 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thangaraj Samynathan, Andrew Lunn,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thangaraj Samynathan <thangaraj.s@microchip.com>
[ Upstream commit 68927eb52d0af04863584930db06075d2610e194 ]
rename the function to lan743x_hw_reset_phy to better describe it
operation.
Fixes: 23f0703c125be ("lan743x: Add main source files for new lan743x driver")
Signed-off-by: Thangaraj Samynathan <thangaraj.s@microchip.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20250526053048.287095-2-thangaraj.s@microchip.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microchip/lan743x_main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c
index f971d60484f06..781440d5756f3 100644
--- a/drivers/net/ethernet/microchip/lan743x_main.c
+++ b/drivers/net/ethernet/microchip/lan743x_main.c
@@ -1373,7 +1373,7 @@ static int lan743x_mac_set_mtu(struct lan743x_adapter *adapter, int new_mtu)
}
/* PHY */
-static int lan743x_phy_reset(struct lan743x_adapter *adapter)
+static int lan743x_hw_reset_phy(struct lan743x_adapter *adapter)
{
u32 data;
@@ -1407,7 +1407,7 @@ static void lan743x_phy_update_flowcontrol(struct lan743x_adapter *adapter,
static int lan743x_phy_init(struct lan743x_adapter *adapter)
{
- return lan743x_phy_reset(adapter);
+ return lan743x_hw_reset_phy(adapter);
}
static void lan743x_phy_link_status_change(struct net_device *netdev)
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 150/356] net: phy: mscc: Fix memory leak when using one step timestamping
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 149/356] net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 151/356] octeontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback Greg Kroah-Hartman
` (214 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Horatiu Vultur, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Horatiu Vultur <horatiu.vultur@microchip.com>
[ Upstream commit 846992645b25ec4253167e3f931e4597eb84af56 ]
Fix memory leak when running one-step timestamping. When running
one-step sync timestamping, the HW is configured to insert the TX time
into the frame, so there is no reason to keep the skb anymore. As in
this case the HW will never generate an interrupt to say that the frame
was timestamped, then the frame will never released.
Fix this by freeing the frame in case of one-step timestamping.
Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support")
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Link: https://patch.msgid.link/20250522115722.2827199-1-horatiu.vultur@microchip.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/mscc/mscc_ptp.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c
index cf728bfd83e22..af44b01f3d383 100644
--- a/drivers/net/phy/mscc/mscc_ptp.c
+++ b/drivers/net/phy/mscc/mscc_ptp.c
@@ -1165,18 +1165,24 @@ static void vsc85xx_txtstamp(struct mii_timestamper *mii_ts,
container_of(mii_ts, struct vsc8531_private, mii_ts);
if (!vsc8531->ptp->configured)
- return;
+ goto out;
- if (vsc8531->ptp->tx_type == HWTSTAMP_TX_OFF) {
- kfree_skb(skb);
- return;
- }
+ if (vsc8531->ptp->tx_type == HWTSTAMP_TX_OFF)
+ goto out;
+
+ if (vsc8531->ptp->tx_type == HWTSTAMP_TX_ONESTEP_SYNC)
+ if (ptp_msg_is_sync(skb, type))
+ goto out;
skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
mutex_lock(&vsc8531->ts_lock);
__skb_queue_tail(&vsc8531->ptp->tx_queue, skb);
mutex_unlock(&vsc8531->ts_lock);
+ return;
+
+out:
+ kfree_skb(skb);
}
static bool vsc85xx_rxtstamp(struct mii_timestamper *mii_ts,
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 151/356] octeontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 150/356] net: phy: mscc: Fix memory leak when using one step timestamping Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 152/356] calipso: Dont call calipso functions for AF_INET sk Greg Kroah-Hartman
` (213 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hariprasad Kelam, Simon Horman,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hariprasad Kelam <hkelam@marvell.com>
[ Upstream commit 67af4ec948e8ce3ea53a9cf614d01fddf172e56d ]
This patch addresses below issues,
1. Active traffic on the leaf node must be stopped before its send queue
is reassigned to the parent. This patch resolves the issue by marking
the node as 'Inner'.
2. During a system reboot, the interface receives TC_HTB_LEAF_DEL
and TC_HTB_LEAF_DEL_LAST callbacks to delete its HTB queues.
In the case of TC_HTB_LEAF_DEL_LAST, although the same send queue
is reassigned to the parent, the current logic still attempts to update
the real number of queues, leadning to below warnings
New queues can't be registered after device unregistration.
WARNING: CPU: 0 PID: 6475 at net/core/net-sysfs.c:1714
netdev_queue_update_kobjects+0x1e4/0x200
Fixes: 5e6808b4c68d ("octeontx2-pf: Add support for HTB offload")
Signed-off-by: Hariprasad Kelam <hkelam@marvell.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250522115842.1499666-1-hkelam@marvell.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/octeontx2/nic/qos.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/qos.c b/drivers/net/ethernet/marvell/octeontx2/nic/qos.c
index 37db19584c143..92861f102590f 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/qos.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/qos.c
@@ -1560,6 +1560,7 @@ static int otx2_qos_leaf_del_last(struct otx2_nic *pfvf, u16 classid, bool force
if (!node->is_static)
dwrr_del_node = true;
+ WRITE_ONCE(node->qid, OTX2_QOS_QID_INNER);
/* destroy the leaf node */
otx2_qos_disable_sq(pfvf, qid);
otx2_qos_destroy_node(pfvf, node);
@@ -1604,9 +1605,6 @@ static int otx2_qos_leaf_del_last(struct otx2_nic *pfvf, u16 classid, bool force
}
kfree(new_cfg);
- /* update tx_real_queues */
- otx2_qos_update_tx_netdev_queues(pfvf);
-
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 152/356] calipso: Dont call calipso functions for AF_INET sk.
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 151/356] octeontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 153/356] net: openvswitch: Fix the dead loop of MPLS parse Greg Kroah-Hartman
` (212 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzkaller, John Cheung,
Kuniyuki Iwashima, Paul Moore, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 6e9f2df1c550ead7cecb3e450af1105735020c92 ]
syzkaller reported a null-ptr-deref in txopt_get(). [0]
The offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo,
so struct ipv6_pinfo was NULL there.
However, this never happens for IPv6 sockets as inet_sk(sk)->pinet6
is always set in inet6_create(), meaning the socket was not IPv6 one.
The root cause is missing validation in netlbl_conn_setattr().
netlbl_conn_setattr() switches branches based on struct
sockaddr.sa_family, which is passed from userspace. However,
netlbl_conn_setattr() does not check if the address family matches
the socket.
The syzkaller must have called connect() for an IPv6 address on
an IPv4 socket.
We have a proper validation in tcp_v[46]_connect(), but
security_socket_connect() is called in the earlier stage.
Let's copy the validation to netlbl_conn_setattr().
[0]:
Oops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:txopt_get include/net/ipv6.h:390 [inline]
RIP: 0010:
Code: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00
RSP: 0018:ffff88811b8afc48 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c
RDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070
RBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e
R10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00
R13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80
FS: 00007f9019bd7640(0000) GS:ffff8882d2d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0
PKRU: 80000000
Call Trace:
<TASK>
calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557
netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177
selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569
selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline]
selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615
selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931
security_socket_connect+0x50/0xa0 security/security.c:4598
__sys_connect_file+0xa4/0x190 net/socket.c:2067
__sys_connect+0x12c/0x170 net/socket.c:2088
__do_sys_connect net/socket.c:2098 [inline]
__se_sys_connect net/socket.c:2095 [inline]
__x64_sys_connect+0x73/0xb0 net/socket.c:2095
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f901b61a12d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d
RDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003
RBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000
</TASK>
Modules linked in:
Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Reported-by: John Cheung <john.cs.hey@gmail.com>
Closes: https://lore.kernel.org/netdev/CAP=Rh=M1LzunrcQB1fSGauMrJrhL6GGps5cPAKzHJXj6GQV+-g@mail.gmail.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Link: https://patch.msgid.link/20250522221858.91240-1-kuniyu@amazon.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netlabel/netlabel_kapi.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 27511c90a26f4..75b645c1928db 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -1140,6 +1140,9 @@ int netlbl_conn_setattr(struct sock *sk,
break;
#if IS_ENABLED(CONFIG_IPV6)
case AF_INET6:
+ if (sk->sk_family != AF_INET6)
+ return -EAFNOSUPPORT;
+
addr6 = (struct sockaddr_in6 *)addr;
entry = netlbl_domhsh_getentry_af6(secattr->domain,
&addr6->sin6_addr);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 153/356] net: openvswitch: Fix the dead loop of MPLS parse
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 152/356] calipso: Dont call calipso functions for AF_INET sk Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 154/356] net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames Greg Kroah-Hartman
` (211 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Faicker Mo, Ilya Maximets,
Aaron Conole, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Faicker Mo <faicker.mo@zenlayer.com>
[ Upstream commit 0bdc924bfb319fb10d1113cbf091fc26fb7b1f99 ]
The unexpected MPLS packet may not end with the bottom label stack.
When there are many stacks, The label count value has wrapped around.
A dead loop occurs, soft lockup/CPU stuck finally.
stack backtrace:
UBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26
index -1 is out of range for type '__be32 [3]'
CPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G OE 5.15.0-121-generic #131-Ubuntu
Hardware name: Dell Inc. PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021
Call Trace:
<IRQ>
show_stack+0x52/0x5c
dump_stack_lvl+0x4a/0x63
dump_stack+0x10/0x16
ubsan_epilogue+0x9/0x36
__ubsan_handle_out_of_bounds.cold+0x44/0x49
key_extract_l3l4+0x82a/0x840 [openvswitch]
? kfree_skbmem+0x52/0xa0
key_extract+0x9c/0x2b0 [openvswitch]
ovs_flow_key_extract+0x124/0x350 [openvswitch]
ovs_vport_receive+0x61/0xd0 [openvswitch]
? kernel_init_free_pages.part.0+0x4a/0x70
? get_page_from_freelist+0x353/0x540
netdev_port_receive+0xc4/0x180 [openvswitch]
? netdev_port_receive+0x180/0x180 [openvswitch]
netdev_frame_hook+0x1f/0x40 [openvswitch]
__netif_receive_skb_core.constprop.0+0x23a/0xf00
__netif_receive_skb_list_core+0xfa/0x240
netif_receive_skb_list_internal+0x18e/0x2a0
napi_complete_done+0x7a/0x1c0
bnxt_poll+0x155/0x1c0 [bnxt_en]
__napi_poll+0x30/0x180
net_rx_action+0x126/0x280
? bnxt_msix+0x67/0x80 [bnxt_en]
handle_softirqs+0xda/0x2d0
irq_exit_rcu+0x96/0xc0
common_interrupt+0x8e/0xa0
</IRQ>
Fixes: fbdcdd78da7c ("Change in Openvswitch to support MPLS label depth of 3 in ingress direction")
Signed-off-by: Faicker Mo <faicker.mo@zenlayer.com>
Acked-by: Ilya Maximets <i.maximets@ovn.org>
Reviewed-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/259D3404-575D-4A6D-B263-1DF59A67CF89@zenlayer.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/flow.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index 8a848ce72e291..b80bd3a907739 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -788,7 +788,7 @@ static int key_extract_l3l4(struct sk_buff *skb, struct sw_flow_key *key)
memset(&key->ipv4, 0, sizeof(key->ipv4));
}
} else if (eth_p_mpls(key->eth.type)) {
- u8 label_count = 1;
+ size_t label_count = 1;
memset(&key->mpls, 0, sizeof(key->mpls));
skb_set_inner_network_header(skb, skb->mac_len);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 154/356] net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 153/356] net: openvswitch: Fix the dead loop of MPLS parse Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 155/356] f2fs: use d_inode(dentry) cleanup dentry->d_inode Greg Kroah-Hartman
` (210 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Horatiu Vultur, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Horatiu Vultur <horatiu.vultur@microchip.com>
[ Upstream commit 57a92d14659df3e7e7e0052358c8cc68bbbc3b5e ]
We have noticed that when PHY timestamping is enabled, L2 frames seems
to be modified by changing two 2 bytes with a value of 0. The place were
these 2 bytes seems to be random(or I couldn't find a pattern). In most
of the cases the userspace can ignore these frames but if for example
those 2 bytes are in the correction field there is nothing to do. This
seems to happen when configuring the HW for IPv4 even that the flow is
not enabled.
These 2 bytes correspond to the UDPv4 checksum and once we don't enable
clearing the checksum when using L2 frames then the frame doesn't seem
to be changed anymore.
Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support")
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Link: https://patch.msgid.link/20250523082716.2935895-1-horatiu.vultur@microchip.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/mscc/mscc_ptp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c
index af44b01f3d383..7e7ce79eadffb 100644
--- a/drivers/net/phy/mscc/mscc_ptp.c
+++ b/drivers/net/phy/mscc/mscc_ptp.c
@@ -943,7 +943,9 @@ static int vsc85xx_ip1_conf(struct phy_device *phydev, enum ts_blk blk,
/* UDP checksum offset in IPv4 packet
* according to: https://tools.ietf.org/html/rfc768
*/
- val |= IP1_NXT_PROT_UDP_CHKSUM_OFF(26) | IP1_NXT_PROT_UDP_CHKSUM_CLEAR;
+ val |= IP1_NXT_PROT_UDP_CHKSUM_OFF(26);
+ if (enable)
+ val |= IP1_NXT_PROT_UDP_CHKSUM_CLEAR;
vsc85xx_ts_write_csr(phydev, blk, MSCC_ANA_IP1_NXT_PROT_UDP_CHKSUM,
val);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 155/356] f2fs: use d_inode(dentry) cleanup dentry->d_inode
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 154/356] net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 156/356] f2fs: fix to correct check conditions in f2fs_cross_rename Greg Kroah-Hartman
` (209 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhiguo Niu, Chao Yu, Jaegeuk Kim,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhiguo Niu <zhiguo.niu@unisoc.com>
[ Upstream commit a6c397a31f58a1d577c2c8d04b624e9baa31951c ]
no logic changes.
Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/namei.c | 8 ++++----
fs/f2fs/super.c | 4 ++--
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
index 2e08e1fdf485c..58ab04aff6bff 100644
--- a/fs/f2fs/namei.c
+++ b/fs/f2fs/namei.c
@@ -411,7 +411,7 @@ static int f2fs_link(struct dentry *old_dentry, struct inode *dir,
if (is_inode_flag_set(dir, FI_PROJ_INHERIT) &&
(!projid_eq(F2FS_I(dir)->i_projid,
- F2FS_I(old_dentry->d_inode)->i_projid)))
+ F2FS_I(inode)->i_projid)))
return -EXDEV;
err = f2fs_dquot_initialize(dir);
@@ -905,7 +905,7 @@ static int f2fs_rename(struct mnt_idmap *idmap, struct inode *old_dir,
if (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
(!projid_eq(F2FS_I(new_dir)->i_projid,
- F2FS_I(old_dentry->d_inode)->i_projid)))
+ F2FS_I(old_inode)->i_projid)))
return -EXDEV;
/*
@@ -1101,10 +1101,10 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry,
if ((is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
!projid_eq(F2FS_I(new_dir)->i_projid,
- F2FS_I(old_dentry->d_inode)->i_projid)) ||
+ F2FS_I(old_inode)->i_projid)) ||
(is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
!projid_eq(F2FS_I(old_dir)->i_projid,
- F2FS_I(new_dentry->d_inode)->i_projid)))
+ F2FS_I(new_inode)->i_projid)))
return -EXDEV;
err = f2fs_dquot_initialize(old_dir);
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 4cc87921aac3e..6b3cafbe98672 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1849,9 +1849,9 @@ static int f2fs_statfs(struct dentry *dentry, struct kstatfs *buf)
buf->f_fsid = u64_to_fsid(id);
#ifdef CONFIG_QUOTA
- if (is_inode_flag_set(dentry->d_inode, FI_PROJ_INHERIT) &&
+ if (is_inode_flag_set(d_inode(dentry), FI_PROJ_INHERIT) &&
sb_has_quota_limits_enabled(sb, PRJQUOTA)) {
- f2fs_statfs_project(sb, F2FS_I(dentry->d_inode)->i_projid, buf);
+ f2fs_statfs_project(sb, F2FS_I(d_inode(dentry))->i_projid, buf);
}
#endif
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 156/356] f2fs: fix to correct check conditions in f2fs_cross_rename
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 155/356] f2fs: use d_inode(dentry) cleanup dentry->d_inode Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 157/356] arm64: dts: qcom: sdm845-starqltechn: remove wifi Greg Kroah-Hartman
` (208 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhiguo Niu, Chao Yu, Jaegeuk Kim,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhiguo Niu <zhiguo.niu@unisoc.com>
[ Upstream commit 9883494c45a13dc88d27dde4f988c04823b42a2f ]
Should be "old_dir" here.
Fixes: 5c57132eaf52 ("f2fs: support project quota")
Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/namei.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
index 58ab04aff6bff..4d6f0a6365fe1 100644
--- a/fs/f2fs/namei.c
+++ b/fs/f2fs/namei.c
@@ -1102,7 +1102,7 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry,
if ((is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
!projid_eq(F2FS_I(new_dir)->i_projid,
F2FS_I(old_inode)->i_projid)) ||
- (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
+ (is_inode_flag_set(old_dir, FI_PROJ_INHERIT) &&
!projid_eq(F2FS_I(old_dir)->i_projid,
F2FS_I(new_inode)->i_projid)))
return -EXDEV;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 157/356] arm64: dts: qcom: sdm845-starqltechn: remove wifi
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 156/356] f2fs: fix to correct check conditions in f2fs_cross_rename Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 158/356] arm64: dts: qcom: sdm845-starqltechn: fix usb regulator mistake Greg Kroah-Hartman
` (207 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Dzmitry Sankouski,
Bryan ODonoghue, Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dzmitry Sankouski <dsankouski@gmail.com>
[ Upstream commit 2d3dd4b237638853b8a99353401ab8d88a6afb6c ]
Starqltechn has broadcom chip for wifi, so sdm845 wifi part
can be disabled.
Fixes: d711b22eee55 ("arm64: dts: qcom: starqltechn: add initial device tree for starqltechn")
Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Signed-off-by: Dzmitry Sankouski <dsankouski@gmail.com>
Fixes: d711b22eee55 ("arm64: dts: qcom: starqltechn: add initial device tree for starqltechn")
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Link: https://lore.kernel.org/r/20250225-starqltechn_integration_upstream-v9-2-a5d80375cb66@gmail.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts | 8 --------
1 file changed, 8 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
index d37a433130b98..6fc30fd1262b8 100644
--- a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
+++ b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
@@ -418,14 +418,6 @@
status = "okay";
};
-&wifi {
- vdd-0.8-cx-mx-supply = <&vreg_l5a_0p8>;
- vdd-1.8-xo-supply = <&vreg_l7a_1p8>;
- vdd-1.3-rfa-supply = <&vreg_l17a_1p3>;
- vdd-3.3-ch0-supply = <&vreg_l25a_3p3>;
- status = "okay";
-};
-
&tlmm {
gpio-reserved-ranges = <0 4>, <27 4>, <81 4>, <85 4>;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 158/356] arm64: dts: qcom: sdm845-starqltechn: fix usb regulator mistake
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 157/356] arm64: dts: qcom: sdm845-starqltechn: remove wifi Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 159/356] arm64: dts: qcom: sdm845-starqltechn: refactor node order Greg Kroah-Hartman
` (206 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Dzmitry Sankouski,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dzmitry Sankouski <dsankouski@gmail.com>
[ Upstream commit 242e4126ee007b95765c21a9d74651fdcf221f2b ]
Usb regulator was wrongly pointed to vreg_l1a_0p875.
However, on starqltechn it's powered from vreg_l5a_0p8.
Fixes: d711b22eee55 ("arm64: dts: qcom: starqltechn: add initial device tree for starqltechn")
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Dzmitry Sankouski <dsankouski@gmail.com>
Link: https://lore.kernel.org/r/20250225-starqltechn_integration_upstream-v9-3-a5d80375cb66@gmail.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
index 6fc30fd1262b8..f3f2b25883d81 100644
--- a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
+++ b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
@@ -135,8 +135,6 @@
vdda_sp_sensor:
vdda_ufs1_core:
vdda_ufs2_core:
- vdda_usb1_ss_core:
- vdda_usb2_ss_core:
vreg_l1a_0p875: ldo1 {
regulator-min-microvolt = <880000>;
regulator-max-microvolt = <880000>;
@@ -157,6 +155,7 @@
regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
};
+ vdda_usb1_ss_core:
vdd_wcss_cx:
vdd_wcss_mx:
vdda_wcss_pll:
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 159/356] arm64: dts: qcom: sdm845-starqltechn: refactor node order
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 158/356] arm64: dts: qcom: sdm845-starqltechn: fix usb regulator mistake Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 160/356] arm64: dts: qcom: sdm845-starqltechn: remove excess reserved gpios Greg Kroah-Hartman
` (205 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dzmitry Sankouski, Bjorn Andersson,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dzmitry Sankouski <dsankouski@gmail.com>
[ Upstream commit cba1dd3d851ebc1b6c5ae4000208a9753320694b ]
Fixes: d711b22eee55 ("arm64: dts: qcom: starqltechn: add initial device tree for starqltechn")
Signed-off-by: Dzmitry Sankouski <dsankouski@gmail.com>
Link: https://lore.kernel.org/r/20250225-starqltechn_integration_upstream-v9-4-a5d80375cb66@gmail.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
index f3f2b25883d81..8a0d63bd594b3 100644
--- a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
+++ b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
@@ -382,8 +382,8 @@
};
&sdhc_2 {
- pinctrl-names = "default";
pinctrl-0 = <&sdc2_clk_state &sdc2_cmd_state &sdc2_data_state &sd_card_det_n_state>;
+ pinctrl-names = "default";
cd-gpios = <&tlmm 126 GPIO_ACTIVE_LOW>;
vmmc-supply = <&vreg_l21a_2p95>;
vqmmc-supply = <&vddpx_2>;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 160/356] arm64: dts: qcom: sdm845-starqltechn: remove excess reserved gpios
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 159/356] arm64: dts: qcom: sdm845-starqltechn: refactor node order Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 161/356] arm64: dts: qcom: sm8350: Reenable crypto & cryptobam Greg Kroah-Hartman
` (204 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Dzmitry Sankouski,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dzmitry Sankouski <dsankouski@gmail.com>
[ Upstream commit fb5fce873b952f8b1c5f7edcabcc8611ef45ea7a ]
Starqltechn has 2 reserved gpio ranges <27 4>, <85 4>.
<27 4> is spi for eSE(embedded Secure Element).
<85 4> is spi for fingerprint.
Remove excess reserved gpio regions.
Fixes: d711b22eee55 ("arm64: dts: qcom: starqltechn: add initial device tree for starqltechn")
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Dzmitry Sankouski <dsankouski@gmail.com>
Link: https://lore.kernel.org/r/20250225-starqltechn_integration_upstream-v9-5-a5d80375cb66@gmail.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
index 8a0d63bd594b3..5948b401165ce 100644
--- a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
+++ b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
@@ -418,7 +418,8 @@
};
&tlmm {
- gpio-reserved-ranges = <0 4>, <27 4>, <81 4>, <85 4>;
+ gpio-reserved-ranges = <27 4>, /* SPI (eSE - embedded Secure Element) */
+ <85 4>; /* SPI (fingerprint reader) */
sdc2_clk_state: sdc2-clk-state {
pins = "sdc2_clk";
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 161/356] arm64: dts: qcom: sm8350: Reenable crypto & cryptobam
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 160/356] arm64: dts: qcom: sdm845-starqltechn: remove excess reserved gpios Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 162/356] arm64: dts: qcom: sm8250: Fix CPU7 opp table Greg Kroah-Hartman
` (203 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Weiss, Stephan Gerhold,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Weiss <luca.weiss@fairphone.com>
[ Upstream commit 75eefd474469abf95aa9ef6da8161d69f86b98b4 ]
When num-channels and qcom,num-ees is not provided in devicetree, the
driver will try to read these values from the registers during probe but
this fails if the interconnect is not on and then crashes the system.
So we can provide these properties in devicetree (queried after patching
BAM driver to enable the necessary interconnect) so we can probe
cryptobam without reading registers and then also use the QCE as
expected.
Fixes: 4d29db204361 ("arm64: dts: qcom: sm8350: fix BAM DMA crash and reboot")
Fixes: f1040a7fe8f0 ("arm64: dts: qcom: sm8350: Add Crypto Engine support")
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Link: https://lore.kernel.org/r/20250212-bam-dma-fixes-v1-1-f560889e65d8@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8350.dtsi | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8350.dtsi b/arch/arm64/boot/dts/qcom/sm8350.dtsi
index 5376c0a00fab6..215782b1970df 100644
--- a/arch/arm64/boot/dts/qcom/sm8350.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8350.dtsi
@@ -1754,11 +1754,11 @@
interrupts = <GIC_SPI 272 IRQ_TYPE_LEVEL_HIGH>;
#dma-cells = <1>;
qcom,ee = <0>;
+ qcom,num-ees = <4>;
+ num-channels = <16>;
qcom,controlled-remotely;
iommus = <&apps_smmu 0x594 0x0011>,
<&apps_smmu 0x596 0x0011>;
- /* FIXME: Probing BAM DMA causes some abort and system hang */
- status = "fail";
};
crypto: crypto@1dfa000 {
@@ -1770,8 +1770,6 @@
<&apps_smmu 0x596 0x0011>;
interconnects = <&aggre2_noc MASTER_CRYPTO 0 &mc_virt SLAVE_EBI1 0>;
interconnect-names = "memory";
- /* FIXME: dependency BAM DMA is disabled */
- status = "disabled";
};
ipa: ipa@1e40000 {
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 162/356] arm64: dts: qcom: sm8250: Fix CPU7 opp table
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 161/356] arm64: dts: qcom: sm8350: Reenable crypto & cryptobam Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 163/356] arm64: dts: qcom: sc8280xp-x13s: Drop duplicate DMIC supplies Greg Kroah-Hartman
` (202 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xilin Wu, Konrad Dybcio,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xilin Wu <wuxilin123@gmail.com>
[ Upstream commit 28f997b89967afdc0855d8aa7538b251fb44f654 ]
There is a typo in cpu7_opp9. Fix it to get rid of the following
errors.
[ 0.198043] cpu cpu7: Voltage update failed freq=1747200
[ 0.198052] cpu cpu7: failed to update OPP for freq=1747200
Fixes: 8e0e8016cb79 ("arm64: dts: qcom: sm8250: Add CPU opp tables")
Signed-off-by: Xilin Wu <wuxilin123@gmail.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250308-fix-sm8250-cpufreq-v1-1-8a0226721399@gmail.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8250.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8250.dtsi b/arch/arm64/boot/dts/qcom/sm8250.dtsi
index 21bbffc4e5a28..c9a7d1b75c658 100644
--- a/arch/arm64/boot/dts/qcom/sm8250.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8250.dtsi
@@ -601,7 +601,7 @@
};
cpu7_opp9: opp-1747200000 {
- opp-hz = /bits/ 64 <1708800000>;
+ opp-hz = /bits/ 64 <1747200000>;
opp-peak-kBps = <5412000 42393600>;
};
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 163/356] arm64: dts: qcom: sc8280xp-x13s: Drop duplicate DMIC supplies
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 162/356] arm64: dts: qcom: sm8250: Fix CPU7 opp table Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 164/356] ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select Greg Kroah-Hartman
` (201 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephan Gerhold, Bjorn Andersson,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephan Gerhold <stephan.gerhold@linaro.org>
[ Upstream commit a2e617f4e6981aa514a569e927f90b0d39bb31b2 ]
The WCD938x codec provides two controls for each of the MIC_BIASn outputs:
- "MIC BIASn" enables an internal regulator to generate the output
with a configurable voltage (qcom,micbiasN-microvolt).
- "VA MIC BIASn" enables "pull-up mode" that bypasses the internal
regulator and directly outputs fixed 1.8V from the VDD_PX pin.
This is intended for low-power VA (voice activation) use cases.
The audio-routing setup for the ThinkPad X13s currently specifies both
as power supplies for the DMICs, but only one of them can be active
at the same time. In practice, only the internal regulator is used
with the current setup because the driver prefers it over pull-up mode.
Make this more clear by dropping the redundant routes to the pull-up
"VA MIC BIASn" supply. There is no functional difference except that we
skip briefly switching to pull-up mode when shutting down the microphone.
Fixes: 2e498f35c385 ("arm64: dts: qcom: sc8280xp-x13s: fix va dmic dai links and routing")
Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Link: https://lore.kernel.org/r/20241203-x1e80100-va-mic-bias-v1-1-0dfd4d9b492c@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts | 3 ---
1 file changed, 3 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts b/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts
index 5c2894fcfa4a0..5498e84bfead0 100644
--- a/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts
+++ b/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts
@@ -985,9 +985,6 @@
"VA DMIC0", "MIC BIAS1",
"VA DMIC1", "MIC BIAS1",
"VA DMIC2", "MIC BIAS3",
- "VA DMIC0", "VA MIC BIAS1",
- "VA DMIC1", "VA MIC BIAS1",
- "VA DMIC2", "VA MIC BIAS3",
"TX SWR_ADC1", "ADC2_OUTPUT";
wcd-playback-dai-link {
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 164/356] ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 163/356] arm64: dts: qcom: sc8280xp-x13s: Drop duplicate DMIC supplies Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 165/356] ARM: dts: at91: at91sam9263: fix NAND chip selects Greg Kroah-Hartman
` (200 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Claudiu Beznea,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit 67ba341e57ab158423818ed33bfa1c40eb0e5e7e ]
Dataflash did not work on my board. After checking schematics and using
the proper GPIO, it works now. Also, make it active low to avoid:
flash@0 enforce active low on GPIO handle
Fixes: 2432d201468d ("ARM: at91: dt: usb-a9263: add dataflash support")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Link: https://lore.kernel.org/r/20250404112742.67416-2-wsa+renesas@sang-engineering.com
Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/microchip/usb_a9263.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/microchip/usb_a9263.dts b/arch/arm/boot/dts/microchip/usb_a9263.dts
index 45745915b2e16..25c643067b2ec 100644
--- a/arch/arm/boot/dts/microchip/usb_a9263.dts
+++ b/arch/arm/boot/dts/microchip/usb_a9263.dts
@@ -58,7 +58,7 @@
};
spi0: spi@fffa4000 {
- cs-gpios = <&pioB 15 GPIO_ACTIVE_HIGH>;
+ cs-gpios = <&pioA 5 GPIO_ACTIVE_LOW>;
status = "okay";
flash@0 {
compatible = "atmel,at45", "atmel,dataflash";
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 165/356] ARM: dts: at91: at91sam9263: fix NAND chip selects
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 164/356] ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 166/356] arm64: dts: mediatek: mt8195: Reparent vdec1/2 and venc1 power domains Greg Kroah-Hartman
` (199 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Alexandre Belloni,
Claudiu Beznea, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit c72ede1c24be689733bcd2233a3a56f2478429c8 ]
NAND did not work on my USB-A9263. I discovered that the offending
commit converted the PIO bank for chip selects wrongly, so all A9263
boards need to be fixed.
Fixes: 1004a2977bdc ("ARM: dts: at91: Switch to the new NAND bindings")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Link: https://lore.kernel.org/r/20250402210446.5972-2-wsa+renesas@sang-engineering.com
Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/microchip/at91sam9263ek.dts | 2 +-
arch/arm/boot/dts/microchip/tny_a9263.dts | 2 +-
arch/arm/boot/dts/microchip/usb_a9263.dts | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arm/boot/dts/microchip/at91sam9263ek.dts b/arch/arm/boot/dts/microchip/at91sam9263ek.dts
index ce8baff6a9f4e..e42e1a75a715d 100644
--- a/arch/arm/boot/dts/microchip/at91sam9263ek.dts
+++ b/arch/arm/boot/dts/microchip/at91sam9263ek.dts
@@ -152,7 +152,7 @@
nand@3 {
reg = <0x3 0x0 0x800000>;
rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>;
- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>;
+ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>;
nand-bus-width = <8>;
nand-ecc-mode = "soft";
nand-on-flash-bbt;
diff --git a/arch/arm/boot/dts/microchip/tny_a9263.dts b/arch/arm/boot/dts/microchip/tny_a9263.dts
index 62b7d9f9a926c..c8b6318aaa838 100644
--- a/arch/arm/boot/dts/microchip/tny_a9263.dts
+++ b/arch/arm/boot/dts/microchip/tny_a9263.dts
@@ -64,7 +64,7 @@
nand@3 {
reg = <0x3 0x0 0x800000>;
rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>;
- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>;
+ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>;
nand-bus-width = <8>;
nand-ecc-mode = "soft";
nand-on-flash-bbt;
diff --git a/arch/arm/boot/dts/microchip/usb_a9263.dts b/arch/arm/boot/dts/microchip/usb_a9263.dts
index 25c643067b2ec..454176ce6d3ff 100644
--- a/arch/arm/boot/dts/microchip/usb_a9263.dts
+++ b/arch/arm/boot/dts/microchip/usb_a9263.dts
@@ -84,7 +84,7 @@
nand@3 {
reg = <0x3 0x0 0x800000>;
rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>;
- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>;
+ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>;
nand-bus-width = <8>;
nand-ecc-mode = "soft";
nand-on-flash-bbt;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 166/356] arm64: dts: mediatek: mt8195: Reparent vdec1/2 and venc1 power domains
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 165/356] ARM: dts: at91: at91sam9263: fix NAND chip selects Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 167/356] arm64: dts: qcom: sdm660-xiaomi-lavender: Add missing SD card detect GPIO Greg Kroah-Hartman
` (198 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen-Yu Tsai,
AngeloGioacchino Del Regno, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
[ Upstream commit 394f29033324e2317bfd6a7ed99b9a60832b36a2 ]
By hardware, the first and second core of the video decoder IP
need the VDEC_SOC to be powered up in order to be able to be
accessed (both internally, by firmware, and externally, by the
kernel).
Similarly, for the video encoder IP, the second core needs the
first core to be powered up in order to be accessible.
Fix that by reparenting the VDEC1/2 power domains to be children
of VDEC0 (VDEC_SOC), and the VENC1 to be a child of VENC0.
Fixes: 2b515194bf0c ("arm64: dts: mt8195: Add power domains controller")
Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
Link: https://lore.kernel.org/r/20250402090615.25871-3-angelogioacchino.delregno@collabora.com
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt8195.dtsi | 50 +++++++++++++-----------
1 file changed, 27 insertions(+), 23 deletions(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt8195.dtsi b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
index 7ba30209ba9a9..22604d3abde3b 100644
--- a/arch/arm64/boot/dts/mediatek/mt8195.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
@@ -617,22 +617,6 @@
#size-cells = <0>;
#power-domain-cells = <1>;
- power-domain@MT8195_POWER_DOMAIN_VDEC1 {
- reg = <MT8195_POWER_DOMAIN_VDEC1>;
- clocks = <&vdecsys CLK_VDEC_LARB1>;
- clock-names = "vdec1-0";
- mediatek,infracfg = <&infracfg_ao>;
- #power-domain-cells = <0>;
- };
-
- power-domain@MT8195_POWER_DOMAIN_VENC_CORE1 {
- reg = <MT8195_POWER_DOMAIN_VENC_CORE1>;
- clocks = <&vencsys_core1 CLK_VENC_CORE1_LARB>;
- clock-names = "venc1-larb";
- mediatek,infracfg = <&infracfg_ao>;
- #power-domain-cells = <0>;
- };
-
power-domain@MT8195_POWER_DOMAIN_VDOSYS0 {
reg = <MT8195_POWER_DOMAIN_VDOSYS0>;
clocks = <&topckgen CLK_TOP_CFG_VDO0>,
@@ -678,15 +662,25 @@
clocks = <&vdecsys_soc CLK_VDEC_SOC_LARB1>;
clock-names = "vdec0-0";
mediatek,infracfg = <&infracfg_ao>;
+ #address-cells = <1>;
+ #size-cells = <0>;
#power-domain-cells = <0>;
- };
- power-domain@MT8195_POWER_DOMAIN_VDEC2 {
- reg = <MT8195_POWER_DOMAIN_VDEC2>;
- clocks = <&vdecsys_core1 CLK_VDEC_CORE1_LARB1>;
- clock-names = "vdec2-0";
- mediatek,infracfg = <&infracfg_ao>;
- #power-domain-cells = <0>;
+ power-domain@MT8195_POWER_DOMAIN_VDEC1 {
+ reg = <MT8195_POWER_DOMAIN_VDEC1>;
+ clocks = <&vdecsys CLK_VDEC_LARB1>;
+ clock-names = "vdec1-0";
+ mediatek,infracfg = <&infracfg_ao>;
+ #power-domain-cells = <0>;
+ };
+
+ power-domain@MT8195_POWER_DOMAIN_VDEC2 {
+ reg = <MT8195_POWER_DOMAIN_VDEC2>;
+ clocks = <&vdecsys_core1 CLK_VDEC_CORE1_LARB1>;
+ clock-names = "vdec2-0";
+ mediatek,infracfg = <&infracfg_ao>;
+ #power-domain-cells = <0>;
+ };
};
power-domain@MT8195_POWER_DOMAIN_VENC {
@@ -694,7 +688,17 @@
clocks = <&vencsys CLK_VENC_LARB>;
clock-names = "venc0-larb";
mediatek,infracfg = <&infracfg_ao>;
+ #address-cells = <1>;
+ #size-cells = <0>;
#power-domain-cells = <0>;
+
+ power-domain@MT8195_POWER_DOMAIN_VENC_CORE1 {
+ reg = <MT8195_POWER_DOMAIN_VENC_CORE1>;
+ clocks = <&vencsys_core1 CLK_VENC_CORE1_LARB>;
+ clock-names = "venc1-larb";
+ mediatek,infracfg = <&infracfg_ao>;
+ #power-domain-cells = <0>;
+ };
};
power-domain@MT8195_POWER_DOMAIN_VDOSYS1 {
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 167/356] arm64: dts: qcom: sdm660-xiaomi-lavender: Add missing SD card detect GPIO
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 166/356] arm64: dts: mediatek: mt8195: Reparent vdec1/2 and venc1 power domains Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 168/356] arm64: dts: imx8mm-beacon: Fix RTC capacitive load Greg Kroah-Hartman
` (197 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Minnekhanov, Dmitry Baryshkov,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Minnekhanov <alexeymin@postmarketos.org>
[ Upstream commit 2eca6af66709de0d1ba14cdf8b6d200a1337a3a2 ]
During initial porting these cd-gpios were missed. Having card detect is
beneficial because driver does not need to do polling every second and it
can just use IRQ. SD card detection in U-Boot is also fixed by this.
Fixes: cf85e9aee210 ("arm64: dts: qcom: sdm660-xiaomi-lavender: Add eMMC and SD")
Signed-off-by: Alexey Minnekhanov <alexeymin@postmarketos.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250415130101.1429281-1-alexeymin@postmarketos.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
index 3c47410ba94c0..ec4245bbfffaf 100644
--- a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
+++ b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
@@ -404,6 +404,8 @@
&sdhc_2 {
status = "okay";
+ cd-gpios = <&tlmm 54 GPIO_ACTIVE_HIGH>;
+
vmmc-supply = <&vreg_l5b_2p95>;
vqmmc-supply = <&vreg_l2b_2p95>;
};
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 168/356] arm64: dts: imx8mm-beacon: Fix RTC capacitive load
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 167/356] arm64: dts: qcom: sdm660-xiaomi-lavender: Add missing SD card detect GPIO Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 169/356] arm64: dts: imx8mn-beacon: " Greg Kroah-Hartman
` (196 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Adam Ford, Shawn Guo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adam Ford <aford173@gmail.com>
[ Upstream commit 2e98d456666d63f897ba153210bcef9d78ba0f3a ]
Although not noticeable when used every day, the RTC appears to drift when
left to sit over time. This is due to the capacitive load not being
properly set. Fix RTC drift by correcting the capacitive load setting
from 7000 to 12500, which matches the actual hardware configuration.
Fixes: 593816fa2f35 ("arm64: dts: imx: Add Beacon i.MX8m-Mini development kit")
Signed-off-by: Adam Ford <aford173@gmail.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
index f264102bdb274..8ab0e45f2ad31 100644
--- a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
@@ -231,6 +231,7 @@
rtc: rtc@51 {
compatible = "nxp,pcf85263";
reg = <0x51>;
+ quartz-load-femtofarads = <12500>;
};
};
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 169/356] arm64: dts: imx8mn-beacon: Fix RTC capacitive load
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 168/356] arm64: dts: imx8mm-beacon: Fix RTC capacitive load Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 170/356] arm64: dts: imx8mp-beacon: " Greg Kroah-Hartman
` (195 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adam Ford, Frank Li, Shawn Guo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adam Ford <aford173@gmail.com>
[ Upstream commit c3f03bec30efd5082b55876846d57b5d17dae7b9 ]
Although not noticeable when used every day, the RTC appears to drift when
left to sit over time. This is due to the capacitive load not being
properly set. Fix RTC drift by correcting the capacitive load setting
from 7000 to 12500, which matches the actual hardware configuration.
Fixes: 36ca3c8ccb53 ("arm64: dts: imx: Add Beacon i.MX8M Nano development kit")
Signed-off-by: Adam Ford <aford173@gmail.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
index 90073b16536f4..1760062e6ffcf 100644
--- a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
@@ -240,6 +240,7 @@
rtc: rtc@51 {
compatible = "nxp,pcf85263";
reg = <0x51>;
+ quartz-load-femtofarads = <12500>;
};
};
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 170/356] arm64: dts: imx8mp-beacon: Fix RTC capacitive load
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 169/356] arm64: dts: imx8mn-beacon: " Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 171/356] arm64: dts: imx8mm-beacon: Set SAI5 MCLK direction to output for HDMI audio Greg Kroah-Hartman
` (194 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adam Ford, Frank Li, Shawn Guo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adam Ford <aford173@gmail.com>
[ Upstream commit 6821ee17537938e919e8b86a541aae451f73165b ]
Although not noticeable when used every day, the RTC appears to drift when
left to sit over time. This is due to the capacitive load not being
properly set. Fix RTC drift by correcting the capacitive load setting
from 7000 to 12500, which matches the actual hardware configuration.
Fixes: 25a5ccdce767 ("arm64: dts: freescale: Introduce imx8mp-beacon-kit")
Signed-off-by: Adam Ford <aford173@gmail.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-beacon-som.dtsi | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-beacon-som.dtsi
index e5da908047808..24380f8a00850 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-beacon-som.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mp-beacon-som.dtsi
@@ -192,6 +192,7 @@
rtc: rtc@51 {
compatible = "nxp,pcf85263";
reg = <0x51>;
+ quartz-load-femtofarads = <12500>;
};
};
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 171/356] arm64: dts: imx8mm-beacon: Set SAI5 MCLK direction to output for HDMI audio
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 170/356] arm64: dts: imx8mp-beacon: " Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 172/356] arm64: dts: imx8mn-beacon: " Greg Kroah-Hartman
` (193 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adam Ford, Frank Li, Shawn Guo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adam Ford <aford173@gmail.com>
[ Upstream commit 8c716f80dfe8cd6ed9a2696847cea1affeeff6ff ]
The HDMI bridge chip fails to generate an audio source due to the SAI5
master clock (MCLK) direction not being set to output. This prevents proper
clocking of the HDMI audio interface.
Add the `fsl,sai-mclk-direction-output` property to the SAI5 node to ensure
the MCLK is driven by the SoC, resolving the HDMI sound issue.
Fixes: 8ad7d14d99f3 ("arm64: dts: imx8mm-beacon: Add HDMI video with sound")
Signed-off-by: Adam Ford <aford173@gmail.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mm-beacon-kit.dts | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/boot/dts/freescale/imx8mm-beacon-kit.dts b/arch/arm64/boot/dts/freescale/imx8mm-beacon-kit.dts
index 905c98cb080d2..a6e6860bf0184 100644
--- a/arch/arm64/boot/dts/freescale/imx8mm-beacon-kit.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mm-beacon-kit.dts
@@ -124,6 +124,7 @@
assigned-clock-parents = <&clk IMX8MM_AUDIO_PLL1_OUT>;
assigned-clock-rates = <24576000>;
#sound-dai-cells = <0>;
+ fsl,sai-mclk-direction-output;
status = "okay";
};
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 172/356] arm64: dts: imx8mn-beacon: Set SAI5 MCLK direction to output for HDMI audio
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 171/356] arm64: dts: imx8mm-beacon: Set SAI5 MCLK direction to output for HDMI audio Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 173/356] arm64: dts: mediatek: mt6357: Drop regulator-fixed compatibles Greg Kroah-Hartman
` (192 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adam Ford, Frank Li, Shawn Guo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adam Ford <aford173@gmail.com>
[ Upstream commit a747c4dd2a60c4d0179b372032a4b98548135096 ]
The HDMI bridge chip fails to generate an audio source due to the SAI5
master clock (MCLK) direction not being set to output. This prevents proper
clocking of the HDMI audio interface.
Add the `fsl,sai-mclk-direction-output` property to the SAI5 node to ensure
the MCLK is driven by the SoC, resolving the HDMI sound issue.
Fixes: 1d6880ceef43 ("arm64: dts: imx8mn-beacon: Add HDMI video with sound")
Signed-off-by: Adam Ford <aford173@gmail.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mn-beacon-kit.dts | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/boot/dts/freescale/imx8mn-beacon-kit.dts b/arch/arm64/boot/dts/freescale/imx8mn-beacon-kit.dts
index 35b8d2060cd99..dfa08be33a4f2 100644
--- a/arch/arm64/boot/dts/freescale/imx8mn-beacon-kit.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mn-beacon-kit.dts
@@ -126,6 +126,7 @@
assigned-clock-parents = <&clk IMX8MN_AUDIO_PLL1_OUT>;
assigned-clock-rates = <24576000>;
#sound-dai-cells = <0>;
+ fsl,sai-mclk-direction-output;
status = "okay";
};
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 173/356] arm64: dts: mediatek: mt6357: Drop regulator-fixed compatibles
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 172/356] arm64: dts: imx8mn-beacon: " Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 174/356] arm64: dts: mt6359: Add missing compatible property to regulators node Greg Kroah-Hartman
` (191 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nícolas F . R . A . Prado,
AngeloGioacchino Del Regno, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nícolas F. R. A. Prado <nfraprado@collabora.com>
[ Upstream commit d77e89b7b03fb945b4353f2dcc4a70b34baa7bcb ]
Some of the regulators in the MT6357 PMIC dtsi have compatible set to
regulator-fixed, even though they don't serve any purpose: all those
regulators are handled as a whole by the mt6357-regulator driver. In
fact this is the only dtsi in this family of chips where this is the
case: mt6359 and mt6358 don't have any such compatibles.
A side-effect caused by this is that the DT kselftest, which is supposed
to identify nodes with compatibles that can be probed, but haven't,
shows these nodes as failures.
Remove the useless compatibles to move the dtsi in line with the others
in its family and fix the DT kselftest failures.
Fixes: 55749bb478f8 ("arm64: dts: mediatek: add mt6357 device-tree")
Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
Link: https://lore.kernel.org/r/20250502-mt6357-regulator-fixed-compatibles-removal-v1-1-a582c16743fe@collabora.com
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt6357.dtsi | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt6357.dtsi b/arch/arm64/boot/dts/mediatek/mt6357.dtsi
index 5fafa842d312f..dca4e5c3d8e21 100644
--- a/arch/arm64/boot/dts/mediatek/mt6357.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt6357.dtsi
@@ -60,7 +60,6 @@
};
mt6357_vfe28_reg: ldo-vfe28 {
- compatible = "regulator-fixed";
regulator-name = "vfe28";
regulator-min-microvolt = <2800000>;
regulator-max-microvolt = <2800000>;
@@ -75,7 +74,6 @@
};
mt6357_vrf18_reg: ldo-vrf18 {
- compatible = "regulator-fixed";
regulator-name = "vrf18";
regulator-min-microvolt = <1800000>;
regulator-max-microvolt = <1800000>;
@@ -83,7 +81,6 @@
};
mt6357_vrf12_reg: ldo-vrf12 {
- compatible = "regulator-fixed";
regulator-name = "vrf12";
regulator-min-microvolt = <1200000>;
regulator-max-microvolt = <1200000>;
@@ -112,7 +109,6 @@
};
mt6357_vcn28_reg: ldo-vcn28 {
- compatible = "regulator-fixed";
regulator-name = "vcn28";
regulator-min-microvolt = <2800000>;
regulator-max-microvolt = <2800000>;
@@ -120,7 +116,6 @@
};
mt6357_vcn18_reg: ldo-vcn18 {
- compatible = "regulator-fixed";
regulator-name = "vcn18";
regulator-min-microvolt = <1800000>;
regulator-max-microvolt = <1800000>;
@@ -142,7 +137,6 @@
};
mt6357_vcamio_reg: ldo-vcamio18 {
- compatible = "regulator-fixed";
regulator-name = "vcamio";
regulator-min-microvolt = <1800000>;
regulator-max-microvolt = <1800000>;
@@ -175,7 +169,6 @@
};
mt6357_vaux18_reg: ldo-vaux18 {
- compatible = "regulator-fixed";
regulator-name = "vaux18";
regulator-min-microvolt = <1800000>;
regulator-max-microvolt = <1800000>;
@@ -183,7 +176,6 @@
};
mt6357_vaud28_reg: ldo-vaud28 {
- compatible = "regulator-fixed";
regulator-name = "vaud28";
regulator-min-microvolt = <2800000>;
regulator-max-microvolt = <2800000>;
@@ -191,7 +183,6 @@
};
mt6357_vio28_reg: ldo-vio28 {
- compatible = "regulator-fixed";
regulator-name = "vio28";
regulator-min-microvolt = <2800000>;
regulator-max-microvolt = <2800000>;
@@ -199,7 +190,6 @@
};
mt6357_vio18_reg: ldo-vio18 {
- compatible = "regulator-fixed";
regulator-name = "vio18";
regulator-min-microvolt = <1800000>;
regulator-max-microvolt = <1800000>;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 174/356] arm64: dts: mt6359: Add missing compatible property to regulators node
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 173/356] arm64: dts: mediatek: mt6357: Drop regulator-fixed compatibles Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 175/356] arm64: dts: qcom: sdm660-lavender: Add missing USB phy supply Greg Kroah-Hartman
` (190 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Julien Massot,
AngeloGioacchino Del Regno, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Julien Massot <julien.massot@collabora.com>
[ Upstream commit 1fe38d2a19950fa6dbc384ee8967c057aef9faf4 ]
The 'compatible' property is required by the
'mfd/mediatek,mt6397.yaml' binding. Add it to fix the following
dtb-check error:
mediatek/mt8395-radxa-nio-12l.dtb: pmic: regulators:
'compatible' is a required property
Fixes: 3b7d143be4b7 ("arm64: dts: mt6359: add PMIC MT6359 related nodes")
Signed-off-by: Julien Massot <julien.massot@collabora.com>
Link: https://lore.kernel.org/r/20250505-mt8395-dtb-errors-v1-3-9c4714dcdcdb@collabora.com
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt6359.dtsi | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/boot/dts/mediatek/mt6359.dtsi b/arch/arm64/boot/dts/mediatek/mt6359.dtsi
index 8e1b8c85c6ede..57af3e7899841 100644
--- a/arch/arm64/boot/dts/mediatek/mt6359.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt6359.dtsi
@@ -18,6 +18,8 @@
};
regulators {
+ compatible = "mediatek,mt6359-regulator";
+
mt6359_vs1_buck_reg: buck_vs1 {
regulator-name = "vs1";
regulator-min-microvolt = <800000>;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 175/356] arm64: dts: qcom: sdm660-lavender: Add missing USB phy supply
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 174/356] arm64: dts: mt6359: Add missing compatible property to regulators node Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 176/356] arm64: dts: qcom: sda660-ifc6560: Fix dt-validate warning Greg Kroah-Hartman
` (189 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Minnekhanov, Dmitry Baryshkov,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Minnekhanov <alexeymin@postmarketos.org>
[ Upstream commit dbf62a117a1b7f605a98dd1fd1fd6c85ec324ea0 ]
Fixes the following dtbs check error:
phy@c012000: 'vdda-pll-supply' is a required property
Fixes: e5d3e752b050e ("arm64: dts: qcom: sdm660-xiaomi-lavender: Add USB")
Signed-off-by: Alexey Minnekhanov <alexeymin@postmarketos.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250504115120.1432282-3-alexeymin@postmarketos.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
index ec4245bbfffaf..8221da390e1aa 100644
--- a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
+++ b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
@@ -107,6 +107,7 @@
status = "okay";
vdd-supply = <&vreg_l1b_0p925>;
+ vdda-pll-supply = <&vreg_l10a_1p8>;
vdda-phy-dpdm-supply = <&vreg_l7b_3p125>;
};
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 176/356] arm64: dts: qcom: sda660-ifc6560: Fix dt-validate warning
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 175/356] arm64: dts: qcom: sdm660-lavender: Add missing USB phy supply Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 177/356] arm64: dts: rockchip: Update eMMC for NanoPi R5 series Greg Kroah-Hartman
` (188 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Minnekhanov, Dmitry Baryshkov,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Minnekhanov <alexeymin@postmarketos.org>
[ Upstream commit f5110806b41eaa0eb0ab1bf2787876a580c6246c ]
If you remove clocks property, you should remove clock-names, too.
Fixes warning with dtbs check:
'clocks' is a dependency of 'clock-names'
Fixes: 34279d6e3f32c ("arm64: dts: qcom: sdm660: Add initial Inforce IFC6560 board support")
Signed-off-by: Alexey Minnekhanov <alexeymin@postmarketos.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250504115120.1432282-4-alexeymin@postmarketos.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts b/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts
index 2ed39d402d3f6..d687cfadee6a1 100644
--- a/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts
+++ b/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts
@@ -155,6 +155,7 @@
* BAM DMA interconnects support is in place.
*/
/delete-property/ clocks;
+ /delete-property/ clock-names;
};
&blsp1_uart2 {
@@ -167,6 +168,7 @@
* BAM DMA interconnects support is in place.
*/
/delete-property/ clocks;
+ /delete-property/ clock-names;
};
&blsp2_uart1 {
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 177/356] arm64: dts: rockchip: Update eMMC for NanoPi R5 series
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 176/356] arm64: dts: qcom: sda660-ifc6560: Fix dt-validate warning Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 178/356] arm64: tegra: Drop remaining serial clock-names and reset-names Greg Kroah-Hartman
` (187 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Robinson, Diederik de Haas,
Heiko Stuebner, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Robinson <pbrobinson@gmail.com>
[ Upstream commit 8eca9e979a1efbcc3d090f6eb3f4da621e7c87e0 ]
Add the 3.3v and 1.8v regulators that are connected to
the eMMC on the R5 series devices, as well as adding the
eMMC data strobe, and enable eMMC HS200 mode as the
Foresee FEMDNN0xxG-A3A55 modules support it.
Fixes: c8ec73b05a95d ("arm64: dts: rockchip: create common dtsi for NanoPi R5 series")
Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
Reviewed-by: Diederik de Haas <didi.debian@cknow.org>
Link: https://lore.kernel.org/r/20250506222531.625157-1-pbrobinson@gmail.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/rockchip/rk3568-nanopi-r5s.dtsi | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk3568-nanopi-r5s.dtsi b/arch/arm64/boot/dts/rockchip/rk3568-nanopi-r5s.dtsi
index 93189f8306400..c30354268c8f5 100644
--- a/arch/arm64/boot/dts/rockchip/rk3568-nanopi-r5s.dtsi
+++ b/arch/arm64/boot/dts/rockchip/rk3568-nanopi-r5s.dtsi
@@ -486,9 +486,12 @@
&sdhci {
bus-width = <8>;
max-frequency = <200000000>;
+ mmc-hs200-1_8v;
non-removable;
pinctrl-names = "default";
- pinctrl-0 = <&emmc_bus8 &emmc_clk &emmc_cmd>;
+ pinctrl-0 = <&emmc_bus8 &emmc_clk &emmc_cmd &emmc_datastrobe>;
+ vmmc-supply = <&vcc_3v3>;
+ vqmmc-supply = <&vcc_1v8>;
status = "okay";
};
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 178/356] arm64: tegra: Drop remaining serial clock-names and reset-names
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 177/356] arm64: dts: rockchip: Update eMMC for NanoPi R5 series Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 179/356] arm64: dts: ti: k3-j721e-common-proc-board: Enable OSPI1 on J721E Greg Kroah-Hartman
` (186 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aaron Kling, Thierry Reding,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aaron Kling <webgeek1234@gmail.com>
[ Upstream commit 4cd763297c2203c6ba587d7d4a9105f96597b998 ]
The referenced commit only removed some of the names, missing all that
weren't in use at the time. The commit removes the rest.
Fixes: 71de0a054d0e ("arm64: tegra: Drop serial clock-names and reset-names")
Signed-off-by: Aaron Kling <webgeek1234@gmail.com>
Link: https://lore.kernel.org/r/20250428-tegra-serial-fixes-v1-1-4f47c5d85bf6@gmail.com
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/nvidia/tegra186.dtsi | 12 ------------
arch/arm64/boot/dts/nvidia/tegra194.dtsi | 12 ------------
2 files changed, 24 deletions(-)
diff --git a/arch/arm64/boot/dts/nvidia/tegra186.dtsi b/arch/arm64/boot/dts/nvidia/tegra186.dtsi
index 2b3bb5d0af17b..f0b7949df92c0 100644
--- a/arch/arm64/boot/dts/nvidia/tegra186.dtsi
+++ b/arch/arm64/boot/dts/nvidia/tegra186.dtsi
@@ -621,9 +621,7 @@
reg-shift = <2>;
interrupts = <GIC_SPI 113 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&bpmp TEGRA186_CLK_UARTB>;
- clock-names = "serial";
resets = <&bpmp TEGRA186_RESET_UARTB>;
- reset-names = "serial";
status = "disabled";
};
@@ -633,9 +631,7 @@
reg-shift = <2>;
interrupts = <GIC_SPI 115 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&bpmp TEGRA186_CLK_UARTD>;
- clock-names = "serial";
resets = <&bpmp TEGRA186_RESET_UARTD>;
- reset-names = "serial";
status = "disabled";
};
@@ -645,9 +641,7 @@
reg-shift = <2>;
interrupts = <GIC_SPI 116 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&bpmp TEGRA186_CLK_UARTE>;
- clock-names = "serial";
resets = <&bpmp TEGRA186_RESET_UARTE>;
- reset-names = "serial";
status = "disabled";
};
@@ -657,9 +651,7 @@
reg-shift = <2>;
interrupts = <GIC_SPI 117 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&bpmp TEGRA186_CLK_UARTF>;
- clock-names = "serial";
resets = <&bpmp TEGRA186_RESET_UARTF>;
- reset-names = "serial";
status = "disabled";
};
@@ -1236,9 +1228,7 @@
reg-shift = <2>;
interrupts = <GIC_SPI 114 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&bpmp TEGRA186_CLK_UARTC>;
- clock-names = "serial";
resets = <&bpmp TEGRA186_RESET_UARTC>;
- reset-names = "serial";
status = "disabled";
};
@@ -1248,9 +1238,7 @@
reg-shift = <2>;
interrupts = <GIC_SPI 118 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&bpmp TEGRA186_CLK_UARTG>;
- clock-names = "serial";
resets = <&bpmp TEGRA186_RESET_UARTG>;
- reset-names = "serial";
status = "disabled";
};
diff --git a/arch/arm64/boot/dts/nvidia/tegra194.dtsi b/arch/arm64/boot/dts/nvidia/tegra194.dtsi
index 33f92b77cd9d9..c369507747851 100644
--- a/arch/arm64/boot/dts/nvidia/tegra194.dtsi
+++ b/arch/arm64/boot/dts/nvidia/tegra194.dtsi
@@ -766,9 +766,7 @@
reg-shift = <2>;
interrupts = <GIC_SPI 115 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&bpmp TEGRA194_CLK_UARTD>;
- clock-names = "serial";
resets = <&bpmp TEGRA194_RESET_UARTD>;
- reset-names = "serial";
status = "disabled";
};
@@ -778,9 +776,7 @@
reg-shift = <2>;
interrupts = <GIC_SPI 116 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&bpmp TEGRA194_CLK_UARTE>;
- clock-names = "serial";
resets = <&bpmp TEGRA194_RESET_UARTE>;
- reset-names = "serial";
status = "disabled";
};
@@ -790,9 +786,7 @@
reg-shift = <2>;
interrupts = <GIC_SPI 117 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&bpmp TEGRA194_CLK_UARTF>;
- clock-names = "serial";
resets = <&bpmp TEGRA194_RESET_UARTF>;
- reset-names = "serial";
status = "disabled";
};
@@ -817,9 +811,7 @@
reg-shift = <2>;
interrupts = <GIC_SPI 207 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&bpmp TEGRA194_CLK_UARTH>;
- clock-names = "serial";
resets = <&bpmp TEGRA194_RESET_UARTH>;
- reset-names = "serial";
status = "disabled";
};
@@ -1616,9 +1608,7 @@
reg-shift = <2>;
interrupts = <GIC_SPI 114 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&bpmp TEGRA194_CLK_UARTC>;
- clock-names = "serial";
resets = <&bpmp TEGRA194_RESET_UARTC>;
- reset-names = "serial";
status = "disabled";
};
@@ -1628,9 +1618,7 @@
reg-shift = <2>;
interrupts = <GIC_SPI 118 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&bpmp TEGRA194_CLK_UARTG>;
- clock-names = "serial";
resets = <&bpmp TEGRA194_RESET_UARTG>;
- reset-names = "serial";
status = "disabled";
};
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 179/356] arm64: dts: ti: k3-j721e-common-proc-board: Enable OSPI1 on J721E
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 178/356] arm64: tegra: Drop remaining serial clock-names and reset-names Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 180/356] Squashfs: check return result of sb_min_blocksize Greg Kroah-Hartman
` (185 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Prasanth Babu Mantena,
Nishanth Menon, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prasanth Babu Mantena <p-mantena@ti.com>
[ Upstream commit 6b8deb2ff0d31848c43a73f6044e69ba9276b3ec ]
J721E SoM has MT25QU512AB Serial NOR flash connected to
OSPI1 controller. Enable ospi1 node in device tree.
Fixes: 73676c480b72 ("arm64: dts: ti: k3-j721e: Enable OSPI nodes at the board level")
Signed-off-by: Prasanth Babu Mantena <p-mantena@ti.com>
Link: https://lore.kernel.org/r/20250507050701.3007209-1-p-mantena@ti.com
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/ti/k3-j721e-common-proc-board.dts | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/boot/dts/ti/k3-j721e-common-proc-board.dts b/arch/arm64/boot/dts/ti/k3-j721e-common-proc-board.dts
index fe5207ac7d85d..90ae8e948671d 100644
--- a/arch/arm64/boot/dts/ti/k3-j721e-common-proc-board.dts
+++ b/arch/arm64/boot/dts/ti/k3-j721e-common-proc-board.dts
@@ -557,6 +557,7 @@
&ospi1 {
pinctrl-names = "default";
pinctrl-0 = <&mcu_fss0_ospi1_pins_default>;
+ status = "okay";
flash@0 {
compatible = "jedec,spi-nor";
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 180/356] Squashfs: check return result of sb_min_blocksize
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 179/356] arm64: dts: ti: k3-j721e-common-proc-board: Enable OSPI1 on J721E Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 181/356] ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery Greg Kroah-Hartman
` (184 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+65761fc25a137b9c8c6e,
Phillip Lougher, Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phillip Lougher <phillip@squashfs.org.uk>
[ Upstream commit 734aa85390ea693bb7eaf2240623d41b03705c84 ]
Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug.
Syzkaller forks multiple processes which after mounting the Squashfs
filesystem, issues an ioctl("/dev/loop0", LOOP_SET_BLOCK_SIZE, 0x8000).
Now if this ioctl occurs at the same time another process is in the
process of mounting a Squashfs filesystem on /dev/loop0, the failure
occurs. When this happens the following code in squashfs_fill_super()
fails.
----
msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
msblk->devblksize_log2 = ffz(~msblk->devblksize);
----
sb_min_blocksize() returns 0, which means msblk->devblksize is set to 0.
As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2
is set to 64.
This subsequently causes the
UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36
shift exponent 64 is too large for 64-bit type 'u64' (aka
'unsigned long long')
This commit adds a check for a 0 return by sb_min_blocksize().
Link: https://lkml.kernel.org/r/20250409024747.876480-1-phillip@squashfs.org.uk
Fixes: 0aa666190509 ("Squashfs: super block operations")
Reported-by: syzbot+65761fc25a137b9c8c6e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/67f0dd7a.050a0220.0a13.0230.GAE@google.com/
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/squashfs/super.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c
index 22e812808e5cf..3a27d4268b3c4 100644
--- a/fs/squashfs/super.c
+++ b/fs/squashfs/super.c
@@ -202,6 +202,11 @@ static int squashfs_fill_super(struct super_block *sb, struct fs_context *fc)
msblk->panic_on_errors = (opts->errors == Opt_errors_panic);
msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
+ if (!msblk->devblksize) {
+ errorf(fc, "squashfs: unable to set blocksize\n");
+ return -EINVAL;
+ }
+
msblk->devblksize_log2 = ffz(~msblk->devblksize);
mutex_init(&msblk->meta_index_mutex);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 181/356] ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 180/356] Squashfs: check return result of sb_min_blocksize Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 182/356] nilfs2: add pointer check for nilfs_direct_propagate() Greg Kroah-Hartman
` (183 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Murad Masimov, Jan Kara, Joseph Qi,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao,
Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Murad Masimov <m.masimov@mt-integration.ru>
[ Upstream commit cdc3ed3035d0fe934aa1d9b78ce256752fd3bb7d ]
If ocfs2_finish_quota_recovery() exits due to an error before passing all
rc_list elements to ocfs2_recover_local_quota_file() then it can lead to a
memory leak as rc_list may still contain elements that have to be freed.
Release all memory allocated by ocfs2_add_recovery_chunk() using
ocfs2_free_quota_recovery() instead of kfree().
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Link: https://lkml.kernel.org/r/20250402065628.706359-2-m.masimov@mt-integration.ru
Fixes: 2205363dce74 ("ocfs2: Implement quota recovery")
Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/quota_local.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c
index 0ca8975a1df47..c7bda48b5fb21 100644
--- a/fs/ocfs2/quota_local.c
+++ b/fs/ocfs2/quota_local.c
@@ -671,7 +671,7 @@ int ocfs2_finish_quota_recovery(struct ocfs2_super *osb,
break;
}
out:
- kfree(rec);
+ ocfs2_free_quota_recovery(rec);
return status;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 182/356] nilfs2: add pointer check for nilfs_direct_propagate()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 181/356] ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 183/356] nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() Greg Kroah-Hartman
` (182 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wentao Liang, Ryusuke Konishi,
Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
[ Upstream commit f43f02429295486059605997bc43803527d69791 ]
Patch series "nilfs2: improve sanity checks in dirty state propagation".
This fixes one missed check for block mapping anomalies and one improper
return of an error code during a preparation step for log writing, thereby
improving checking for filesystem corruption on writeback.
This patch (of 2):
In nilfs_direct_propagate(), the printer get from nilfs_direct_get_ptr()
need to be checked to ensure it is not an invalid pointer.
If the pointer value obtained by nilfs_direct_get_ptr() is
NILFS_BMAP_INVALID_PTR, means that the metadata (in this case, i_bmap in
the nilfs_inode_info struct) that should point to the data block at the
buffer head of the argument is corrupted and the data block is orphaned,
meaning that the file system has lost consistency.
Add a value check and return -EINVAL when it is an invalid pointer.
Link: https://lkml.kernel.org/r/20250428173808.6452-1-konishi.ryusuke@gmail.com
Link: https://lkml.kernel.org/r/20250428173808.6452-2-konishi.ryusuke@gmail.com
Fixes: 36a580eb489f ("nilfs2: direct block mapping")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nilfs2/direct.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/nilfs2/direct.c b/fs/nilfs2/direct.c
index 893ab36824cc2..2d8dc6b35b547 100644
--- a/fs/nilfs2/direct.c
+++ b/fs/nilfs2/direct.c
@@ -273,6 +273,9 @@ static int nilfs_direct_propagate(struct nilfs_bmap *bmap,
dat = nilfs_bmap_get_dat(bmap);
key = nilfs_bmap_data_get_key(bmap, bh);
ptr = nilfs_direct_get_ptr(bmap, key);
+ if (ptr == NILFS_BMAP_INVALID_PTR)
+ return -EINVAL;
+
if (!buffer_nilfs_volatile(bh)) {
oldreq.pr_entry_nr = ptr;
newreq.pr_entry_nr = ptr;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 183/356] nilfs2: do not propagate ENOENT error from nilfs_btree_propagate()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 182/356] nilfs2: add pointer check for nilfs_direct_propagate() Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 184/356] bus: fsl-mc: fix double-free on mc_dev Greg Kroah-Hartman
` (181 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryusuke Konishi, Wentao Liang,
Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
[ Upstream commit 8e39fbb1edbb4ec9d7c1124f403877fc167fcecd ]
In preparation for writing logs, in nilfs_btree_propagate(), which makes
parent and ancestor node blocks dirty starting from a modified data block
or b-tree node block, if the starting block does not belong to the b-tree,
i.e. is isolated, nilfs_btree_do_lookup() called within the function
fails with -ENOENT.
In this case, even though -ENOENT is an internal code, it is propagated to
the log writer via nilfs_bmap_propagate() and may be erroneously returned
to system calls such as fsync().
Fix this issue by changing the error code to -EINVAL in this case, and
having the bmap layer detect metadata corruption and convert the error
code appropriately.
Link: https://lkml.kernel.org/r/20250428173808.6452-3-konishi.ryusuke@gmail.com
Fixes: 1f5abe7e7dbc ("nilfs2: replace BUG_ON and BUG calls triggerable from ioctl")
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nilfs2/btree.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c
index dbd27a44632fa..5e70a3478afe0 100644
--- a/fs/nilfs2/btree.c
+++ b/fs/nilfs2/btree.c
@@ -2094,11 +2094,13 @@ static int nilfs_btree_propagate(struct nilfs_bmap *btree,
ret = nilfs_btree_do_lookup(btree, path, key, NULL, level + 1, 0);
if (ret < 0) {
- if (unlikely(ret == -ENOENT))
+ if (unlikely(ret == -ENOENT)) {
nilfs_crit(btree->b_inode->i_sb,
"writing node/leaf block does not appear in b-tree (ino=%lu) at key=%llu, level=%d",
btree->b_inode->i_ino,
(unsigned long long)key, level);
+ ret = -EINVAL;
+ }
goto out;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 184/356] bus: fsl-mc: fix double-free on mc_dev
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 183/356] nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() Greg Kroah-Hartman
@ 2025-06-17 15:24 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 185/356] dt-bindings: vendor-prefixes: Add Liontron name Greg Kroah-Hartman
` (180 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ioana Ciornei, Christophe Leroy,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ioana Ciornei <ioana.ciornei@nxp.com>
[ Upstream commit d694bf8a9acdbd061596f3e7549bc8cb70750a60 ]
The blamed commit tried to simplify how the deallocations are done but,
in the process, introduced a double-free on the mc_dev variable.
In case the MC device is a DPRC, a new mc_bus is allocated and the
mc_dev variable is just a reference to one of its fields. In this
circumstance, on the error path only the mc_bus should be freed.
This commit introduces back the following checkpatch warning which is a
false-positive.
WARNING: kfree(NULL) is safe and this check is probably not required
+ if (mc_bus)
+ kfree(mc_bus);
Fixes: a042fbed0290 ("staging: fsl-mc: simplify couple of deallocations")
Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Link: https://lore.kernel.org/r/20250408105814.2837951-2-ioana.ciornei@nxp.com
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bus/fsl-mc/fsl-mc-bus.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/bus/fsl-mc/fsl-mc-bus.c b/drivers/bus/fsl-mc/fsl-mc-bus.c
index 2f6d5002e43d5..b405ee330af1f 100644
--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
+++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
@@ -905,8 +905,10 @@ int fsl_mc_device_add(struct fsl_mc_obj_desc *obj_desc,
error_cleanup_dev:
kfree(mc_dev->regions);
- kfree(mc_bus);
- kfree(mc_dev);
+ if (mc_bus)
+ kfree(mc_bus);
+ else
+ kfree(mc_dev);
return error;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 185/356] dt-bindings: vendor-prefixes: Add Liontron name
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2025-06-17 15:24 ` [PATCH 6.6 184/356] bus: fsl-mc: fix double-free on mc_dev Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 186/356] ARM: dts: qcom: apq8064: add missing clocks to the timer node Greg Kroah-Hartman
` (179 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andre Przywara, Rob Herring (Arm),
Chen-Yu Tsai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andre Przywara <andre.przywara@arm.com>
[ Upstream commit 9baa27a2e9fc746143ab686b6dbe2d515284a4c5 ]
Liontron is a company based in Shenzen, China, making industrial
development boards and embedded computers, mostly using Rockchip and
Allwinner SoCs.
Add their name to the list of vendors.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Acked-by: Rob Herring (Arm) <robh@kernel.org>
Link: https://patch.msgid.link/20250505164729.18175-2-andre.przywara@arm.com
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/devicetree/bindings/vendor-prefixes.yaml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Documentation/devicetree/bindings/vendor-prefixes.yaml b/Documentation/devicetree/bindings/vendor-prefixes.yaml
index dc275ab60e534..7376a924e9aca 100644
--- a/Documentation/devicetree/bindings/vendor-prefixes.yaml
+++ b/Documentation/devicetree/bindings/vendor-prefixes.yaml
@@ -773,6 +773,8 @@ patternProperties:
description: Linux-specific binding
"^linx,.*":
description: Linx Technologies
+ "^liontron,.*":
+ description: Shenzhen Liontron Technology Co., Ltd
"^liteon,.*":
description: LITE-ON Technology Corp.
"^litex,.*":
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 186/356] ARM: dts: qcom: apq8064: add missing clocks to the timer node
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 185/356] dt-bindings: vendor-prefixes: Add Liontron name Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 187/356] ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon device Greg Kroah-Hartman
` (178 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Konrad Dybcio,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 4b0eb149df58b6750cd8113e5ee5b3ac7cc51743 ]
In order to fix DT schema warning and describe hardware properly, add
missing sleep clock to the timer node.
Fixes: f335b8af4fd5 ("ARM: dts: qcom: Add initial APQ8064 SoC and IFC6410 board device trees")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250318-fix-nexus-4-v2-6-bcedd1406790@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/qcom/qcom-apq8064.dtsi | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi
index 950adb63af701..06251aba80d88 100644
--- a/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi
+++ b/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi
@@ -343,6 +343,8 @@
<1 3 0x301>;
reg = <0x0200a000 0x100>;
clock-frequency = <27000000>;
+ clocks = <&sleep_clk>;
+ clock-names = "sleep";
cpu-offset = <0x80000>;
};
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 187/356] ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon device
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 186/356] ARM: dts: qcom: apq8064: add missing clocks to the timer node Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 188/356] arm64: defconfig: mediatek: enable PHY drivers Greg Kroah-Hartman
` (177 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Konrad Dybcio,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 325c6a441ae1f8fcb1db9bb945b8bdbd3142141e ]
Follow up the expected way of describing the SFPB hwspinlock and merge
hwspinlock node into corresponding syscon node, fixing several dt-schema
warnings.
Fixes: 24a9baf933dc ("ARM: dts: qcom: apq8064: Add hwmutex and SMEM nodes")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250318-fix-nexus-4-v2-7-bcedd1406790@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/qcom/qcom-apq8064.dtsi | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi
index 06251aba80d88..b8f160cfe8e15 100644
--- a/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi
+++ b/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi
@@ -213,12 +213,6 @@
};
};
- sfpb_mutex: hwmutex {
- compatible = "qcom,sfpb-mutex";
- syscon = <&sfpb_wrapper_mutex 0x604 0x4>;
- #hwlock-cells = <1>;
- };
-
smem {
compatible = "qcom,smem";
memory-region = <&smem_region>;
@@ -322,9 +316,10 @@
pinctrl-0 = <&ps_hold>;
};
- sfpb_wrapper_mutex: syscon@1200000 {
- compatible = "syscon";
- reg = <0x01200000 0x8000>;
+ sfpb_mutex: hwmutex@1200600 {
+ compatible = "qcom,sfpb-mutex";
+ reg = <0x01200600 0x100>;
+ #hwlock-cells = <1>;
};
intc: interrupt-controller@2000000 {
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 188/356] arm64: defconfig: mediatek: enable PHY drivers
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 187/356] ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon device Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 189/356] arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou Greg Kroah-Hartman
` (176 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nícolas F . R . A . Prado,
Vignesh Raman, AngeloGioacchino Del Regno, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vignesh Raman <vignesh.raman@collabora.com>
[ Upstream commit f52cd248d844f9451858992f924988ac413fdc7e ]
The mediatek display driver fails to probe on mt8173-elm-hana and
mt8183-kukui-jacuzzi-juniper-sku16 in v6.14-rc4 due to missing PHY
configurations.
Commit 924d66011f24 ("drm/mediatek: stop selecting foreign drivers")
stopped selecting the MediaTek PHY drivers, requiring them to be
explicitly enabled in defconfig.
Enable the following PHY drivers for MediaTek platforms:
CONFIG_PHY_MTK_HDMI=m for HDMI display
CONFIG_PHY_MTK_MIPI_DSI=m for DSI display
CONFIG_PHY_MTK_DP=m for DP display
Fixes: 924d66011f24 ("drm/mediatek: stop selecting foreign drivers")
Reviewed-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
Signed-off-by: Vignesh Raman <vignesh.raman@collabora.com>
Link: https://lore.kernel.org/r/20250512131933.1247830-1-vignesh.raman@collabora.com
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/configs/defconfig | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig
index 60af93c04b45a..a4fc913d1e494 100644
--- a/arch/arm64/configs/defconfig
+++ b/arch/arm64/configs/defconfig
@@ -1412,6 +1412,9 @@ CONFIG_PHY_HISTB_COMBPHY=y
CONFIG_PHY_HISI_INNO_USB2=y
CONFIG_PHY_MVEBU_CP110_COMPHY=y
CONFIG_PHY_MTK_TPHY=y
+CONFIG_PHY_MTK_HDMI=m
+CONFIG_PHY_MTK_MIPI_DSI=m
+CONFIG_PHY_MTK_DP=m
CONFIG_PHY_QCOM_EDP=m
CONFIG_PHY_QCOM_EUSB2_REPEATER=m
CONFIG_PHY_QCOM_PCIE2=m
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 189/356] arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 188/356] arm64: defconfig: mediatek: enable PHY drivers Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 190/356] arm64: dts: renesas: white-hawk-ard-audio: Fix TPU0 groups Greg Kroah-Hartman
` (175 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Quentin Schulz, Lukasz Czechowski,
Heiko Stuebner, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Quentin Schulz <quentin.schulz@cherry.de>
[ Upstream commit febd8c6ab52c683b447fe22fc740918c86feae43 ]
The u2phy0_host port is the part of the USB PHY0 (namely the
HOST0_DP/DM lanes) which routes directly to the USB2.0 HOST
controller[1]. The other lanes of the PHY are routed to the USB3.0 OTG
controller (dwc3), which we do use.
The HOST0_DP/DM lanes aren't routed on RK3399 Puma so let's simply
disable the USB2.0 controllers.
USB3 OTG has been known to be unstable on RK3399 Puma Haikou for a
while, one of the recurring issues being that only USB2 is detected and
not USB3 in host mode. Reading the justification above and seeing that
we are keeping u2phy0_host in the Haikou carrierboard DTS probably may
have bothered you since it should be changed to u2phy0_otg. The issue is
that if it's switched to that, USB OTG on Haikou is entirely broken. I
have checked the routing in the Gerber file, the lanes are going to the
expected ball pins (that is, NOT HOST0_DP/DM).
u2phy0_host is for sure the wrong part of the PHY to use, but it's the
only one that works at the moment for that board so keep it until we
figure out what exactly is broken.
No intended functional change.
[1] https://rockchip.fr/Rockchip%20RK3399%20TRM%20V1.3%20Part2.pdf
Chapter 2 USB2.0 PHY
Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM")
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Lukasz Czechowski <lukasz.czechowski@thaumatec.com>
Link: https://lore.kernel.org/r/20250425-onboard_usb_dev-v2-5-4a76a474a010@thaumatec.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts | 8 --------
1 file changed, 8 deletions(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
index 115c14c0a3c68..396a6636073b5 100644
--- a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
+++ b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
@@ -251,14 +251,6 @@
status = "okay";
};
-&usb_host0_ehci {
- status = "okay";
-};
-
-&usb_host0_ohci {
- status = "okay";
-};
-
&vopb {
status = "okay";
};
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 190/356] arm64: dts: renesas: white-hawk-ard-audio: Fix TPU0 groups
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 189/356] arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 191/356] arm64: dts: mt6359: Rename RTC node to match binding expectations Greg Kroah-Hartman
` (174 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thuan Nguyen, Duy Nguyen,
Geert Uytterhoeven, Kuninori Morimoto, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thuan Nguyen <thuan.nguyen-hong@banvien.com.vn>
[ Upstream commit 652eea251dd852f02cef6223f367220acb3d1867 ]
White Hawk ARD audio uses a clock generated by the TPU, but commit
3d144ef10a44 ("pinctrl: renesas: r8a779g0: Fix TPU suffixes") renamed
pin group "tpu_to0_a" to "tpu_to0_b". Update DTS accordingly otherwise
the sound driver does not receive a clock signal.
Fixes: 3d144ef10a448f89 ("pinctrl: renesas: r8a779g0: Fix TPU suffixes")
Signed-off-by: Thuan Nguyen <thuan.nguyen-hong@banvien.com.vn>
Signed-off-by: Duy Nguyen <duy.nguyen.rh@renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://lore.kernel.org/TYCPR01MB8740608B675365215ADB0374B49CA@TYCPR01MB8740.jpnprd01.prod.outlook.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../boot/dts/renesas/r8a779g0-white-hawk-ard-audio-da7212.dtso | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/renesas/r8a779g0-white-hawk-ard-audio-da7212.dtso b/arch/arm64/boot/dts/renesas/r8a779g0-white-hawk-ard-audio-da7212.dtso
index e6f53377ecd90..99f62574bc3c2 100644
--- a/arch/arm64/boot/dts/renesas/r8a779g0-white-hawk-ard-audio-da7212.dtso
+++ b/arch/arm64/boot/dts/renesas/r8a779g0-white-hawk-ard-audio-da7212.dtso
@@ -108,7 +108,7 @@
};
tpu0_pins: tpu0 {
- groups = "tpu_to0_a";
+ groups = "tpu_to0_b";
function = "tpu";
};
};
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 191/356] arm64: dts: mt6359: Rename RTC node to match binding expectations
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 190/356] arm64: dts: renesas: white-hawk-ard-audio: Fix TPU0 groups Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 192/356] ARM: aspeed: Dont select SRAM Greg Kroah-Hartman
` (173 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Julien Massot,
AngeloGioacchino Del Regno, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Julien Massot <julien.massot@collabora.com>
[ Upstream commit cfe035d8662cfbd6edff9bd89c4b516bbb34c350 ]
Rename the node 'mt6359rtc' to 'rtc', as required by the binding.
Fix the following dtb-check error:
mediatek/mt8395-radxa-nio-12l.dtb: pmic: 'mt6359rtc' do not match
any of the regexes: 'pinctrl-[0-9]+'
Fixes: 3b7d143be4b7 ("arm64: dts: mt6359: add PMIC MT6359 related nodes")
Signed-off-by: Julien Massot <julien.massot@collabora.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/20250514-mt8395-dtb-errors-v2-3-d67b9077c59a@collabora.com
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt6359.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt6359.dtsi b/arch/arm64/boot/dts/mediatek/mt6359.dtsi
index 57af3e7899841..779d6dfb55c00 100644
--- a/arch/arm64/boot/dts/mediatek/mt6359.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt6359.dtsi
@@ -298,7 +298,7 @@
};
};
- mt6359rtc: mt6359rtc {
+ mt6359rtc: rtc {
compatible = "mediatek,mt6358-rtc";
};
};
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 192/356] ARM: aspeed: Dont select SRAM
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 191/356] arm64: dts: mt6359: Rename RTC node to match binding expectations Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 193/356] soc: aspeed: lpc: Fix impossible judgment condition Greg Kroah-Hartman
` (172 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joel Stanley, Andrew Jeffery,
Arnd Bergmann, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joel Stanley <joel@jms.id.au>
[ Upstream commit e4f59f873c3ffe2a0150e11115a83e2dfb671dbf ]
The ASPEED devices have SRAM, but don't require it for basic function
(or any function; there's no known users of the driver).
Fixes: 8c2ed9bcfbeb ("arm: Add Aspeed machine")
Signed-off-by: Joel Stanley <joel@jms.id.au>
Link: https://patch.msgid.link/20250115103942.421429-1-joel@jms.id.au
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/mach-aspeed/Kconfig | 1 -
1 file changed, 1 deletion(-)
diff --git a/arch/arm/mach-aspeed/Kconfig b/arch/arm/mach-aspeed/Kconfig
index 080019aa6fcd8..fcf287edd0e5e 100644
--- a/arch/arm/mach-aspeed/Kconfig
+++ b/arch/arm/mach-aspeed/Kconfig
@@ -2,7 +2,6 @@
menuconfig ARCH_ASPEED
bool "Aspeed BMC architectures"
depends on (CPU_LITTLE_ENDIAN && ARCH_MULTI_V5) || ARCH_MULTI_V6 || ARCH_MULTI_V7
- select SRAM
select WATCHDOG
select ASPEED_WATCHDOG
select MFD_SYSCON
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 193/356] soc: aspeed: lpc: Fix impossible judgment condition
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 192/356] ARM: aspeed: Dont select SRAM Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 194/356] soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() Greg Kroah-Hartman
` (171 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Su Hui, Dan Carpenter,
Andrew Jeffery, Arnd Bergmann, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Su Hui <suhui@nfschina.com>
[ Upstream commit d9f0a97e859bdcef51f9c187b1eb712eb13fd3ff ]
smatch error:
drivers/soc/aspeed/aspeed-lpc-snoop.c:169
aspeed_lpc_snoop_config_irq() warn: platform_get_irq() does not return zero
platform_get_irq() return non-zero IRQ number or negative error code,
change '!lpc_snoop->irq' to 'lpc_snoop->irq < 0' to fix this.
Fixes: 9f4f9ae81d0a ("drivers/misc: add Aspeed LPC snoop driver")
Signed-off-by: Su Hui <suhui@nfschina.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/20231027020703.1231875-1-suhui@nfschina.com
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/aspeed/aspeed-lpc-snoop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c
index 773dbcbc03a6c..8cb3a0b4692cf 100644
--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c
+++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c
@@ -166,7 +166,7 @@ static int aspeed_lpc_snoop_config_irq(struct aspeed_lpc_snoop *lpc_snoop,
int rc;
lpc_snoop->irq = platform_get_irq(pdev, 0);
- if (!lpc_snoop->irq)
+ if (lpc_snoop->irq < 0)
return -ENODEV;
rc = devm_request_irq(dev, lpc_snoop->irq,
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 194/356] soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 193/356] soc: aspeed: lpc: Fix impossible judgment condition Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 195/356] fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() Greg Kroah-Hartman
` (170 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Henry Martin, Andrew Jeffery,
Arnd Bergmann, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henry Martin <bsdhenrymartin@gmail.com>
[ Upstream commit f1706e0e1a74b095cbc60375b9b1e6205f5f4c98 ]
devm_kasprintf() returns NULL when memory allocation fails. Currently,
aspeed_lpc_enable_snoop() does not check for this case, which results in a
NULL pointer dereference.
Add NULL check after devm_kasprintf() to prevent this issue.
Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Link: https://patch.msgid.link/20250401074647.21300-1-bsdhenrymartin@gmail.com
[arj: Fix Fixes: tag to use subject from 3772e5da4454]
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/aspeed/aspeed-lpc-snoop.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c
index 8cb3a0b4692cf..0f2ffee321dd9 100644
--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c
+++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c
@@ -200,11 +200,15 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop,
lpc_snoop->chan[channel].miscdev.minor = MISC_DYNAMIC_MINOR;
lpc_snoop->chan[channel].miscdev.name =
devm_kasprintf(dev, GFP_KERNEL, "%s%d", DEVICE_NAME, channel);
+ if (!lpc_snoop->chan[channel].miscdev.name) {
+ rc = -ENOMEM;
+ goto err_free_fifo;
+ }
lpc_snoop->chan[channel].miscdev.fops = &snoop_fops;
lpc_snoop->chan[channel].miscdev.parent = dev;
rc = misc_register(&lpc_snoop->chan[channel].miscdev);
if (rc)
- return rc;
+ goto err_free_fifo;
/* Enable LPC snoop channel at requested port */
switch (channel) {
@@ -221,7 +225,8 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop,
hicrb_en = HICRB_ENSNP1D;
break;
default:
- return -EINVAL;
+ rc = -EINVAL;
+ goto err_misc_deregister;
}
regmap_update_bits(lpc_snoop->regmap, HICR5, hicr5_en, hicr5_en);
@@ -231,6 +236,12 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop,
regmap_update_bits(lpc_snoop->regmap, HICRB,
hicrb_en, hicrb_en);
+ return 0;
+
+err_misc_deregister:
+ misc_deregister(&lpc_snoop->chan[channel].miscdev);
+err_free_fifo:
+ kfifo_free(&lpc_snoop->chan[channel].fifo);
return rc;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 195/356] fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 194/356] soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 196/356] randstruct: gcc-plugin: Remove bogus void member Greg Kroah-Hartman
` (169 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sergey Shtylyov, Helge Deller,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergey Shtylyov <s.shtylyov@omp.ru>
[ Upstream commit 3f6dae09fc8c306eb70fdfef70726e1f154e173a ]
In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000,
cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's
then passed to fb_cvt_hperiod(), where it's used as a divider -- division
by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to
avoid such overflow...
Found by Linux Verification Center (linuxtesting.org) with the Svace static
analysis tool.
Fixes: 96fe6a2109db ("[PATCH] fbdev: Add VESA Coordinated Video Timings (CVT) support")
Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/core/fbcvt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/core/fbcvt.c b/drivers/video/fbdev/core/fbcvt.c
index 64843464c6613..cd3821bd82e56 100644
--- a/drivers/video/fbdev/core/fbcvt.c
+++ b/drivers/video/fbdev/core/fbcvt.c
@@ -312,7 +312,7 @@ int fb_find_mode_cvt(struct fb_videomode *mode, int margins, int rb)
cvt.f_refresh = cvt.refresh;
cvt.interlace = 1;
- if (!cvt.xres || !cvt.yres || !cvt.refresh) {
+ if (!cvt.xres || !cvt.yres || !cvt.refresh || cvt.f_refresh > INT_MAX) {
printk(KERN_INFO "fbcvt: Invalid input parameters\n");
return 1;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 196/356] randstruct: gcc-plugin: Remove bogus void member
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 195/356] fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 197/356] randstruct: gcc-plugin: Fix attribute addition Greg Kroah-Hartman
` (168 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dr. David Alan Gilbert, Mark Brown,
WangYuli, Kees Cook, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit e136a4062174a9a8d1c1447ca040ea81accfa6a8 ]
When building the randomized replacement tree of struct members, the
randstruct GCC plugin would insert, as the first member, a 0-sized void
member. This appears as though it was done to catch non-designated
("unnamed") static initializers, which wouldn't be stable since they
depend on the original struct layout order.
This was accomplished by having the side-effect of the "void member"
tripping an assert in GCC internals (count_type_elements) if the member
list ever needed to be counted (e.g. for figuring out the order of members
during a non-designated initialization), which would catch impossible type
(void) in the struct:
security/landlock/fs.c: In function ‘hook_file_ioctl_common’:
security/landlock/fs.c:1745:61: internal compiler error: in count_type_elements, at expr.cc:7075
1745 | .u.op = &(struct lsm_ioctlop_audit) {
| ^
static HOST_WIDE_INT
count_type_elements (const_tree type, bool for_ctor_p)
{
switch (TREE_CODE (type))
...
case VOID_TYPE:
default:
gcc_unreachable ();
}
}
However this is a redundant safety measure since randstruct uses the
__designated_initializer attribute both internally and within the
__randomized_layout attribute macro so that this would be enforced
by the compiler directly even when randstruct was not enabled (via
-Wdesignated-init).
A recent change in Landlock ended up tripping the same member counting
routine when using a full-struct copy initializer as part of an anonymous
initializer. This, however, is a false positive as the initializer is
copying between identical structs (and hence identical layouts). The
"path" member is "struct path", a randomized struct, and is being copied
to from another "struct path", the "f_path" member:
landlock_log_denial(landlock_cred(file->f_cred), &(struct landlock_request) {
.type = LANDLOCK_REQUEST_FS_ACCESS,
.audit = {
.type = LSM_AUDIT_DATA_IOCTL_OP,
.u.op = &(struct lsm_ioctlop_audit) {
.path = file->f_path,
.cmd = cmd,
},
},
...
As can be seen with the coming randstruct KUnit test, there appears to
be no behavioral problems with this kind of initialization when the void
member is removed from the randstruct GCC plugin, so remove it.
Reported-by: "Dr. David Alan Gilbert" <linux@treblig.org>
Closes: https://lore.kernel.org/lkml/Z_PRaKx7q70MKgCA@gallifrey/
Reported-by: Mark Brown <broonie@kernel.org>
Closes: https://lore.kernel.org/lkml/20250407-kbuild-disable-gcc-plugins-v1-1-5d46ae583f5e@kernel.org/
Reported-by: WangYuli <wangyuli@uniontech.com>
Closes: https://lore.kernel.org/lkml/337D5D4887277B27+3c677db3-a8b9-47f0-93a4-7809355f1381@uniontech.com/
Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin")
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/gcc-plugins/randomize_layout_plugin.c | 18 +-----------------
1 file changed, 1 insertion(+), 17 deletions(-)
diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c
index 746ff2d272f25..bb8c6631971db 100644
--- a/scripts/gcc-plugins/randomize_layout_plugin.c
+++ b/scripts/gcc-plugins/randomize_layout_plugin.c
@@ -348,29 +348,13 @@ static int relayout_struct(tree type)
shuffle(type, (tree *)newtree, shuffle_length);
- /*
- * set up a bogus anonymous struct field designed to error out on unnamed struct initializers
- * as gcc provides no other way to detect such code
- */
- list = make_node(FIELD_DECL);
- TREE_CHAIN(list) = newtree[0];
- TREE_TYPE(list) = void_type_node;
- DECL_SIZE(list) = bitsize_zero_node;
- DECL_NONADDRESSABLE_P(list) = 1;
- DECL_FIELD_BIT_OFFSET(list) = bitsize_zero_node;
- DECL_SIZE_UNIT(list) = size_zero_node;
- DECL_FIELD_OFFSET(list) = size_zero_node;
- DECL_CONTEXT(list) = type;
- // to satisfy the constify plugin
- TREE_READONLY(list) = 1;
-
for (i = 0; i < num_fields - 1; i++)
TREE_CHAIN(newtree[i]) = newtree[i+1];
TREE_CHAIN(newtree[num_fields - 1]) = NULL_TREE;
main_variant = TYPE_MAIN_VARIANT(type);
for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) {
- TYPE_FIELDS(variant) = list;
+ TYPE_FIELDS(variant) = newtree[0];
TYPE_ATTRIBUTES(variant) = copy_list(TYPE_ATTRIBUTES(variant));
TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("randomize_performed"), NULL_TREE, TYPE_ATTRIBUTES(variant));
TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("designated_init"), NULL_TREE, TYPE_ATTRIBUTES(variant));
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 197/356] randstruct: gcc-plugin: Fix attribute addition
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 196/356] randstruct: gcc-plugin: Remove bogus void member Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 198/356] perf build: Warn when libdebuginfod devel files are not available Greg Kroah-Hartman
` (167 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thiago Jung Bauermann, Ingo Saitz,
Kees Cook, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit f39f18f3c3531aa802b58a20d39d96e82eb96c14 ]
Based on changes in the 2021 public version of the randstruct
out-of-tree GCC plugin[1], more carefully update the attributes on
resulting decls, to avoid tripping checks in GCC 15's
comptypes_check_enum_int() when it has been configured with
"--enable-checking=misc":
arch/arm64/kernel/kexec_image.c:132:14: internal compiler error: in comptypes_check_enum_int, at c/c-typeck.cc:1519
132 | const struct kexec_file_ops kexec_image_ops = {
| ^~~~~~~~~~~~~~
internal_error(char const*, ...), at gcc/gcc/diagnostic-global-context.cc:517
fancy_abort(char const*, int, char const*), at gcc/gcc/diagnostic.cc:1803
comptypes_check_enum_int(tree_node*, tree_node*, bool*), at gcc/gcc/c/c-typeck.cc:1519
...
Link: https://archive.org/download/grsecurity/grsecurity-3.1-5.10.41-202105280954.patch.gz [1]
Reported-by: Thiago Jung Bauermann <thiago.bauermann@linaro.org>
Closes: https://github.com/KSPP/linux/issues/367
Closes: https://lore.kernel.org/lkml/20250530000646.104457-1-thiago.bauermann@linaro.org/
Reported-by: Ingo Saitz <ingo@hannover.ccc.de>
Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104745
Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin")
Tested-by: Thiago Jung Bauermann <thiago.bauermann@linaro.org>
Link: https://lore.kernel.org/r/20250530221824.work.623-kees@kernel.org
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/gcc-plugins/gcc-common.h | 32 +++++++++++++++++++
scripts/gcc-plugins/randomize_layout_plugin.c | 22 ++++++-------
2 files changed, 43 insertions(+), 11 deletions(-)
diff --git a/scripts/gcc-plugins/gcc-common.h b/scripts/gcc-plugins/gcc-common.h
index 1ae39b9f4a95e..90e83d62adb54 100644
--- a/scripts/gcc-plugins/gcc-common.h
+++ b/scripts/gcc-plugins/gcc-common.h
@@ -128,6 +128,38 @@ static inline tree build_const_char_string(int len, const char *str)
return cstr;
}
+static inline void __add_type_attr(tree type, const char *attr, tree args)
+{
+ tree oldattr;
+
+ if (type == NULL_TREE)
+ return;
+ oldattr = lookup_attribute(attr, TYPE_ATTRIBUTES(type));
+ if (oldattr != NULL_TREE) {
+ gcc_assert(TREE_VALUE(oldattr) == args || TREE_VALUE(TREE_VALUE(oldattr)) == TREE_VALUE(args));
+ return;
+ }
+
+ TYPE_ATTRIBUTES(type) = copy_list(TYPE_ATTRIBUTES(type));
+ TYPE_ATTRIBUTES(type) = tree_cons(get_identifier(attr), args, TYPE_ATTRIBUTES(type));
+}
+
+static inline void add_type_attr(tree type, const char *attr, tree args)
+{
+ tree main_variant = TYPE_MAIN_VARIANT(type);
+
+ __add_type_attr(TYPE_CANONICAL(type), attr, args);
+ __add_type_attr(TYPE_CANONICAL(main_variant), attr, args);
+ __add_type_attr(main_variant, attr, args);
+
+ for (type = TYPE_NEXT_VARIANT(main_variant); type; type = TYPE_NEXT_VARIANT(type)) {
+ if (!lookup_attribute(attr, TYPE_ATTRIBUTES(type)))
+ TYPE_ATTRIBUTES(type) = TYPE_ATTRIBUTES(main_variant);
+
+ __add_type_attr(TYPE_CANONICAL(type), attr, args);
+ }
+}
+
#define PASS_INFO(NAME, REF, ID, POS) \
struct register_pass_info NAME##_pass_info = { \
.pass = make_##NAME##_pass(), \
diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c
index bb8c6631971db..e70eef049ada6 100644
--- a/scripts/gcc-plugins/randomize_layout_plugin.c
+++ b/scripts/gcc-plugins/randomize_layout_plugin.c
@@ -77,6 +77,9 @@ static tree handle_randomize_layout_attr(tree *node, tree name, tree args, int f
if (TYPE_P(*node)) {
type = *node;
+ } else if (TREE_CODE(*node) == FIELD_DECL) {
+ *no_add_attrs = false;
+ return NULL_TREE;
} else {
gcc_assert(TREE_CODE(*node) == TYPE_DECL);
type = TREE_TYPE(*node);
@@ -352,15 +355,14 @@ static int relayout_struct(tree type)
TREE_CHAIN(newtree[i]) = newtree[i+1];
TREE_CHAIN(newtree[num_fields - 1]) = NULL_TREE;
+ add_type_attr(type, "randomize_performed", NULL_TREE);
+ add_type_attr(type, "designated_init", NULL_TREE);
+ if (has_flexarray)
+ add_type_attr(type, "has_flexarray", NULL_TREE);
+
main_variant = TYPE_MAIN_VARIANT(type);
- for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) {
+ for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant))
TYPE_FIELDS(variant) = newtree[0];
- TYPE_ATTRIBUTES(variant) = copy_list(TYPE_ATTRIBUTES(variant));
- TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("randomize_performed"), NULL_TREE, TYPE_ATTRIBUTES(variant));
- TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("designated_init"), NULL_TREE, TYPE_ATTRIBUTES(variant));
- if (has_flexarray)
- TYPE_ATTRIBUTES(type) = tree_cons(get_identifier("has_flexarray"), NULL_TREE, TYPE_ATTRIBUTES(type));
- }
/*
* force a re-layout of the main variant
@@ -428,10 +430,8 @@ static void randomize_type(tree type)
if (lookup_attribute("randomize_layout", TYPE_ATTRIBUTES(TYPE_MAIN_VARIANT(type))) || is_pure_ops_struct(type))
relayout_struct(type);
- for (variant = TYPE_MAIN_VARIANT(type); variant; variant = TYPE_NEXT_VARIANT(variant)) {
- TYPE_ATTRIBUTES(type) = copy_list(TYPE_ATTRIBUTES(type));
- TYPE_ATTRIBUTES(type) = tree_cons(get_identifier("randomize_considered"), NULL_TREE, TYPE_ATTRIBUTES(type));
- }
+ add_type_attr(type, "randomize_considered", NULL_TREE);
+
#ifdef __DEBUG_PLUGIN
fprintf(stderr, "Marking randomize_considered on struct %s\n", ORIG_TYPE_NAME(type));
#ifdef __DEBUG_VERBOSE
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 198/356] perf build: Warn when libdebuginfod devel files are not available
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 197/356] randstruct: gcc-plugin: Fix attribute addition Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 199/356] perf ui browser hists: Set actions->thread before calling do_zoom_thread() Greg Kroah-Hartman
` (166 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ingo Molnar, Adrian Hunter,
Dmitriy Vyukov, Howard Chu, Ian Rogers, Jiri Olsa, Kan Liang,
Namhyung Kim, Peter Zijlstra, Frank Ch. Eigler,
Arnaldo Carvalho de Melo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo <acme@redhat.com>
[ Upstream commit 4fce4b91fd1aabb326c46e237eb4b19ab72598f8 ]
While working on 'perf version --build-options' I noticed that:
$ perf version --build-options
perf version 6.15.rc1.g312a07a00d31
aio: [ on ] # HAVE_AIO_SUPPORT
bpf: [ on ] # HAVE_LIBBPF_SUPPORT
bpf_skeletons: [ on ] # HAVE_BPF_SKEL
debuginfod: [ OFF ] # HAVE_DEBUGINFOD_SUPPORT
<SNIP>
And looking at tools/perf/Makefile.config I also noticed that it is not
opt-in, meaning we will attempt to build with it in all normal cases.
So add the usual warning at build time to let the user know that
something recommended is missing, now we see:
Makefile.config:563: No elfutils/debuginfod.h found, no debuginfo server support, please install elfutils-debuginfod-client-devel or equivalent
And after following the recommendation:
$ perf check feature debuginfod
debuginfod: [ on ] # HAVE_DEBUGINFOD_SUPPORT
$ ldd ~/bin/perf | grep debuginfo
libdebuginfod.so.1 => /lib64/libdebuginfod.so.1 (0x00007fee5cf5f000)
$
With this feature on several perf tools will fetch what is needed and
not require all the contents of the debuginfo packages, for instance:
# rpm -qa | grep kernel-debuginfo
# pahole --running_kernel_vmlinux
pahole: couldn't find a vmlinux that matches the running kernel
HINT: Maybe you're inside a container or missing a debuginfo package?
#
# perf trace -e open* perf probe --vars icmp_rcv
0.000 ( 0.005 ms): perf/97391 openat(dfd: CWD, filename: "/etc/ld.so.cache", flags: RDONLY|CLOEXEC) = 3
0.014 ( 0.004 ms): perf/97391 openat(dfd: CWD, filename: "/lib64/libm.so.6", flags: RDONLY|CLOEXEC) = 3
<SNIP>
32130.100 ( 0.008 ms): perf/97391 openat(dfd: CWD, filename: "/root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo") = 3
<SNIP>
Available variables at icmp_rcv
@<icmp_rcv+0>
struct sk_buff* skb
<SNIP>
#
# pahole --running_kernel_vmlinux
/root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo
# file /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo
/root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=aa3c82b4a13f9c0e0301bebb20fe958c4db6f362, with debug_info, not stripped
# ls -la /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo
-r--------. 1 root root 475401512 Mar 27 21:00 /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo
#
Then, cached:
# perf stat --null perf probe --vars icmp_rcv
Available variables at icmp_rcv
@<icmp_rcv+0>
struct sk_buff* skb
Performance counter stats for 'perf probe --vars icmp_rcv':
0.671389041 seconds time elapsed
0.519176000 seconds user
0.150860000 seconds sys
Fixes: c7a14fdcb3fa7736 ("perf build-ids: Fall back to debuginfod query if debuginfo not found")
Tested-by: Ingo Molnar <mingo@kernel.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Dmitriy Vyukov <dvyukov@google.com>
Cc: Howard Chu <howardchu95@gmail.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Frank Ch. Eigler <fche@redhat.com>
Link: https://lore.kernel.org/r/Z_dkNDj9EPFwPqq1@gmail.com
[ Folded patch from Ingo to have the debian/ubuntu devel package added build warning message ]
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/Makefile.config | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config
index d66b52407e19c..9da9f878f50f7 100644
--- a/tools/perf/Makefile.config
+++ b/tools/perf/Makefile.config
@@ -554,6 +554,8 @@ ifndef NO_LIBELF
ifeq ($(feature-libdebuginfod), 1)
CFLAGS += -DHAVE_DEBUGINFOD_SUPPORT
EXTLIBS += -ldebuginfod
+ else
+ $(warning No elfutils/debuginfod.h found, no debuginfo server support, please install libdebuginfod-dev/elfutils-debuginfod-client-devel or equivalent)
endif
endif
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 199/356] perf ui browser hists: Set actions->thread before calling do_zoom_thread()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 198/356] perf build: Warn when libdebuginfod devel files are not available Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 200/356] dm: dont change md if dm_table_set_restrictions() fails Greg Kroah-Hartman
` (165 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ingo Molnar, Adrian Hunter,
Ian Rogers, James Clark, Jiri Olsa, Kan Liang, Namhyung Kim,
Arnaldo Carvalho de Melo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo <acme@redhat.com>
[ Upstream commit 1741189d843a1d5ef38538bc52a3760e2e46cb2e ]
In 7cecb7fe8388d5c3 ("perf hists: Move sort__has_comm into struct
perf_hpp_list") it assumes that act->thread is set prior to calling
do_zoom_thread().
This doesn't happen when we use ESC or the Left arrow key to Zoom out of
a specific thread, making this operation not to work and we get stuck
into the thread zoom.
In 6422184b087ff435 ("perf hists browser: Simplify zooming code using
pstack_peek()") it says no need to set actions->thread, and at that
point that was true, but in 7cecb7fe8388d5c3 a actions->thread == NULL
check was added before the zoom out of thread could kick in.
We can zoom out using the alternative 't' thread zoom toggle hotkey to
finally set actions->thread before calling do_zoom_thread() and zoom
out, but lets also fix the ESC/Zoom out of thread case.
Fixes: 7cecb7fe8388d5c3 ("perf hists: Move sort__has_comm into struct perf_hpp_list")
Reported-by: Ingo Molnar <mingo@kernel.org>
Tested-by: Ingo Molnar <mingo@kernel.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: https://lore.kernel.org/r/Z_TYux5fUg2pW-pF@gmail.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/ui/browsers/hists.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c
index bb59d27642ccf..a53a0257a4bca 100644
--- a/tools/perf/ui/browsers/hists.c
+++ b/tools/perf/ui/browsers/hists.c
@@ -3239,10 +3239,10 @@ static int evsel__hists_browse(struct evsel *evsel, int nr_events, const char *h
/*
* No need to set actions->dso here since
* it's just to remove the current filter.
- * Ditto for thread below.
*/
do_zoom_dso(browser, actions);
} else if (top == &browser->hists->thread_filter) {
+ actions->thread = thread;
do_zoom_thread(browser, actions);
} else if (top == &browser->hists->socket_filter) {
do_zoom_socket(browser, actions);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 200/356] dm: dont change md if dm_table_set_restrictions() fails
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 199/356] perf ui browser hists: Set actions->thread before calling do_zoom_thread() Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 201/356] dm: free table mempools if not used in __bind Greg Kroah-Hartman
` (164 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Benjamin Marzinski,
Mikulas Patocka, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Marzinski <bmarzins@redhat.com>
[ Upstream commit 9eb7109a5bfc5b8226e9517e9f3cc6d414391884 ]
__bind was changing the disk capacity, geometry and mempools of the
mapped device before calling dm_table_set_restrictions() which could
fail, forcing dm to drop the new table. Failing here would leave the
device using the old table but with the wrong capacity and mempools.
Move dm_table_set_restrictions() earlier in __bind(). Since it needs the
capacity to be set, save the old version and restore it on failure.
Fixes: bb37d77239af2 ("dm: introduce zone append emulation")
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Tested-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index 9ea868bd0d129..d154c89305fbe 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -2195,21 +2195,29 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t,
struct queue_limits *limits)
{
struct dm_table *old_map;
- sector_t size;
+ sector_t size, old_size;
int ret;
lockdep_assert_held(&md->suspend_lock);
size = dm_table_get_size(t);
+ old_size = dm_get_size(md);
+ set_capacity(md->disk, size);
+
+ ret = dm_table_set_restrictions(t, md->queue, limits);
+ if (ret) {
+ set_capacity(md->disk, old_size);
+ old_map = ERR_PTR(ret);
+ goto out;
+ }
+
/*
* Wipe any geometry if the size of the table changed.
*/
- if (size != dm_get_size(md))
+ if (size != old_size)
memset(&md->geometry, 0, sizeof(md->geometry));
- set_capacity(md->disk, size);
-
dm_table_event_callback(t, event_callback, md);
if (dm_table_request_based(t)) {
@@ -2242,12 +2250,6 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t,
t->mempools = NULL;
}
- ret = dm_table_set_restrictions(t, md->queue, limits);
- if (ret) {
- old_map = ERR_PTR(ret);
- goto out;
- }
-
old_map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock));
rcu_assign_pointer(md->map, (void *)t);
md->immutable_target_type = dm_table_get_immutable_target_type(t);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 201/356] dm: free table mempools if not used in __bind
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 200/356] dm: dont change md if dm_table_set_restrictions() fails Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 202/356] backlight: pm8941: Add NULL check in wled_configure() Greg Kroah-Hartman
` (163 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Benjamin Marzinski,
Mikulas Patocka, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Marzinski <bmarzins@redhat.com>
[ Upstream commit e8819e7f03470c5b468720630d9e4e1d5b99159e ]
With request-based dm, the mempools don't need reloading when switching
tables, but the unused table mempools are not freed until the active
table is finally freed. Free them immediately if they are not needed.
Fixes: 29dec90a0f1d9 ("dm: fix bio_set allocation")
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Tested-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index d154c89305fbe..44424554e6b52 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -2235,10 +2235,10 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t,
* requests in the queue may refer to bio from the old bioset,
* so you must walk through the queue to unprep.
*/
- if (!md->mempools) {
+ if (!md->mempools)
md->mempools = t->mempools;
- t->mempools = NULL;
- }
+ else
+ dm_free_md_mempools(t->mempools);
} else {
/*
* The md may already have mempools that need changing.
@@ -2247,8 +2247,8 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t,
*/
dm_free_md_mempools(md->mempools);
md->mempools = t->mempools;
- t->mempools = NULL;
}
+ t->mempools = NULL;
old_map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock));
rcu_assign_pointer(md->map, (void *)t);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 202/356] backlight: pm8941: Add NULL check in wled_configure()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 201/356] dm: free table mempools if not used in __bind Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 203/356] mtd: nand: ecc-mxic: Fix use of uninitialized variable ret Greg Kroah-Hartman
` (162 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Henry Martin, Dmitry Baryshkov,
Daniel Thompson (RISCstar), Lee Jones, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henry Martin <bsdhenrymartin@gmail.com>
[ Upstream commit e12d3e1624a02706cdd3628bbf5668827214fa33 ]
devm_kasprintf() returns NULL when memory allocation fails. Currently,
wled_configure() does not check for this case, which results in a NULL
pointer dereference.
Add NULL check after devm_kasprintf() to prevent this issue.
Fixes: f86b77583d88 ("backlight: pm8941: Convert to using %pOFn instead of device_node.name")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: "Daniel Thompson (RISCstar)" <danielt@kernel.org>
Link: https://lore.kernel.org/r/20250401091647.22784-1-bsdhenrymartin@gmail.com
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/backlight/qcom-wled.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c
index 10129095a4c17..b19e5f73de8bb 100644
--- a/drivers/video/backlight/qcom-wled.c
+++ b/drivers/video/backlight/qcom-wled.c
@@ -1406,9 +1406,11 @@ static int wled_configure(struct wled *wled)
wled->ctrl_addr = be32_to_cpu(*prop_addr);
rc = of_property_read_string(dev->of_node, "label", &wled->name);
- if (rc)
+ if (rc) {
wled->name = devm_kasprintf(dev, GFP_KERNEL, "%pOFn", dev->of_node);
-
+ if (!wled->name)
+ return -ENOMEM;
+ }
switch (wled->version) {
case 3:
u32_opts = wled3_opts;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 203/356] mtd: nand: ecc-mxic: Fix use of uninitialized variable ret
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 202/356] backlight: pm8941: Add NULL check in wled_configure() Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 204/356] hwmon: (asus-ec-sensors) check sensor index in read_string() Greg Kroah-Hartman
` (161 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikhail Arkhipov, Miquel Raynal,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikhail Arkhipov <m.arhipov@rosa.ru>
[ Upstream commit d95846350aac72303036a70c4cdc69ae314aa26d ]
If ctx->steps is zero, the loop processing ECC steps is skipped,
and the variable ret remains uninitialized. It is later checked
and returned, which leads to undefined behavior and may cause
unpredictable results in user space or kernel crashes.
This scenario can be triggered in edge cases such as misconfigured
geometry, ECC engine misuse, or if ctx->steps is not validated
after initialization.
Initialize ret to zero before the loop to ensure correct and safe
behavior regardless of the ctx->steps value.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 48e6633a9fa2 ("mtd: nand: mxic-ecc: Add Macronix external ECC engine support")
Signed-off-by: Mikhail Arkhipov <m.arhipov@rosa.ru>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/ecc-mxic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/nand/ecc-mxic.c b/drivers/mtd/nand/ecc-mxic.c
index 47e10945b8d27..63cb206269dd9 100644
--- a/drivers/mtd/nand/ecc-mxic.c
+++ b/drivers/mtd/nand/ecc-mxic.c
@@ -614,7 +614,7 @@ static int mxic_ecc_finish_io_req_external(struct nand_device *nand,
{
struct mxic_ecc_engine *mxic = nand_to_mxic(nand);
struct mxic_ecc_ctx *ctx = nand_to_ecc_ctx(nand);
- int nents, step, ret;
+ int nents, step, ret = 0;
if (req->mode == MTD_OPS_RAW)
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 204/356] hwmon: (asus-ec-sensors) check sensor index in read_string()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 203/356] mtd: nand: ecc-mxic: Fix use of uninitialized variable ret Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 205/356] dm-flakey: error all IOs when num_features is absent Greg Kroah-Hartman
` (160 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexei Safin, Guenter Roeck,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexei Safin <a.safin@rosa.ru>
[ Upstream commit 25be318324563c63cbd9cb53186203a08d2f83a1 ]
Prevent a potential invalid memory access when the requested sensor
is not found.
find_ec_sensor_index() may return a negative value (e.g. -ENOENT),
but its result was used without checking, which could lead to
undefined behavior when passed to get_sensor_info().
Add a proper check to return -EINVAL if sensor_index is negative.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: d0ddfd241e57 ("hwmon: (asus-ec-sensors) add driver for ASUS EC")
Signed-off-by: Alexei Safin <a.safin@rosa.ru>
Link: https://lore.kernel.org/r/20250424202654.5902-1-a.safin@rosa.ru
[groeck: Return error code returned from find_ec_sensor_index]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/asus-ec-sensors.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/hwmon/asus-ec-sensors.c b/drivers/hwmon/asus-ec-sensors.c
index f20b864c1bb20..ce2f14a62754e 100644
--- a/drivers/hwmon/asus-ec-sensors.c
+++ b/drivers/hwmon/asus-ec-sensors.c
@@ -888,6 +888,10 @@ static int asus_ec_hwmon_read_string(struct device *dev,
{
struct ec_sensors_data *state = dev_get_drvdata(dev);
int sensor_index = find_ec_sensor_index(state, type, channel);
+
+ if (sensor_index < 0)
+ return sensor_index;
+
*str = get_sensor_info(state, sensor_index)->label;
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 205/356] dm-flakey: error all IOs when num_features is absent
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 204/356] hwmon: (asus-ec-sensors) check sensor index in read_string() Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 206/356] dm-flakey: make corrupting read bios work Greg Kroah-Hartman
` (159 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kent Overstreet, Benjamin Marzinski,
Mikulas Patocka, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Marzinski <bmarzins@redhat.com>
[ Upstream commit 40ed054f39bc99eac09871c33198e501f4acdf24 ]
dm-flakey would error all IOs if num_features was 0, but if it was
absent, dm-flakey would never error any IO. Fix this so that no
num_features works the same as num_features set to 0.
Fixes: aa7d7bc99fed7 ("dm flakey: add an "error_reads" option")
Reported-by: Kent Overstreet <kent.overstreet@linux.dev>
Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-flakey.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c
index dc491dc771d71..aeb9ecaf9a207 100644
--- a/drivers/md/dm-flakey.c
+++ b/drivers/md/dm-flakey.c
@@ -53,8 +53,8 @@ struct per_bio_data {
static int parse_features(struct dm_arg_set *as, struct flakey_c *fc,
struct dm_target *ti)
{
- int r;
- unsigned int argc;
+ int r = 0;
+ unsigned int argc = 0;
const char *arg_name;
static const struct dm_arg _args[] = {
@@ -65,14 +65,13 @@ static int parse_features(struct dm_arg_set *as, struct flakey_c *fc,
{0, PROBABILITY_BASE, "Invalid random corrupt argument"},
};
- /* No feature arguments supplied. */
- if (!as->argc)
- return 0;
-
- r = dm_read_arg_group(_args, as, &argc, &ti->error);
- if (r)
+ if (as->argc && (r = dm_read_arg_group(_args, as, &argc, &ti->error)))
return r;
+ /* No feature arguments supplied. */
+ if (!argc)
+ goto error_all_io;
+
while (argc) {
arg_name = dm_shift_arg(as);
argc--;
@@ -217,6 +216,7 @@ static int parse_features(struct dm_arg_set *as, struct flakey_c *fc,
if (!fc->corrupt_bio_byte && !test_bit(ERROR_READS, &fc->flags) &&
!test_bit(DROP_WRITES, &fc->flags) && !test_bit(ERROR_WRITES, &fc->flags) &&
!fc->random_read_corrupt && !fc->random_write_corrupt) {
+error_all_io:
set_bit(ERROR_WRITES, &fc->flags);
set_bit(ERROR_READS, &fc->flags);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 206/356] dm-flakey: make corrupting read bios work
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 205/356] dm-flakey: error all IOs when num_features is absent Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 207/356] perf trace: Fix leaks of struct thread in set_filter_loop_pids() Greg Kroah-Hartman
` (158 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kent Overstreet, Benjamin Marzinski,
Mikulas Patocka, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Marzinski <bmarzins@redhat.com>
[ Upstream commit 13e79076c89f6e96a6cca8f6df38b40d025907b4 ]
dm-flakey corrupts the read bios in the endio function. However, the
corrupt_bio_* functions checked bio_has_data() to see if there was data
to corrupt. Since this was the endio function, there was no data left to
complete, so bio_has_data() was always false. Fix this by saving a copy
of the bio's bi_iter in flakey_map(), and using this to initialize the
iter for corrupting the read bios. This patch also skips cloning the bio
for write bios with no data.
Reported-by: Kent Overstreet <kent.overstreet@linux.dev>
Fixes: a3998799fb4df ("dm flakey: add corrupt_bio_byte feature")
Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-flakey.c | 54 ++++++++++++++++++++++--------------------
1 file changed, 28 insertions(+), 26 deletions(-)
diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c
index aeb9ecaf9a207..ada679f4fca67 100644
--- a/drivers/md/dm-flakey.c
+++ b/drivers/md/dm-flakey.c
@@ -47,7 +47,8 @@ enum feature_flag_bits {
};
struct per_bio_data {
- bool bio_submitted;
+ bool bio_can_corrupt;
+ struct bvec_iter saved_iter;
};
static int parse_features(struct dm_arg_set *as, struct flakey_c *fc,
@@ -339,7 +340,8 @@ static void flakey_map_bio(struct dm_target *ti, struct bio *bio)
}
static void corrupt_bio_common(struct bio *bio, unsigned int corrupt_bio_byte,
- unsigned char corrupt_bio_value)
+ unsigned char corrupt_bio_value,
+ struct bvec_iter start)
{
struct bvec_iter iter;
struct bio_vec bvec;
@@ -348,7 +350,7 @@ static void corrupt_bio_common(struct bio *bio, unsigned int corrupt_bio_byte,
* Overwrite the Nth byte of the bio's data, on whichever page
* it falls.
*/
- bio_for_each_segment(bvec, bio, iter) {
+ __bio_for_each_segment(bvec, bio, iter, start) {
if (bio_iter_len(bio, iter) > corrupt_bio_byte) {
unsigned char *segment = bvec_kmap_local(&bvec);
segment[corrupt_bio_byte] = corrupt_bio_value;
@@ -357,36 +359,31 @@ static void corrupt_bio_common(struct bio *bio, unsigned int corrupt_bio_byte,
"(rw=%c bi_opf=%u bi_sector=%llu size=%u)\n",
bio, corrupt_bio_value, corrupt_bio_byte,
(bio_data_dir(bio) == WRITE) ? 'w' : 'r', bio->bi_opf,
- (unsigned long long)bio->bi_iter.bi_sector,
- bio->bi_iter.bi_size);
+ (unsigned long long)start.bi_sector,
+ start.bi_size);
break;
}
corrupt_bio_byte -= bio_iter_len(bio, iter);
}
}
-static void corrupt_bio_data(struct bio *bio, struct flakey_c *fc)
+static void corrupt_bio_data(struct bio *bio, struct flakey_c *fc,
+ struct bvec_iter start)
{
unsigned int corrupt_bio_byte = fc->corrupt_bio_byte - 1;
- if (!bio_has_data(bio))
- return;
-
- corrupt_bio_common(bio, corrupt_bio_byte, fc->corrupt_bio_value);
+ corrupt_bio_common(bio, corrupt_bio_byte, fc->corrupt_bio_value, start);
}
-static void corrupt_bio_random(struct bio *bio)
+static void corrupt_bio_random(struct bio *bio, struct bvec_iter start)
{
unsigned int corrupt_byte;
unsigned char corrupt_value;
- if (!bio_has_data(bio))
- return;
-
- corrupt_byte = get_random_u32() % bio->bi_iter.bi_size;
+ corrupt_byte = get_random_u32() % start.bi_size;
corrupt_value = get_random_u8();
- corrupt_bio_common(bio, corrupt_byte, corrupt_value);
+ corrupt_bio_common(bio, corrupt_byte, corrupt_value, start);
}
static void clone_free(struct bio *clone)
@@ -481,7 +478,7 @@ static int flakey_map(struct dm_target *ti, struct bio *bio)
unsigned int elapsed;
struct per_bio_data *pb = dm_per_bio_data(bio, sizeof(struct per_bio_data));
- pb->bio_submitted = false;
+ pb->bio_can_corrupt = false;
if (op_is_zone_mgmt(bio_op(bio)))
goto map_bio;
@@ -490,10 +487,11 @@ static int flakey_map(struct dm_target *ti, struct bio *bio)
elapsed = (jiffies - fc->start_time) / HZ;
if (elapsed % (fc->up_interval + fc->down_interval) >= fc->up_interval) {
bool corrupt_fixed, corrupt_random;
- /*
- * Flag this bio as submitted while down.
- */
- pb->bio_submitted = true;
+
+ if (bio_has_data(bio)) {
+ pb->bio_can_corrupt = true;
+ pb->saved_iter = bio->bi_iter;
+ }
/*
* Error reads if neither corrupt_bio_byte or drop_writes or error_writes are set.
@@ -516,6 +514,8 @@ static int flakey_map(struct dm_target *ti, struct bio *bio)
return DM_MAPIO_SUBMITTED;
}
+ if (!pb->bio_can_corrupt)
+ goto map_bio;
/*
* Corrupt matching writes.
*/
@@ -535,9 +535,11 @@ static int flakey_map(struct dm_target *ti, struct bio *bio)
struct bio *clone = clone_bio(ti, fc, bio);
if (clone) {
if (corrupt_fixed)
- corrupt_bio_data(clone, fc);
+ corrupt_bio_data(clone, fc,
+ clone->bi_iter);
if (corrupt_random)
- corrupt_bio_random(clone);
+ corrupt_bio_random(clone,
+ clone->bi_iter);
submit_bio(clone);
return DM_MAPIO_SUBMITTED;
}
@@ -559,21 +561,21 @@ static int flakey_end_io(struct dm_target *ti, struct bio *bio,
if (op_is_zone_mgmt(bio_op(bio)))
return DM_ENDIO_DONE;
- if (!*error && pb->bio_submitted && (bio_data_dir(bio) == READ)) {
+ if (!*error && pb->bio_can_corrupt && (bio_data_dir(bio) == READ)) {
if (fc->corrupt_bio_byte) {
if ((fc->corrupt_bio_rw == READ) &&
all_corrupt_bio_flags_match(bio, fc)) {
/*
* Corrupt successful matching READs while in down state.
*/
- corrupt_bio_data(bio, fc);
+ corrupt_bio_data(bio, fc, pb->saved_iter);
}
}
if (fc->random_read_corrupt) {
u64 rnd = get_random_u64();
u32 rem = do_div(rnd, PROBABILITY_BASE);
if (rem < fc->random_read_corrupt)
- corrupt_bio_random(bio);
+ corrupt_bio_random(bio, pb->saved_iter);
}
if (test_bit(ERROR_READS, &fc->flags)) {
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 207/356] perf trace: Fix leaks of struct thread in set_filter_loop_pids()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 206/356] dm-flakey: make corrupting read bios work Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 208/356] perf intel-pt: Fix PEBS-via-PT data_src Greg Kroah-Hartman
` (157 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Howard Chu, Namhyung Kim,
Adrian Hunter, Ian Rogers, Ingo Molnar, Jiri Olsa, Kan Liang,
Peter Zijlstra, Arnaldo Carvalho de Melo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namhyung Kim <namhyung@kernel.org>
[ Upstream commit 30d20fb1f84ad5c92706fe2c6cbb2d4cc293e671 ]
I've found some leaks from 'perf trace -a'.
It seems there are more leaks but this is what I can find for now.
Fixes: 082ab9a18e532864 ("perf trace: Filter out 'sshd' in the tracer ancestry in syswide tracing")
Reviewed-by: Howard Chu <howardchu95@gmail.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lore.kernel.org/r/20250403054213.7021-1-namhyung@kernel.org
[ split from a larget patch ]
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-trace.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
index 12bdbf3ecc6ae..908509df007ba 100644
--- a/tools/perf/builtin-trace.c
+++ b/tools/perf/builtin-trace.c
@@ -3589,10 +3589,13 @@ static int trace__set_filter_loop_pids(struct trace *trace)
if (!strcmp(thread__comm_str(parent), "sshd") ||
strstarts(thread__comm_str(parent), "gnome-terminal")) {
pids[nr++] = thread__tid(parent);
+ thread__put(parent);
break;
}
+ thread__put(thread);
thread = parent;
}
+ thread__put(thread);
err = evlist__append_tp_filter_pids(trace->evlist, nr, pids);
if (!err && trace->filter_pids.map)
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 208/356] perf intel-pt: Fix PEBS-via-PT data_src
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 207/356] perf trace: Fix leaks of struct thread in set_filter_loop_pids() Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 209/356] perf scripts python: exported-sql-viewer.py: Fix pattern matching with Python 3 Greg Kroah-Hartman
` (156 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kan Liang, Adrian Hunter,
Alexander Shishkin, Ian Rogers, Jiri Olsa, Namhyung Kim,
Arnaldo Carvalho de Melo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
[ Upstream commit e00eac6b5b6d956f38d8880c44bf7fd9954063c3 ]
The Fixes commit did not add support for decoding PEBS-via-PT data_src.
Fix by adding support.
PEBS-via-PT is a feature of some E-core processors, starting with
processors based on Tremont microarchitecture. Because the kernel only
supports Intel PT features that are on all processors, there is no support
for PEBS-via-PT on hybrids.
Currently that leaves processors based on Tremont, Gracemont and Crestmont,
however there are no events on Tremont that produce data_src information,
and for Gracemont and Crestmont there are only:
mem-loads event=0xd0,umask=0x5,ldlat=3
mem-stores event=0xd0,umask=0x6
Affected processors include Alder Lake N (Gracemont), Sierra Forest
(Crestmont) and Grand Ridge (Crestmont).
Example:
# perf record -d -e intel_pt/branch=0/ -e mem-loads/aux-output/pp uname
Before:
# perf.before script --itrace=o -Fdata_src
0 |OP No|LVL N/A|SNP N/A|TLB N/A|LCK No|BLK N/A
0 |OP No|LVL N/A|SNP N/A|TLB N/A|LCK No|BLK N/A
After:
# perf script --itrace=o -Fdata_src
10268100142 |OP LOAD|LVL L1 hit|SNP None|TLB L1 or L2 hit|LCK No|BLK N/A
10450100442 |OP LOAD|LVL L2 hit|SNP None|TLB L2 miss|LCK No|BLK N/A
Fixes: 975846eddf907297 ("perf intel-pt: Add memory information to synthesized PEBS sample")
Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: https://lore.kernel.org/r/20250512093932.79854-2-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/intel-pt.c | 205 ++++++++++++++++++++++++++++++++++++-
1 file changed, 202 insertions(+), 3 deletions(-)
diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c
index 4db9a098f5926..e9f97c0c33582 100644
--- a/tools/perf/util/intel-pt.c
+++ b/tools/perf/util/intel-pt.c
@@ -127,6 +127,7 @@ struct intel_pt {
bool single_pebs;
bool sample_pebs;
+ int pebs_data_src_fmt;
struct evsel *pebs_evsel;
u64 evt_sample_type;
@@ -175,6 +176,7 @@ enum switch_state {
struct intel_pt_pebs_event {
struct evsel *evsel;
u64 id;
+ int data_src_fmt;
};
struct intel_pt_queue {
@@ -2232,7 +2234,146 @@ static void intel_pt_add_lbrs(struct branch_stack *br_stack,
}
}
-static int intel_pt_do_synth_pebs_sample(struct intel_pt_queue *ptq, struct evsel *evsel, u64 id)
+#define P(a, b) PERF_MEM_S(a, b)
+#define OP_LH (P(OP, LOAD) | P(LVL, HIT))
+#define LEVEL(x) P(LVLNUM, x)
+#define REM P(REMOTE, REMOTE)
+#define SNOOP_NONE_MISS (P(SNOOP, NONE) | P(SNOOP, MISS))
+
+#define PERF_PEBS_DATA_SOURCE_GRT_MAX 0x10
+#define PERF_PEBS_DATA_SOURCE_GRT_MASK (PERF_PEBS_DATA_SOURCE_GRT_MAX - 1)
+
+/* Based on kernel __intel_pmu_pebs_data_source_grt() and pebs_data_source */
+static const u64 pebs_data_source_grt[PERF_PEBS_DATA_SOURCE_GRT_MAX] = {
+ P(OP, LOAD) | P(LVL, MISS) | LEVEL(L3) | P(SNOOP, NA), /* L3 miss|SNP N/A */
+ OP_LH | P(LVL, L1) | LEVEL(L1) | P(SNOOP, NONE), /* L1 hit|SNP None */
+ OP_LH | P(LVL, LFB) | LEVEL(LFB) | P(SNOOP, NONE), /* LFB/MAB hit|SNP None */
+ OP_LH | P(LVL, L2) | LEVEL(L2) | P(SNOOP, NONE), /* L2 hit|SNP None */
+ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, NONE), /* L3 hit|SNP None */
+ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HIT), /* L3 hit|SNP Hit */
+ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HITM), /* L3 hit|SNP HitM */
+ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HITM), /* L3 hit|SNP HitM */
+ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOPX, FWD), /* L3 hit|SNP Fwd */
+ OP_LH | P(LVL, REM_CCE1) | REM | LEVEL(L3) | P(SNOOP, HITM), /* Remote L3 hit|SNP HitM */
+ OP_LH | P(LVL, LOC_RAM) | LEVEL(RAM) | P(SNOOP, HIT), /* RAM hit|SNP Hit */
+ OP_LH | P(LVL, REM_RAM1) | REM | LEVEL(L3) | P(SNOOP, HIT), /* Remote L3 hit|SNP Hit */
+ OP_LH | P(LVL, LOC_RAM) | LEVEL(RAM) | SNOOP_NONE_MISS, /* RAM hit|SNP None or Miss */
+ OP_LH | P(LVL, REM_RAM1) | LEVEL(RAM) | REM | SNOOP_NONE_MISS, /* Remote RAM hit|SNP None or Miss */
+ OP_LH | P(LVL, IO) | LEVEL(NA) | P(SNOOP, NONE), /* I/O hit|SNP None */
+ OP_LH | P(LVL, UNC) | LEVEL(NA) | P(SNOOP, NONE), /* Uncached hit|SNP None */
+};
+
+/* Based on kernel __intel_pmu_pebs_data_source_cmt() and pebs_data_source */
+static const u64 pebs_data_source_cmt[PERF_PEBS_DATA_SOURCE_GRT_MAX] = {
+ P(OP, LOAD) | P(LVL, MISS) | LEVEL(L3) | P(SNOOP, NA), /* L3 miss|SNP N/A */
+ OP_LH | P(LVL, L1) | LEVEL(L1) | P(SNOOP, NONE), /* L1 hit|SNP None */
+ OP_LH | P(LVL, LFB) | LEVEL(LFB) | P(SNOOP, NONE), /* LFB/MAB hit|SNP None */
+ OP_LH | P(LVL, L2) | LEVEL(L2) | P(SNOOP, NONE), /* L2 hit|SNP None */
+ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, NONE), /* L3 hit|SNP None */
+ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, MISS), /* L3 hit|SNP Hit */
+ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HIT), /* L3 hit|SNP HitM */
+ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOPX, FWD), /* L3 hit|SNP HitM */
+ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HITM), /* L3 hit|SNP Fwd */
+ OP_LH | P(LVL, REM_CCE1) | REM | LEVEL(L3) | P(SNOOP, HITM), /* Remote L3 hit|SNP HitM */
+ OP_LH | P(LVL, LOC_RAM) | LEVEL(RAM) | P(SNOOP, NONE), /* RAM hit|SNP Hit */
+ OP_LH | LEVEL(RAM) | REM | P(SNOOP, NONE), /* Remote L3 hit|SNP Hit */
+ OP_LH | LEVEL(RAM) | REM | P(SNOOPX, FWD), /* RAM hit|SNP None or Miss */
+ OP_LH | LEVEL(RAM) | REM | P(SNOOP, HITM), /* Remote RAM hit|SNP None or Miss */
+ OP_LH | P(LVL, IO) | LEVEL(NA) | P(SNOOP, NONE), /* I/O hit|SNP None */
+ OP_LH | P(LVL, UNC) | LEVEL(NA) | P(SNOOP, NONE), /* Uncached hit|SNP None */
+};
+
+/* Based on kernel pebs_set_tlb_lock() */
+static inline void pebs_set_tlb_lock(u64 *val, bool tlb, bool lock)
+{
+ /*
+ * TLB access
+ * 0 = did not miss 2nd level TLB
+ * 1 = missed 2nd level TLB
+ */
+ if (tlb)
+ *val |= P(TLB, MISS) | P(TLB, L2);
+ else
+ *val |= P(TLB, HIT) | P(TLB, L1) | P(TLB, L2);
+
+ /* locked prefix */
+ if (lock)
+ *val |= P(LOCK, LOCKED);
+}
+
+/* Based on kernel __grt_latency_data() */
+static u64 intel_pt_grt_latency_data(u8 dse, bool tlb, bool lock, bool blk,
+ const u64 *pebs_data_source)
+{
+ u64 val;
+
+ dse &= PERF_PEBS_DATA_SOURCE_GRT_MASK;
+ val = pebs_data_source[dse];
+
+ pebs_set_tlb_lock(&val, tlb, lock);
+
+ if (blk)
+ val |= P(BLK, DATA);
+ else
+ val |= P(BLK, NA);
+
+ return val;
+}
+
+/* Default value for data source */
+#define PERF_MEM_NA (PERF_MEM_S(OP, NA) |\
+ PERF_MEM_S(LVL, NA) |\
+ PERF_MEM_S(SNOOP, NA) |\
+ PERF_MEM_S(LOCK, NA) |\
+ PERF_MEM_S(TLB, NA) |\
+ PERF_MEM_S(LVLNUM, NA))
+
+enum DATA_SRC_FORMAT {
+ DATA_SRC_FORMAT_ERR = -1,
+ DATA_SRC_FORMAT_NA = 0,
+ DATA_SRC_FORMAT_GRT = 1,
+ DATA_SRC_FORMAT_CMT = 2,
+};
+
+/* Based on kernel grt_latency_data() and cmt_latency_data */
+static u64 intel_pt_get_data_src(u64 mem_aux_info, int data_src_fmt)
+{
+ switch (data_src_fmt) {
+ case DATA_SRC_FORMAT_GRT: {
+ union {
+ u64 val;
+ struct {
+ unsigned int dse:4;
+ unsigned int locked:1;
+ unsigned int stlb_miss:1;
+ unsigned int fwd_blk:1;
+ unsigned int reserved:25;
+ };
+ } x = {.val = mem_aux_info};
+ return intel_pt_grt_latency_data(x.dse, x.stlb_miss, x.locked, x.fwd_blk,
+ pebs_data_source_grt);
+ }
+ case DATA_SRC_FORMAT_CMT: {
+ union {
+ u64 val;
+ struct {
+ unsigned int dse:5;
+ unsigned int locked:1;
+ unsigned int stlb_miss:1;
+ unsigned int fwd_blk:1;
+ unsigned int reserved:24;
+ };
+ } x = {.val = mem_aux_info};
+ return intel_pt_grt_latency_data(x.dse, x.stlb_miss, x.locked, x.fwd_blk,
+ pebs_data_source_cmt);
+ }
+ default:
+ return PERF_MEM_NA;
+ }
+}
+
+static int intel_pt_do_synth_pebs_sample(struct intel_pt_queue *ptq, struct evsel *evsel,
+ u64 id, int data_src_fmt)
{
const struct intel_pt_blk_items *items = &ptq->state->items;
struct perf_sample sample = { .ip = 0, };
@@ -2350,6 +2491,18 @@ static int intel_pt_do_synth_pebs_sample(struct intel_pt_queue *ptq, struct evse
}
}
+ if (sample_type & PERF_SAMPLE_DATA_SRC) {
+ if (items->has_mem_aux_info && data_src_fmt) {
+ if (data_src_fmt < 0) {
+ pr_err("Intel PT missing data_src info\n");
+ return -1;
+ }
+ sample.data_src = intel_pt_get_data_src(items->mem_aux_info, data_src_fmt);
+ } else {
+ sample.data_src = PERF_MEM_NA;
+ }
+ }
+
if (sample_type & PERF_SAMPLE_TRANSACTION && items->has_tsx_aux_info) {
u64 ax = items->has_rax ? items->rax : 0;
/* Refer kernel's intel_hsw_transaction() */
@@ -2368,9 +2521,10 @@ static int intel_pt_synth_single_pebs_sample(struct intel_pt_queue *ptq)
{
struct intel_pt *pt = ptq->pt;
struct evsel *evsel = pt->pebs_evsel;
+ int data_src_fmt = pt->pebs_data_src_fmt;
u64 id = evsel->core.id[0];
- return intel_pt_do_synth_pebs_sample(ptq, evsel, id);
+ return intel_pt_do_synth_pebs_sample(ptq, evsel, id, data_src_fmt);
}
static int intel_pt_synth_pebs_sample(struct intel_pt_queue *ptq)
@@ -2395,7 +2549,7 @@ static int intel_pt_synth_pebs_sample(struct intel_pt_queue *ptq)
hw_id);
return intel_pt_synth_single_pebs_sample(ptq);
}
- err = intel_pt_do_synth_pebs_sample(ptq, pe->evsel, pe->id);
+ err = intel_pt_do_synth_pebs_sample(ptq, pe->evsel, pe->id, pe->data_src_fmt);
if (err)
return err;
}
@@ -3355,6 +3509,49 @@ static int intel_pt_process_itrace_start(struct intel_pt *pt,
event->itrace_start.tid);
}
+/*
+ * Events with data_src are identified by L1_Hit_Indication
+ * refer https://github.com/intel/perfmon
+ */
+static int intel_pt_data_src_fmt(struct intel_pt *pt, struct evsel *evsel)
+{
+ struct perf_env *env = pt->machine->env;
+ int fmt = DATA_SRC_FORMAT_NA;
+
+ if (!env->cpuid)
+ return DATA_SRC_FORMAT_ERR;
+
+ /*
+ * PEBS-via-PT is only supported on E-core non-hybrid. Of those only
+ * Gracemont and Crestmont have data_src. Check for:
+ * Alderlake N (Gracemont)
+ * Sierra Forest (Crestmont)
+ * Grand Ridge (Crestmont)
+ */
+
+ if (!strncmp(env->cpuid, "GenuineIntel,6,190,", 19))
+ fmt = DATA_SRC_FORMAT_GRT;
+
+ if (!strncmp(env->cpuid, "GenuineIntel,6,175,", 19) ||
+ !strncmp(env->cpuid, "GenuineIntel,6,182,", 19))
+ fmt = DATA_SRC_FORMAT_CMT;
+
+ if (fmt == DATA_SRC_FORMAT_NA)
+ return fmt;
+
+ /*
+ * Only data_src events are:
+ * mem-loads event=0xd0,umask=0x5
+ * mem-stores event=0xd0,umask=0x6
+ */
+ if (evsel->core.attr.type == PERF_TYPE_RAW &&
+ ((evsel->core.attr.config & 0xffff) == 0x5d0 ||
+ (evsel->core.attr.config & 0xffff) == 0x6d0))
+ return fmt;
+
+ return DATA_SRC_FORMAT_NA;
+}
+
static int intel_pt_process_aux_output_hw_id(struct intel_pt *pt,
union perf_event *event,
struct perf_sample *sample)
@@ -3375,6 +3572,7 @@ static int intel_pt_process_aux_output_hw_id(struct intel_pt *pt,
ptq->pebs[hw_id].evsel = evsel;
ptq->pebs[hw_id].id = sample->id;
+ ptq->pebs[hw_id].data_src_fmt = intel_pt_data_src_fmt(pt, evsel);
return 0;
}
@@ -3946,6 +4144,7 @@ static void intel_pt_setup_pebs_events(struct intel_pt *pt)
}
pt->single_pebs = true;
pt->sample_pebs = true;
+ pt->pebs_data_src_fmt = intel_pt_data_src_fmt(pt, evsel);
pt->pebs_evsel = evsel;
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 209/356] perf scripts python: exported-sql-viewer.py: Fix pattern matching with Python 3
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 208/356] perf intel-pt: Fix PEBS-via-PT data_src Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 210/356] remoteproc: qcom_wcnss_iris: Add missing put_device() on error in probe Greg Kroah-Hartman
` (155 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Alexander Shishkin,
Ian Rogers, Jiri Olsa, Kan Liang, Namhyung Kim, Tony Jones,
Arnaldo Carvalho de Melo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
[ Upstream commit 17e548405a81665fd14cee960db7d093d1396400 ]
The script allows the user to enter patterns to find symbols.
The pattern matching characters are converted for use in SQL.
For PostgreSQL the conversion involves using the Python maketrans()
method which is slightly different in Python 3 compared with Python 2.
Fix to work in Python 3.
Fixes: beda0e725e5f06ac ("perf script python: Add Python3 support to exported-sql-viewer.py")
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Tony Jones <tonyj@suse.de>
Link: https://lore.kernel.org/r/20250512093932.79854-4-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/scripts/python/exported-sql-viewer.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tools/perf/scripts/python/exported-sql-viewer.py b/tools/perf/scripts/python/exported-sql-viewer.py
index 13f2d8a816109..99742013676b3 100755
--- a/tools/perf/scripts/python/exported-sql-viewer.py
+++ b/tools/perf/scripts/python/exported-sql-viewer.py
@@ -680,7 +680,10 @@ class CallGraphModelBase(TreeModel):
s = value.replace("%", "\%")
s = s.replace("_", "\_")
# Translate * and ? into SQL LIKE pattern characters % and _
- trans = string.maketrans("*?", "%_")
+ if sys.version_info[0] == 3:
+ trans = str.maketrans("*?", "%_")
+ else:
+ trans = string.maketrans("*?", "%_")
match = " LIKE '" + str(s).translate(trans) + "'"
else:
match = " GLOB '" + str(value) + "'"
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 210/356] remoteproc: qcom_wcnss_iris: Add missing put_device() on error in probe
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 209/356] perf scripts python: exported-sql-viewer.py: Fix pattern matching with Python 3 Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 211/356] remoteproc: k3-r5: Drop check performed in k3_r5_rproc_{mbox_callback/kick} Greg Kroah-Hartman
` (154 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Dmitry Baryshkov,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 0cb4b1b97041d8a1f773425208ded253c1cb5869 ]
The device_del() call matches with the device_add() but we also need
to call put_device() to trigger the qcom_iris_release().
Fixes: 1fcef985c8bd ("remoteproc: qcom: wcnss: Fix race with iris probe")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/4604f7e0-3217-4095-b28a-3ff8b5afad3a@stanley.mountain
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/qcom_wcnss_iris.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/remoteproc/qcom_wcnss_iris.c b/drivers/remoteproc/qcom_wcnss_iris.c
index dd36fd077911a..1e197f7734742 100644
--- a/drivers/remoteproc/qcom_wcnss_iris.c
+++ b/drivers/remoteproc/qcom_wcnss_iris.c
@@ -197,6 +197,7 @@ struct qcom_iris *qcom_iris_probe(struct device *parent, bool *use_48mhz_xo)
err_device_del:
device_del(&iris->dev);
+ put_device(&iris->dev);
return ERR_PTR(ret);
}
@@ -204,4 +205,5 @@ struct qcom_iris *qcom_iris_probe(struct device *parent, bool *use_48mhz_xo)
void qcom_iris_remove(struct qcom_iris *iris)
{
device_del(&iris->dev);
+ put_device(&iris->dev);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 211/356] remoteproc: k3-r5: Drop check performed in k3_r5_rproc_{mbox_callback/kick}
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 210/356] remoteproc: qcom_wcnss_iris: Add missing put_device() on error in probe Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 212/356] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() Greg Kroah-Hartman
` (153 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Siddharth Vadapalli, Beleswar Padhi,
Judith Mendez, Andrew Davis, Mathieu Poirier, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Siddharth Vadapalli <s-vadapalli@ti.com>
[ Upstream commit 9995dbfc2235efabdb3759606d522e1a7ec3bdcb ]
Commit f3f11cfe8907 ("remoteproc: k3-r5: Acquire mailbox handle during
probe routine") introduced a check in the "k3_r5_rproc_mbox_callback()"
and "k3_r5_rproc_kick()" callbacks, causing them to exit if the remote
core's state is "RPROC_DETACHED". However, the "__rproc_attach()"
function that is responsible for attaching to a remote core, updates
the state of the remote core to "RPROC_ATTACHED" only after invoking
"rproc_start_subdevices()".
The "rproc_start_subdevices()" function triggers the probe of the Virtio
RPMsg devices associated with the remote core, which require that the
"k3_r5_rproc_kick()" and "k3_r5_rproc_mbox_callback()" callbacks are
functional. Hence, drop the check in the callbacks.
Fixes: f3f11cfe8907 ("remoteproc: k3-r5: Acquire mailbox handle during probe routine")
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
Signed-off-by: Beleswar Padhi <b-padhi@ti.com>
Tested-by: Judith Mendez <jm@ti.com>
Reviewed-by: Andrew Davis <afd@ti.com>
Link: https://lore.kernel.org/r/20250513054510.3439842-2-b-padhi@ti.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/ti_k3_r5_remoteproc.c | 8 --------
1 file changed, 8 deletions(-)
diff --git a/drivers/remoteproc/ti_k3_r5_remoteproc.c b/drivers/remoteproc/ti_k3_r5_remoteproc.c
index 5491b1b17ca36..37005640c784c 100644
--- a/drivers/remoteproc/ti_k3_r5_remoteproc.c
+++ b/drivers/remoteproc/ti_k3_r5_remoteproc.c
@@ -194,10 +194,6 @@ static void k3_r5_rproc_mbox_callback(struct mbox_client *client, void *data)
const char *name = kproc->rproc->name;
u32 msg = omap_mbox_message(data);
- /* Do not forward message from a detached core */
- if (kproc->rproc->state == RPROC_DETACHED)
- return;
-
dev_dbg(dev, "mbox msg: 0x%x\n", msg);
switch (msg) {
@@ -233,10 +229,6 @@ static void k3_r5_rproc_kick(struct rproc *rproc, int vqid)
mbox_msg_t msg = (mbox_msg_t)vqid;
int ret;
- /* Do not forward message to a detached core */
- if (kproc->rproc->state == RPROC_DETACHED)
- return;
-
/* send the index of the triggered virtqueue in the mailbox payload */
ret = mbox_send_message(kproc->mbox, (void *)msg);
if (ret < 0)
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 212/356] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 211/356] remoteproc: k3-r5: Drop check performed in k3_r5_rproc_{mbox_callback/kick} Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 213/356] mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() Greg Kroah-Hartman
` (152 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Bjorn Andersson,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 5de775df3362090a6e90046d1f2d83fe62489aa0 ]
The "ret" variable isn't initialized if we don't enter the loop. For
example, if "channel->state" is not SMD_CHANNEL_OPENED.
Fixes: 33e3820dda88 ("rpmsg: smd: Use spinlock in tx path")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/aAkhvV0nSbrsef1P@stanley.mountain
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rpmsg/qcom_smd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c
index 43f601c84b4fc..79d35ab43729e 100644
--- a/drivers/rpmsg/qcom_smd.c
+++ b/drivers/rpmsg/qcom_smd.c
@@ -746,7 +746,7 @@ static int __qcom_smd_send(struct qcom_smd_channel *channel, const void *data,
__le32 hdr[5] = { cpu_to_le32(len), };
int tlen = sizeof(hdr) + len;
unsigned long flags;
- int ret;
+ int ret = 0;
/* Word aligned channels only accept word size aligned data */
if (channel->info_word && len % 4)
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 213/356] mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 212/356] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 214/356] mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE Greg Kroah-Hartman
` (151 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET,
Krzysztof Kozlowski, Lee Jones, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit b70b84556eeca5262d290e8619fe0af5b7664a52 ]
exynos_lpass_disable() is called twice in the remove function. Remove
one of these calls.
Fixes: 90f447170c6f ("mfd: exynos-lpass: Add runtime PM support")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/74d69e8de10308c9855db6d54155a3de4b11abfd.1745247209.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/exynos-lpass.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/mfd/exynos-lpass.c b/drivers/mfd/exynos-lpass.c
index 1506d8d352b19..5e39d91b728fc 100644
--- a/drivers/mfd/exynos-lpass.c
+++ b/drivers/mfd/exynos-lpass.c
@@ -141,7 +141,6 @@ static int exynos_lpass_remove(struct platform_device *pdev)
{
struct exynos_lpass *lpass = platform_get_drvdata(pdev);
- exynos_lpass_disable(lpass);
pm_runtime_disable(&pdev->dev);
if (!pm_runtime_status_suspended(&pdev->dev))
exynos_lpass_disable(lpass);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 214/356] mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 213/356] mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 215/356] perf tests switch-tracking: Fix timestamp comparison Greg Kroah-Hartman
` (150 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Gladkov, Krzysztof Kozlowski,
Lee Jones, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Gladkov <legion@kernel.org>
[ Upstream commit 59d60c16ed41475f3b5f7b605e75fbf8e3628720 ]
The name used in the macro does not exist.
drivers/mfd/stmpe-spi.c:132:26: error: use of undeclared identifier 'stmpe_id'
132 | MODULE_DEVICE_TABLE(spi, stmpe_id);
Fixes: e789995d5c61 ("mfd: Add support for STMPE SPI interface")
Signed-off-by: Alexey Gladkov <legion@kernel.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/79d5a847303e45a46098f2d827d3d8a249a32be3.1745591072.git.legion@kernel.org
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/stmpe-spi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mfd/stmpe-spi.c b/drivers/mfd/stmpe-spi.c
index 792236f56399a..b9cc85ea2c401 100644
--- a/drivers/mfd/stmpe-spi.c
+++ b/drivers/mfd/stmpe-spi.c
@@ -129,7 +129,7 @@ static const struct spi_device_id stmpe_spi_id[] = {
{ "stmpe2403", STMPE2403 },
{ }
};
-MODULE_DEVICE_TABLE(spi, stmpe_id);
+MODULE_DEVICE_TABLE(spi, stmpe_spi_id);
static struct spi_driver stmpe_spi_driver = {
.driver = {
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 215/356] perf tests switch-tracking: Fix timestamp comparison
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 214/356] mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 216/356] perf record: Fix incorrect --user-regs comments Greg Kroah-Hartman
` (149 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Leo Yan, Adrian Hunter,
James Clark, Kan Liang, Namhyung Kim, Arnaldo Carvalho de Melo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Yan <leo.yan@arm.com>
[ Upstream commit 628e124404b3db5e10e17228e680a2999018ab33 ]
The test might fail on the Arm64 platform with the error:
# perf test -vvv "Track with sched_switch"
Missing sched_switch events
#
The issue is caused by incorrect handling of timestamp comparisons. The
comparison result, a signed 64-bit value, was being directly cast to an
int, leading to incorrect sorting for sched events.
The case does not fail everytime, usually I can trigger the failure
after run 20 ~ 30 times:
# while true; do perf test "Track with sched_switch"; done
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : FAILED!
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
106: Track with sched_switch : FAILED!
106: Track with sched_switch : Ok
106: Track with sched_switch : Ok
I used cross compiler to build Perf tool on my host machine and tested on
Debian / Juno board. Generally, I think this issue is not very specific
to GCC versions. As both internal CI and my local env can reproduce the
issue.
My Host Build compiler:
# aarch64-linux-gnu-gcc --version
aarch64-linux-gnu-gcc (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0
Juno Board:
# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm
Fix this by explicitly returning 0, 1, or -1 based on whether the result
is zero, positive, or negative.
Fixes: d44bc558297222d9 ("perf tests: Add a test for tracking with sched_switch")
Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: Leo Yan <leo.yan@arm.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: https://lore.kernel.org/r/20250331172759.115604-1-leo.yan@arm.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/tests/switch-tracking.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/tests/switch-tracking.c b/tools/perf/tests/switch-tracking.c
index e52b031bedc5a..2c7bdf4fd55ed 100644
--- a/tools/perf/tests/switch-tracking.c
+++ b/tools/perf/tests/switch-tracking.c
@@ -258,7 +258,7 @@ static int compar(const void *a, const void *b)
const struct event_node *nodeb = b;
s64 cmp = nodea->event_time - nodeb->event_time;
- return cmp;
+ return cmp < 0 ? -1 : (cmp > 0 ? 1 : 0);
}
static int process_events(struct evlist *evlist,
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 216/356] perf record: Fix incorrect --user-regs comments
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 215/356] perf tests switch-tracking: Fix timestamp comparison Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 217/356] perf trace: Always print return value for syscalls returning a pid Greg Kroah-Hartman
` (148 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Dapeng Mi, Adrian Hunter,
Alexander Shishkin, Andi Kleen, Ingo Molnar, Kan Liang,
Namhyung Kim, Peter Zijlstra, Arnaldo Carvalho de Melo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dapeng Mi <dapeng1.mi@linux.intel.com>
[ Upstream commit a4a859eb6704a8aa46aa1cec5396c8d41383a26b ]
The comment of "--user-regs" option is not correct, fix it.
"on interrupt," -> "in user space,"
Fixes: 84c417422798c897 ("perf record: Support direct --user-regs arguments")
Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lore.kernel.org/r/20250403060810.196028-1-dapeng1.mi@linux.intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-record.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c
index b94ae33a343c2..81f77c0505fde 100644
--- a/tools/perf/builtin-record.c
+++ b/tools/perf/builtin-record.c
@@ -3427,7 +3427,7 @@ static struct option __record_options[] = {
"sample selected machine registers on interrupt,"
" use '-I?' to list register names", parse_intr_regs),
OPT_CALLBACK_OPTARG(0, "user-regs", &record.opts.sample_user_regs, NULL, "any register",
- "sample selected machine registers on interrupt,"
+ "sample selected machine registers in user space,"
" use '--user-regs=?' to list register names", parse_user_regs),
OPT_BOOLEAN(0, "running-time", &record.opts.running_time,
"Record running/enabled time of read (:S) events"),
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 217/356] perf trace: Always print return value for syscalls returning a pid
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 216/356] perf record: Fix incorrect --user-regs comments Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 218/356] nfs: clear SB_RDONLY before getting superblock Greg Kroah-Hartman
` (147 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Howard Chu, Anubhav Shelat,
Namhyung Kim, Adrian Hunter, Alexander Shishkin, Dapeng Mi,
Ian Rogers, Ingo Molnar, James Clark, Jiri Olsa, Kan Liang,
Mark Rutland, Michael Petlan, Peter Zijlstra,
Arnaldo Carvalho de Melo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anubhav Shelat <ashelat@redhat.com>
[ Upstream commit c7a48ea9b919e2fa0e4a1d9938fdb03e9afe276c ]
The syscalls that were consistently observed were set_robust_list and
rseq. This is because perf cannot find their child process.
This change ensures that the return value is always printed.
Before:
0.256 ( 0.001 ms): set_robust_list(head: 0x7f09c77dba20, len: 24) =
0.259 ( 0.001 ms): rseq(rseq: 0x7f09c77dc0e0, rseq_len: 32, sig: 1392848979) =
After:
0.270 ( 0.002 ms): set_robust_list(head: 0x7f0bb14a6a20, len: 24) = 0
0.273 ( 0.002 ms): rseq(rseq: 0x7f0bb14a70e0, rseq_len: 32, sig: 1392848979) = 0
Committer notes:
As discussed in the thread in the Link: tag below, these two don't
return a pid, but for syscalls returning one, we need to print the
result and if we manage to find the children in 'perf trace' data
structures, then print its name as well.
Fixes: 11c8e39f5133aed9 ("perf trace: Infrastructure to show COMM strings for syscalls returning PIDs")
Reviewed-by: Howard Chu <howardchu95@gmail.com>
Signed-off-by: Anubhav Shelat <ashelat@redhat.com>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Dapeng Mi <dapeng1.mi@linux.intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Michael Petlan <mpetlan@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lore.kernel.org/r/20250403160411.159238-2-ashelat@redhat.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-trace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
index 908509df007ba..7ee3285af10c9 100644
--- a/tools/perf/builtin-trace.c
+++ b/tools/perf/builtin-trace.c
@@ -2586,8 +2586,8 @@ errno_print: {
else if (sc->fmt->errpid) {
struct thread *child = machine__find_thread(trace->host, ret, ret);
+ fprintf(trace->output, "%ld", ret);
if (child != NULL) {
- fprintf(trace->output, "%ld", ret);
if (thread__comm_set(child))
fprintf(trace->output, " (%s)", thread__comm_str(child));
thread__put(child);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 218/356] nfs: clear SB_RDONLY before getting superblock
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 217/356] perf trace: Always print return value for syscalls returning a pid Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 219/356] nfs: ignore SB_RDONLY when remounting nfs Greg Kroah-Hartman
` (146 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Lingfeng, Anna Schumaker,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Lingfeng <lilingfeng3@huawei.com>
[ Upstream commit 8cd9b785943c57a136536250da80ba1eb6f8eb18 ]
As described in the link, commit 52cb7f8f1778 ("nfs: ignore SB_RDONLY when
mounting nfs") removed the check for the ro flag when determining whether
to share the superblock, which caused issues when mounting different
subdirectories under the same export directory via NFSv3. However, this
change did not affect NFSv4.
For NFSv3:
1) A single superblock is created for the initial mount.
2) When mounted read-only, this superblock carries the SB_RDONLY flag.
3) Before commit 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs"):
Subsequent rw mounts would not share the existing ro superblock due to
flag mismatch, creating a new superblock without SB_RDONLY.
After the commit:
The SB_RDONLY flag is ignored during superblock comparison, and this leads
to sharing the existing superblock even for rw mounts.
Ultimately results in write operations being rejected at the VFS layer.
For NFSv4:
1) Multiple superblocks are created and the last one will be kept.
2) The actually used superblock for ro mounts doesn't carry SB_RDONLY flag.
Therefore, commit 52cb7f8f1778 doesn't affect NFSv4 mounts.
Clear SB_RDONLY before getting superblock when NFS_MOUNT_UNSHARED is not
set to fix it.
Fixes: 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs")
Closes: https://lore.kernel.org/all/12d7ea53-1202-4e21-a7ef-431c94758ce5@app.fastmail.com/T/
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/super.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index e1bcad5906ae7..59bf4b2c0f86e 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -1277,8 +1277,17 @@ int nfs_get_tree_common(struct fs_context *fc)
if (IS_ERR(server))
return PTR_ERR(server);
+ /*
+ * When NFS_MOUNT_UNSHARED is not set, NFS forces the sharing of a
+ * superblock among each filesystem that mounts sub-directories
+ * belonging to a single exported root path.
+ * To prevent interference between different filesystems, the
+ * SB_RDONLY flag should be removed from the superblock.
+ */
if (server->flags & NFS_MOUNT_UNSHARED)
compare_super = NULL;
+ else
+ fc->sb_flags &= ~SB_RDONLY;
/* -o noac implies -o sync */
if (server->flags & NFS_MOUNT_NOAC)
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 219/356] nfs: ignore SB_RDONLY when remounting nfs
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 218/356] nfs: clear SB_RDONLY before getting superblock Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 220/356] cifs: Fix validation of SMB1 query reparse point response Greg Kroah-Hartman
` (145 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Lingfeng, Anna Schumaker,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Lingfeng <lilingfeng3@huawei.com>
[ Upstream commit 80c4de6ab44c14e910117a02f2f8241ffc6ec54a ]
In some scenarios, when mounting NFS, more than one superblock may be
created. The final superblock used is the last one created, but only the
first superblock carries the ro flag passed from user space. If a ro flag
is added to the superblock via remount, it will trigger the issue
described in Link[1].
Link[2] attempted to address this by marking the superblock as ro during
the initial mount. However, this introduced a new problem in scenarios
where multiple mount points share the same superblock:
[root@a ~]# mount /dev/sdb /mnt/sdb
[root@a ~]# echo "/mnt/sdb *(rw,no_root_squash)" > /etc/exports
[root@a ~]# echo "/mnt/sdb/test_dir2 *(ro,no_root_squash)" >> /etc/exports
[root@a ~]# systemctl restart nfs-server
[root@a ~]# mount -t nfs -o rw 127.0.0.1:/mnt/sdb/test_dir1 /mnt/test_mp1
[root@a ~]# mount | grep nfs4
127.0.0.1:/mnt/sdb/test_dir1 on /mnt/test_mp1 type nfs4 (rw,relatime,...
[root@a ~]# mount -t nfs -o ro 127.0.0.1:/mnt/sdb/test_dir2 /mnt/test_mp2
[root@a ~]# mount | grep nfs4
127.0.0.1:/mnt/sdb/test_dir1 on /mnt/test_mp1 type nfs4 (ro,relatime,...
127.0.0.1:/mnt/sdb/test_dir2 on /mnt/test_mp2 type nfs4 (ro,relatime,...
[root@a ~]#
When mounting the second NFS, the shared superblock is marked as ro,
causing the previous NFS mount to become read-only.
To resolve both issues, the ro flag is no longer applied to the superblock
during remount. Instead, the ro flag on the mount is used to control
whether the mount point is read-only.
Fixes: 281cad46b34d ("NFS: Create a submount rpc_op")
Link[1]: https://lore.kernel.org/all/20240604112636.236517-3-lilingfeng@huaweicloud.com/
Link[2]: https://lore.kernel.org/all/20241130035818.1459775-1-lilingfeng3@huawei.com/
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/super.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 59bf4b2c0f86e..4e72ee57fc8fc 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -1020,6 +1020,16 @@ int nfs_reconfigure(struct fs_context *fc)
sync_filesystem(sb);
+ /*
+ * The SB_RDONLY flag has been removed from the superblock during
+ * mounts to prevent interference between different filesystems.
+ * Similarly, it is also necessary to ignore the SB_RDONLY flag
+ * during reconfiguration; otherwise, it may also result in the
+ * creation of redundant superblocks when mounting a directory with
+ * different rw and ro flags multiple times.
+ */
+ fc->sb_flags_mask &= ~SB_RDONLY;
+
/*
* Userspace mount programs that send binary options generally send
* them populated with default values. We have no way to know which
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 220/356] cifs: Fix validation of SMB1 query reparse point response
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 219/356] nfs: ignore SB_RDONLY when remounting nfs Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 221/356] rtc: sh: assign correct interrupts with DT Greg Kroah-Hartman
` (144 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pali Rohár, Steve French,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pali Rohár <pali@kernel.org>
[ Upstream commit 56e84c64fc257a95728ee73165456b025c48d408 ]
Validate the SMB1 query reparse point response per [MS-CIFS] section
2.2.7.2 NT_TRANSACT_IOCTL.
NT_TRANSACT_IOCTL response contains one word long setup data after which is
ByteCount member. So check that SetupCount is 1 before trying to read and
use ByteCount member.
Output setup data contains ReturnedDataLen member which is the output
length of executed IOCTL command by remote system. So check that output was
not truncated before transferring over network.
Change MaxSetupCount of NT_TRANSACT_IOCTL request from 4 to 1 as io_rsp
structure already expects one word long output setup data. This should
prevent server sending incompatible structure (in case it would be extended
in future, which is unlikely).
Change MaxParameterCount of NT_TRANSACT_IOCTL request from 2 to 0 as
NT IOCTL does not have any documented output parameters and this function
does not parse any output parameters at all.
Fixes: ed3e0a149b58 ("smb: client: implement ->query_reparse_point() for SMB1")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/cifssmb.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c
index b91184ebce02c..c36ab20050c16 100644
--- a/fs/smb/client/cifssmb.c
+++ b/fs/smb/client/cifssmb.c
@@ -2738,10 +2738,10 @@ int cifs_query_reparse_point(const unsigned int xid,
io_req->TotalParameterCount = 0;
io_req->TotalDataCount = 0;
- io_req->MaxParameterCount = cpu_to_le32(2);
+ io_req->MaxParameterCount = cpu_to_le32(0);
/* BB find exact data count max from sess structure BB */
io_req->MaxDataCount = cpu_to_le32(CIFSMaxBufSize & 0xFFFFFF00);
- io_req->MaxSetupCount = 4;
+ io_req->MaxSetupCount = 1;
io_req->Reserved = 0;
io_req->ParameterOffset = 0;
io_req->DataCount = 0;
@@ -2768,6 +2768,22 @@ int cifs_query_reparse_point(const unsigned int xid,
goto error;
}
+ /* SetupCount must be 1, otherwise offset to ByteCount is incorrect. */
+ if (io_rsp->SetupCount != 1) {
+ rc = -EIO;
+ goto error;
+ }
+
+ /*
+ * ReturnedDataLen is output length of executed IOCTL.
+ * DataCount is output length transferred over network.
+ * Check that we have full FSCTL_GET_REPARSE_POINT buffer.
+ */
+ if (data_count != le16_to_cpu(io_rsp->ReturnedDataLen)) {
+ rc = -EIO;
+ goto error;
+ }
+
end = 2 + get_bcc(&io_rsp->hdr) + (__u8 *)&io_rsp->ByteCount;
start = (__u8 *)&io_rsp->hdr.Protocol + data_offset;
if (start >= end) {
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 221/356] rtc: sh: assign correct interrupts with DT
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 220/356] cifs: Fix validation of SMB1 query reparse point response Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 222/356] PCI: Print the actual delay time in pci_bridge_wait_for_secondary_bus() Greg Kroah-Hartman
` (143 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Alexandre Belloni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit 8f2efdbc303fe7baa83843d3290dd6ea5ba3276c ]
The DT bindings for this driver define the interrupts in the order as
they are numbered in the interrupt controller. The old platform_data,
however, listed them in a different order. So, for DT based platforms,
they are mixed up. Assign them specifically for DT, so we can keep the
bindings stable. After the fix, 'rtctest' passes again on the Renesas
Genmai board (RZ-A1 / R7S72100).
Fixes: dab5aec64bf5 ("rtc: sh: add support for rza series")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Link: https://lore.kernel.org/r/20250227134256.9167-11-wsa+renesas@sang-engineering.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-sh.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/rtc/rtc-sh.c b/drivers/rtc/rtc-sh.c
index cd146b5741431..341b1b776e1a3 100644
--- a/drivers/rtc/rtc-sh.c
+++ b/drivers/rtc/rtc-sh.c
@@ -485,9 +485,15 @@ static int __init sh_rtc_probe(struct platform_device *pdev)
return -ENOENT;
}
- rtc->periodic_irq = ret;
- rtc->carry_irq = platform_get_irq(pdev, 1);
- rtc->alarm_irq = platform_get_irq(pdev, 2);
+ if (!pdev->dev.of_node) {
+ rtc->periodic_irq = ret;
+ rtc->carry_irq = platform_get_irq(pdev, 1);
+ rtc->alarm_irq = platform_get_irq(pdev, 2);
+ } else {
+ rtc->alarm_irq = ret;
+ rtc->periodic_irq = platform_get_irq(pdev, 1);
+ rtc->carry_irq = platform_get_irq(pdev, 2);
+ }
res = platform_get_resource(pdev, IORESOURCE_IO, 0);
if (!res)
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 222/356] PCI: Print the actual delay time in pci_bridge_wait_for_secondary_bus()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 221/356] rtc: sh: assign correct interrupts with DT Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 223/356] PCI: cadence: Fix runtime atomic count underflow Greg Kroah-Hartman
` (142 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wilfred Mallawa, Bjorn Helgaas,
Damien Le Moal, Kuppuswamy Sathyanarayanan, Mika Westerberg,
Ilpo Järvinen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wilfred Mallawa <wilfred.mallawa@wdc.com>
[ Upstream commit d24eba726aadf8778f2907dd42281c6380b0ccaa ]
Print the delay amount that pcie_wait_for_link_delay() is invoked with
instead of the hardcoded 1000ms value in the debug info print.
Fixes: 7b3ba09febf4 ("PCI/PM: Shorten pci_bridge_wait_for_secondary_bus() wait time for slow links")
Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://patch.msgid.link/20250414001505.21243-2-wilfred.opensource@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index 095fa1910d36d..503304aba9eac 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -5221,7 +5221,7 @@ int pci_bridge_wait_for_secondary_bus(struct pci_dev *dev, char *reset_type)
delay);
if (!pcie_wait_for_link_delay(dev, true, delay)) {
/* Did not train, no need to wait any further */
- pci_info(dev, "Data Link Layer Link Active not set in 1000 msec\n");
+ pci_info(dev, "Data Link Layer Link Active not set in %d msec\n", delay);
return -ENOTTY;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 223/356] PCI: cadence: Fix runtime atomic count underflow
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 222/356] PCI: Print the actual delay time in pci_bridge_wait_for_secondary_bus() Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 224/356] PCI: apple: Use gpiod_set_value_cansleep in probe flow Greg Kroah-Hartman
` (141 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans Zhang, Manivannan Sadhasivam,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans Zhang <18255117159@163.com>
[ Upstream commit 8805f32a96d3b97cef07999fa6f52112678f7e65 ]
If the call to pci_host_probe() in cdns_pcie_host_setup() fails, PM
runtime count is decremented in the error path using pm_runtime_put_sync().
But the runtime count is not incremented by this driver, but only by the
callers (cdns_plat_pcie_probe/j721e_pcie_probe). And the callers also
decrement the runtime PM count in their error path. So this leads to the
below warning from the PM core:
"runtime PM usage count underflow!"
So fix it by getting rid of pm_runtime_put_sync() in the error path and
directly return the errno.
Fixes: 49e427e6bdd1 ("Merge branch 'pci/host-probe-refactor'")
Signed-off-by: Hans Zhang <18255117159@163.com>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://patch.msgid.link/20250419133058.162048-1-18255117159@163.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/cadence/pcie-cadence-host.c | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/drivers/pci/controller/cadence/pcie-cadence-host.c b/drivers/pci/controller/cadence/pcie-cadence-host.c
index 8af95e9da7cec..741e10a575ec7 100644
--- a/drivers/pci/controller/cadence/pcie-cadence-host.c
+++ b/drivers/pci/controller/cadence/pcie-cadence-host.c
@@ -570,14 +570,5 @@ int cdns_pcie_host_setup(struct cdns_pcie_rc *rc)
if (!bridge->ops)
bridge->ops = &cdns_pcie_host_ops;
- ret = pci_host_probe(bridge);
- if (ret < 0)
- goto err_init;
-
- return 0;
-
- err_init:
- pm_runtime_put_sync(dev);
-
- return ret;
+ return pci_host_probe(bridge);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 224/356] PCI: apple: Use gpiod_set_value_cansleep in probe flow
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 223/356] PCI: cadence: Fix runtime atomic count underflow Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 225/356] PCI: Explicitly put devices into D0 when initializing Greg Kroah-Hartman
` (140 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hector Martin, Alyssa Rosenzweig,
Marc Zyngier, Manivannan Sadhasivam, Janne Grunau,
Rob Herring (Arm), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hector Martin <marcan@marcan.st>
[ Upstream commit 7334364f9de79a9a236dd0243ba574b8d2876e89 ]
We're allowed to sleep here, so tell the GPIO core by using
gpiod_set_value_cansleep instead of gpiod_set_value.
Fixes: 1e33888fbe44 ("PCI: apple: Add initial hardware bring-up")
Signed-off-by: Hector Martin <marcan@marcan.st>
Signed-off-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Tested-by: Janne Grunau <j@jannau.net>
Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Acked-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
Link: https://patch.msgid.link/20250401091713.2765724-12-maz@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/pcie-apple.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/controller/pcie-apple.c b/drivers/pci/controller/pcie-apple.c
index f7a248393a8f1..7e6bd63a6425e 100644
--- a/drivers/pci/controller/pcie-apple.c
+++ b/drivers/pci/controller/pcie-apple.c
@@ -541,7 +541,7 @@ static int apple_pcie_setup_port(struct apple_pcie *pcie,
rmw_set(PORT_APPCLK_EN, port->base + PORT_APPCLK);
/* Assert PERST# before setting up the clock */
- gpiod_set_value(reset, 1);
+ gpiod_set_value_cansleep(reset, 1);
ret = apple_pcie_setup_refclk(pcie, port);
if (ret < 0)
@@ -552,7 +552,7 @@ static int apple_pcie_setup_port(struct apple_pcie *pcie,
/* Deassert PERST# */
rmw_set(PORT_PERST_OFF, port->base + PORT_PERST);
- gpiod_set_value(reset, 0);
+ gpiod_set_value_cansleep(reset, 0);
/* Wait for 100ms after PERST# deassertion (PCIe r5.0, 6.6.1) */
msleep(100);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 225/356] PCI: Explicitly put devices into D0 when initializing
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 224/356] PCI: apple: Use gpiod_set_value_cansleep in probe flow Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 16:09 ` Limonciello, Mario
2025-06-17 15:25 ` [PATCH 6.6 226/356] phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug Greg Kroah-Hartman
` (139 subsequent siblings)
364 siblings, 1 reply; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Bjorn Helgaas,
Denis Benato, Yijun Shen, David Perry, Rafael J. Wysocki,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit 4d4c10f763d7808fbade28d83d237411603bca05 ]
AMD BIOS team has root caused an issue that NVMe storage failed to come
back from suspend to a lack of a call to _REG when NVMe device was probed.
112a7f9c8edbf ("PCI/ACPI: Call _REG when transitioning D-states") added
support for calling _REG when transitioning D-states, but this only works
if the device actually "transitions" D-states.
967577b062417 ("PCI/PM: Keep runtime PM enabled for unbound PCI devices")
added support for runtime PM on PCI devices, but never actually
'explicitly' sets the device to D0.
To make sure that devices are in D0 and that platform methods such as
_REG are called, explicitly set all devices into D0 during initialization.
Fixes: 967577b062417 ("PCI/PM: Keep runtime PM enabled for unbound PCI devices")
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Denis Benato <benato.denis96@gmail.com>
Tested-By: Yijun Shen <Yijun_Shen@Dell.com>
Tested-By: David Perry <david.perry@amd.com>
Reviewed-by: Rafael J. Wysocki <rafael@kernel.org>
Link: https://patch.msgid.link/20250424043232.1848107-1-superm1@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pci-driver.c | 6 ------
drivers/pci/pci.c | 13 ++++++++++---
drivers/pci/pci.h | 1 +
3 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
index 9c59bf03d6579..258ba97d07242 100644
--- a/drivers/pci/pci-driver.c
+++ b/drivers/pci/pci-driver.c
@@ -564,12 +564,6 @@ static void pci_pm_default_resume(struct pci_dev *pci_dev)
pci_enable_wake(pci_dev, PCI_D0, false);
}
-static void pci_pm_power_up_and_verify_state(struct pci_dev *pci_dev)
-{
- pci_power_up(pci_dev);
- pci_update_current_state(pci_dev, PCI_D0);
-}
-
static void pci_pm_default_resume_early(struct pci_dev *pci_dev)
{
pci_pm_power_up_and_verify_state(pci_dev);
diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index 503304aba9eac..89c6b161f80c9 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -3227,6 +3227,12 @@ void pci_d3cold_disable(struct pci_dev *dev)
}
EXPORT_SYMBOL_GPL(pci_d3cold_disable);
+void pci_pm_power_up_and_verify_state(struct pci_dev *pci_dev)
+{
+ pci_power_up(pci_dev);
+ pci_update_current_state(pci_dev, PCI_D0);
+}
+
/**
* pci_pm_init - Initialize PM functions of given PCI device
* @dev: PCI device to handle.
@@ -3237,9 +3243,6 @@ void pci_pm_init(struct pci_dev *dev)
u16 status;
u16 pmc;
- pm_runtime_forbid(&dev->dev);
- pm_runtime_set_active(&dev->dev);
- pm_runtime_enable(&dev->dev);
device_enable_async_suspend(&dev->dev);
dev->wakeup_prepared = false;
@@ -3301,6 +3304,10 @@ void pci_pm_init(struct pci_dev *dev)
pci_read_config_word(dev, PCI_STATUS, &status);
if (status & PCI_STATUS_IMM_READY)
dev->imm_ready = 1;
+ pci_pm_power_up_and_verify_state(dev);
+ pm_runtime_forbid(&dev->dev);
+ pm_runtime_set_active(&dev->dev);
+ pm_runtime_enable(&dev->dev);
}
static unsigned long pci_ea_flags(struct pci_dev *dev, u8 prop)
diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
index d69a17947ffce..a621ba243c25e 100644
--- a/drivers/pci/pci.h
+++ b/drivers/pci/pci.h
@@ -92,6 +92,7 @@ void pci_dev_adjust_pme(struct pci_dev *dev);
void pci_dev_complete_resume(struct pci_dev *pci_dev);
void pci_config_pm_runtime_get(struct pci_dev *dev);
void pci_config_pm_runtime_put(struct pci_dev *dev);
+void pci_pm_power_up_and_verify_state(struct pci_dev *pci_dev);
void pci_pm_init(struct pci_dev *dev);
void pci_ea_init(struct pci_dev *dev);
void pci_msi_init(struct pci_dev *dev);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 226/356] phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 225/356] PCI: Explicitly put devices into D0 when initializing Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 227/356] dmaengine: ti: Add NULL check in udma_probe() Greg Kroah-Hartman
` (138 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chenyuan Yang, Johan Hovold,
Krzysztof Kozlowski, Johan Hovold, Dmitry Baryshkov, Vinod Koul,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenyuan Yang <chenyuan0y@gmail.com>
[ Upstream commit d14402a38c2d868cacb1facaf9be908ca6558e59 ]
The qmp_usb_iomap() helper function currently returns the raw result of
devm_ioremap() for non-exclusive mappings. Since devm_ioremap() may return
a NULL pointer and the caller only checks error pointers with IS_ERR(),
NULL could bypass the check and lead to an invalid dereference.
Fix the issue by checking if devm_ioremap() returns NULL. When it does,
qmp_usb_iomap() now returns an error pointer via IOMEM_ERR_PTR(-ENOMEM),
ensuring safe and consistent error handling.
Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
Fixes: a5d6b1ac56cb ("phy: qcom-qmp-usb: fix memleak on probe deferral")
CC: Johan Hovold <johan@kernel.org>
CC: Krzysztof Kozlowski <krzk@kernel.org>
Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250414125050.2118619-1-chenyuan0y@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
index c697d01b2a2a1..5072bca0af7c5 100644
--- a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
+++ b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
@@ -2044,12 +2044,16 @@ static void __iomem *qmp_usb_iomap(struct device *dev, struct device_node *np,
int index, bool exclusive)
{
struct resource res;
+ void __iomem *mem;
if (!exclusive) {
if (of_address_to_resource(np, index, &res))
return IOMEM_ERR_PTR(-EINVAL);
- return devm_ioremap(dev, res.start, resource_size(&res));
+ mem = devm_ioremap(dev, res.start, resource_size(&res));
+ if (!mem)
+ return IOMEM_ERR_PTR(-ENOMEM);
+ return mem;
}
return devm_of_iomap(dev, np, index, NULL);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 227/356] dmaengine: ti: Add NULL check in udma_probe()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 226/356] phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 228/356] PCI/DPC: Initialize aer_err_info before using it Greg Kroah-Hartman
` (137 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Henry Martin, Nathan Lynch,
Peter Ujfalusi, Vinod Koul, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henry Martin <bsdhenrymartin@gmail.com>
[ Upstream commit fd447415e74bccd7362f760d4ea727f8e1ebfe91 ]
devm_kasprintf() returns NULL when memory allocation fails. Currently,
udma_probe() does not check for this case, which results in a NULL
pointer dereference.
Add NULL check after devm_kasprintf() to prevent this issue.
Fixes: 25dcb5dd7b7c ("dmaengine: ti: New driver for K3 UDMA")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Reviewed-by: Nathan Lynch <nathan.lynch@amd.com>
Acked-by: Peter Ujfalusi <peter.ujfalusi@gmail.com>
Link: https://lore.kernel.org/r/20250402023900.43440-1-bsdhenrymartin@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/ti/k3-udma.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/ti/k3-udma.c b/drivers/dma/ti/k3-udma.c
index 418e1774af1e5..d99cf81358c54 100644
--- a/drivers/dma/ti/k3-udma.c
+++ b/drivers/dma/ti/k3-udma.c
@@ -5537,7 +5537,8 @@ static int udma_probe(struct platform_device *pdev)
uc->config.dir = DMA_MEM_TO_MEM;
uc->name = devm_kasprintf(dev, GFP_KERNEL, "%s chan%d",
dev_name(dev), i);
-
+ if (!uc->name)
+ return -ENOMEM;
vchan_init(&uc->vc, &ud->ddev);
/* Use custom vchan completion handling */
tasklet_setup(&uc->vc.task, udma_vchan_complete);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 228/356] PCI/DPC: Initialize aer_err_info before using it
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 227/356] dmaengine: ti: Add NULL check in udma_probe() Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 229/356] rtc: loongson: Add missing alarm notifications for ACPI RTC events Greg Kroah-Hartman
` (136 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bjorn Helgaas,
Krzysztof Wilczyński, Kuppuswamy Sathyanarayanan,
Ilpo Järvinen, Jonathan Cameron, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Helgaas <bhelgaas@google.com>
[ Upstream commit a424b598e6a6c1e69a2bb801d6fd16e805ab2c38 ]
Previously the struct aer_err_info "info" was allocated on the stack
without being initialized, so it contained junk except for the fields we
explicitly set later.
Initialize "info" at declaration so it starts as all zeros.
Fixes: 8aefa9b0d910 ("PCI/DPC: Print AER status in DPC event handling")
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Link: https://patch.msgid.link/20250522232339.1525671-2-helgaas@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pcie/dpc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/pcie/dpc.c b/drivers/pci/pcie/dpc.c
index a5cec2a4e057d..3c3ecb9cf57af 100644
--- a/drivers/pci/pcie/dpc.c
+++ b/drivers/pci/pcie/dpc.c
@@ -263,7 +263,7 @@ static int dpc_get_aer_uncorrect_severity(struct pci_dev *dev,
void dpc_process_error(struct pci_dev *pdev)
{
u16 cap = pdev->dpc_cap, status, source, reason, ext_reason;
- struct aer_err_info info;
+ struct aer_err_info info = {};
pci_read_config_word(pdev, cap + PCI_EXP_DPC_STATUS, &status);
pci_read_config_word(pdev, cap + PCI_EXP_DPC_SOURCE_ID, &source);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 229/356] rtc: loongson: Add missing alarm notifications for ACPI RTC events
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 228/356] PCI/DPC: Initialize aer_err_info before using it Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 230/356] usb: renesas_usbhs: Reorder clock handling and power management in probe Greg Kroah-Hartman
` (135 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Liu Dalin, Binbin Zhou,
Alexandre Belloni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Liu Dalin <liudalin@kylinsec.com.cn>
[ Upstream commit 5af9f1fa576874b24627d4c05e3a84672204c200 ]
When an application sets and enables an alarm on Loongson RTC devices,
the alarm notification fails to propagate to userspace because the
ACPI event handler omits calling rtc_update_irq().
As a result, processes waiting via select() or poll() on RTC device
files fail to receive alarm notifications.
The ACPI interrupt is also triggered multiple times. In loongson_rtc_handler,
we need to clear TOY_MATCH0_REG to resolve this issue.
Fixes: 09471d8f5b39 ("rtc: loongson: clear TOY_MATCH0_REG in loongson_rtc_isr()")
Fixes: 1b733a9ebc3d ("rtc: Add rtc driver for the Loongson family chips")
Signed-off-by: Liu Dalin <liudalin@kylinsec.com.cn>
Reviewed-by: Binbin Zhou <zhoubinbin@loongson.cn>
Link: https://lore.kernel.org/r/20250509084416.7979-1-liudalin@kylinsec.com.cn
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-loongson.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/rtc/rtc-loongson.c b/drivers/rtc/rtc-loongson.c
index 90e9d97a86b48..c9d5b91a6544d 100644
--- a/drivers/rtc/rtc-loongson.c
+++ b/drivers/rtc/rtc-loongson.c
@@ -129,6 +129,14 @@ static u32 loongson_rtc_handler(void *id)
{
struct loongson_rtc_priv *priv = (struct loongson_rtc_priv *)id;
+ rtc_update_irq(priv->rtcdev, 1, RTC_AF | RTC_IRQF);
+
+ /*
+ * The TOY_MATCH0_REG should be cleared 0 here,
+ * otherwise the interrupt cannot be cleared.
+ */
+ regmap_write(priv->regmap, TOY_MATCH0_REG, 0);
+
spin_lock(&priv->lock);
/* Disable RTC alarm wakeup and interrupt */
writel(readl(priv->pm_base + PM1_EN_REG) & ~RTC_EN,
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 230/356] usb: renesas_usbhs: Reorder clock handling and power management in probe
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 229/356] rtc: loongson: Add missing alarm notifications for ACPI RTC events Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 231/356] serial: Fix potential null-ptr-deref in mlb_usio_probe() Greg Kroah-Hartman
` (134 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lad Prabhakar, Yoshihiro Shimoda,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
[ Upstream commit ffb34a60ce86656ba12d46e91f1ccc71dd221251 ]
Reorder the initialization sequence in `usbhs_probe()` to enable runtime
PM before accessing registers, preventing potential crashes due to
uninitialized clocks.
Currently, in the probe path, registers are accessed before enabling the
clocks, leading to a synchronous external abort on the RZ/V2H SoC.
The problematic call flow is as follows:
usbhs_probe()
usbhs_sys_clock_ctrl()
usbhs_bset()
usbhs_write()
iowrite16() <-- Register access before enabling clocks
Since `iowrite16()` is performed without ensuring the required clocks are
enabled, this can lead to access errors. To fix this, enable PM runtime
early in the probe function and ensure clocks are acquired before register
access, preventing crashes like the following on RZ/V2H:
[13.272640] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP
[13.280814] Modules linked in: cec renesas_usbhs(+) drm_kms_helper fuse drm backlight ipv6
[13.289088] CPU: 1 UID: 0 PID: 195 Comm: (udev-worker) Not tainted 6.14.0-rc7+ #98
[13.296640] Hardware name: Renesas RZ/V2H EVK Board based on r9a09g057h44 (DT)
[13.303834] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[13.310770] pc : usbhs_bset+0x14/0x4c [renesas_usbhs]
[13.315831] lr : usbhs_probe+0x2e4/0x5ac [renesas_usbhs]
[13.321138] sp : ffff8000827e3850
[13.324438] x29: ffff8000827e3860 x28: 0000000000000000 x27: ffff8000827e3ca0
[13.331554] x26: ffff8000827e3ba0 x25: ffff800081729668 x24: 0000000000000025
[13.338670] x23: ffff0000c0f08000 x22: 0000000000000000 x21: ffff0000c0f08010
[13.345783] x20: 0000000000000000 x19: ffff0000c3b52080 x18: 00000000ffffffff
[13.352895] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000827e36ce
[13.360009] x14: 00000000000003d7 x13: 00000000000003d7 x12: 0000000000000000
[13.367122] x11: 0000000000000000 x10: 0000000000000aa0 x9 : ffff8000827e3750
[13.374235] x8 : ffff0000c1850b00 x7 : 0000000003826060 x6 : 000000000000001c
[13.381347] x5 : 000000030d5fcc00 x4 : ffff8000825c0000 x3 : 0000000000000000
[13.388459] x2 : 0000000000000400 x1 : 0000000000000000 x0 : ffff0000c3b52080
[13.395574] Call trace:
[13.398013] usbhs_bset+0x14/0x4c [renesas_usbhs] (P)
[13.403076] platform_probe+0x68/0xdc
[13.406738] really_probe+0xbc/0x2c0
[13.410306] __driver_probe_device+0x78/0x120
[13.414653] driver_probe_device+0x3c/0x154
[13.418825] __driver_attach+0x90/0x1a0
[13.422647] bus_for_each_dev+0x7c/0xe0
[13.426470] driver_attach+0x24/0x30
[13.430032] bus_add_driver+0xe4/0x208
[13.433766] driver_register+0x68/0x130
[13.437587] __platform_driver_register+0x24/0x30
[13.442273] renesas_usbhs_driver_init+0x20/0x1000 [renesas_usbhs]
[13.448450] do_one_initcall+0x60/0x1d4
[13.452276] do_init_module+0x54/0x1f8
[13.456014] load_module+0x1754/0x1c98
[13.459750] init_module_from_file+0x88/0xcc
[13.464004] __arm64_sys_finit_module+0x1c4/0x328
[13.468689] invoke_syscall+0x48/0x104
[13.472426] el0_svc_common.constprop.0+0xc0/0xe0
[13.477113] do_el0_svc+0x1c/0x28
[13.480415] el0_svc+0x30/0xcc
[13.483460] el0t_64_sync_handler+0x10c/0x138
[13.487800] el0t_64_sync+0x198/0x19c
[13.491453] Code: 2a0103e1 12003c42 12003c63 8b010084 (79400084)
[13.497522] ---[ end trace 0000000000000000 ]---
Fixes: f1407d5c66240 ("usb: renesas_usbhs: Add Renesas USBHS common code")
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Link: https://lore.kernel.org/r/20250407105002.107181-4-prabhakar.mahadev-lad.rj@bp.renesas.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/renesas_usbhs/common.c | 50 +++++++++++++++++++++++-------
1 file changed, 38 insertions(+), 12 deletions(-)
diff --git a/drivers/usb/renesas_usbhs/common.c b/drivers/usb/renesas_usbhs/common.c
index 205820544f6f9..b720899725e53 100644
--- a/drivers/usb/renesas_usbhs/common.c
+++ b/drivers/usb/renesas_usbhs/common.c
@@ -674,10 +674,29 @@ static int usbhs_probe(struct platform_device *pdev)
INIT_DELAYED_WORK(&priv->notify_hotplug_work, usbhsc_notify_hotplug);
spin_lock_init(usbhs_priv_to_lock(priv));
+ /*
+ * Acquire clocks and enable power management (PM) early in the
+ * probe process, as the driver accesses registers during
+ * initialization. Ensure the device is active before proceeding.
+ */
+ pm_runtime_enable(dev);
+
+ ret = usbhsc_clk_get(dev, priv);
+ if (ret)
+ goto probe_pm_disable;
+
+ ret = pm_runtime_resume_and_get(dev);
+ if (ret)
+ goto probe_clk_put;
+
+ ret = usbhsc_clk_prepare_enable(priv);
+ if (ret)
+ goto probe_pm_put;
+
/* call pipe and module init */
ret = usbhs_pipe_probe(priv);
if (ret < 0)
- return ret;
+ goto probe_clk_dis_unprepare;
ret = usbhs_fifo_probe(priv);
if (ret < 0)
@@ -694,10 +713,6 @@ static int usbhs_probe(struct platform_device *pdev)
if (ret)
goto probe_fail_rst;
- ret = usbhsc_clk_get(dev, priv);
- if (ret)
- goto probe_fail_clks;
-
/*
* deviece reset here because
* USB device might be used in boot loader.
@@ -710,7 +725,7 @@ static int usbhs_probe(struct platform_device *pdev)
if (ret) {
dev_warn(dev, "USB function not selected (GPIO)\n");
ret = -ENOTSUPP;
- goto probe_end_mod_exit;
+ goto probe_assert_rest;
}
}
@@ -724,14 +739,19 @@ static int usbhs_probe(struct platform_device *pdev)
ret = usbhs_platform_call(priv, hardware_init, pdev);
if (ret < 0) {
dev_err(dev, "platform init failed.\n");
- goto probe_end_mod_exit;
+ goto probe_assert_rest;
}
/* reset phy for connection */
usbhs_platform_call(priv, phy_reset, pdev);
- /* power control */
- pm_runtime_enable(dev);
+ /*
+ * Disable the clocks that were enabled earlier in the probe path,
+ * and let the driver handle the clocks beyond this point.
+ */
+ usbhsc_clk_disable_unprepare(priv);
+ pm_runtime_put(dev);
+
if (!usbhs_get_dparam(priv, runtime_pwctrl)) {
usbhsc_power_ctrl(priv, 1);
usbhs_mod_autonomy_mode(priv);
@@ -748,9 +768,7 @@ static int usbhs_probe(struct platform_device *pdev)
return ret;
-probe_end_mod_exit:
- usbhsc_clk_put(priv);
-probe_fail_clks:
+probe_assert_rest:
reset_control_assert(priv->rsts);
probe_fail_rst:
usbhs_mod_remove(priv);
@@ -758,6 +776,14 @@ static int usbhs_probe(struct platform_device *pdev)
usbhs_fifo_remove(priv);
probe_end_pipe_exit:
usbhs_pipe_remove(priv);
+probe_clk_dis_unprepare:
+ usbhsc_clk_disable_unprepare(priv);
+probe_pm_put:
+ pm_runtime_put(dev);
+probe_clk_put:
+ usbhsc_clk_put(priv);
+probe_pm_disable:
+ pm_runtime_disable(dev);
dev_info(dev, "probe failed (%d)\n", ret);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 231/356] serial: Fix potential null-ptr-deref in mlb_usio_probe()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 230/356] usb: renesas_usbhs: Reorder clock handling and power management in probe Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 232/356] thunderbolt: Fix a logic error in wake on connect Greg Kroah-Hartman
` (133 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Henry Martin, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henry Martin <bsdhenrymartin@gmail.com>
[ Upstream commit 86bcae88c9209e334b2f8c252f4cc66beb261886 ]
devm_ioremap() can return NULL on error. Currently, mlb_usio_probe()
does not check for this case, which could result in a NULL pointer
dereference.
Add NULL check after devm_ioremap() to prevent this issue.
Fixes: ba44dc043004 ("serial: Add Milbeaut serial control")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Link: https://lore.kernel.org/r/20250403070339.64990-1-bsdhenrymartin@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/milbeaut_usio.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/tty/serial/milbeaut_usio.c b/drivers/tty/serial/milbeaut_usio.c
index 70a910085e937..9de3883a4e0b0 100644
--- a/drivers/tty/serial/milbeaut_usio.c
+++ b/drivers/tty/serial/milbeaut_usio.c
@@ -522,7 +522,10 @@ static int mlb_usio_probe(struct platform_device *pdev)
}
port->membase = devm_ioremap(&pdev->dev, res->start,
resource_size(res));
-
+ if (!port->membase) {
+ ret = -ENOMEM;
+ goto failed;
+ }
ret = platform_get_irq_byname(pdev, "rx");
mlb_usio_irq[index][RX] = ret;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 232/356] thunderbolt: Fix a logic error in wake on connect
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 231/356] serial: Fix potential null-ptr-deref in mlb_usio_probe() Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 233/356] iio: filter: admv8818: fix band 4, state 15 Greg Kroah-Hartman
` (132 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Mika Westerberg,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit 1a760d10ded372d113a0410c42be246315bbc2ff ]
commit a5cfc9d65879c ("thunderbolt: Add wake on connect/disconnect
on USB4 ports") introduced a sysfs file to control wake up policy
for a given USB4 port that defaulted to disabled.
However when testing commit 4bfeea6ec1c02 ("thunderbolt: Use wake
on connect and disconnect over suspend") I found that it was working
even without making changes to the power/wakeup file (which defaults
to disabled). This is because of a logic error doing a bitwise or
of the wake-on-connect flag with device_may_wakeup() which should
have been a logical AND.
Adjust the logic so that policy is only applied when wakeup is
actually enabled.
Fixes: a5cfc9d65879c ("thunderbolt: Add wake on connect/disconnect on USB4 ports")
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/thunderbolt/usb4.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/thunderbolt/usb4.c b/drivers/thunderbolt/usb4.c
index 8db9bd32f4738..e445516290f91 100644
--- a/drivers/thunderbolt/usb4.c
+++ b/drivers/thunderbolt/usb4.c
@@ -442,10 +442,10 @@ int usb4_switch_set_wake(struct tb_switch *sw, unsigned int flags)
bool configured = val & PORT_CS_19_PC;
usb4 = port->usb4;
- if (((flags & TB_WAKE_ON_CONNECT) |
+ if (((flags & TB_WAKE_ON_CONNECT) &&
device_may_wakeup(&usb4->dev)) && !configured)
val |= PORT_CS_19_WOC;
- if (((flags & TB_WAKE_ON_DISCONNECT) |
+ if (((flags & TB_WAKE_ON_DISCONNECT) &&
device_may_wakeup(&usb4->dev)) && configured)
val |= PORT_CS_19_WOD;
if ((flags & TB_WAKE_ON_USB4) && configured)
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 233/356] iio: filter: admv8818: fix band 4, state 15
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 232/356] thunderbolt: Fix a logic error in wake on connect Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 234/356] iio: filter: admv8818: fix integer overflow Greg Kroah-Hartman
` (131 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sam Winchenbach, Jonathan Cameron,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sam Winchenbach <swinchenbach@arka.org>
[ Upstream commit ef0ce24f590ac075d5eda11f2d6434b303333ed6 ]
Corrects the upper range of LPF Band 4 from 18.5 GHz to 18.85 GHz per
the ADMV8818 datasheet
Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818")
Signed-off-by: Sam Winchenbach <swinchenbach@arka.org>
Link: https://patch.msgid.link/20250328174831.227202-3-sam.winchenbach@framepointer.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/filter/admv8818.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c
index d85b7d3de8660..3d8740caa1455 100644
--- a/drivers/iio/filter/admv8818.c
+++ b/drivers/iio/filter/admv8818.c
@@ -103,7 +103,7 @@ static const unsigned long long freq_range_lpf[4][2] = {
{2050000000ULL, 3850000000ULL},
{3350000000ULL, 7250000000ULL},
{7000000000, 13000000000},
- {12550000000, 18500000000}
+ {12550000000, 18850000000}
};
static const struct regmap_config admv8818_regmap_config = {
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 234/356] iio: filter: admv8818: fix integer overflow
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 233/356] iio: filter: admv8818: fix band 4, state 15 Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 235/356] iio: filter: admv8818: fix range calculation Greg Kroah-Hartman
` (130 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sam Winchenbach, Jonathan Cameron,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sam Winchenbach <swinchenbach@arka.org>
[ Upstream commit fb6009a28d77edec4eb548b5875dae8c79b88467 ]
HZ_PER_MHZ is only unsigned long. This math overflows, leading to
incorrect results.
Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818")
Signed-off-by: Sam Winchenbach <swinchenbach@arka.org>
Link: https://patch.msgid.link/20250328174831.227202-4-sam.winchenbach@framepointer.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/filter/admv8818.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c
index 3d8740caa1455..cd3aff9a2f7bf 100644
--- a/drivers/iio/filter/admv8818.c
+++ b/drivers/iio/filter/admv8818.c
@@ -154,7 +154,7 @@ static int __admv8818_hpf_select(struct admv8818_state *st, u64 freq)
}
/* Close HPF frequency gap between 12 and 12.5 GHz */
- if (freq >= 12000 * HZ_PER_MHZ && freq <= 12500 * HZ_PER_MHZ) {
+ if (freq >= 12000ULL * HZ_PER_MHZ && freq < 12500ULL * HZ_PER_MHZ) {
hpf_band = 3;
hpf_step = 15;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 235/356] iio: filter: admv8818: fix range calculation
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 234/356] iio: filter: admv8818: fix integer overflow Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 236/356] iio: filter: admv8818: Support frequencies >= 2^32 Greg Kroah-Hartman
` (129 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sam Winchenbach, Jonathan Cameron,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sam Winchenbach <swinchenbach@arka.org>
[ Upstream commit d542db7095d322bfcdc8e306db6f8c48358c9619 ]
Search for the minimum error while ensuring that the LPF corner
frequency is greater than the target, and the HPF corner frequency
is lower than the target
This fixes issues where the range calculations were suboptimal.
Add two new DTS properties to set the margin between the input frequency
and the calculated corner frequency
Below is a generated table of the differences between the old algorithm
and the new. This is a sweep from 0 to 20 GHz in 10 MHz steps.
=== HPF ===
freq = 1750 MHz, 3db: bypass => 1750 MHz
freq = 3400 MHz, 3db: 3310 => 3400 MHz
freq = 3410 MHz, 3db: 3310 => 3400 MHz
freq = 3420 MHz, 3db: 3310 => 3400 MHz
freq = 3660 MHz, 3db: 3550 => 3656 MHz
freq = 6600 MHz, 3db: 6479 => 6600 MHz
freq = 6610 MHz, 3db: 6479 => 6600 MHz
freq = 6620 MHz, 3db: 6479 => 6600 MHz
freq = 6630 MHz, 3db: 6479 => 6600 MHz
freq = 6640 MHz, 3db: 6479 => 6600 MHz
freq = 6650 MHz, 3db: 6479 => 6600 MHz
freq = 6660 MHz, 3db: 6479 => 6600 MHz
freq = 6670 MHz, 3db: 6479 => 6600 MHz
freq = 6680 MHz, 3db: 6479 => 6600 MHz
freq = 6690 MHz, 3db: 6479 => 6600 MHz
freq = 6700 MHz, 3db: 6479 => 6600 MHz
freq = 6710 MHz, 3db: 6479 => 6600 MHz
freq = 6720 MHz, 3db: 6479 => 6600 MHz
freq = 6730 MHz, 3db: 6479 => 6600 MHz
freq = 6960 MHz, 3db: 6736 => 6960 MHz
freq = 6970 MHz, 3db: 6736 => 6960 MHz
freq = 6980 MHz, 3db: 6736 => 6960 MHz
freq = 6990 MHz, 3db: 6736 => 6960 MHz
freq = 7320 MHz, 3db: 7249 => 7320 MHz
freq = 7330 MHz, 3db: 7249 => 7320 MHz
freq = 7340 MHz, 3db: 7249 => 7320 MHz
freq = 7350 MHz, 3db: 7249 => 7320 MHz
freq = 7360 MHz, 3db: 7249 => 7320 MHz
freq = 7370 MHz, 3db: 7249 => 7320 MHz
freq = 7380 MHz, 3db: 7249 => 7320 MHz
freq = 7390 MHz, 3db: 7249 => 7320 MHz
freq = 7400 MHz, 3db: 7249 => 7320 MHz
freq = 7410 MHz, 3db: 7249 => 7320 MHz
freq = 7420 MHz, 3db: 7249 => 7320 MHz
freq = 7430 MHz, 3db: 7249 => 7320 MHz
freq = 7440 MHz, 3db: 7249 => 7320 MHz
freq = 7450 MHz, 3db: 7249 => 7320 MHz
freq = 7460 MHz, 3db: 7249 => 7320 MHz
freq = 7470 MHz, 3db: 7249 => 7320 MHz
freq = 7480 MHz, 3db: 7249 => 7320 MHz
freq = 7490 MHz, 3db: 7249 => 7320 MHz
freq = 7500 MHz, 3db: 7249 => 7320 MHz
freq = 12500 MHz, 3db: 12000 => 12500 MHz
=== LPF ===
freq = 2050 MHz, 3db: bypass => 2050 MHz
freq = 2170 MHz, 3db: 2290 => 2170 MHz
freq = 2290 MHz, 3db: 2410 => 2290 MHz
freq = 2410 MHz, 3db: 2530 => 2410 MHz
freq = 2530 MHz, 3db: 2650 => 2530 MHz
freq = 2650 MHz, 3db: 2770 => 2650 MHz
freq = 2770 MHz, 3db: 2890 => 2770 MHz
freq = 2890 MHz, 3db: 3010 => 2890 MHz
freq = 3010 MHz, 3db: 3130 => 3010 MHz
freq = 3130 MHz, 3db: 3250 => 3130 MHz
freq = 3250 MHz, 3db: 3370 => 3250 MHz
freq = 3260 MHz, 3db: 3370 => 3350 MHz
freq = 3270 MHz, 3db: 3370 => 3350 MHz
freq = 3280 MHz, 3db: 3370 => 3350 MHz
freq = 3290 MHz, 3db: 3370 => 3350 MHz
freq = 3300 MHz, 3db: 3370 => 3350 MHz
freq = 3310 MHz, 3db: 3370 => 3350 MHz
freq = 3320 MHz, 3db: 3370 => 3350 MHz
freq = 3330 MHz, 3db: 3370 => 3350 MHz
freq = 3340 MHz, 3db: 3370 => 3350 MHz
freq = 3350 MHz, 3db: 3370 => 3350 MHz
freq = 3370 MHz, 3db: 3490 => 3370 MHz
freq = 3490 MHz, 3db: 3610 => 3490 MHz
freq = 3610 MHz, 3db: 3730 => 3610 MHz
freq = 3730 MHz, 3db: 3850 => 3730 MHz
freq = 3850 MHz, 3db: 3870 => 3850 MHz
freq = 3870 MHz, 3db: 4130 => 3870 MHz
freq = 4130 MHz, 3db: 4390 => 4130 MHz
freq = 4390 MHz, 3db: 4650 => 4390 MHz
freq = 4650 MHz, 3db: 4910 => 4650 MHz
freq = 4910 MHz, 3db: 5170 => 4910 MHz
freq = 5170 MHz, 3db: 5430 => 5170 MHz
freq = 5430 MHz, 3db: 5690 => 5430 MHz
freq = 5690 MHz, 3db: 5950 => 5690 MHz
freq = 5950 MHz, 3db: 6210 => 5950 MHz
freq = 6210 MHz, 3db: 6470 => 6210 MHz
freq = 6470 MHz, 3db: 6730 => 6470 MHz
freq = 6730 MHz, 3db: 6990 => 6730 MHz
freq = 6990 MHz, 3db: 7250 => 6990 MHz
freq = 7000 MHz, 3db: 7250 => 7000 MHz
freq = 7250 MHz, 3db: 7400 => 7250 MHz
freq = 7400 MHz, 3db: 7800 => 7400 MHz
freq = 7800 MHz, 3db: 8200 => 7800 MHz
freq = 8200 MHz, 3db: 8600 => 8200 MHz
freq = 8600 MHz, 3db: 9000 => 8600 MHz
freq = 9000 MHz, 3db: 9400 => 9000 MHz
freq = 9400 MHz, 3db: 9800 => 9400 MHz
freq = 9800 MHz, 3db: 10200 => 9800 MHz
freq = 10200 MHz, 3db: 10600 => 10200 MHz
freq = 10600 MHz, 3db: 11000 => 10600 MHz
freq = 11000 MHz, 3db: 11400 => 11000 MHz
freq = 11400 MHz, 3db: 11800 => 11400 MHz
freq = 11800 MHz, 3db: 12200 => 11800 MHz
freq = 12200 MHz, 3db: 12600 => 12200 MHz
freq = 12210 MHz, 3db: 12600 => 12550 MHz
freq = 12220 MHz, 3db: 12600 => 12550 MHz
freq = 12230 MHz, 3db: 12600 => 12550 MHz
freq = 12240 MHz, 3db: 12600 => 12550 MHz
freq = 12250 MHz, 3db: 12600 => 12550 MHz
freq = 12260 MHz, 3db: 12600 => 12550 MHz
freq = 12270 MHz, 3db: 12600 => 12550 MHz
freq = 12280 MHz, 3db: 12600 => 12550 MHz
freq = 12290 MHz, 3db: 12600 => 12550 MHz
freq = 12300 MHz, 3db: 12600 => 12550 MHz
freq = 12310 MHz, 3db: 12600 => 12550 MHz
freq = 12320 MHz, 3db: 12600 => 12550 MHz
freq = 12330 MHz, 3db: 12600 => 12550 MHz
freq = 12340 MHz, 3db: 12600 => 12550 MHz
freq = 12350 MHz, 3db: 12600 => 12550 MHz
freq = 12360 MHz, 3db: 12600 => 12550 MHz
freq = 12370 MHz, 3db: 12600 => 12550 MHz
freq = 12380 MHz, 3db: 12600 => 12550 MHz
freq = 12390 MHz, 3db: 12600 => 12550 MHz
freq = 12400 MHz, 3db: 12600 => 12550 MHz
freq = 12410 MHz, 3db: 12600 => 12550 MHz
freq = 12420 MHz, 3db: 12600 => 12550 MHz
freq = 12430 MHz, 3db: 12600 => 12550 MHz
freq = 12440 MHz, 3db: 12600 => 12550 MHz
freq = 12450 MHz, 3db: 12600 => 12550 MHz
freq = 12460 MHz, 3db: 12600 => 12550 MHz
freq = 12470 MHz, 3db: 12600 => 12550 MHz
freq = 12480 MHz, 3db: 12600 => 12550 MHz
freq = 12490 MHz, 3db: 12600 => 12550 MHz
freq = 12500 MHz, 3db: 12600 => 12550 MHz
freq = 12510 MHz, 3db: 12600 => 12550 MHz
freq = 12520 MHz, 3db: 12600 => 12550 MHz
freq = 12530 MHz, 3db: 12600 => 12550 MHz
freq = 12540 MHz, 3db: 12600 => 12550 MHz
freq = 12550 MHz, 3db: 12600 => 12550 MHz
freq = 12600 MHz, 3db: 13000 => 12600 MHz
freq = 12610 MHz, 3db: 13000 => 12970 MHz
freq = 12620 MHz, 3db: 13000 => 12970 MHz
freq = 12630 MHz, 3db: 13000 => 12970 MHz
freq = 12640 MHz, 3db: 13000 => 12970 MHz
freq = 12650 MHz, 3db: 13000 => 12970 MHz
freq = 12660 MHz, 3db: 13000 => 12970 MHz
freq = 12670 MHz, 3db: 13000 => 12970 MHz
freq = 12680 MHz, 3db: 13000 => 12970 MHz
freq = 12690 MHz, 3db: 13000 => 12970 MHz
freq = 12700 MHz, 3db: 13000 => 12970 MHz
freq = 12710 MHz, 3db: 13000 => 12970 MHz
freq = 12720 MHz, 3db: 13000 => 12970 MHz
freq = 12730 MHz, 3db: 13000 => 12970 MHz
freq = 12740 MHz, 3db: 13000 => 12970 MHz
freq = 12750 MHz, 3db: 13000 => 12970 MHz
freq = 12760 MHz, 3db: 13000 => 12970 MHz
freq = 12770 MHz, 3db: 13000 => 12970 MHz
freq = 12780 MHz, 3db: 13000 => 12970 MHz
freq = 12790 MHz, 3db: 13000 => 12970 MHz
freq = 12800 MHz, 3db: 13000 => 12970 MHz
freq = 12810 MHz, 3db: 13000 => 12970 MHz
freq = 12820 MHz, 3db: 13000 => 12970 MHz
freq = 12830 MHz, 3db: 13000 => 12970 MHz
freq = 12840 MHz, 3db: 13000 => 12970 MHz
freq = 12850 MHz, 3db: 13000 => 12970 MHz
freq = 12860 MHz, 3db: 13000 => 12970 MHz
freq = 12870 MHz, 3db: 13000 => 12970 MHz
freq = 12880 MHz, 3db: 13000 => 12970 MHz
freq = 12890 MHz, 3db: 13000 => 12970 MHz
freq = 12900 MHz, 3db: 13000 => 12970 MHz
freq = 12910 MHz, 3db: 13000 => 12970 MHz
freq = 12920 MHz, 3db: 13000 => 12970 MHz
freq = 12930 MHz, 3db: 13000 => 12970 MHz
freq = 12940 MHz, 3db: 13000 => 12970 MHz
freq = 12950 MHz, 3db: 13000 => 12970 MHz
freq = 12960 MHz, 3db: 13000 => 12970 MHz
freq = 12970 MHz, 3db: 13000 => 12970 MHz
freq = 13000 MHz, 3db: 13390 => 13000 MHz
freq = 13390 MHz, 3db: 13810 => 13390 MHz
freq = 13810 MHz, 3db: 14230 => 13810 MHz
freq = 14230 MHz, 3db: 14650 => 14230 MHz
freq = 14650 MHz, 3db: 15070 => 14650 MHz
freq = 15070 MHz, 3db: 15490 => 15070 MHz
freq = 15490 MHz, 3db: 15910 => 15490 MHz
freq = 15910 MHz, 3db: 16330 => 15910 MHz
freq = 16330 MHz, 3db: 16750 => 16330 MHz
freq = 16750 MHz, 3db: 17170 => 16750 MHz
freq = 17170 MHz, 3db: 17590 => 17170 MHz
freq = 17590 MHz, 3db: 18010 => 17590 MHz
freq = 18010 MHz, 3db: 18430 => 18010 MHz
freq = 18430 MHz, 3db: 18850 => 18430 MHz
freq = 18850 MHz, 3db: bypass => 18850 MHz
Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818")
Signed-off-by: Sam Winchenbach <swinchenbach@arka.org>
Link: https://patch.msgid.link/20250328174831.227202-5-sam.winchenbach@framepointer.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/filter/admv8818.c | 205 +++++++++++++++++++++++++---------
1 file changed, 152 insertions(+), 53 deletions(-)
diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c
index cd3aff9a2f7bf..380e119b3cf54 100644
--- a/drivers/iio/filter/admv8818.c
+++ b/drivers/iio/filter/admv8818.c
@@ -14,6 +14,7 @@
#include <linux/mod_devicetable.h>
#include <linux/mutex.h>
#include <linux/notifier.h>
+#include <linux/property.h>
#include <linux/regmap.h>
#include <linux/spi/spi.h>
#include <linux/units.h>
@@ -70,6 +71,16 @@
#define ADMV8818_HPF_WR0_MSK GENMASK(7, 4)
#define ADMV8818_LPF_WR0_MSK GENMASK(3, 0)
+#define ADMV8818_BAND_BYPASS 0
+#define ADMV8818_BAND_MIN 1
+#define ADMV8818_BAND_MAX 4
+#define ADMV8818_BAND_CORNER_LOW 0
+#define ADMV8818_BAND_CORNER_HIGH 1
+
+#define ADMV8818_STATE_MIN 0
+#define ADMV8818_STATE_MAX 15
+#define ADMV8818_NUM_STATES 16
+
enum {
ADMV8818_BW_FREQ,
ADMV8818_CENTER_FREQ
@@ -90,16 +101,20 @@ struct admv8818_state {
struct mutex lock;
unsigned int filter_mode;
u64 cf_hz;
+ u64 lpf_margin_hz;
+ u64 hpf_margin_hz;
};
-static const unsigned long long freq_range_hpf[4][2] = {
+static const unsigned long long freq_range_hpf[5][2] = {
+ {0ULL, 0ULL}, /* bypass */
{1750000000ULL, 3550000000ULL},
{3400000000ULL, 7250000000ULL},
{6600000000, 12000000000},
{12500000000, 19900000000}
};
-static const unsigned long long freq_range_lpf[4][2] = {
+static const unsigned long long freq_range_lpf[5][2] = {
+ {U64_MAX, U64_MAX}, /* bypass */
{2050000000ULL, 3850000000ULL},
{3350000000ULL, 7250000000ULL},
{7000000000, 13000000000},
@@ -121,44 +136,59 @@ static const char * const admv8818_modes[] = {
static int __admv8818_hpf_select(struct admv8818_state *st, u64 freq)
{
- unsigned int hpf_step = 0, hpf_band = 0, i, j;
- u64 freq_step;
- int ret;
+ int band, state, ret;
+ unsigned int hpf_state = ADMV8818_STATE_MIN, hpf_band = ADMV8818_BAND_BYPASS;
+ u64 freq_error, min_freq_error, freq_corner, freq_step;
- if (freq < freq_range_hpf[0][0])
+ if (freq < freq_range_hpf[ADMV8818_BAND_MIN][ADMV8818_BAND_CORNER_LOW])
goto hpf_write;
- if (freq > freq_range_hpf[3][1]) {
- hpf_step = 15;
- hpf_band = 4;
-
+ if (freq >= freq_range_hpf[ADMV8818_BAND_MAX][ADMV8818_BAND_CORNER_HIGH]) {
+ hpf_state = ADMV8818_STATE_MAX;
+ hpf_band = ADMV8818_BAND_MAX;
goto hpf_write;
}
- for (i = 0; i < 4; i++) {
- freq_step = div_u64((freq_range_hpf[i][1] -
- freq_range_hpf[i][0]), 15);
+ /* Close HPF frequency gap between 12 and 12.5 GHz */
+ if (freq >= 12000ULL * HZ_PER_MHZ && freq < 12500ULL * HZ_PER_MHZ) {
+ hpf_state = ADMV8818_STATE_MAX;
+ hpf_band = 3;
+ goto hpf_write;
+ }
- if (freq > freq_range_hpf[i][0] &&
- (freq < freq_range_hpf[i][1] + freq_step)) {
- hpf_band = i + 1;
+ min_freq_error = U64_MAX;
+ for (band = ADMV8818_BAND_MIN; band <= ADMV8818_BAND_MAX; band++) {
+ /*
+ * This (and therefore all other ranges) have a corner
+ * frequency higher than the target frequency.
+ */
+ if (freq_range_hpf[band][ADMV8818_BAND_CORNER_LOW] > freq)
+ break;
- for (j = 1; j <= 16; j++) {
- if (freq < (freq_range_hpf[i][0] + (freq_step * j))) {
- hpf_step = j - 1;
- break;
- }
+ freq_step = freq_range_hpf[band][ADMV8818_BAND_CORNER_HIGH] -
+ freq_range_hpf[band][ADMV8818_BAND_CORNER_LOW];
+ freq_step = div_u64(freq_step, ADMV8818_NUM_STATES - 1);
+
+ for (state = ADMV8818_STATE_MIN; state <= ADMV8818_STATE_MAX; state++) {
+ freq_corner = freq_range_hpf[band][ADMV8818_BAND_CORNER_LOW] +
+ freq_step * state;
+
+ /*
+ * This (and therefore all other states) have a corner
+ * frequency higher than the target frequency.
+ */
+ if (freq_corner > freq)
+ break;
+
+ freq_error = freq - freq_corner;
+ if (freq_error < min_freq_error) {
+ min_freq_error = freq_error;
+ hpf_state = state;
+ hpf_band = band;
}
- break;
}
}
- /* Close HPF frequency gap between 12 and 12.5 GHz */
- if (freq >= 12000ULL * HZ_PER_MHZ && freq < 12500ULL * HZ_PER_MHZ) {
- hpf_band = 3;
- hpf_step = 15;
- }
-
hpf_write:
ret = regmap_update_bits(st->regmap, ADMV8818_REG_WR0_SW,
ADMV8818_SW_IN_SET_WR0_MSK |
@@ -170,7 +200,7 @@ static int __admv8818_hpf_select(struct admv8818_state *st, u64 freq)
return regmap_update_bits(st->regmap, ADMV8818_REG_WR0_FILTER,
ADMV8818_HPF_WR0_MSK,
- FIELD_PREP(ADMV8818_HPF_WR0_MSK, hpf_step));
+ FIELD_PREP(ADMV8818_HPF_WR0_MSK, hpf_state));
}
static int admv8818_hpf_select(struct admv8818_state *st, u64 freq)
@@ -186,31 +216,52 @@ static int admv8818_hpf_select(struct admv8818_state *st, u64 freq)
static int __admv8818_lpf_select(struct admv8818_state *st, u64 freq)
{
- unsigned int lpf_step = 0, lpf_band = 0, i, j;
- u64 freq_step;
- int ret;
+ int band, state, ret;
+ unsigned int lpf_state = ADMV8818_STATE_MIN, lpf_band = ADMV8818_BAND_BYPASS;
+ u64 freq_error, min_freq_error, freq_corner, freq_step;
- if (freq > freq_range_lpf[3][1])
+ if (freq > freq_range_lpf[ADMV8818_BAND_MAX][ADMV8818_BAND_CORNER_HIGH])
goto lpf_write;
- if (freq < freq_range_lpf[0][0]) {
- lpf_band = 1;
-
+ if (freq < freq_range_lpf[ADMV8818_BAND_MIN][ADMV8818_BAND_CORNER_LOW]) {
+ lpf_state = ADMV8818_STATE_MIN;
+ lpf_band = ADMV8818_BAND_MIN;
goto lpf_write;
}
- for (i = 0; i < 4; i++) {
- if (freq > freq_range_lpf[i][0] && freq < freq_range_lpf[i][1]) {
- lpf_band = i + 1;
- freq_step = div_u64((freq_range_lpf[i][1] - freq_range_lpf[i][0]), 15);
+ min_freq_error = U64_MAX;
+ for (band = ADMV8818_BAND_MAX; band >= ADMV8818_BAND_MIN; --band) {
+ /*
+ * At this point the highest corner frequency of
+ * all remaining ranges is below the target.
+ * LPF corner should be >= the target.
+ */
+ if (freq > freq_range_lpf[band][ADMV8818_BAND_CORNER_HIGH])
+ break;
+
+ freq_step = freq_range_lpf[band][ADMV8818_BAND_CORNER_HIGH] -
+ freq_range_lpf[band][ADMV8818_BAND_CORNER_LOW];
+ freq_step = div_u64(freq_step, ADMV8818_NUM_STATES - 1);
+
+ for (state = ADMV8818_STATE_MAX; state >= ADMV8818_STATE_MIN; --state) {
- for (j = 0; j <= 15; j++) {
- if (freq < (freq_range_lpf[i][0] + (freq_step * j))) {
- lpf_step = j;
- break;
- }
+ freq_corner = freq_range_lpf[band][ADMV8818_BAND_CORNER_LOW] +
+ state * freq_step;
+
+ /*
+ * At this point all other states in range will
+ * place the corner frequency below the target
+ * LPF corner should >= the target.
+ */
+ if (freq > freq_corner)
+ break;
+
+ freq_error = freq_corner - freq;
+ if (freq_error < min_freq_error) {
+ min_freq_error = freq_error;
+ lpf_state = state;
+ lpf_band = band;
}
- break;
}
}
@@ -225,7 +276,7 @@ static int __admv8818_lpf_select(struct admv8818_state *st, u64 freq)
return regmap_update_bits(st->regmap, ADMV8818_REG_WR0_FILTER,
ADMV8818_LPF_WR0_MSK,
- FIELD_PREP(ADMV8818_LPF_WR0_MSK, lpf_step));
+ FIELD_PREP(ADMV8818_LPF_WR0_MSK, lpf_state));
}
static int admv8818_lpf_select(struct admv8818_state *st, u64 freq)
@@ -242,16 +293,28 @@ static int admv8818_lpf_select(struct admv8818_state *st, u64 freq)
static int admv8818_rfin_band_select(struct admv8818_state *st)
{
int ret;
+ u64 hpf_corner_target, lpf_corner_target;
st->cf_hz = clk_get_rate(st->clkin);
+ /* Check for underflow */
+ if (st->cf_hz > st->hpf_margin_hz)
+ hpf_corner_target = st->cf_hz - st->hpf_margin_hz;
+ else
+ hpf_corner_target = 0;
+
+ /* Check for overflow */
+ lpf_corner_target = st->cf_hz + st->lpf_margin_hz;
+ if (lpf_corner_target < st->cf_hz)
+ lpf_corner_target = U64_MAX;
+
mutex_lock(&st->lock);
- ret = __admv8818_hpf_select(st, st->cf_hz);
+ ret = __admv8818_hpf_select(st, hpf_corner_target);
if (ret)
goto exit;
- ret = __admv8818_lpf_select(st, st->cf_hz);
+ ret = __admv8818_lpf_select(st, lpf_corner_target);
exit:
mutex_unlock(&st->lock);
return ret;
@@ -278,8 +341,11 @@ static int __admv8818_read_hpf_freq(struct admv8818_state *st, u64 *hpf_freq)
hpf_state = FIELD_GET(ADMV8818_HPF_WR0_MSK, data);
- *hpf_freq = div_u64(freq_range_hpf[hpf_band - 1][1] - freq_range_hpf[hpf_band - 1][0], 15);
- *hpf_freq = freq_range_hpf[hpf_band - 1][0] + (*hpf_freq * hpf_state);
+ *hpf_freq = freq_range_hpf[hpf_band][ADMV8818_BAND_CORNER_HIGH] -
+ freq_range_hpf[hpf_band][ADMV8818_BAND_CORNER_LOW];
+ *hpf_freq = div_u64(*hpf_freq, ADMV8818_NUM_STATES - 1);
+ *hpf_freq = freq_range_hpf[hpf_band][ADMV8818_BAND_CORNER_LOW] +
+ (*hpf_freq * hpf_state);
return ret;
}
@@ -316,8 +382,11 @@ static int __admv8818_read_lpf_freq(struct admv8818_state *st, u64 *lpf_freq)
lpf_state = FIELD_GET(ADMV8818_LPF_WR0_MSK, data);
- *lpf_freq = div_u64(freq_range_lpf[lpf_band - 1][1] - freq_range_lpf[lpf_band - 1][0], 15);
- *lpf_freq = freq_range_lpf[lpf_band - 1][0] + (*lpf_freq * lpf_state);
+ *lpf_freq = freq_range_lpf[lpf_band][ADMV8818_BAND_CORNER_HIGH] -
+ freq_range_lpf[lpf_band][ADMV8818_BAND_CORNER_LOW];
+ *lpf_freq = div_u64(*lpf_freq, ADMV8818_NUM_STATES - 1);
+ *lpf_freq = freq_range_lpf[lpf_band][ADMV8818_BAND_CORNER_LOW] +
+ (*lpf_freq * lpf_state);
return ret;
}
@@ -641,6 +710,32 @@ static int admv8818_clk_setup(struct admv8818_state *st)
return devm_add_action_or_reset(&spi->dev, admv8818_clk_notifier_unreg, st);
}
+static int admv8818_read_properties(struct admv8818_state *st)
+{
+ struct spi_device *spi = st->spi;
+ u32 mhz;
+ int ret;
+
+ ret = device_property_read_u32(&spi->dev, "adi,lpf-margin-mhz", &mhz);
+ if (ret == 0)
+ st->lpf_margin_hz = (u64)mhz * HZ_PER_MHZ;
+ else if (ret == -EINVAL)
+ st->lpf_margin_hz = 0;
+ else
+ return ret;
+
+
+ ret = device_property_read_u32(&spi->dev, "adi,hpf-margin-mhz", &mhz);
+ if (ret == 0)
+ st->hpf_margin_hz = (u64)mhz * HZ_PER_MHZ;
+ else if (ret == -EINVAL)
+ st->hpf_margin_hz = 0;
+ else if (ret < 0)
+ return ret;
+
+ return 0;
+}
+
static int admv8818_probe(struct spi_device *spi)
{
struct iio_dev *indio_dev;
@@ -672,6 +767,10 @@ static int admv8818_probe(struct spi_device *spi)
mutex_init(&st->lock);
+ ret = admv8818_read_properties(st);
+ if (ret)
+ return ret;
+
ret = admv8818_init(st);
if (ret)
return ret;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 236/356] iio: filter: admv8818: Support frequencies >= 2^32
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 235/356] iio: filter: admv8818: fix range calculation Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 237/356] iio: adc: ad7124: Fix 3dB filter frequency reading Greg Kroah-Hartman
` (128 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Pellegrino, Sam Winchenbach,
Jonathan Cameron, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Pellegrino <bpellegrino@arka.org>
[ Upstream commit 9016776f1301627de78a633bda7c898425a56572 ]
This patch allows writing u64 values to the ADMV8818's high and low-pass
filter frequencies. It includes the following changes:
- Rejects negative frequencies in admv8818_write_raw.
- Adds a write_raw_get_fmt function to admv8818's iio_info, returning
IIO_VAL_INT_64 for the high and low-pass filter 3dB frequency channels.
Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818")
Signed-off-by: Brian Pellegrino <bpellegrino@arka.org>
Signed-off-by: Sam Winchenbach <swinchenbach@arka.org>
Link: https://patch.msgid.link/20250328174831.227202-7-sam.winchenbach@framepointer.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/filter/admv8818.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c
index 380e119b3cf54..cc8ce0fe74e7c 100644
--- a/drivers/iio/filter/admv8818.c
+++ b/drivers/iio/filter/admv8818.c
@@ -402,6 +402,19 @@ static int admv8818_read_lpf_freq(struct admv8818_state *st, u64 *lpf_freq)
return ret;
}
+static int admv8818_write_raw_get_fmt(struct iio_dev *indio_dev,
+ struct iio_chan_spec const *chan,
+ long mask)
+{
+ switch (mask) {
+ case IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY:
+ case IIO_CHAN_INFO_HIGH_PASS_FILTER_3DB_FREQUENCY:
+ return IIO_VAL_INT_64;
+ default:
+ return -EINVAL;
+ }
+}
+
static int admv8818_write_raw(struct iio_dev *indio_dev,
struct iio_chan_spec const *chan,
int val, int val2, long info)
@@ -410,6 +423,9 @@ static int admv8818_write_raw(struct iio_dev *indio_dev,
u64 freq = ((u64)val2 << 32 | (u32)val);
+ if ((s64)freq < 0)
+ return -EINVAL;
+
switch (info) {
case IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY:
return admv8818_lpf_select(st, freq);
@@ -571,6 +587,7 @@ static int admv8818_set_mode(struct iio_dev *indio_dev,
static const struct iio_info admv8818_info = {
.write_raw = admv8818_write_raw,
+ .write_raw_get_fmt = admv8818_write_raw_get_fmt,
.read_raw = admv8818_read_raw,
.debugfs_reg_access = &admv8818_reg_access,
};
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 237/356] iio: adc: ad7124: Fix 3dB filter frequency reading
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 236/356] iio: filter: admv8818: Support frequencies >= 2^32 Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 238/356] MIPS: Loongson64: Add missing #interrupt-cells for loongson64c_ls7a Greg Kroah-Hartman
` (127 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
Marcelo Schmitt, Jonathan Cameron, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
[ Upstream commit 8712e4986e7ce42a14c762c4c350f290989986a5 ]
The sinc4 filter has a factor 0.23 between Output Data Rate and f_{3dB}
and for sinc3 the factor is 0.272 according to the data sheets for
ad7124-4 (Rev. E.) and ad7124-8 (Rev. F).
Fixes: cef2760954cf ("iio: adc: ad7124: add 3db filter")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Reviewed-by: Marcelo Schmitt <marcelo.schmitt@analog.com>
Link: https://patch.msgid.link/20250317115247.3735016-6-u.kleine-koenig@baylibre.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/adc/ad7124.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c
index 0e6baf017bfd1..f631351eef97b 100644
--- a/drivers/iio/adc/ad7124.c
+++ b/drivers/iio/adc/ad7124.c
@@ -300,9 +300,9 @@ static int ad7124_get_3db_filter_freq(struct ad7124_state *st,
switch (st->channels[channel].cfg.filter_type) {
case AD7124_SINC3_FILTER:
- return DIV_ROUND_CLOSEST(fadc * 230, 1000);
+ return DIV_ROUND_CLOSEST(fadc * 272, 1000);
case AD7124_SINC4_FILTER:
- return DIV_ROUND_CLOSEST(fadc * 262, 1000);
+ return DIV_ROUND_CLOSEST(fadc * 230, 1000);
default:
return -EINVAL;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 238/356] MIPS: Loongson64: Add missing #interrupt-cells for loongson64c_ls7a
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 237/356] iio: adc: ad7124: Fix 3dB filter frequency reading Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 239/356] counter: interrupt-cnt: Protect enable/disable OPs with mutex Greg Kroah-Hartman
` (126 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, WangYuli,
Philippe Mathieu-Daudé, Thomas Bogendoerfer, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: WangYuli <wangyuli@uniontech.com>
[ Upstream commit 6d223b8ffcd1593d032b71875def2daa71c53111 ]
Similar to commit 98a9e2ac3755 ("MIPS: Loongson64: DTS: Fix msi node for ls7a").
Fix follow warnings:
arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts:28.31-36.4: Warning (interrupt_provider): /bus@10000000/msi-controller@2ff00000: Missing '#interrupt-cells' in interrupt provider
arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dtb: Warning (interrupt_map): Failed prerequisite 'interrupt_provider'
Fixes: 24af105962c8 ("MIPS: Loongson64: DeviceTree for LS7A PCH")
Tested-by: WangYuli <wangyuli@uniontech.com>
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts b/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts
index c7ea4f1c0bb21..6c277ab83d4b9 100644
--- a/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts
+++ b/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts
@@ -29,6 +29,7 @@
compatible = "loongson,pch-msi-1.0";
reg = <0 0x2ff00000 0 0x8>;
interrupt-controller;
+ #interrupt-cells = <1>;
msi-controller;
loongson,msi-base-vec = <64>;
loongson,msi-num-vecs = <64>;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 239/356] counter: interrupt-cnt: Protect enable/disable OPs with mutex
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 238/356] MIPS: Loongson64: Add missing #interrupt-cells for loongson64c_ls7a Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 240/356] fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt() Greg Kroah-Hartman
` (125 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Sverdlin, Oleksij Rempel,
William Breathitt Gray, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
[ Upstream commit 7351312632e831e51383f48957d47712fae791ef ]
Enable/disable seems to be racy on SMP, consider the following scenario:
CPU0 CPU1
interrupt_cnt_enable_write(true)
{
if (priv->enabled == enable)
return 0;
if (enable) {
priv->enabled = true;
interrupt_cnt_enable_write(false)
{
if (priv->enabled == enable)
return 0;
if (enable) {
priv->enabled = true;
enable_irq(priv->irq);
} else {
disable_irq(priv->irq)
priv->enabled = false;
}
enable_irq(priv->irq);
} else {
disable_irq(priv->irq);
priv->enabled = false;
}
The above would result in priv->enabled == false, but IRQ left enabled.
Protect both write (above race) and read (to propagate the value on SMP)
callbacks with a mutex.
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Fixes: a55ebd47f21f ("counter: add IRQ or GPIO based counter")
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://lore.kernel.org/r/20250331163642.2382651-1-alexander.sverdlin@siemens.com
Signed-off-by: William Breathitt Gray <wbg@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/counter/interrupt-cnt.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/counter/interrupt-cnt.c b/drivers/counter/interrupt-cnt.c
index 229473855c5b3..bc762ba87a19b 100644
--- a/drivers/counter/interrupt-cnt.c
+++ b/drivers/counter/interrupt-cnt.c
@@ -3,12 +3,14 @@
* Copyright (c) 2021 Pengutronix, Oleksij Rempel <kernel@pengutronix.de>
*/
+#include <linux/cleanup.h>
#include <linux/counter.h>
#include <linux/gpio/consumer.h>
#include <linux/interrupt.h>
#include <linux/irq.h>
#include <linux/mod_devicetable.h>
#include <linux/module.h>
+#include <linux/mutex.h>
#include <linux/platform_device.h>
#include <linux/types.h>
@@ -19,6 +21,7 @@ struct interrupt_cnt_priv {
struct gpio_desc *gpio;
int irq;
bool enabled;
+ struct mutex lock;
struct counter_signal signals;
struct counter_synapse synapses;
struct counter_count cnts;
@@ -41,6 +44,8 @@ static int interrupt_cnt_enable_read(struct counter_device *counter,
{
struct interrupt_cnt_priv *priv = counter_priv(counter);
+ guard(mutex)(&priv->lock);
+
*enable = priv->enabled;
return 0;
@@ -51,6 +56,8 @@ static int interrupt_cnt_enable_write(struct counter_device *counter,
{
struct interrupt_cnt_priv *priv = counter_priv(counter);
+ guard(mutex)(&priv->lock);
+
if (priv->enabled == enable)
return 0;
@@ -227,6 +234,8 @@ static int interrupt_cnt_probe(struct platform_device *pdev)
if (ret)
return ret;
+ mutex_init(&priv->lock);
+
ret = devm_counter_add(dev, counter);
if (ret < 0)
return dev_err_probe(dev, ret, "Failed to add counter\n");
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 240/356] fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 239/356] counter: interrupt-cnt: Protect enable/disable OPs with mutex Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 241/356] coresight: prevent deactivate active config while enabling the config Greg Kroah-Hartman
` (124 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marco Pagani, Qasim Ijaz, Xu Yilun,
Xu Yilun, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qasim Ijaz <qasdev00@gmail.com>
[ Upstream commit 6ebf1982038af12f3588417e4fd0417d2551da28 ]
fpga_mgr_test_img_load_sgt() allocates memory for sgt using
kunit_kzalloc() however it does not check if the allocation failed.
It then passes sgt to sg_alloc_table(), which passes it to
__sg_alloc_table(). This function calls memset() on sgt in an attempt to
zero it out. If the allocation fails then sgt will be NULL and the
memset will trigger a NULL pointer dereference.
Fix this by checking the allocation with KUNIT_ASSERT_NOT_ERR_OR_NULL().
Reviewed-by: Marco Pagani <marco.pagani@linux.dev>
Fixes: ccbc1c302115 ("fpga: add an initial KUnit suite for the FPGA Manager")
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
Acked-by: Xu Yilun <yilun.xu@intel.com>
Link: https://lore.kernel.org/r/20250422153737.5264-1-qasdev00@gmail.com
Signed-off-by: Xu Yilun <yilun.xu@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/fpga/tests/fpga-mgr-test.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/fpga/tests/fpga-mgr-test.c b/drivers/fpga/tests/fpga-mgr-test.c
index 6acec55b60ce9..bfe25c0c0c1c3 100644
--- a/drivers/fpga/tests/fpga-mgr-test.c
+++ b/drivers/fpga/tests/fpga-mgr-test.c
@@ -253,6 +253,7 @@ static void fpga_mgr_test_img_load_sgt(struct kunit *test)
img_buf = init_test_buffer(test, IMAGE_SIZE);
sgt = kunit_kzalloc(test, sizeof(*sgt), GFP_KERNEL);
+ KUNIT_ASSERT_NOT_ERR_OR_NULL(test, sgt);
ret = sg_alloc_table(sgt, 1, GFP_KERNEL);
KUNIT_ASSERT_EQ(test, ret, 0);
sg_init_one(sgt->sgl, img_buf, IMAGE_SIZE);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 241/356] coresight: prevent deactivate active config while enabling the config
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 240/356] fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt() Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 242/356] vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() Greg Kroah-Hartman
` (123 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Suzuki K Poulose, Yeoreum Yun,
Leo Yan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yeoreum Yun <yeoreum.yun@arm.com>
[ Upstream commit 408c97c4a5e0b634dcd15bf8b8808b382e888164 ]
While enable active config via cscfg_csdev_enable_active_config(),
active config could be deactivated via configfs' sysfs interface.
This could make UAF issue in below scenario:
CPU0 CPU1
(sysfs enable) load module
cscfg_load_config_sets()
activate config. // sysfs
(sys_active_cnt == 1)
...
cscfg_csdev_enable_active_config()
lock(csdev->cscfg_csdev_lock)
// here load config activate by CPU1
unlock(csdev->cscfg_csdev_lock)
deactivate config // sysfs
(sys_activec_cnt == 0)
cscfg_unload_config_sets()
unload module
// access to config_desc which freed
// while unloading module.
cscfg_csdev_enable_config
To address this, use cscfg_config_desc's active_cnt as a reference count
which will be holded when
- activate the config.
- enable the activated config.
and put the module reference when config_active_cnt == 0.
Fixes: f8cce2ff3c04 ("coresight: syscfg: Add API to activate and enable configurations")
Suggested-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
Reviewed-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/20250514161951.3427590-4-yeoreum.yun@arm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../hwtracing/coresight/coresight-config.h | 2 +-
.../hwtracing/coresight/coresight-syscfg.c | 49 +++++++++++++------
2 files changed, 35 insertions(+), 16 deletions(-)
diff --git a/drivers/hwtracing/coresight/coresight-config.h b/drivers/hwtracing/coresight/coresight-config.h
index 6ba0139757418..84cdde6f0e4db 100644
--- a/drivers/hwtracing/coresight/coresight-config.h
+++ b/drivers/hwtracing/coresight/coresight-config.h
@@ -228,7 +228,7 @@ struct cscfg_feature_csdev {
* @feats_csdev:references to the device features to enable.
*/
struct cscfg_config_csdev {
- const struct cscfg_config_desc *config_desc;
+ struct cscfg_config_desc *config_desc;
struct coresight_device *csdev;
bool enabled;
struct list_head node;
diff --git a/drivers/hwtracing/coresight/coresight-syscfg.c b/drivers/hwtracing/coresight/coresight-syscfg.c
index 11138a9762b01..30a561d874819 100644
--- a/drivers/hwtracing/coresight/coresight-syscfg.c
+++ b/drivers/hwtracing/coresight/coresight-syscfg.c
@@ -867,6 +867,25 @@ void cscfg_csdev_reset_feats(struct coresight_device *csdev)
}
EXPORT_SYMBOL_GPL(cscfg_csdev_reset_feats);
+static bool cscfg_config_desc_get(struct cscfg_config_desc *config_desc)
+{
+ if (!atomic_fetch_inc(&config_desc->active_cnt)) {
+ /* must ensure that config cannot be unloaded in use */
+ if (unlikely(cscfg_owner_get(config_desc->load_owner))) {
+ atomic_dec(&config_desc->active_cnt);
+ return false;
+ }
+ }
+
+ return true;
+}
+
+static void cscfg_config_desc_put(struct cscfg_config_desc *config_desc)
+{
+ if (!atomic_dec_return(&config_desc->active_cnt))
+ cscfg_owner_put(config_desc->load_owner);
+}
+
/*
* This activate configuration for either perf or sysfs. Perf can have multiple
* active configs, selected per event, sysfs is limited to one.
@@ -890,22 +909,17 @@ static int _cscfg_activate_config(unsigned long cfg_hash)
if (config_desc->available == false)
return -EBUSY;
- /* must ensure that config cannot be unloaded in use */
- err = cscfg_owner_get(config_desc->load_owner);
- if (err)
+ if (!cscfg_config_desc_get(config_desc)) {
+ err = -EINVAL;
break;
+ }
+
/*
* increment the global active count - control changes to
* active configurations
*/
atomic_inc(&cscfg_mgr->sys_active_cnt);
- /*
- * mark the descriptor as active so enable config on a
- * device instance will use it
- */
- atomic_inc(&config_desc->active_cnt);
-
err = 0;
dev_dbg(cscfg_device(), "Activate config %s.\n", config_desc->name);
break;
@@ -920,9 +934,8 @@ static void _cscfg_deactivate_config(unsigned long cfg_hash)
list_for_each_entry(config_desc, &cscfg_mgr->config_desc_list, item) {
if ((unsigned long)config_desc->event_ea->var == cfg_hash) {
- atomic_dec(&config_desc->active_cnt);
atomic_dec(&cscfg_mgr->sys_active_cnt);
- cscfg_owner_put(config_desc->load_owner);
+ cscfg_config_desc_put(config_desc);
dev_dbg(cscfg_device(), "Deactivate config %s.\n", config_desc->name);
break;
}
@@ -1047,7 +1060,7 @@ int cscfg_csdev_enable_active_config(struct coresight_device *csdev,
unsigned long cfg_hash, int preset)
{
struct cscfg_config_csdev *config_csdev_active = NULL, *config_csdev_item;
- const struct cscfg_config_desc *config_desc;
+ struct cscfg_config_desc *config_desc;
unsigned long flags;
int err = 0;
@@ -1062,8 +1075,8 @@ int cscfg_csdev_enable_active_config(struct coresight_device *csdev,
spin_lock_irqsave(&csdev->cscfg_csdev_lock, flags);
list_for_each_entry(config_csdev_item, &csdev->config_csdev_list, node) {
config_desc = config_csdev_item->config_desc;
- if ((atomic_read(&config_desc->active_cnt)) &&
- ((unsigned long)config_desc->event_ea->var == cfg_hash)) {
+ if (((unsigned long)config_desc->event_ea->var == cfg_hash) &&
+ cscfg_config_desc_get(config_desc)) {
config_csdev_active = config_csdev_item;
csdev->active_cscfg_ctxt = (void *)config_csdev_active;
break;
@@ -1097,7 +1110,11 @@ int cscfg_csdev_enable_active_config(struct coresight_device *csdev,
err = -EBUSY;
spin_unlock_irqrestore(&csdev->cscfg_csdev_lock, flags);
}
+
+ if (err)
+ cscfg_config_desc_put(config_desc);
}
+
return err;
}
EXPORT_SYMBOL_GPL(cscfg_csdev_enable_active_config);
@@ -1136,8 +1153,10 @@ void cscfg_csdev_disable_active_config(struct coresight_device *csdev)
spin_unlock_irqrestore(&csdev->cscfg_csdev_lock, flags);
/* true if there was an enabled active config */
- if (config_csdev)
+ if (config_csdev) {
cscfg_csdev_disable_config(config_csdev);
+ cscfg_config_desc_put(config_csdev->config_desc);
+ }
}
EXPORT_SYMBOL_GPL(cscfg_csdev_disable_active_config);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 242/356] vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 241/356] coresight: prevent deactivate active config while enabling the config Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 243/356] net: stmmac: platform: guarantee uniqueness of bus_id Greg Kroah-Hartman
` (122 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nicolas Pitre, Jiri Slaby,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Pitre <npitre@baylibre.com>
[ Upstream commit c4c7ead7b86c1e7f11c64915b7e5bb6d2e242691 ]
They are listed amon those cmd values that "treat 'arg' as an integer"
which is wrong. They should instead fall into the default case. Probably
nobody ever relied on that code since 2009 but still.
Fixes: e92166517e3c ("tty: handle VT specific compat ioctls in vt driver")
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Link: https://lore.kernel.org/r/pr214s15-36r8-6732-2pop-159nq85o48r7@syhkavp.arg
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/vt/vt_ioctl.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
index 8c685b5014044..5b21b60547da1 100644
--- a/drivers/tty/vt/vt_ioctl.c
+++ b/drivers/tty/vt/vt_ioctl.c
@@ -1105,8 +1105,6 @@ long vt_compat_ioctl(struct tty_struct *tty,
case VT_WAITACTIVE:
case VT_RELDISP:
case VT_DISALLOCATE:
- case VT_RESIZE:
- case VT_RESIZEX:
return vt_ioctl(tty, cmd, arg);
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 243/356] net: stmmac: platform: guarantee uniqueness of bus_id
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 242/356] vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 244/356] gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt Greg Kroah-Hartman
` (121 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Quentin Schulz, Maxime Chevallier,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Quentin Schulz <quentin.schulz@cherry.de>
[ Upstream commit eb7fd7aa35bfcc1e1fda4ecc42ccfcb526cdc780 ]
bus_id is currently derived from the ethernetX alias. If one is missing
for the device, 0 is used. If ethernet0 points to another stmmac device
or if there are 2+ stmmac devices without an ethernet alias, then bus_id
will be 0 for all of those.
This is an issue because the bus_id is used to generate the mdio bus id
(new_bus->id in drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
stmmac_mdio_register) and this needs to be unique.
This allows to avoid needing to define ethernet aliases for devices with
multiple stmmac controllers (such as the Rockchip RK3588) for multiple
stmmac devices to probe properly.
Obviously, the bus_id isn't guaranteed to be stable across reboots if no
alias is set for the device but that is easily fixed by simply adding an
alias if this is desired.
Fixes: 25c83b5c2e82 ("dt:net:stmmac: Add support to dwmac version 3.610 and 3.710")
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20250527-stmmac-mdio-bus_id-v2-1-a5ca78454e3c@cherry.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
index 4d570efd9d4bb..6c684f6ee84be 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
@@ -419,6 +419,7 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac)
struct device_node *np = pdev->dev.of_node;
struct plat_stmmacenet_data *plat;
struct stmmac_dma_cfg *dma_cfg;
+ static int bus_id = -ENODEV;
int phy_mode;
void *ret;
int rc;
@@ -454,8 +455,14 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac)
of_property_read_u32(np, "max-speed", &plat->max_speed);
plat->bus_id = of_alias_get_id(np, "ethernet");
- if (plat->bus_id < 0)
- plat->bus_id = 0;
+ if (plat->bus_id < 0) {
+ if (bus_id < 0)
+ bus_id = of_alias_get_highest_id("ethernet");
+ /* No ethernet alias found, init at -1 so first bus_id is 0 */
+ if (bus_id < 0)
+ bus_id = -1;
+ plat->bus_id = ++bus_id;
+ }
/* Default to phy auto-detection */
plat->phy_addr = -1;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 244/356] gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 243/356] net: stmmac: platform: guarantee uniqueness of bus_id Greg Kroah-Hartman
@ 2025-06-17 15:25 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 245/356] net: tipc: fix refcount warning in tipc_aead_encrypt Greg Kroah-Hartman
` (120 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit f41a94aade120dc60322865f363cee7865f2df01 ]
Previously, the RX_BUFFERS_POSTED stat incorrectly reported the
fill_cnt from RX queue 0 for all queues, resulting in inaccurate
per-queue statistics.
Fix this by correctly indexing priv->rx[idx].fill_cnt for each RX queue.
Fixes: 24aeb56f2d38 ("gve: Add Gvnic stats AQ command and ethtool show/set-priv-flags.")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20250527130830.1812903-1-alok.a.tiwari@oracle.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/google/gve/gve_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c
index 8cd098fe88ef2..b4745d94cbbdb 100644
--- a/drivers/net/ethernet/google/gve/gve_main.c
+++ b/drivers/net/ethernet/google/gve/gve_main.c
@@ -1992,7 +1992,7 @@ void gve_handle_report_stats(struct gve_priv *priv)
};
stats[stats_idx++] = (struct stats) {
.stat_name = cpu_to_be32(RX_BUFFERS_POSTED),
- .value = cpu_to_be64(priv->rx[0].fill_cnt),
+ .value = cpu_to_be64(priv->rx[idx].fill_cnt),
.queue_id = cpu_to_be32(idx),
};
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 245/356] net: tipc: fix refcount warning in tipc_aead_encrypt
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2025-06-17 15:25 ` [PATCH 6.6 244/356] gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 246/356] driver: net: ethernet: mtk_star_emac: fix suspend/resume issue Greg Kroah-Hartman
` (119 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+f0c4a4aba757549ae26c,
Charalampos Mitrodimas, Tung Nguyen, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charalampos Mitrodimas <charmitro@posteo.net>
[ Upstream commit f29ccaa07cf3d35990f4d25028cc55470d29372b ]
syzbot reported a refcount warning [1] caused by calling get_net() on
a network namespace that is being destroyed (refcount=0). This happens
when a TIPC discovery timer fires during network namespace cleanup.
The recently added get_net() call in commit e279024617134 ("net/tipc:
fix slab-use-after-free Read in tipc_aead_encrypt_done") attempts to
hold a reference to the network namespace. However, if the namespace
is already being destroyed, its refcount might be zero, leading to the
use-after-free warning.
Replace get_net() with maybe_get_net(), which safely checks if the
refcount is non-zero before incrementing it. If the namespace is being
destroyed, return -ENODEV early, after releasing the bearer reference.
[1]: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2
Reported-by: syzbot+f0c4a4aba757549ae26c@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2
Fixes: e27902461713 ("net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done")
Signed-off-by: Charalampos Mitrodimas <charmitro@posteo.net>
Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Link: https://patch.msgid.link/20250527-net-tipc-warning-v2-1-df3dc398a047@posteo.net
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tipc/crypto.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
index 8584893b47851..79f91b6ca8c84 100644
--- a/net/tipc/crypto.c
+++ b/net/tipc/crypto.c
@@ -818,7 +818,11 @@ static int tipc_aead_encrypt(struct tipc_aead *aead, struct sk_buff *skb,
}
/* Get net to avoid freed tipc_crypto when delete namespace */
- get_net(aead->crypto->net);
+ if (!maybe_get_net(aead->crypto->net)) {
+ tipc_bearer_put(b);
+ rc = -ENODEV;
+ goto exit;
+ }
/* Now, do encrypt */
rc = crypto_aead_encrypt(req);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 246/356] driver: net: ethernet: mtk_star_emac: fix suspend/resume issue
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 245/356] net: tipc: fix refcount warning in tipc_aead_encrypt Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 247/356] net/mlx4_en: Prevent potential integer overflow calculating Hz Greg Kroah-Hartman
` (118 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yanqing Wang, Macpaul Lin,
Biao Huang, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yanqing Wang <ot_yanqing.wang@mediatek.com>
[ Upstream commit ba99c627aac85bc746fb4a6e2d79edb3ad100326 ]
Identify the cause of the suspend/resume hang: netif_carrier_off()
is called during link state changes and becomes stuck while
executing linkwatch_work().
To resolve this issue, call netif_device_detach() during the Ethernet
suspend process to temporarily detach the network device from the
kernel and prevent the suspend/resume hang.
Fixes: 8c7bd5a454ff ("net: ethernet: mtk-star-emac: new driver")
Signed-off-by: Yanqing Wang <ot_yanqing.wang@mediatek.com>
Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
Signed-off-by: Biao Huang <biao.huang@mediatek.com>
Link: https://patch.msgid.link/20250528075351.593068-1-macpaul.lin@mediatek.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mediatek/mtk_star_emac.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/mediatek/mtk_star_emac.c b/drivers/net/ethernet/mediatek/mtk_star_emac.c
index c2ab87828d858..5eb7a97e7eb17 100644
--- a/drivers/net/ethernet/mediatek/mtk_star_emac.c
+++ b/drivers/net/ethernet/mediatek/mtk_star_emac.c
@@ -1468,6 +1468,8 @@ static __maybe_unused int mtk_star_suspend(struct device *dev)
if (netif_running(ndev))
mtk_star_disable(ndev);
+ netif_device_detach(ndev);
+
clk_bulk_disable_unprepare(MTK_STAR_NCLKS, priv->clks);
return 0;
@@ -1492,6 +1494,8 @@ static __maybe_unused int mtk_star_resume(struct device *dev)
clk_bulk_disable_unprepare(MTK_STAR_NCLKS, priv->clks);
}
+ netif_device_attach(ndev);
+
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 247/356] net/mlx4_en: Prevent potential integer overflow calculating Hz
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 246/356] driver: net: ethernet: mtk_star_emac: fix suspend/resume issue Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 248/356] net: lan966x: Make sure to insert the vlan tags also in host mode Greg Kroah-Hartman
` (117 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Simon Horman,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 54d34165b4f786d7fea8412a18fb4a54c1eab623 ]
The "freq" variable is in terms of MHz and "max_val_cycles" is in terms
of Hz. The fact that "max_val_cycles" is a u64 suggests that support
for high frequency is intended but the "freq_khz * 1000" would overflow
the u32 type if we went above 4GHz. Use unsigned long long type for the
mutliplication to prevent that.
Fixes: 31c128b66e5b ("net/mlx4_en: Choose time-stamping shift value according to HW frequency")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/aDbFHe19juIJKjsb@stanley.mountain
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx4/en_clock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx4/en_clock.c b/drivers/net/ethernet/mellanox/mlx4/en_clock.c
index 9e3b761820881..2d5b86207e079 100644
--- a/drivers/net/ethernet/mellanox/mlx4/en_clock.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_clock.c
@@ -249,7 +249,7 @@ static const struct ptp_clock_info mlx4_en_ptp_clock_info = {
static u32 freq_to_shift(u16 freq)
{
u32 freq_khz = freq * 1000;
- u64 max_val_cycles = freq_khz * 1000 * MLX4_EN_WRAP_AROUND_SEC;
+ u64 max_val_cycles = freq_khz * 1000ULL * MLX4_EN_WRAP_AROUND_SEC;
u64 max_val_cycles_rounded = 1ULL << fls64(max_val_cycles - 1);
/* calculate max possible multiplier in order to fit in 64bit */
u64 max_mul = div64_u64(ULLONG_MAX, max_val_cycles_rounded);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 248/356] net: lan966x: Make sure to insert the vlan tags also in host mode
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 247/356] net/mlx4_en: Prevent potential integer overflow calculating Hz Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 249/356] spi: bcm63xx-spi: fix shared reset Greg Kroah-Hartman
` (116 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Horatiu Vultur,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Horatiu Vultur <horatiu.vultur@microchip.com>
[ Upstream commit 27eab4c644236a9324084a70fe79e511cbd07393 ]
When running these commands on DUT (and similar at the other end)
ip link set dev eth0 up
ip link add link eth0 name eth0.10 type vlan id 10
ip addr add 10.0.0.1/24 dev eth0.10
ip link set dev eth0.10 up
ping 10.0.0.2
The ping will fail.
The reason why is failing is because, the network interfaces for lan966x
have a flag saying that the HW can insert the vlan tags into the
frames(NETIF_F_HW_VLAN_CTAG_TX). Meaning that the frames that are
transmitted don't have the vlan tag inside the skb data, but they have
it inside the skb. We already get that vlan tag and put it in the IFH
but the problem is that we don't configure the HW to rewrite the frame
when the interface is in host mode.
The fix consists in actually configuring the HW to insert the vlan tag
if it is different than 0.
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Fixes: 6d2c186afa5d ("net: lan966x: Add vlan support.")
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Link: https://patch.msgid.link/20250528093619.3738998-1-horatiu.vultur@microchip.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/microchip/lan966x/lan966x_main.c | 1 +
.../ethernet/microchip/lan966x/lan966x_main.h | 1 +
.../microchip/lan966x/lan966x_switchdev.c | 1 +
.../ethernet/microchip/lan966x/lan966x_vlan.c | 21 +++++++++++++++++++
4 files changed, 24 insertions(+)
diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
index 05f6c92275830..b424e75fd40c4 100644
--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
+++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
@@ -881,6 +881,7 @@ static int lan966x_probe_port(struct lan966x *lan966x, u32 p,
lan966x_vlan_port_set_vlan_aware(port, 0);
lan966x_vlan_port_set_vid(port, HOST_PVID, false, false);
lan966x_vlan_port_apply(port);
+ lan966x_vlan_port_rew_host(port);
return 0;
}
diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h
index b65d58a1552b5..5a16d76eb000d 100644
--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h
+++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h
@@ -549,6 +549,7 @@ void lan966x_vlan_port_apply(struct lan966x_port *port);
bool lan966x_vlan_cpu_member_cpu_vlan_mask(struct lan966x *lan966x, u16 vid);
void lan966x_vlan_port_set_vlan_aware(struct lan966x_port *port,
bool vlan_aware);
+void lan966x_vlan_port_rew_host(struct lan966x_port *port);
int lan966x_vlan_port_set_vid(struct lan966x_port *port,
u16 vid,
bool pvid,
diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c b/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c
index 1c88120eb291a..bcb4db76b75cd 100644
--- a/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c
+++ b/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c
@@ -297,6 +297,7 @@ static void lan966x_port_bridge_leave(struct lan966x_port *port,
lan966x_vlan_port_set_vlan_aware(port, false);
lan966x_vlan_port_set_vid(port, HOST_PVID, false, false);
lan966x_vlan_port_apply(port);
+ lan966x_vlan_port_rew_host(port);
}
int lan966x_port_changeupper(struct net_device *dev,
diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c b/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c
index 3c44660128dae..ffb245fb7d678 100644
--- a/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c
+++ b/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c
@@ -149,6 +149,27 @@ void lan966x_vlan_port_set_vlan_aware(struct lan966x_port *port,
port->vlan_aware = vlan_aware;
}
+/* When the interface is in host mode, the interface should not be vlan aware
+ * but it should insert all the tags that it gets from the network stack.
+ * The tags are not in the data of the frame but actually in the skb and the ifh
+ * is configured already to get this tag. So what we need to do is to update the
+ * rewriter to insert the vlan tag for all frames which have a vlan tag
+ * different than 0.
+ */
+void lan966x_vlan_port_rew_host(struct lan966x_port *port)
+{
+ struct lan966x *lan966x = port->lan966x;
+ u32 val;
+
+ /* Tag all frames except when VID=0*/
+ val = REW_TAG_CFG_TAG_CFG_SET(2);
+
+ /* Update only some bits in the register */
+ lan_rmw(val,
+ REW_TAG_CFG_TAG_CFG,
+ lan966x, REW_TAG_CFG(port->chip_port));
+}
+
void lan966x_vlan_port_apply(struct lan966x_port *port)
{
struct lan966x *lan966x = port->lan966x;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 249/356] spi: bcm63xx-spi: fix shared reset
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 248/356] net: lan966x: Make sure to insert the vlan tags also in host mode Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 250/356] spi: bcm63xx-hsspi: " Greg Kroah-Hartman
` (115 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonas Gorski,
Álvaro Fernández Rojas, Florian Fainelli, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Álvaro Fernández Rojas <noltari@gmail.com>
[ Upstream commit 5ad20e3d8cfe3b2e42bbddc7e0ebaa74479bb589 ]
Some bmips SoCs (bcm6362, bcm63268) share the same SPI reset for both SPI
and HSSPI controllers, so reset shouldn't be exclusive.
Fixes: 38807adeaf1e ("spi: bcm63xx-spi: add reset support")
Reported-by: Jonas Gorski <jonas.gorski@gmail.com>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20250529130915.2519590-2-noltari@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-bcm63xx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c
index ef3a7226db125..a95badb7b7114 100644
--- a/drivers/spi/spi-bcm63xx.c
+++ b/drivers/spi/spi-bcm63xx.c
@@ -523,7 +523,7 @@ static int bcm63xx_spi_probe(struct platform_device *pdev)
return PTR_ERR(clk);
}
- reset = devm_reset_control_get_optional_exclusive(dev, NULL);
+ reset = devm_reset_control_get_optional_shared(dev, NULL);
if (IS_ERR(reset))
return PTR_ERR(reset);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 250/356] spi: bcm63xx-hsspi: fix shared reset
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 249/356] spi: bcm63xx-spi: fix shared reset Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 251/356] Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION Greg Kroah-Hartman
` (114 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonas Gorski,
Álvaro Fernández Rojas, Florian Fainelli, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Álvaro Fernández Rojas <noltari@gmail.com>
[ Upstream commit 3d6d84c8f2f66d3fd6a43a1e2ce8e6b54c573960 ]
Some bmips SoCs (bcm6362, bcm63268) share the same SPI reset for both SPI
and HSSPI controllers, so reset shouldn't be exclusive.
Fixes: 0eeadddbf09a ("spi: bcm63xx-hsspi: add reset support")
Reported-by: Jonas Gorski <jonas.gorski@gmail.com>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20250529130915.2519590-3-noltari@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-bcm63xx-hsspi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c
index 1ca857c2a4aa3..8df12efeea21c 100644
--- a/drivers/spi/spi-bcm63xx-hsspi.c
+++ b/drivers/spi/spi-bcm63xx-hsspi.c
@@ -745,7 +745,7 @@ static int bcm63xx_hsspi_probe(struct platform_device *pdev)
if (IS_ERR(clk))
return PTR_ERR(clk);
- reset = devm_reset_control_get_optional_exclusive(dev, NULL);
+ reset = devm_reset_control_get_optional_shared(dev, NULL);
if (IS_ERR(reset))
return PTR_ERR(reset);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 251/356] Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 250/356] spi: bcm63xx-hsspi: " Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 252/356] ice: fix Tx scheduler error handling in XDP callback Greg Kroah-Hartman
` (113 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 03dba9cea72f977e873e4e60e220fa596959dd8f ]
Depending on the security set the response to L2CAP_LE_CONN_REQ shall be
just L2CAP_CR_LE_ENCRYPTION if only encryption when BT_SECURITY_MEDIUM
is selected since that means security mode 2 which doesn't require
authentication which is something that is covered in the qualification
test L2CAP/LE/CFC/BV-25-C.
Link: https://github.com/bluez/bluez/issues/1270
Fixes: 27e2d4c8d28b ("Bluetooth: Add basic LE L2CAP connect request receiving support")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 1c54e812ef1f7..2744ad11687c6 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4833,7 +4833,8 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
SMP_ALLOW_STK)) {
- result = L2CAP_CR_LE_AUTHENTICATION;
+ result = pchan->sec_level == BT_SECURITY_MEDIUM ?
+ L2CAP_CR_LE_ENCRYPTION : L2CAP_CR_LE_AUTHENTICATION;
chan = NULL;
goto response_unlock;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 252/356] ice: fix Tx scheduler error handling in XDP callback
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 251/356] Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 253/356] ice: create new Tx scheduler nodes for new queues only Greg Kroah-Hartman
` (112 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dawid Osuchowski, Przemek Kitszel,
Jacob Keller, Michal Kubiak, Aleksandr Loktionov, Simon Horman,
Jesse Brandeburg, Tony Nguyen, Sasha Levin, Saritha Sanigani
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Kubiak <michal.kubiak@intel.com>
[ Upstream commit 0153f36041b8e52019ebfa8629c13bf8f9b0a951 ]
When the XDP program is loaded, the XDP callback adds new Tx queues.
This means that the callback must update the Tx scheduler with the new
queue number. In the event of a Tx scheduler failure, the XDP callback
should also fail and roll back any changes previously made for XDP
preparation.
The previous implementation had a bug that not all changes made by the
XDP callback were rolled back. This caused the crash with the following
call trace:
[ +9.549584] ice 0000:ca:00.0: Failed VSI LAN queue config for XDP, error: -5
[ +0.382335] Oops: general protection fault, probably for non-canonical address 0x50a2250a90495525: 0000 [#1] SMP NOPTI
[ +0.010710] CPU: 103 UID: 0 PID: 0 Comm: swapper/103 Not tainted 6.14.0-net-next-mar-31+ #14 PREEMPT(voluntary)
[ +0.010175] Hardware name: Intel Corporation M50CYP2SBSTD/M50CYP2SBSTD, BIOS SE5C620.86B.01.01.0005.2202160810 02/16/2022
[ +0.010946] RIP: 0010:__ice_update_sample+0x39/0xe0 [ice]
[...]
[ +0.002715] Call Trace:
[ +0.002452] <IRQ>
[ +0.002021] ? __die_body.cold+0x19/0x29
[ +0.003922] ? die_addr+0x3c/0x60
[ +0.003319] ? exc_general_protection+0x17c/0x400
[ +0.004707] ? asm_exc_general_protection+0x26/0x30
[ +0.004879] ? __ice_update_sample+0x39/0xe0 [ice]
[ +0.004835] ice_napi_poll+0x665/0x680 [ice]
[ +0.004320] __napi_poll+0x28/0x190
[ +0.003500] net_rx_action+0x198/0x360
[ +0.003752] ? update_rq_clock+0x39/0x220
[ +0.004013] handle_softirqs+0xf1/0x340
[ +0.003840] ? sched_clock_cpu+0xf/0x1f0
[ +0.003925] __irq_exit_rcu+0xc2/0xe0
[ +0.003665] common_interrupt+0x85/0xa0
[ +0.003839] </IRQ>
[ +0.002098] <TASK>
[ +0.002106] asm_common_interrupt+0x26/0x40
[ +0.004184] RIP: 0010:cpuidle_enter_state+0xd3/0x690
Fix this by performing the missing unmapping of XDP queues from
q_vectors and setting the XDP rings pointer back to NULL after all those
queues are released.
Also, add an immediate exit from the XDP callback in case of ring
preparation failure.
Fixes: efc2214b6047 ("ice: Add support for XDP")
Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: Michal Kubiak <michal.kubiak@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Jesse Brandeburg <jbrandeburg@cloudflare.com>
Tested-by: Saritha Sanigani <sarithax.sanigani@intel.com> (A Contingent Worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_main.c | 47 ++++++++++++++++-------
1 file changed, 33 insertions(+), 14 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
index 0ae7bdfff83fb..e1a68fb5e9fff 100644
--- a/drivers/net/ethernet/intel/ice/ice_main.c
+++ b/drivers/net/ethernet/intel/ice/ice_main.c
@@ -2650,6 +2650,27 @@ static void ice_vsi_assign_bpf_prog(struct ice_vsi *vsi, struct bpf_prog *prog)
bpf_prog_put(old_prog);
}
+/**
+ * ice_unmap_xdp_rings - Unmap XDP rings from interrupt vectors
+ * @vsi: the VSI with XDP rings being unmapped
+ */
+static void ice_unmap_xdp_rings(struct ice_vsi *vsi)
+{
+ int v_idx;
+
+ ice_for_each_q_vector(vsi, v_idx) {
+ struct ice_q_vector *q_vector = vsi->q_vectors[v_idx];
+ struct ice_tx_ring *ring;
+
+ ice_for_each_tx_ring(ring, q_vector->tx)
+ if (!ring->tx_buf || !ice_ring_is_xdp(ring))
+ break;
+
+ /* restore the value of last node prior to XDP setup */
+ q_vector->tx.tx_ring = ring;
+ }
+}
+
/**
* ice_prepare_xdp_rings - Allocate, configure and setup Tx rings for XDP
* @vsi: VSI to bring up Tx rings used by XDP
@@ -2749,7 +2770,7 @@ int ice_prepare_xdp_rings(struct ice_vsi *vsi, struct bpf_prog *prog,
if (status) {
dev_err(dev, "Failed VSI LAN queue config for XDP, error: %d\n",
status);
- goto clear_xdp_rings;
+ goto unmap_xdp_rings;
}
/* assign the prog only when it's not already present on VSI;
@@ -2765,6 +2786,8 @@ int ice_prepare_xdp_rings(struct ice_vsi *vsi, struct bpf_prog *prog,
ice_vsi_assign_bpf_prog(vsi, prog);
return 0;
+unmap_xdp_rings:
+ ice_unmap_xdp_rings(vsi);
clear_xdp_rings:
ice_for_each_xdp_txq(vsi, i)
if (vsi->xdp_rings[i]) {
@@ -2781,6 +2804,8 @@ int ice_prepare_xdp_rings(struct ice_vsi *vsi, struct bpf_prog *prog,
mutex_unlock(&pf->avail_q_mutex);
devm_kfree(dev, vsi->xdp_rings);
+ vsi->xdp_rings = NULL;
+
return -ENOMEM;
}
@@ -2796,7 +2821,7 @@ int ice_destroy_xdp_rings(struct ice_vsi *vsi, enum ice_xdp_cfg cfg_type)
{
u16 max_txqs[ICE_MAX_TRAFFIC_CLASS] = { 0 };
struct ice_pf *pf = vsi->back;
- int i, v_idx;
+ int i;
/* q_vectors are freed in reset path so there's no point in detaching
* rings
@@ -2804,17 +2829,7 @@ int ice_destroy_xdp_rings(struct ice_vsi *vsi, enum ice_xdp_cfg cfg_type)
if (cfg_type == ICE_XDP_CFG_PART)
goto free_qmap;
- ice_for_each_q_vector(vsi, v_idx) {
- struct ice_q_vector *q_vector = vsi->q_vectors[v_idx];
- struct ice_tx_ring *ring;
-
- ice_for_each_tx_ring(ring, q_vector->tx)
- if (!ring->tx_buf || !ice_ring_is_xdp(ring))
- break;
-
- /* restore the value of last node prior to XDP setup */
- q_vector->tx.tx_ring = ring;
- }
+ ice_unmap_xdp_rings(vsi);
free_qmap:
mutex_lock(&pf->avail_q_mutex);
@@ -2956,11 +2971,14 @@ ice_xdp_setup_prog(struct ice_vsi *vsi, struct bpf_prog *prog,
xdp_ring_err = ice_vsi_determine_xdp_res(vsi);
if (xdp_ring_err) {
NL_SET_ERR_MSG_MOD(extack, "Not enough Tx resources for XDP");
+ goto resume_if;
} else {
xdp_ring_err = ice_prepare_xdp_rings(vsi, prog,
ICE_XDP_CFG_FULL);
- if (xdp_ring_err)
+ if (xdp_ring_err) {
NL_SET_ERR_MSG_MOD(extack, "Setting up XDP Tx resources failed");
+ goto resume_if;
+ }
}
xdp_features_set_redirect_target(vsi->netdev, true);
/* reallocate Rx queues that are used for zero-copy */
@@ -2978,6 +2996,7 @@ ice_xdp_setup_prog(struct ice_vsi *vsi, struct bpf_prog *prog,
NL_SET_ERR_MSG_MOD(extack, "Freeing XDP Rx resources failed");
}
+resume_if:
if (if_running)
ret = ice_up(vsi);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 253/356] ice: create new Tx scheduler nodes for new queues only
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 252/356] ice: fix Tx scheduler error handling in XDP callback Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 254/356] ice: fix rebuilding the Tx scheduler tree for large queue counts Greg Kroah-Hartman
` (111 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dawid Osuchowski, Przemek Kitszel,
Jacob Keller, Michal Kubiak, Simon Horman, Jesse Brandeburg,
Tony Nguyen, Sasha Levin, Saritha Sanigani
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Kubiak <michal.kubiak@intel.com>
[ Upstream commit 6fa2942578472c9cab13a8fc1dae0d830193e0a1 ]
The current implementation of the Tx scheduler tree attempts
to create nodes for all Tx queues, ignoring the fact that some
queues may already exist in the tree. For example, if the VSI
already has 128 Tx queues and the user requests for 16 new queues,
the Tx scheduler will compute the tree for 272 queues (128 existing
queues + 144 new queues), instead of 144 queues (128 existing queues
and 16 new queues).
Fix that by modifying the node count calculation algorithm to skip
the queues that already exist in the tree.
Fixes: 5513b920a4f7 ("ice: Update Tx scheduler tree for VSI multi-Tx queue support")
Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: Michal Kubiak <michal.kubiak@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Jesse Brandeburg <jbrandeburg@cloudflare.com>
Tested-by: Saritha Sanigani <sarithax.sanigani@intel.com> (A Contingent Worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_sched.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_sched.c b/drivers/net/ethernet/intel/ice/ice_sched.c
index 908bcd0738033..e40a5f9a893d5 100644
--- a/drivers/net/ethernet/intel/ice/ice_sched.c
+++ b/drivers/net/ethernet/intel/ice/ice_sched.c
@@ -1614,16 +1614,16 @@ ice_sched_get_agg_node(struct ice_port_info *pi, struct ice_sched_node *tc_node,
/**
* ice_sched_calc_vsi_child_nodes - calculate number of VSI child nodes
* @hw: pointer to the HW struct
- * @num_qs: number of queues
+ * @num_new_qs: number of new queues that will be added to the tree
* @num_nodes: num nodes array
*
* This function calculates the number of VSI child nodes based on the
* number of queues.
*/
static void
-ice_sched_calc_vsi_child_nodes(struct ice_hw *hw, u16 num_qs, u16 *num_nodes)
+ice_sched_calc_vsi_child_nodes(struct ice_hw *hw, u16 num_new_qs, u16 *num_nodes)
{
- u16 num = num_qs;
+ u16 num = num_new_qs;
u8 i, qgl, vsil;
qgl = ice_sched_get_qgrp_layer(hw);
@@ -1873,8 +1873,9 @@ ice_sched_update_vsi_child_nodes(struct ice_port_info *pi, u16 vsi_handle,
return status;
}
- if (new_numqs)
- ice_sched_calc_vsi_child_nodes(hw, new_numqs, new_num_nodes);
+ ice_sched_calc_vsi_child_nodes(hw, new_numqs - prev_numqs,
+ new_num_nodes);
+
/* Keep the max number of queue configuration all the time. Update the
* tree only if number of queues > previous number of queues. This may
* leave some extra nodes in the tree if number of queues < previous
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 254/356] ice: fix rebuilding the Tx scheduler tree for large queue counts
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 253/356] ice: create new Tx scheduler nodes for new queues only Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 255/356] net: dsa: tag_brcm: legacy: fix pskb_may_pull length Greg Kroah-Hartman
` (110 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dawid Osuchowski, Przemek Kitszel,
Michal Kubiak, Simon Horman, Jesse Brandeburg, Tony Nguyen,
Sasha Levin, Saritha Sanigani
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Kubiak <michal.kubiak@intel.com>
[ Upstream commit 73145e6d81070d34a21431c9e0d7aaf2f29ca048 ]
The current implementation of the Tx scheduler allows the tree to be
rebuilt as the user adds more Tx queues to the VSI. In such a case,
additional child nodes are added to the tree to support the new number
of queues.
Unfortunately, this algorithm does not take into account that the limit
of the VSI support node may be exceeded, so an additional node in the
VSI layer may be required to handle all the requested queues.
Such a scenario occurs when adding XDP Tx queues on machines with many
CPUs. Although the driver still respects the queue limit returned by
the FW, the Tx scheduler was unable to add those queues to its tree
and returned one of the errors below.
Such a scenario occurs when adding XDP Tx queues on machines with many
CPUs (e.g. at least 321 CPUs, if there is already 128 Tx/Rx queue pairs).
Although the driver still respects the queue limit returned by the FW,
the Tx scheduler was unable to add those queues to its tree and returned
the following errors:
Failed VSI LAN queue config for XDP, error: -5
or:
Failed to set LAN Tx queue context, error: -22
Fix this problem by extending the tree rebuild algorithm to check if the
current VSI node can support the requested number of queues. If it
cannot, create as many additional VSI support nodes as necessary to
handle all the required Tx queues. Symmetrically, adjust the VSI node
removal algorithm to remove all nodes associated with the given VSI.
Also, make the search for the next free VSI node more restrictive. That is,
add queue group nodes only to the VSI support nodes that have a matching
VSI handle.
Finally, fix the comment describing the tree update algorithm to better
reflect the current scenario.
Fixes: b0153fdd7e8a ("ice: update VSI config dynamically")
Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Signed-off-by: Michal Kubiak <michal.kubiak@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Jesse Brandeburg <jbrandeburg@cloudflare.com>
Tested-by: Saritha Sanigani <sarithax.sanigani@intel.com> (A Contingent Worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_sched.c | 170 +++++++++++++++++----
1 file changed, 142 insertions(+), 28 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_sched.c b/drivers/net/ethernet/intel/ice/ice_sched.c
index e40a5f9a893d5..c2de166f05515 100644
--- a/drivers/net/ethernet/intel/ice/ice_sched.c
+++ b/drivers/net/ethernet/intel/ice/ice_sched.c
@@ -84,6 +84,27 @@ ice_sched_find_node_by_teid(struct ice_sched_node *start_node, u32 teid)
return NULL;
}
+/**
+ * ice_sched_find_next_vsi_node - find the next node for a given VSI
+ * @vsi_node: VSI support node to start search with
+ *
+ * Return: Next VSI support node, or NULL.
+ *
+ * The function returns a pointer to the next node from the VSI layer
+ * assigned to the given VSI, or NULL if there is no such a node.
+ */
+static struct ice_sched_node *
+ice_sched_find_next_vsi_node(struct ice_sched_node *vsi_node)
+{
+ unsigned int vsi_handle = vsi_node->vsi_handle;
+
+ while ((vsi_node = vsi_node->sibling) != NULL)
+ if (vsi_node->vsi_handle == vsi_handle)
+ break;
+
+ return vsi_node;
+}
+
/**
* ice_aqc_send_sched_elem_cmd - send scheduling elements cmd
* @hw: pointer to the HW struct
@@ -1096,8 +1117,10 @@ ice_sched_add_nodes_to_layer(struct ice_port_info *pi,
if (parent->num_children < max_child_nodes) {
new_num_nodes = max_child_nodes - parent->num_children;
} else {
- /* This parent is full, try the next sibling */
- parent = parent->sibling;
+ /* This parent is full,
+ * try the next available sibling.
+ */
+ parent = ice_sched_find_next_vsi_node(parent);
/* Don't modify the first node TEID memory if the
* first node was added already in the above call.
* Instead send some temp memory for all other
@@ -1538,12 +1561,23 @@ ice_sched_get_free_qparent(struct ice_port_info *pi, u16 vsi_handle, u8 tc,
/* get the first queue group node from VSI sub-tree */
qgrp_node = ice_sched_get_first_node(pi, vsi_node, qgrp_layer);
while (qgrp_node) {
+ struct ice_sched_node *next_vsi_node;
+
/* make sure the qgroup node is part of the VSI subtree */
if (ice_sched_find_node_in_subtree(pi->hw, vsi_node, qgrp_node))
if (qgrp_node->num_children < max_children &&
qgrp_node->owner == owner)
break;
qgrp_node = qgrp_node->sibling;
+ if (qgrp_node)
+ continue;
+
+ next_vsi_node = ice_sched_find_next_vsi_node(vsi_node);
+ if (!next_vsi_node)
+ break;
+
+ vsi_node = next_vsi_node;
+ qgrp_node = ice_sched_get_first_node(pi, vsi_node, qgrp_layer);
}
/* Select the best queue group */
@@ -1789,7 +1823,11 @@ ice_sched_add_vsi_support_nodes(struct ice_port_info *pi, u16 vsi_handle,
if (!parent)
return -EIO;
- if (i == vsil)
+ /* Do not modify the VSI handle for already existing VSI nodes,
+ * (if no new VSI node was added to the tree).
+ * Assign the VSI handle only to newly added VSI nodes.
+ */
+ if (i == vsil && num_added)
parent->vsi_handle = vsi_handle;
}
@@ -1822,6 +1860,41 @@ ice_sched_add_vsi_to_topo(struct ice_port_info *pi, u16 vsi_handle, u8 tc)
num_nodes);
}
+/**
+ * ice_sched_recalc_vsi_support_nodes - recalculate VSI support nodes count
+ * @hw: pointer to the HW struct
+ * @vsi_node: pointer to the leftmost VSI node that needs to be extended
+ * @new_numqs: new number of queues that has to be handled by the VSI
+ * @new_num_nodes: pointer to nodes count table to modify the VSI layer entry
+ *
+ * This function recalculates the number of supported nodes that need to
+ * be added after adding more Tx queues for a given VSI.
+ * The number of new VSI support nodes that shall be added will be saved
+ * to the @new_num_nodes table for the VSI layer.
+ */
+static void
+ice_sched_recalc_vsi_support_nodes(struct ice_hw *hw,
+ struct ice_sched_node *vsi_node,
+ unsigned int new_numqs, u16 *new_num_nodes)
+{
+ u32 vsi_nodes_cnt = 1;
+ u32 max_queue_cnt = 1;
+ u32 qgl, vsil;
+
+ qgl = ice_sched_get_qgrp_layer(hw);
+ vsil = ice_sched_get_vsi_layer(hw);
+
+ for (u32 i = vsil; i <= qgl; i++)
+ max_queue_cnt *= hw->max_children[i];
+
+ while ((vsi_node = ice_sched_find_next_vsi_node(vsi_node)) != NULL)
+ vsi_nodes_cnt++;
+
+ if (new_numqs > (max_queue_cnt * vsi_nodes_cnt))
+ new_num_nodes[vsil] = DIV_ROUND_UP(new_numqs, max_queue_cnt) -
+ vsi_nodes_cnt;
+}
+
/**
* ice_sched_update_vsi_child_nodes - update VSI child nodes
* @pi: port information structure
@@ -1873,16 +1946,25 @@ ice_sched_update_vsi_child_nodes(struct ice_port_info *pi, u16 vsi_handle,
return status;
}
+ ice_sched_recalc_vsi_support_nodes(hw, vsi_node,
+ new_numqs, new_num_nodes);
ice_sched_calc_vsi_child_nodes(hw, new_numqs - prev_numqs,
new_num_nodes);
- /* Keep the max number of queue configuration all the time. Update the
- * tree only if number of queues > previous number of queues. This may
+ /* Never decrease the number of queues in the tree. Update the tree
+ * only if number of queues > previous number of queues. This may
* leave some extra nodes in the tree if number of queues < previous
* number but that wouldn't harm anything. Removing those extra nodes
* may complicate the code if those nodes are part of SRL or
* individually rate limited.
+ * Also, add the required VSI support nodes if the existing ones cannot
+ * handle the requested new number of queues.
*/
+ status = ice_sched_add_vsi_support_nodes(pi, vsi_handle, tc_node,
+ new_num_nodes);
+ if (status)
+ return status;
+
status = ice_sched_add_vsi_child_nodes(pi, vsi_handle, tc_node,
new_num_nodes, owner);
if (status)
@@ -2023,6 +2105,58 @@ static bool ice_sched_is_leaf_node_present(struct ice_sched_node *node)
return (node->info.data.elem_type == ICE_AQC_ELEM_TYPE_LEAF);
}
+/**
+ * ice_sched_rm_vsi_subtree - remove all nodes assigned to a given VSI
+ * @pi: port information structure
+ * @vsi_node: pointer to the leftmost node of the VSI to be removed
+ * @owner: LAN or RDMA
+ * @tc: TC number
+ *
+ * Return: Zero in case of success, or -EBUSY if the VSI has leaf nodes in TC.
+ *
+ * This function removes all the VSI support nodes associated with a given VSI
+ * and its LAN or RDMA children nodes from the scheduler tree.
+ */
+static int
+ice_sched_rm_vsi_subtree(struct ice_port_info *pi,
+ struct ice_sched_node *vsi_node, u8 owner, u8 tc)
+{
+ u16 vsi_handle = vsi_node->vsi_handle;
+ bool all_vsi_nodes_removed = true;
+ int j = 0;
+
+ while (vsi_node) {
+ struct ice_sched_node *next_vsi_node;
+
+ if (ice_sched_is_leaf_node_present(vsi_node)) {
+ ice_debug(pi->hw, ICE_DBG_SCHED, "VSI has leaf nodes in TC %d\n", tc);
+ return -EBUSY;
+ }
+ while (j < vsi_node->num_children) {
+ if (vsi_node->children[j]->owner == owner)
+ ice_free_sched_node(pi, vsi_node->children[j]);
+ else
+ j++;
+ }
+
+ next_vsi_node = ice_sched_find_next_vsi_node(vsi_node);
+
+ /* remove the VSI if it has no children */
+ if (!vsi_node->num_children)
+ ice_free_sched_node(pi, vsi_node);
+ else
+ all_vsi_nodes_removed = false;
+
+ vsi_node = next_vsi_node;
+ }
+
+ /* clean up aggregator related VSI info if any */
+ if (all_vsi_nodes_removed)
+ ice_sched_rm_agg_vsi_info(pi, vsi_handle);
+
+ return 0;
+}
+
/**
* ice_sched_rm_vsi_cfg - remove the VSI and its children nodes
* @pi: port information structure
@@ -2049,7 +2183,6 @@ ice_sched_rm_vsi_cfg(struct ice_port_info *pi, u16 vsi_handle, u8 owner)
ice_for_each_traffic_class(i) {
struct ice_sched_node *vsi_node, *tc_node;
- u8 j = 0;
tc_node = ice_sched_get_tc_node(pi, i);
if (!tc_node)
@@ -2059,31 +2192,12 @@ ice_sched_rm_vsi_cfg(struct ice_port_info *pi, u16 vsi_handle, u8 owner)
if (!vsi_node)
continue;
- if (ice_sched_is_leaf_node_present(vsi_node)) {
- ice_debug(pi->hw, ICE_DBG_SCHED, "VSI has leaf nodes in TC %d\n", i);
- status = -EBUSY;
+ status = ice_sched_rm_vsi_subtree(pi, vsi_node, owner, i);
+ if (status)
goto exit_sched_rm_vsi_cfg;
- }
- while (j < vsi_node->num_children) {
- if (vsi_node->children[j]->owner == owner) {
- ice_free_sched_node(pi, vsi_node->children[j]);
- /* reset the counter again since the num
- * children will be updated after node removal
- */
- j = 0;
- } else {
- j++;
- }
- }
- /* remove the VSI if it has no children */
- if (!vsi_node->num_children) {
- ice_free_sched_node(pi, vsi_node);
- vsi_ctx->sched.vsi_node[i] = NULL;
+ vsi_ctx->sched.vsi_node[i] = NULL;
- /* clean up aggregator related VSI info if any */
- ice_sched_rm_agg_vsi_info(pi, vsi_handle);
- }
if (owner == ICE_SCHED_NODE_OWNER_LAN)
vsi_ctx->sched.max_lanq[i] = 0;
else
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 255/356] net: dsa: tag_brcm: legacy: fix pskb_may_pull length
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 254/356] ice: fix rebuilding the Tx scheduler tree for large queue counts Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 256/356] net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping Greg Kroah-Hartman
` (109 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Álvaro Fernández Rojas,
Florian Fainelli, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Álvaro Fernández Rojas <noltari@gmail.com>
[ Upstream commit efdddc4484859082da6c7877ed144c8121c8ea55 ]
BRCM_LEG_PORT_ID was incorrectly used for pskb_may_pull length.
The correct check is BRCM_LEG_TAG_LEN + VLAN_HLEN, or 10 bytes.
Fixes: 964dbf186eaa ("net: dsa: tag_brcm: add support for legacy tags")
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20250529124406.2513779-1-noltari@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/dsa/tag_brcm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/dsa/tag_brcm.c b/net/dsa/tag_brcm.c
index cacdafb41200e..146c1dbd15a93 100644
--- a/net/dsa/tag_brcm.c
+++ b/net/dsa/tag_brcm.c
@@ -257,7 +257,7 @@ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb,
int source_port;
u8 *brcm_tag;
- if (unlikely(!pskb_may_pull(skb, BRCM_LEG_PORT_ID)))
+ if (unlikely(!pskb_may_pull(skb, BRCM_LEG_TAG_LEN + VLAN_HLEN)))
return NULL;
brcm_tag = dsa_etype_header_pos_rx(skb);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 256/356] net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 255/356] net: dsa: tag_brcm: legacy: fix pskb_may_pull length Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 257/356] net: Fix checksum update for ILA adj-transport Greg Kroah-Hartman
` (108 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexis Lothoré, Yanteng Si,
Maxime Chevallier, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexis Lothoré <alexis.lothore@bootlin.com>
[ Upstream commit 030ce919e114a111e83b7976ecb3597cefd33f26 ]
The stmmac platform drivers that do not open-code the clk_ptp_rate value
after having retrieved the default one from the device-tree can end up
with 0 in clk_ptp_rate (as clk_get_rate can return 0). It will
eventually propagate up to PTP initialization when bringing up the
interface, leading to a divide by 0:
Division by zero in kernel.
CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.30-00001-g48313bd5768a #22
Hardware name: STM32 (Device Tree Support)
Call trace:
unwind_backtrace from show_stack+0x18/0x1c
show_stack from dump_stack_lvl+0x6c/0x8c
dump_stack_lvl from Ldiv0_64+0x8/0x18
Ldiv0_64 from stmmac_init_tstamp_counter+0x190/0x1a4
stmmac_init_tstamp_counter from stmmac_hw_setup+0xc1c/0x111c
stmmac_hw_setup from __stmmac_open+0x18c/0x434
__stmmac_open from stmmac_open+0x3c/0xbc
stmmac_open from __dev_open+0xf4/0x1ac
__dev_open from __dev_change_flags+0x1cc/0x224
__dev_change_flags from dev_change_flags+0x24/0x60
dev_change_flags from ip_auto_config+0x2e8/0x11a0
ip_auto_config from do_one_initcall+0x84/0x33c
do_one_initcall from kernel_init_freeable+0x1b8/0x214
kernel_init_freeable from kernel_init+0x24/0x140
kernel_init from ret_from_fork+0x14/0x28
Exception stack(0xe0815fb0 to 0xe0815ff8)
Prevent this division by 0 by adding an explicit check and error log
about the actual issue. While at it, remove the same check from
stmmac_ptp_register, which then becomes duplicate
Fixes: 19d857c9038e ("stmmac: Fix calculations for ptp counters when clock input = 50Mhz.")
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Reviewed-by: Yanteng Si <si.yanteng@linux.dev>
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20250529-stmmac_tstamp_div-v4-1-d73340a794d5@bootlin.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +++++
drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
index d3d5c01f6dcba..615d25a0e46be 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -842,6 +842,11 @@ int stmmac_init_tstamp_counter(struct stmmac_priv *priv, u32 systime_flags)
if (!(priv->dma_cap.time_stamp || priv->dma_cap.atime_stamp))
return -EOPNOTSUPP;
+ if (!priv->plat->clk_ptp_rate) {
+ netdev_err(priv->dev, "Invalid PTP clock rate");
+ return -EINVAL;
+ }
+
stmmac_config_hw_tstamping(priv, priv->ptpaddr, systime_flags);
priv->systime_flags = systime_flags;
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
index a04bb2e42c4ee..80ecbd73333d9 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
@@ -295,7 +295,7 @@ void stmmac_ptp_register(struct stmmac_priv *priv)
/* Calculate the clock domain crossing (CDC) error if necessary */
priv->plat->cdc_error_adj = 0;
- if (priv->plat->has_gmac4 && priv->plat->clk_ptp_rate)
+ if (priv->plat->has_gmac4)
priv->plat->cdc_error_adj = (2 * NSEC_PER_SEC) / priv->plat->clk_ptp_rate;
stmmac_ptp_clock_ops.n_per_out = priv->dma_cap.pps_out_num;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 257/356] net: Fix checksum update for ILA adj-transport
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 256/356] net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-18 16:57 ` Paul Chaignon
2025-06-17 15:26 ` [PATCH 6.6 258/356] net: fix udp gso skb_segment after pull from frag_list Greg Kroah-Hartman
` (107 subsequent siblings)
364 siblings, 1 reply; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Chaignon, Daniel Borkmann,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Chaignon <paul.chaignon@gmail.com>
[ Upstream commit 6043b794c7668c19dabc4a93c75b924a19474d59 ]
During ILA address translations, the L4 checksums can be handled in
different ways. One of them, adj-transport, consist in parsing the
transport layer and updating any found checksum. This logic relies on
inet_proto_csum_replace_by_diff and produces an incorrect skb->csum when
in state CHECKSUM_COMPLETE.
This bug can be reproduced with a simple ILA to SIR mapping, assuming
packets are received with CHECKSUM_COMPLETE:
$ ip a show dev eth0
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 62:ae:35:9e:0f:8d brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 3333:0:0:1::c078/64 scope global
valid_lft forever preferred_lft forever
inet6 fd00:10:244:1::c078/128 scope global nodad
valid_lft forever preferred_lft forever
inet6 fe80::60ae:35ff:fe9e:f8d/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
$ ip ila add loc_match fd00:10:244:1 loc 3333:0:0:1 \
csum-mode adj-transport ident-type luid dev eth0
Then I hit [fd00:10:244:1::c078]:8000 with a server listening only on
[3333:0:0:1::c078]:8000. With the bug, the SYN packet is dropped with
SKB_DROP_REASON_TCP_CSUM after inet_proto_csum_replace_by_diff changed
skb->csum. The translation and drop are visible on pwru [1] traces:
IFACE TUPLE FUNC
eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) ipv6_rcv
eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) ip6_rcv_core
eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) nf_hook_slow
eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) inet_proto_csum_replace_by_diff
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) tcp_v6_early_demux
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_route_input
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_input
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_input_finish
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_protocol_deliver_rcu
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) raw6_local_deliver
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ipv6_raw_deliver
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) tcp_v6_rcv
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) __skb_checksum_complete
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) kfree_skb_reason(SKB_DROP_REASON_TCP_CSUM)
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) skb_release_head_state
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) skb_release_data
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) skb_free_head
eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) kfree_skbmem
This is happening because inet_proto_csum_replace_by_diff is updating
skb->csum when it shouldn't. The L4 checksum is updated such that it
"cancels" the IPv6 address change in terms of checksum computation, so
the impact on skb->csum is null.
Note this would be different for an IPv4 packet since three fields
would be updated: the IPv4 address, the IP checksum, and the L4
checksum. Two would cancel each other and skb->csum would still need
to be updated to take the L4 checksum change into account.
This patch fixes it by passing an ipv6 flag to
inet_proto_csum_replace_by_diff, to skip the skb->csum update if we're
in the IPv6 case. Note the behavior of the only other user of
inet_proto_csum_replace_by_diff, the BPF subsystem, is left as is in
this patch and fixed in the subsequent patch.
With the fix, using the reproduction from above, I can confirm
skb->csum is not touched by inet_proto_csum_replace_by_diff and the TCP
SYN proceeds to the application after the ILA translation.
Link: https://github.com/cilium/pwru [1]
Fixes: 65d7ab8de582 ("net: Identifier Locator Addressing module")
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://patch.msgid.link/b5539869e3550d46068504feb02d37653d939c0b.1748509484.git.paul.chaignon@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/checksum.h | 2 +-
net/core/filter.c | 2 +-
net/core/utils.c | 4 ++--
net/ipv6/ila/ila_common.c | 6 +++---
4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/include/net/checksum.h b/include/net/checksum.h
index 1338cb92c8e72..28b101f26636e 100644
--- a/include/net/checksum.h
+++ b/include/net/checksum.h
@@ -158,7 +158,7 @@ void inet_proto_csum_replace16(__sum16 *sum, struct sk_buff *skb,
const __be32 *from, const __be32 *to,
bool pseudohdr);
void inet_proto_csum_replace_by_diff(__sum16 *sum, struct sk_buff *skb,
- __wsum diff, bool pseudohdr);
+ __wsum diff, bool pseudohdr, bool ipv6);
static __always_inline
void inet_proto_csum_replace2(__sum16 *sum, struct sk_buff *skb,
diff --git a/net/core/filter.c b/net/core/filter.c
index 5143c8a9e52ca..e92f3a9017bb4 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1987,7 +1987,7 @@ BPF_CALL_5(bpf_l4_csum_replace, struct sk_buff *, skb, u32, offset,
if (unlikely(from != 0))
return -EINVAL;
- inet_proto_csum_replace_by_diff(ptr, skb, to, is_pseudo);
+ inet_proto_csum_replace_by_diff(ptr, skb, to, is_pseudo, false);
break;
case 2:
inet_proto_csum_replace2(ptr, skb, from, to, is_pseudo);
diff --git a/net/core/utils.c b/net/core/utils.c
index c994e95172acf..5895d034bf279 100644
--- a/net/core/utils.c
+++ b/net/core/utils.c
@@ -473,11 +473,11 @@ void inet_proto_csum_replace16(__sum16 *sum, struct sk_buff *skb,
EXPORT_SYMBOL(inet_proto_csum_replace16);
void inet_proto_csum_replace_by_diff(__sum16 *sum, struct sk_buff *skb,
- __wsum diff, bool pseudohdr)
+ __wsum diff, bool pseudohdr, bool ipv6)
{
if (skb->ip_summed != CHECKSUM_PARTIAL) {
csum_replace_by_diff(sum, diff);
- if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr)
+ if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr && !ipv6)
skb->csum = ~csum_sub(diff, skb->csum);
} else if (pseudohdr) {
*sum = ~csum_fold(csum_add(diff, csum_unfold(*sum)));
diff --git a/net/ipv6/ila/ila_common.c b/net/ipv6/ila/ila_common.c
index 95e9146918cc6..b8d43ed4689db 100644
--- a/net/ipv6/ila/ila_common.c
+++ b/net/ipv6/ila/ila_common.c
@@ -86,7 +86,7 @@ static void ila_csum_adjust_transport(struct sk_buff *skb,
diff = get_csum_diff(ip6h, p);
inet_proto_csum_replace_by_diff(&th->check, skb,
- diff, true);
+ diff, true, true);
}
break;
case NEXTHDR_UDP:
@@ -97,7 +97,7 @@ static void ila_csum_adjust_transport(struct sk_buff *skb,
if (uh->check || skb->ip_summed == CHECKSUM_PARTIAL) {
diff = get_csum_diff(ip6h, p);
inet_proto_csum_replace_by_diff(&uh->check, skb,
- diff, true);
+ diff, true, true);
if (!uh->check)
uh->check = CSUM_MANGLED_0;
}
@@ -111,7 +111,7 @@ static void ila_csum_adjust_transport(struct sk_buff *skb,
diff = get_csum_diff(ip6h, p);
inet_proto_csum_replace_by_diff(&ih->icmp6_cksum, skb,
- diff, true);
+ diff, true, true);
}
break;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 258/356] net: fix udp gso skb_segment after pull from frag_list
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 257/356] net: Fix checksum update for ILA adj-transport Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 259/356] net: wwan: t7xx: Fix napi rx poll issue Greg Kroah-Hartman
` (106 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shiming Cheng, Willem de Bruijn,
David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shiming Cheng <shiming.cheng@mediatek.com>
[ Upstream commit 3382a1ed7f778db841063f5d7e317ac55f9e7f72 ]
Commit a1e40ac5b5e9 ("net: gso: fix udp gso fraglist segmentation after
pull from frag_list") detected invalid geometry in frag_list skbs and
redirects them from skb_segment_list to more robust skb_segment. But some
packets with modified geometry can also hit bugs in that code. We don't
know how many such cases exist. Addressing each one by one also requires
touching the complex skb_segment code, which risks introducing bugs for
other types of skbs. Instead, linearize all these packets that fail the
basic invariants on gso fraglist skbs. That is more robust.
If only part of the fraglist payload is pulled into head_skb, it will
always cause exception when splitting skbs by skb_segment. For detailed
call stack information, see below.
Valid SKB_GSO_FRAGLIST skbs
- consist of two or more segments
- the head_skb holds the protocol headers plus first gso_size
- one or more frag_list skbs hold exactly one segment
- all but the last must be gso_size
Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
modify fraglist skbs, breaking these invariants.
In extreme cases they pull one part of data into skb linear. For UDP,
this causes three payloads with lengths of (11,11,10) bytes were
pulled tail to become (12,10,10) bytes.
The skbs no longer meets the above SKB_GSO_FRAGLIST conditions because
payload was pulled into head_skb, it needs to be linearized before pass
to regular skb_segment.
skb_segment+0xcd0/0xd14
__udp_gso_segment+0x334/0x5f4
udp4_ufo_fragment+0x118/0x15c
inet_gso_segment+0x164/0x338
skb_mac_gso_segment+0xc4/0x13c
__skb_gso_segment+0xc4/0x124
validate_xmit_skb+0x9c/0x2c0
validate_xmit_skb_list+0x4c/0x80
sch_direct_xmit+0x70/0x404
__dev_queue_xmit+0x64c/0xe5c
neigh_resolve_output+0x178/0x1c4
ip_finish_output2+0x37c/0x47c
__ip_finish_output+0x194/0x240
ip_finish_output+0x20/0xf4
ip_output+0x100/0x1a0
NF_HOOK+0xc4/0x16c
ip_forward+0x314/0x32c
ip_rcv+0x90/0x118
__netif_receive_skb+0x74/0x124
process_backlog+0xe8/0x1a4
__napi_poll+0x5c/0x1f8
net_rx_action+0x154/0x314
handle_softirqs+0x154/0x4b8
[118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278!
[118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
[118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000
[118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000
[118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO)
[118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14
[118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14
[118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770
Fixes: a1e40ac5b5e9 ("gso: fix udp gso fraglist segmentation after pull from frag_list")
Signed-off-by: Shiming Cheng <shiming.cheng@mediatek.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/udp_offload.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
index 132cfc3b2c847..3870b59f54004 100644
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -332,6 +332,7 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb,
bool copy_dtor;
__sum16 check;
__be16 newlen;
+ int ret = 0;
mss = skb_shinfo(gso_skb)->gso_size;
if (gso_skb->len <= sizeof(*uh) + mss)
@@ -354,6 +355,10 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb,
if (skb_pagelen(gso_skb) - sizeof(*uh) == skb_shinfo(gso_skb)->gso_size)
return __udp_gso_segment_list(gso_skb, features, is_ipv6);
+ ret = __skb_linearize(gso_skb);
+ if (ret)
+ return ERR_PTR(ret);
+
/* Setup csum, as fraglist skips this in udp4_gro_receive. */
gso_skb->csum_start = skb_transport_header(gso_skb) - gso_skb->head;
gso_skb->csum_offset = offsetof(struct udphdr, check);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 259/356] net: wwan: t7xx: Fix napi rx poll issue
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 258/356] net: fix udp gso skb_segment after pull from frag_list Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 260/356] vmxnet3: correctly report gso type for UDP tunnels Greg Kroah-Hartman
` (105 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jinjian Song, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinjian Song <jinjian.song@fibocom.com>
[ Upstream commit 905fe0845bb27e4eed2ca27ea06e6c4847f1b2b1 ]
When driver handles the napi rx polling requests, the netdev might
have been released by the dellink logic triggered by the disconnect
operation on user plane. However, in the logic of processing skb in
polling, an invalid netdev is still being used, which causes a panic.
BUG: kernel NULL pointer dereference, address: 00000000000000f1
Oops: 0000 [#1] PREEMPT SMP NOPTI
RIP: 0010:dev_gro_receive+0x3a/0x620
[...]
Call Trace:
<IRQ>
? __die_body+0x68/0xb0
? page_fault_oops+0x379/0x3e0
? exc_page_fault+0x4f/0xa0
? asm_exc_page_fault+0x22/0x30
? __pfx_t7xx_ccmni_recv_skb+0x10/0x10 [mtk_t7xx (HASH:1400 7)]
? dev_gro_receive+0x3a/0x620
napi_gro_receive+0xad/0x170
t7xx_ccmni_recv_skb+0x48/0x70 [mtk_t7xx (HASH:1400 7)]
t7xx_dpmaif_napi_rx_poll+0x590/0x800 [mtk_t7xx (HASH:1400 7)]
net_rx_action+0x103/0x470
irq_exit_rcu+0x13a/0x310
sysvec_apic_timer_interrupt+0x56/0x90
</IRQ>
Fixes: 5545b7b9f294 ("net: wwan: t7xx: Add NAPI support")
Signed-off-by: Jinjian Song <jinjian.song@fibocom.com>
Link: https://patch.msgid.link/20250530031648.5592-1-jinjian.song@fibocom.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wwan/t7xx/t7xx_netdev.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wwan/t7xx/t7xx_netdev.c b/drivers/net/wwan/t7xx/t7xx_netdev.c
index 3ef4a8a4f8fdb..d879424093b78 100644
--- a/drivers/net/wwan/t7xx/t7xx_netdev.c
+++ b/drivers/net/wwan/t7xx/t7xx_netdev.c
@@ -296,7 +296,7 @@ static int t7xx_ccmni_wwan_newlink(void *ctxt, struct net_device *dev, u32 if_id
ccmni->ctlb = ctlb;
ccmni->dev = dev;
atomic_set(&ccmni->usage, 0);
- ctlb->ccmni_inst[if_id] = ccmni;
+ WRITE_ONCE(ctlb->ccmni_inst[if_id], ccmni);
ret = register_netdevice(dev);
if (ret)
@@ -318,6 +318,7 @@ static void t7xx_ccmni_wwan_dellink(void *ctxt, struct net_device *dev, struct l
if (WARN_ON(ctlb->ccmni_inst[if_id] != ccmni))
return;
+ WRITE_ONCE(ctlb->ccmni_inst[if_id], NULL);
unregister_netdevice(dev);
}
@@ -413,7 +414,7 @@ static void t7xx_ccmni_recv_skb(struct t7xx_ccmni_ctrl *ccmni_ctlb, struct sk_bu
skb_cb = T7XX_SKB_CB(skb);
netif_id = skb_cb->netif_idx;
- ccmni = ccmni_ctlb->ccmni_inst[netif_id];
+ ccmni = READ_ONCE(ccmni_ctlb->ccmni_inst[netif_id]);
if (!ccmni) {
dev_kfree_skb(skb);
return;
@@ -435,7 +436,7 @@ static void t7xx_ccmni_recv_skb(struct t7xx_ccmni_ctrl *ccmni_ctlb, struct sk_bu
static void t7xx_ccmni_queue_tx_irq_notify(struct t7xx_ccmni_ctrl *ctlb, int qno)
{
- struct t7xx_ccmni *ccmni = ctlb->ccmni_inst[0];
+ struct t7xx_ccmni *ccmni = READ_ONCE(ctlb->ccmni_inst[0]);
struct netdev_queue *net_queue;
if (netif_running(ccmni->dev) && atomic_read(&ccmni->usage) > 0) {
@@ -447,7 +448,7 @@ static void t7xx_ccmni_queue_tx_irq_notify(struct t7xx_ccmni_ctrl *ctlb, int qno
static void t7xx_ccmni_queue_tx_full_notify(struct t7xx_ccmni_ctrl *ctlb, int qno)
{
- struct t7xx_ccmni *ccmni = ctlb->ccmni_inst[0];
+ struct t7xx_ccmni *ccmni = READ_ONCE(ctlb->ccmni_inst[0]);
struct netdev_queue *net_queue;
if (atomic_read(&ccmni->usage) > 0) {
@@ -465,7 +466,7 @@ static void t7xx_ccmni_queue_state_notify(struct t7xx_pci_dev *t7xx_dev,
if (ctlb->md_sta != MD_STATE_READY)
return;
- if (!ctlb->ccmni_inst[0]) {
+ if (!READ_ONCE(ctlb->ccmni_inst[0])) {
dev_warn(&t7xx_dev->pdev->dev, "No netdev registered yet\n");
return;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 260/356] vmxnet3: correctly report gso type for UDP tunnels
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 259/356] net: wwan: t7xx: Fix napi rx poll issue Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 261/356] PM: sleep: Fix power.is_suspended cleanup for direct-complete devices Greg Kroah-Hartman
` (104 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ronak Doshi, Guolin Yang,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ronak Doshi <ronak.doshi@broadcom.com>
[ Upstream commit 982d30c30eaa2ec723df42e3bf526c014c1dbb88 ]
Commit 3d010c8031e3 ("udp: do not accept non-tunnel GSO skbs landing
in a tunnel") added checks in linux stack to not accept non-tunnel
GRO packets landing in a tunnel. This exposed an issue in vmxnet3
which was not correctly reporting GRO packets for tunnel packets.
This patch fixes this issue by setting correct GSO type for the
tunnel packets.
Currently, vmxnet3 does not support reporting inner fields for LRO
tunnel packets. The issue is not seen for egress drivers that do not
use skb inner fields. The workaround is to enable tnl-segmentation
offload on the egress interfaces if the driver supports it. This
problem pre-exists this patch fix and can be addressed as a separate
future patch.
Fixes: dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload support")
Signed-off-by: Ronak Doshi <ronak.doshi@broadcom.com>
Acked-by: Guolin Yang <guolin.yang@broadcom.com>
Link: https://patch.msgid.link/20250530152701.70354-1-ronak.doshi@broadcom.com
[pabeni@redhat.com: dropped the changelog]
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/vmxnet3/vmxnet3_drv.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
index beebe09eb88ff..afd78324f3aa3 100644
--- a/drivers/net/vmxnet3/vmxnet3_drv.c
+++ b/drivers/net/vmxnet3/vmxnet3_drv.c
@@ -1499,6 +1499,30 @@ vmxnet3_get_hdr_len(struct vmxnet3_adapter *adapter, struct sk_buff *skb,
return (hlen + (hdr.tcp->doff << 2));
}
+static void
+vmxnet3_lro_tunnel(struct sk_buff *skb, __be16 ip_proto)
+{
+ struct udphdr *uh = NULL;
+
+ if (ip_proto == htons(ETH_P_IP)) {
+ struct iphdr *iph = (struct iphdr *)skb->data;
+
+ if (iph->protocol == IPPROTO_UDP)
+ uh = (struct udphdr *)(iph + 1);
+ } else {
+ struct ipv6hdr *iph = (struct ipv6hdr *)skb->data;
+
+ if (iph->nexthdr == IPPROTO_UDP)
+ uh = (struct udphdr *)(iph + 1);
+ }
+ if (uh) {
+ if (uh->check)
+ skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_TUNNEL_CSUM;
+ else
+ skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_TUNNEL;
+ }
+}
+
static int
vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
struct vmxnet3_adapter *adapter, int quota)
@@ -1803,6 +1827,8 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
if (segCnt != 0 && mss != 0) {
skb_shinfo(skb)->gso_type = rcd->v4 ?
SKB_GSO_TCPV4 : SKB_GSO_TCPV6;
+ if (encap_lro)
+ vmxnet3_lro_tunnel(skb, skb->protocol);
skb_shinfo(skb)->gso_size = mss;
skb_shinfo(skb)->gso_segs = segCnt;
} else if ((segCnt != 0 || skb->len > mtu) && !encap_lro) {
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 261/356] PM: sleep: Fix power.is_suspended cleanup for direct-complete devices
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 260/356] vmxnet3: correctly report gso type for UDP tunnels Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 262/356] gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO Greg Kroah-Hartman
` (103 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Mario Limonciello,
Sasha Levin, Chris Bainbridge
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit d46c4c839c20a599a0eb8d73708ce401f9c7d06d ]
Commit 03f1444016b7 ("PM: sleep: Fix handling devices with direct_complete
set on errors") caused power.is_suspended to be set for devices with
power.direct_complete set, but it forgot to ensure the clearing of that
flag for them in device_resume(), so power.is_suspended is still set for
them during the next system suspend-resume cycle.
If that cycle is aborted in dpm_suspend(), the subsequent invocation of
dpm_resume() will trigger a device_resume() call for every device and
because power.is_suspended is set for the devices in question, they will
not be skipped by device_resume() as expected which causes scary error
messages to be logged (as appropriate).
To address this issue, move the clearing of power.is_suspended in
device_resume() immediately after the power.is_suspended check so it
will be always cleared for all devices processed by that function.
Fixes: 03f1444016b7 ("PM: sleep: Fix handling devices with direct_complete set on errors")
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4280
Reported-and-tested-by: Chris Bainbridge <chris.bainbridge@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
Link: https://patch.msgid.link/4990586.GXAFRqVoOG@rjwysocki.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/power/main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
index 343d3c966e7a7..baa31194cf20d 100644
--- a/drivers/base/power/main.c
+++ b/drivers/base/power/main.c
@@ -897,6 +897,8 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async)
if (!dev->power.is_suspended)
goto Complete;
+ dev->power.is_suspended = false;
+
if (dev->power.direct_complete) {
/* Match the pm_runtime_disable() in __device_suspend(). */
pm_runtime_enable(dev);
@@ -952,7 +954,6 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async)
End:
error = dpm_run_callback(callback, dev, state, info);
- dev->power.is_suspended = false;
device_unlock(dev);
dpm_watchdog_clear(&wd);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 262/356] gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 261/356] PM: sleep: Fix power.is_suspended cleanup for direct-complete devices Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 263/356] netfilter: nf_set_pipapo_avx2: fix initial map fill Greg Kroah-Hartman
` (102 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Mina Almasry,
Simon Horman, David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 12c331b29c7397ac3b03584e12902990693bc248 ]
gve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo()
did not check for this case before dereferencing the returned pointer.
Add a missing NULL check to prevent a potential NULL pointer
dereference when allocation fails.
This improves robustness in low-memory scenarios.
Fixes: a57e5de476be ("gve: DQO: Add TX path")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Reviewed-by: Mina Almasry <almasrymina@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/google/gve/gve_tx_dqo.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/google/gve/gve_tx_dqo.c b/drivers/net/ethernet/google/gve/gve_tx_dqo.c
index 89b62b8d16e14..857749fef37cf 100644
--- a/drivers/net/ethernet/google/gve/gve_tx_dqo.c
+++ b/drivers/net/ethernet/google/gve/gve_tx_dqo.c
@@ -716,6 +716,9 @@ static int gve_tx_add_skb_dqo(struct gve_tx_ring *tx,
s16 completion_tag;
pkt = gve_alloc_pending_packet(tx);
+ if (!pkt)
+ return -ENOMEM;
+
pkt->skb = skb;
completion_tag = pkt - tx->dqo.pending_packets;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 263/356] netfilter: nf_set_pipapo_avx2: fix initial map fill
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 262/356] gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 264/356] netfilter: nf_nat: also check reverse tuple to obtain clashing entry Greg Kroah-Hartman
` (101 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Stefano Brivio,
Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit ea77c397bff8b6d59f6d83dae1425b08f465e8b5 ]
If the first field doesn't cover the entire start map, then we must zero
out the remainder, else we leak those bits into the next match round map.
The early fix was incomplete and did only fix up the generic C
implementation.
A followup patch adds a test case to nft_concat_range.sh.
Fixes: 791a615b7ad2 ("netfilter: nf_set_pipapo: fix initial map fill")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_set_pipapo_avx2.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
index c15db28c5ebc4..be7c16c79f711 100644
--- a/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -1113,6 +1113,25 @@ bool nft_pipapo_avx2_estimate(const struct nft_set_desc *desc, u32 features,
return true;
}
+/**
+ * pipapo_resmap_init_avx2() - Initialise result map before first use
+ * @m: Matching data, including mapping table
+ * @res_map: Result map
+ *
+ * Like pipapo_resmap_init() but do not set start map bits covered by the first field.
+ */
+static inline void pipapo_resmap_init_avx2(const struct nft_pipapo_match *m, unsigned long *res_map)
+{
+ const struct nft_pipapo_field *f = m->f;
+ int i;
+
+ /* Starting map doesn't need to be set to all-ones for this implementation,
+ * but we do need to zero the remaining bits, if any.
+ */
+ for (i = f->bsize; i < m->bsize_max; i++)
+ res_map[i] = 0ul;
+}
+
/**
* nft_pipapo_avx2_lookup() - Lookup function for AVX2 implementation
* @net: Network namespace
@@ -1171,7 +1190,7 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set,
res = scratch->map + (map_index ? m->bsize_max : 0);
fill = scratch->map + (map_index ? 0 : m->bsize_max);
- /* Starting map doesn't need to be set for this implementation */
+ pipapo_resmap_init_avx2(m, res);
nft_pipapo_avx2_prepare();
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 264/356] netfilter: nf_nat: also check reverse tuple to obtain clashing entry
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 263/356] netfilter: nf_set_pipapo_avx2: fix initial map fill Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 265/356] net: dsa: b53: do not enable RGMII delay on bcm63xx Greg Kroah-Hartman
` (100 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yafang Shao, Shaun Brady,
Florian Westphal, Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 50d9ce9679dd50df2dc51ada717fa875bc248fad ]
The logic added in the blamed commit was supposed to only omit nat source
port allocation if neither the existing nor the new entry are subject to
NAT.
However, its not enough to lookup the conntrack based on the proposed
tuple, we must also check the reverse direction.
Otherwise there are esoteric cases where the collision is in the reverse
direction because that colliding connection has a port rewrite, but the
new entry doesn't. In this case, we only check the new entry and then
erronously conclude that no clash exists anymore.
The existing (udp) tuple is:
a:p -> b:P, with nat translation to s:P, i.e. pure daddr rewrite,
reverse tuple in conntrack table is s:P -> a:p.
When another UDP packet is sent directly to s, i.e. a:p->s:P, this is
correctly detected as a colliding entry: tuple is taken by existing reply
tuple in reverse direction.
But the colliding conntrack is only searched for with unreversed
direction, and we can't find such entry matching a:p->s:P.
The incorrect conclusion is that the clashing entry has timed out and
that no port address translation is required.
Such conntrack will then be discarded at nf_confirm time because the
proposed reverse direction clashes with an existing mapping in the
conntrack table.
Search for the reverse tuple too, this will then check the NAT bits of
the colliding entry and triggers port reallocation.
Followp patch extends nft_nat.sh selftest to cover this scenario.
The IPS_SEQ_ADJUST change is also a bug fix:
Instead of checking for SEQ_ADJ this tested for SEEN_REPLY and ASSURED
by accident -- _BIT is only for use with the test_bit() API.
This bug has little consequence in practice, because the sequence number
adjustments are only useful for TCP which doesn't support clash resolution.
The existing test case (conntrack_reverse_clash.sh) exercise a race
condition path (parallel conntrack creation on different CPUs), so
the colliding entries have neither SEEN_REPLY nor ASSURED set.
Thanks to Yafang Shao and Shaun Brady for an initial investigation
of this bug.
Fixes: d8f84a9bc7c4 ("netfilter: nf_nat: don't try nat source port reallocation for reverse dir clash")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1795
Reported-by: Yafang Shao <laoar.shao@gmail.com>
Reported-by: Shaun Brady <brady.1345@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Tested-by: Yafang Shao <laoar.shao@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_nat_core.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index ccca6e3848bcc..9df883d79acc9 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -248,7 +248,7 @@ static noinline bool
nf_nat_used_tuple_new(const struct nf_conntrack_tuple *tuple,
const struct nf_conn *ignored_ct)
{
- static const unsigned long uses_nat = IPS_NAT_MASK | IPS_SEQ_ADJUST_BIT;
+ static const unsigned long uses_nat = IPS_NAT_MASK | IPS_SEQ_ADJUST;
const struct nf_conntrack_tuple_hash *thash;
const struct nf_conntrack_zone *zone;
struct nf_conn *ct;
@@ -287,8 +287,14 @@ nf_nat_used_tuple_new(const struct nf_conntrack_tuple *tuple,
zone = nf_ct_zone(ignored_ct);
thash = nf_conntrack_find_get(net, zone, tuple);
- if (unlikely(!thash)) /* clashing entry went away */
- return false;
+ if (unlikely(!thash)) {
+ struct nf_conntrack_tuple reply;
+
+ nf_ct_invert_tuple(&reply, tuple);
+ thash = nf_conntrack_find_get(net, zone, &reply);
+ if (!thash) /* clashing entry went away */
+ return false;
+ }
ct = nf_ct_tuplehash_to_ctrack(thash);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 265/356] net: dsa: b53: do not enable RGMII delay on bcm63xx
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 264/356] netfilter: nf_nat: also check reverse tuple to obtain clashing entry Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 266/356] net: dsa: b53: allow RGMII for bcm63xx RGMII ports Greg Kroah-Hartman
` (99 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonas Gorski, Florian Fainelli,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonas Gorski <jonas.gorski@gmail.com>
[ Upstream commit 4af523551d876ab8b8057d1e5303a860fd736fcb ]
bcm63xx's RGMII ports are always in MAC mode, never in PHY mode, so we
shouldn't enable any delays and let the PHY handle any delays as
necessary.
This fixes using RGMII ports with normal PHYs like BCM54612E, which will
handle the delay in the PHY.
Fixes: ce3bf94871f7 ("net: dsa: b53: add support for BCM63xx RGMIIs")
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20250602193953.1010487-3-jonas.gorski@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/b53/b53_common.c | 19 +------------------
1 file changed, 1 insertion(+), 18 deletions(-)
diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
index d2ff2c2fcbbfc..7ca42170d8666 100644
--- a/drivers/net/dsa/b53/b53_common.c
+++ b/drivers/net/dsa/b53/b53_common.c
@@ -1237,24 +1237,7 @@ static void b53_adjust_63xx_rgmii(struct dsa_switch *ds, int port,
off = B53_RGMII_CTRL_P(port);
b53_read8(dev, B53_CTRL_PAGE, off, &rgmii_ctrl);
-
- switch (interface) {
- case PHY_INTERFACE_MODE_RGMII_ID:
- rgmii_ctrl |= (RGMII_CTRL_DLL_RXC | RGMII_CTRL_DLL_TXC);
- break;
- case PHY_INTERFACE_MODE_RGMII_RXID:
- rgmii_ctrl &= ~(RGMII_CTRL_DLL_TXC);
- rgmii_ctrl |= RGMII_CTRL_DLL_RXC;
- break;
- case PHY_INTERFACE_MODE_RGMII_TXID:
- rgmii_ctrl &= ~(RGMII_CTRL_DLL_RXC);
- rgmii_ctrl |= RGMII_CTRL_DLL_TXC;
- break;
- case PHY_INTERFACE_MODE_RGMII:
- default:
- rgmii_ctrl &= ~(RGMII_CTRL_DLL_RXC | RGMII_CTRL_DLL_TXC);
- break;
- }
+ rgmii_ctrl &= ~(RGMII_CTRL_DLL_RXC | RGMII_CTRL_DLL_TXC);
if (port != dev->imp_port) {
if (is63268(dev))
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 266/356] net: dsa: b53: allow RGMII for bcm63xx RGMII ports
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 265/356] net: dsa: b53: do not enable RGMII delay on bcm63xx Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 267/356] wireguard: device: enable threaded NAPI Greg Kroah-Hartman
` (98 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Fainelli, Jonas Gorski,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonas Gorski <jonas.gorski@gmail.com>
[ Upstream commit 5ea0d42c1980e6d10e5cb56a78021db5bfcebaaf ]
Add RGMII to supported interfaces for BCM63xx RGMII ports so they can be
actually used in RGMII mode.
Without this, phylink will fail to configure them:
[ 3.580000] b53-switch 10700000.switch GbE3 (uninitialized): validation of rgmii with support 0000000,00000000,00000000,000062ff and advertisement 0000000,00000000,00000000,000062ff failed: -EINVAL
[ 3.600000] b53-switch 10700000.switch GbE3 (uninitialized): failed to connect to PHY: -EINVAL
[ 3.610000] b53-switch 10700000.switch GbE3 (uninitialized): error -22 setting up PHY for tree 0, switch 0, port 4
Fixes: ce3bf94871f7 ("net: dsa: b53: add support for BCM63xx RGMIIs")
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Link: https://patch.msgid.link/20250602193953.1010487-5-jonas.gorski@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/b53/b53_common.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
index 7ca42170d8666..004d2c988ff09 100644
--- a/drivers/net/dsa/b53/b53_common.c
+++ b/drivers/net/dsa/b53/b53_common.c
@@ -1377,6 +1377,10 @@ static void b53_phylink_get_caps(struct dsa_switch *ds, int port,
__set_bit(PHY_INTERFACE_MODE_MII, config->supported_interfaces);
__set_bit(PHY_INTERFACE_MODE_REVMII, config->supported_interfaces);
+ /* BCM63xx RGMII ports support RGMII */
+ if (is63xx(dev) && in_range(port, B53_63XX_RGMII0, 4))
+ phy_interface_set_rgmii(config->supported_interfaces);
+
config->mac_capabilities = MAC_ASYM_PAUSE | MAC_SYM_PAUSE |
MAC_10 | MAC_100;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 267/356] wireguard: device: enable threaded NAPI
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 266/356] net: dsa: b53: allow RGMII for bcm63xx RGMII ports Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 268/356] seg6: Fix validation of nexthop addresses Greg Kroah-Hartman
` (97 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mirco Barone, Jason A. Donenfeld,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mirco Barone <mirco.barone@polito.it>
[ Upstream commit db9ae3b6b43c79b1ba87eea849fd65efa05b4b2e ]
Enable threaded NAPI by default for WireGuard devices in response to low
performance behavior that we observed when multiple tunnels (and thus
multiple wg devices) are deployed on a single host. This affects any
kind of multi-tunnel deployment, regardless of whether the tunnels share
the same endpoints or not (i.e., a VPN concentrator type of gateway
would also be affected).
The problem is caused by the fact that, in case of a traffic surge that
involves multiple tunnels at the same time, the polling of the NAPI
instance of all these wg devices tends to converge onto the same core,
causing underutilization of the CPU and bottlenecking performance.
This happens because NAPI polling is hosted by default in softirq
context, but the WireGuard driver only raises this softirq after the rx
peer queue has been drained, which doesn't happen during high traffic.
In this case, the softirq already active on a core is reused instead of
raising a new one.
As a result, once two or more tunnel softirqs have been scheduled on
the same core, they remain pinned there until the surge ends.
In our experiments, this almost always leads to all tunnel NAPIs being
handled on a single core shortly after a surge begins, limiting
scalability to less than 3× the performance of a single tunnel, despite
plenty of unused CPU cores being available.
The proposed mitigation is to enable threaded NAPI for all WireGuard
devices. This moves the NAPI polling context to a dedicated per-device
kernel thread, allowing the scheduler to balance the load across all
available cores.
On our 32-core gateways, enabling threaded NAPI yields a ~4× performance
improvement with 16 tunnels, increasing throughput from ~13 Gbps to
~48 Gbps. Meanwhile, CPU usage on the receiver (which is the bottleneck)
jumps from 20% to 100%.
We have found no performance regressions in any scenario we tested.
Single-tunnel throughput remains unchanged.
More details are available in our Netdev paper.
Link: https://netdevconf.info/0x18/docs/netdev-0x18-paper23-talk-paper.pdf
Signed-off-by: Mirco Barone <mirco.barone@polito.it>
Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Link: https://patch.msgid.link/20250605120616.2808744-1-Jason@zx2c4.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireguard/device.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireguard/device.c b/drivers/net/wireguard/device.c
index deb9636b0ecf8..f98e0f027a054 100644
--- a/drivers/net/wireguard/device.c
+++ b/drivers/net/wireguard/device.c
@@ -369,6 +369,7 @@ static int wg_newlink(struct net *src_net, struct net_device *dev,
if (ret < 0)
goto err_free_handshake_queue;
+ dev_set_threaded(dev, true);
ret = register_netdevice(dev);
if (ret < 0)
goto err_uninit_ratelimiter;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 268/356] seg6: Fix validation of nexthop addresses
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 267/356] wireguard: device: enable threaded NAPI Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 269/356] scsi: ufs: qcom: Prevent calling phy_exit() before phy_init() Greg Kroah-Hartman
` (96 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Machata, Ido Schimmel,
David Ahern, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit 7632fedb266d93ed0ed9f487133e6c6314a9b2d1 ]
The kernel currently validates that the length of the provided nexthop
address does not exceed the specified length. This can lead to the
kernel reading uninitialized memory if user space provided a shorter
length than the specified one.
Fix by validating that the provided length exactly matches the specified
one.
Fixes: d1df6fd8a1d2 ("ipv6: sr: define core operations for seg6local lightweight tunnel")
Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20250604113252.371528-1-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/seg6_local.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/net/ipv6/seg6_local.c b/net/ipv6/seg6_local.c
index c434940131b1d..7f295b9c13744 100644
--- a/net/ipv6/seg6_local.c
+++ b/net/ipv6/seg6_local.c
@@ -1638,10 +1638,8 @@ static const struct nla_policy seg6_local_policy[SEG6_LOCAL_MAX + 1] = {
[SEG6_LOCAL_SRH] = { .type = NLA_BINARY },
[SEG6_LOCAL_TABLE] = { .type = NLA_U32 },
[SEG6_LOCAL_VRFTABLE] = { .type = NLA_U32 },
- [SEG6_LOCAL_NH4] = { .type = NLA_BINARY,
- .len = sizeof(struct in_addr) },
- [SEG6_LOCAL_NH6] = { .type = NLA_BINARY,
- .len = sizeof(struct in6_addr) },
+ [SEG6_LOCAL_NH4] = NLA_POLICY_EXACT_LEN(sizeof(struct in_addr)),
+ [SEG6_LOCAL_NH6] = NLA_POLICY_EXACT_LEN(sizeof(struct in6_addr)),
[SEG6_LOCAL_IIF] = { .type = NLA_U32 },
[SEG6_LOCAL_OIF] = { .type = NLA_U32 },
[SEG6_LOCAL_BPF] = { .type = NLA_NESTED },
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 269/356] scsi: ufs: qcom: Prevent calling phy_exit() before phy_init()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 268/356] seg6: Fix validation of nexthop addresses Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 270/356] ASoC: codecs: hda: Fix RPM usage count underflow Greg Kroah-Hartman
` (95 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nitin Rawat, Konrad Dybcio,
Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nitin Rawat <quic_nitirawa@quicinc.com>
[ Upstream commit 7831003165d37ecb7b33843fcee05cada0359a82 ]
Prevent calling phy_exit() before phy_init() to avoid abnormal power
count and the following warning during boot up.
[5.146763] phy phy-1d80000.phy.0: phy_power_on was called before phy_init
Fixes: 7bac65687510 ("scsi: ufs: qcom: Power off the PHY if it was already powered on in ufs_qcom_power_up_sequence()")
Signed-off-by: Nitin Rawat <quic_nitirawa@quicinc.com>
Link: https://lore.kernel.org/r/20250526153821.7918-2-quic_nitirawa@quicinc.com
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ufs/host/ufs-qcom.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/ufs/host/ufs-qcom.c b/drivers/ufs/host/ufs-qcom.c
index c6417ef074a47..c94824c999ccd 100644
--- a/drivers/ufs/host/ufs-qcom.c
+++ b/drivers/ufs/host/ufs-qcom.c
@@ -453,10 +453,9 @@ static int ufs_qcom_power_up_sequence(struct ufs_hba *hba)
dev_warn(hba->dev, "%s: host reset returned %d\n",
__func__, ret);
- if (phy->power_count) {
+ if (phy->power_count)
phy_power_off(phy);
- phy_exit(phy);
- }
+
/* phy initialization - calibrate the phy */
ret = phy_init(phy);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 270/356] ASoC: codecs: hda: Fix RPM usage count underflow
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 269/356] scsi: ufs: qcom: Prevent calling phy_exit() before phy_init() Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 271/356] ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX Greg Kroah-Hartman
` (94 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amadeusz Sławiński,
Cezary Rojewski, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cezary Rojewski <cezary.rojewski@intel.com>
[ Upstream commit ff0045de4ee0288dec683690f66f2f369b7d3466 ]
RPM manipulation in hda_codec_probe_complete()'s error path is
superfluous and leads to RPM usage count underflow if the
build-controls operation fails.
hda_codec_probe_complete() is called in:
1) hda_codec_probe() for all non-HDMI codecs
2) in card->late_probe() for HDMI codecs
Error path for hda_codec_probe() takes care of bus' RPM already.
For 2) if late_probe() fails, ASoC performs card cleanup what
triggers hda_codec_remote() - same treatment is in 1).
Fixes: b5df2a7dca1c ("ASoC: codecs: Add HD-Audio codec driver")
Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://patch.msgid.link/20250530141025.2942936-2-cezary.rojewski@intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/hda.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/soc/codecs/hda.c b/sound/soc/codecs/hda.c
index d57b043d6bfef..42aca0a63c441 100644
--- a/sound/soc/codecs/hda.c
+++ b/sound/soc/codecs/hda.c
@@ -150,7 +150,7 @@ int hda_codec_probe_complete(struct hda_codec *codec)
ret = snd_hda_codec_build_controls(codec);
if (ret < 0) {
dev_err(&hdev->dev, "unable to create controls %d\n", ret);
- goto out;
+ return ret;
}
/* Bus suspended codecs as it does not manage their pm */
@@ -158,7 +158,7 @@ int hda_codec_probe_complete(struct hda_codec *codec)
/* rpm was forbidden in snd_hda_codec_device_new() */
snd_hda_codec_set_power_save(codec, 2000);
snd_hda_codec_register(codec);
-out:
+
/* Complement pm_runtime_get_sync(bus) in probe */
pm_runtime_mark_last_busy(bus->dev);
pm_runtime_put_autosuspend(bus->dev);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 271/356] ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 270/356] ASoC: codecs: hda: Fix RPM usage count underflow Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 272/356] ASoC: Intel: avs: Verify content returned by parse_int_array() Greg Kroah-Hartman
` (93 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amadeusz Sławiński,
Cezary Rojewski, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cezary Rojewski <cezary.rojewski@intel.com>
[ Upstream commit 9ad1f3cd0d60444c69948854c7e50d2a61b63755 ]
The procedure handling IPC timeouts and EXCEPTION_CAUGHT notification
shall cancel any D0IX work before proceeding with DSP recovery. If
SET_D0IX called from delayed_work is the failing IPC the procedure will
deadlock. Conditionally skip cancelling the work to fix that.
Fixes: 335c4cbd201d ("ASoC: Intel: avs: D0ix power state support")
Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://patch.msgid.link/20250530141025.2942936-3-cezary.rojewski@intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/intel/avs/ipc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/soc/intel/avs/ipc.c b/sound/soc/intel/avs/ipc.c
index 74f676fdfba29..afd472906ede4 100644
--- a/sound/soc/intel/avs/ipc.c
+++ b/sound/soc/intel/avs/ipc.c
@@ -169,7 +169,9 @@ static void avs_dsp_exception_caught(struct avs_dev *adev, union avs_notify_msg
dev_crit(adev->dev, "communication severed, rebooting dsp..\n");
- cancel_delayed_work_sync(&ipc->d0ix_work);
+ /* Avoid deadlock as the exception may be the response to SET_D0IX. */
+ if (current_work() != &ipc->d0ix_work.work)
+ cancel_delayed_work_sync(&ipc->d0ix_work);
ipc->in_d0ix = false;
/* Re-enabled on recovery completion. */
pm_runtime_disable(adev->dev);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 272/356] ASoC: Intel: avs: Verify content returned by parse_int_array()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 271/356] ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 273/356] ASoC: ti: omap-hdmi: Re-add dai_link->platform to fix card init Greg Kroah-Hartman
` (92 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amadeusz Sławiński,
Cezary Rojewski, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cezary Rojewski <cezary.rojewski@intel.com>
[ Upstream commit 93e246b6769bdacb09cfff4ea0f00fe5ab4f0d7a ]
The first element of the returned array stores its length. If it is 0,
any manipulation beyond the element at index 0 ends with null-ptr-deref.
Fixes: 5a565ba23abe ("ASoC: Intel: avs: Probing and firmware tracing over debugfs")
Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://patch.msgid.link/20250530141025.2942936-8-cezary.rojewski@intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/intel/avs/debugfs.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/sound/soc/intel/avs/debugfs.c b/sound/soc/intel/avs/debugfs.c
index bdd388ec01eaf..26d0c3a5a9542 100644
--- a/sound/soc/intel/avs/debugfs.c
+++ b/sound/soc/intel/avs/debugfs.c
@@ -371,7 +371,10 @@ static ssize_t trace_control_write(struct file *file, const char __user *from, s
return ret;
num_elems = *array;
- resource_mask = array[1];
+ if (!num_elems) {
+ ret = -EINVAL;
+ goto free_array;
+ }
/*
* Disable if just resource mask is provided - no log priority flags.
@@ -379,6 +382,7 @@ static ssize_t trace_control_write(struct file *file, const char __user *from, s
* Enable input format: mask, prio1, .., prioN
* Where 'N' equals number of bits set in the 'mask'.
*/
+ resource_mask = array[1];
if (num_elems == 1) {
ret = disable_logs(adev, resource_mask);
} else {
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 273/356] ASoC: ti: omap-hdmi: Re-add dai_link->platform to fix card init
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 272/356] ASoC: Intel: avs: Verify content returned by parse_int_array() Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 274/356] path_overmount(): avoid false negatives Greg Kroah-Hartman
` (91 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuuki NAGAO, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuuki NAGAO <wf.yn386@gmail.com>
[ Upstream commit bae071aa7bcd034054cec91666c80f812adeccd9 ]
The removed dai_link->platform component cause a fail which
is exposed at runtime. (ex: when a sound tool is used)
This patch re-adds the dai_link->platform component to have
a full card registered.
Before this patch:
$ aplay -l
**** List of PLAYBACK Hardware Devices ****
card 1: HDMI [HDMI], device 0: HDMI snd-soc-dummy-dai-0 []
Subdevices: 1/1
Subdevice #0: subdevice #0
$ speaker-test -D plughw:1,0 -t sine
speaker-test 1.2.8
Playback device is plughw:1,0
Stream parameters are 48000Hz, S16_LE, 1 channels
Sine wave rate is 440.0000Hz
Playback open error: -22,Invalid argument
After this patch which restores the platform component:
$ aplay -l
**** List of PLAYBACK Hardware Devices ****
card 0: HDMI [HDMI], device 0: HDMI snd-soc-dummy-dai-0 [HDMI snd-soc-dummy-dai-0]
Subdevices: 0/1
Subdevice #0: subdevice #0
-> Resolve the playback error.
Fixes: 3b0db249cf8f ("ASoC: ti: remove unnecessary dai_link->platform")
Signed-off-by: Yuuki NAGAO <wf.yn386@gmail.com>
Link: https://patch.msgid.link/20250531141341.81164-1-wf.yn386@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/ti/omap-hdmi.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/sound/soc/ti/omap-hdmi.c b/sound/soc/ti/omap-hdmi.c
index 0a731b21e5a58..72fabf22a02ee 100644
--- a/sound/soc/ti/omap-hdmi.c
+++ b/sound/soc/ti/omap-hdmi.c
@@ -361,17 +361,20 @@ static int omap_hdmi_audio_probe(struct platform_device *pdev)
if (!card->dai_link)
return -ENOMEM;
- compnent = devm_kzalloc(dev, sizeof(*compnent), GFP_KERNEL);
+ compnent = devm_kzalloc(dev, 2 * sizeof(*compnent), GFP_KERNEL);
if (!compnent)
return -ENOMEM;
- card->dai_link->cpus = compnent;
+ card->dai_link->cpus = &compnent[0];
card->dai_link->num_cpus = 1;
card->dai_link->codecs = &asoc_dummy_dlc;
card->dai_link->num_codecs = 1;
+ card->dai_link->platforms = &compnent[1];
+ card->dai_link->num_platforms = 1;
card->dai_link->name = card->name;
card->dai_link->stream_name = card->name;
card->dai_link->cpus->dai_name = dev_name(ad->dssdev);
+ card->dai_link->platforms->name = dev_name(ad->dssdev);
card->num_links = 1;
card->dev = dev;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 274/356] path_overmount(): avoid false negatives
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 273/356] ASoC: ti: omap-hdmi: Re-add dai_link->platform to fix card init Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 275/356] fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2) Greg Kroah-Hartman
` (90 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Christian Brauner, Al Viro,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 5f31c549382bcddbbd754c72c5433b19420d485d ]
Holding namespace_sem is enough to make sure that result remains valid.
It is *not* enough to avoid false negatives from __lookup_mnt(). Mounts
can be unhashed outside of namespace_sem (stuck children getting detached
on final mntput() of lazy-umounted mount) and having an unrelated mount
removed from the hash chain while we traverse it may end up with false
negative from __lookup_mnt(). We need to sample and recheck the seqlock
component of mount_lock...
Bug predates the introduction of path_overmount() - it had come from
the code in finish_automount() that got abstracted into that helper.
Reviewed-by: Christian Brauner <brauner@kernel.org>
Fixes: 26df6034fdb2 ("fix automount/automount race properly")
Fixes: 6ac392815628 ("fs: allow to mount beneath top mount")
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/namespace.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index ef3b2ae2957ec..7942a33451ba0 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -3020,18 +3020,25 @@ static int do_set_group(struct path *from_path, struct path *to_path)
* Check if path is overmounted, i.e., if there's a mount on top of
* @path->mnt with @path->dentry as mountpoint.
*
- * Context: This function expects namespace_lock() to be held.
+ * Context: namespace_sem must be held at least shared.
+ * MUST NOT be called under lock_mount_hash() (there one should just
+ * call __lookup_mnt() and check if it returns NULL).
* Return: If path is overmounted true is returned, false if not.
*/
static inline bool path_overmounted(const struct path *path)
{
+ unsigned seq = read_seqbegin(&mount_lock);
+ bool no_child;
+
rcu_read_lock();
- if (unlikely(__lookup_mnt(path->mnt, path->dentry))) {
- rcu_read_unlock();
- return true;
- }
+ no_child = !__lookup_mnt(path->mnt, path->dentry);
rcu_read_unlock();
- return false;
+ if (need_seqretry(&mount_lock, seq)) {
+ read_seqlock_excl(&mount_lock);
+ no_child = !__lookup_mnt(path->mnt, path->dentry);
+ read_sequnlock_excl(&mount_lock);
+ }
+ return unlikely(!no_child);
}
/**
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 275/356] fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2)
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 274/356] path_overmount(): avoid false negatives Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 276/356] do_change_type(): refuse to operate on unmounted/not ours mounts Greg Kroah-Hartman
` (89 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Christian Brauner, Al Viro,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit d8cc0362f918d020ca1340d7694f07062dc30f36 ]
9ffb14ef61ba "move_mount: allow to add a mount into an existing group"
breaks assertions on ->mnt_share/->mnt_slave. For once, the data structures
in question are actually documented.
Documentation/filesystem/sharedsubtree.rst:
All vfsmounts in a peer group have the same ->mnt_master. If it is
non-NULL, they form a contiguous (ordered) segment of slave list.
do_set_group() puts a mount into the same place in propagation graph
as the old one. As the result, if old mount gets events from somewhere
and is not a pure event sink, new one needs to be placed next to the
old one in the slave list the old one's on. If it is a pure event
sink, we only need to make sure the new one doesn't end up in the
middle of some peer group.
"move_mount: allow to add a mount into an existing group" ends up putting
the new one in the beginning of list; that's definitely not going to be
in the middle of anything, so that's fine for case when old is not marked
shared. In case when old one _is_ marked shared (i.e. is not a pure event
sink), that breaks the assumptions of propagation graph iterators.
Put the new mount next to the old one on the list - that does the right thing
in "old is marked shared" case and is just as correct as the current behaviour
if old is not marked shared (kudos to Pavel for pointing that out - my original
suggested fix changed behaviour in the "nor marked" case, which complicated
things for no good reason).
Reviewed-by: Christian Brauner <brauner@kernel.org>
Fixes: 9ffb14ef61ba ("move_mount: allow to add a mount into an existing group")
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/namespace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index 7942a33451ba0..4d8afd0e1eb8f 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2995,7 +2995,7 @@ static int do_set_group(struct path *from_path, struct path *to_path)
if (IS_MNT_SLAVE(from)) {
struct mount *m = from->mnt_master;
- list_add(&to->mnt_slave, &m->mnt_slave_list);
+ list_add(&to->mnt_slave, &from->mnt_slave);
to->mnt_master = m;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 276/356] do_change_type(): refuse to operate on unmounted/not ours mounts
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 275/356] fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2) Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 277/356] net: dsa: microchip: update tag_ksz masks for KSZ9477 family Greg Kroah-Hartman
` (88 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Brauner, Orlando, Noah,
Al Viro, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 12f147ddd6de7382dad54812e65f3f08d05809fc ]
Ensure that propagation settings can only be changed for mounts located
in the caller's mount namespace. This change aligns permission checking
with the rest of mount(2).
Reviewed-by: Christian Brauner <brauner@kernel.org>
Fixes: 07b20889e305 ("beginning of the shared-subtree proper")
Reported-by: "Orlando, Noah" <Noah.Orlando@deshaw.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/namespace.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/namespace.c b/fs/namespace.c
index 4d8afd0e1eb8f..eab9185e22858 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2557,6 +2557,10 @@ static int do_change_type(struct path *path, int ms_flags)
return -EINVAL;
namespace_lock();
+ if (!check_mnt(mnt)) {
+ err = -EINVAL;
+ goto out_unlock;
+ }
if (type == MS_SHARED) {
err = invent_group_ids(mnt, recurse);
if (err)
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 277/356] net: dsa: microchip: update tag_ksz masks for KSZ9477 family
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 276/356] do_change_type(): refuse to operate on unmounted/not ours mounts Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 20:23 ` Pieter Van Trappen
2025-06-17 15:26 ` [PATCH 6.6 278/356] net: dsa: microchip: linearize skb for tail-tagging switches Greg Kroah-Hartman
` (87 subsequent siblings)
364 siblings, 1 reply; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pieter Van Trappen, Florian Fainelli,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pieter Van Trappen <pieter.van.trappen@cern.ch>
[ Upstream commit 3f464b193d40e49299dcd087b10cc3b77cbbea68 ]
Remove magic number 7 by introducing a GENMASK macro instead.
Remove magic number 0x80 by using the BIT macro instead.
Signed-off-by: Pieter Van Trappen <pieter.van.trappen@cern.ch>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20240909134301.75448-1-vtpieter@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: ba54bce747fa ("net: dsa: microchip: linearize skb for tail-tagging switches")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/dsa/tag_ksz.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/dsa/tag_ksz.c b/net/dsa/tag_ksz.c
index ea100bd25939b..7bf87fa471a0c 100644
--- a/net/dsa/tag_ksz.c
+++ b/net/dsa/tag_ksz.c
@@ -176,8 +176,9 @@ MODULE_ALIAS_DSA_TAG_DRIVER(DSA_TAG_PROTO_KSZ8795, KSZ8795_NAME);
#define KSZ9477_INGRESS_TAG_LEN 2
#define KSZ9477_PTP_TAG_LEN 4
-#define KSZ9477_PTP_TAG_INDICATION 0x80
+#define KSZ9477_PTP_TAG_INDICATION BIT(7)
+#define KSZ9477_TAIL_TAG_EG_PORT_M GENMASK(2, 0)
#define KSZ9477_TAIL_TAG_PRIO GENMASK(8, 7)
#define KSZ9477_TAIL_TAG_OVERRIDE BIT(9)
#define KSZ9477_TAIL_TAG_LOOKUP BIT(10)
@@ -302,7 +303,7 @@ static struct sk_buff *ksz9477_rcv(struct sk_buff *skb, struct net_device *dev)
{
/* Tag decoding */
u8 *tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN;
- unsigned int port = tag[0] & 7;
+ unsigned int port = tag[0] & KSZ9477_TAIL_TAG_EG_PORT_M;
unsigned int len = KSZ_EGRESS_TAG_LEN;
/* Extra 4-bytes PTP timestamp */
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 278/356] net: dsa: microchip: linearize skb for tail-tagging switches
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 277/356] net: dsa: microchip: update tag_ksz masks for KSZ9477 family Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 279/356] pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id() Greg Kroah-Hartman
` (86 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakob Unterwurzacher,
Vladimir Oltean, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakob Unterwurzacher <jakobunt@gmail.com>
[ Upstream commit ba54bce747fa9e07896c1abd9b48545f7b4b31d2 ]
The pointer arithmentic for accessing the tail tag only works
for linear skbs.
For nonlinear skbs, it reads uninitialized memory inside the
skb headroom, essentially randomizing the tag. I have observed
it gets set to 6 most of the time.
Example where ksz9477_rcv thinks that the packet from port 1 comes from port 6
(which does not exist for the ksz9896 that's in use), dropping the packet.
Debug prints added by me (not included in this patch):
[ 256.645337] ksz9477_rcv:323 tag0=6
[ 256.645349] skb len=47 headroom=78 headlen=0 tailroom=0
mac=(64,14) mac_len=14 net=(78,0) trans=78
shinfo(txflags=0 nr_frags=1 gso(size=0 type=0 segs=0))
csum(0x0 start=0 offset=0 ip_summed=0 complete_sw=0 valid=0 level=0)
hash(0x0 sw=0 l4=0) proto=0x00f8 pkttype=1 iif=3
priority=0x0 mark=0x0 alloc_cpu=0 vlan_all=0x0
encapsulation=0 inner(proto=0x0000, mac=0, net=0, trans=0)
[ 256.645377] dev name=end1 feat=0x0002e10200114bb3
[ 256.645386] skb headroom: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 256.645395] skb headroom: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 256.645403] skb headroom: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 256.645411] skb headroom: 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 256.645420] skb headroom: 00000040: ff ff ff ff ff ff 00 1c 19 f2 e2 db 08 06
[ 256.645428] skb frag: 00000000: 00 01 08 00 06 04 00 01 00 1c 19 f2 e2 db 0a 02
[ 256.645436] skb frag: 00000010: 00 83 00 00 00 00 00 00 0a 02 a0 2f 00 00 00 00
[ 256.645444] skb frag: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
[ 256.645452] ksz_common_rcv:92 dsa_conduit_find_user returned NULL
Call skb_linearize before trying to access the tag.
This patch fixes ksz9477_rcv which is used by the ksz9896 I have at
hand, and also applies the same fix to ksz8795_rcv which seems to have
the same problem.
Signed-off-by: Jakob Unterwurzacher <jakob.unterwurzacher@cherry.de>
CC: stable@vger.kernel.org
Fixes: 016e43a26bab ("net: dsa: ksz: Add KSZ8795 tag code")
Fixes: 8b8010fb7876 ("dsa: add support for Microchip KSZ tail tagging")
Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
Link: https://patch.msgid.link/20250515072920.2313014-1-jakob.unterwurzacher@cherry.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/dsa/tag_ksz.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/net/dsa/tag_ksz.c b/net/dsa/tag_ksz.c
index 7bf87fa471a0c..0a16c04c4bfc4 100644
--- a/net/dsa/tag_ksz.c
+++ b/net/dsa/tag_ksz.c
@@ -139,7 +139,12 @@ static struct sk_buff *ksz8795_xmit(struct sk_buff *skb, struct net_device *dev)
static struct sk_buff *ksz8795_rcv(struct sk_buff *skb, struct net_device *dev)
{
- u8 *tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN;
+ u8 *tag;
+
+ if (skb_linearize(skb))
+ return NULL;
+
+ tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN;
return ksz_common_rcv(skb, dev, tag[0] & 7, KSZ_EGRESS_TAG_LEN);
}
@@ -301,10 +306,16 @@ static struct sk_buff *ksz9477_xmit(struct sk_buff *skb,
static struct sk_buff *ksz9477_rcv(struct sk_buff *skb, struct net_device *dev)
{
- /* Tag decoding */
- u8 *tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN;
- unsigned int port = tag[0] & KSZ9477_TAIL_TAG_EG_PORT_M;
unsigned int len = KSZ_EGRESS_TAG_LEN;
+ unsigned int port;
+ u8 *tag;
+
+ if (skb_linearize(skb))
+ return NULL;
+
+ /* Tag decoding */
+ tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN;
+ port = tag[0] & KSZ9477_TAIL_TAG_EG_PORT_M;
/* Extra 4-bytes PTP timestamp */
if (tag[0] & KSZ9477_PTP_TAG_INDICATION) {
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 279/356] pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 278/356] net: dsa: microchip: linearize skb for tail-tagging switches Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 280/356] Input: synaptics-rmi - fix crash with unsupported versions of F34 Greg Kroah-Hartman
` (85 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Ulf Hansson,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 0f5757667ec0aaf2456c3b76fcf0c6c3ea3591fe ]
The error checking for of_count_phandle_with_args() does not handle
negative error codes correctly. The problem is that "index" is a u32 so
in the condition "if (index >= num_domains)" negative error codes stored
in "num_domains" are type promoted to very high positive values and
"index" is always going to be valid.
Test for negative error codes first and then test if "index" is valid.
Fixes: 3ccf3f0cd197 ("PM / Domains: Enable genpd_dev_pm_attach_by_id|name() for single PM domain")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/aBxPQ8AI8N5v-7rL@stanley.mountain
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/power/domain.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c
index d9d339b8b5710..d1dae47f3534b 100644
--- a/drivers/base/power/domain.c
+++ b/drivers/base/power/domain.c
@@ -2856,7 +2856,7 @@ struct device *genpd_dev_pm_attach_by_id(struct device *dev,
/* Verify that the index is within a valid range. */
num_domains = of_count_phandle_with_args(dev->of_node, "power-domains",
"#power-domain-cells");
- if (index >= num_domains)
+ if (num_domains < 0 || index >= num_domains)
return NULL;
/* Allocate and register device on the genpd bus. */
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 280/356] Input: synaptics-rmi - fix crash with unsupported versions of F34
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 279/356] pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id() Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 281/356] kasan: use unchecked __memset internally Greg Kroah-Hartman
` (84 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hanno Böck, Dmitry Torokhov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
[ Upstream commit ca39500f6af9cfe6823dc5aa8fbaed788d6e35b2 ]
Sysfs interface for updating firmware for RMI devices is available even
when F34 probe fails. The code checks for presence of F34 "container"
pointer and then tries to use the function data attached to the
sub-device. F34 assigns the function data early, before it knows if
probe will succeed, leaving behind a stale pointer.
Fix this by expanding checks to not only test for presence of F34
"container" but also check if there is driver data assigned to the
sub-device, and call dev_set_drvdata() only after we are certain that
probe is successful.
This is not a complete fix, since F34 will be freed during firmware
update, so there is still a race when fetching and accessing this
pointer. This race will be addressed in follow-up changes.
Reported-by: Hanno Böck <hanno@hboeck.de>
Fixes: 29fd0ec2bdbe ("Input: synaptics-rmi4 - add support for F34 device reflash")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/aBlAl6sGulam-Qcx@google.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/input/rmi4/rmi_f34.c | 135 ++++++++++++++++++++---------------
1 file changed, 76 insertions(+), 59 deletions(-)
diff --git a/drivers/input/rmi4/rmi_f34.c b/drivers/input/rmi4/rmi_f34.c
index 0d9a5756e3f59..cae1e41664921 100644
--- a/drivers/input/rmi4/rmi_f34.c
+++ b/drivers/input/rmi4/rmi_f34.c
@@ -4,6 +4,7 @@
* Copyright (C) 2016 Zodiac Inflight Innovations
*/
+#include "linux/device.h"
#include <linux/kernel.h>
#include <linux/rmi.h>
#include <linux/firmware.h>
@@ -298,39 +299,30 @@ static int rmi_f34_update_firmware(struct f34_data *f34,
return ret;
}
-static int rmi_f34_status(struct rmi_function *fn)
-{
- struct f34_data *f34 = dev_get_drvdata(&fn->dev);
-
- /*
- * The status is the percentage complete, or once complete,
- * zero for success or a negative return code.
- */
- return f34->update_status;
-}
-
static ssize_t rmi_driver_bootloader_id_show(struct device *dev,
struct device_attribute *dattr,
char *buf)
{
struct rmi_driver_data *data = dev_get_drvdata(dev);
- struct rmi_function *fn = data->f34_container;
+ struct rmi_function *fn;
struct f34_data *f34;
- if (fn) {
- f34 = dev_get_drvdata(&fn->dev);
-
- if (f34->bl_version == 5)
- return sysfs_emit(buf, "%c%c\n",
- f34->bootloader_id[0],
- f34->bootloader_id[1]);
- else
- return sysfs_emit(buf, "V%d.%d\n",
- f34->bootloader_id[1],
- f34->bootloader_id[0]);
- }
+ fn = data->f34_container;
+ if (!fn)
+ return -ENODEV;
- return 0;
+ f34 = dev_get_drvdata(&fn->dev);
+ if (!f34)
+ return -ENODEV;
+
+ if (f34->bl_version == 5)
+ return sysfs_emit(buf, "%c%c\n",
+ f34->bootloader_id[0],
+ f34->bootloader_id[1]);
+ else
+ return sysfs_emit(buf, "V%d.%d\n",
+ f34->bootloader_id[1],
+ f34->bootloader_id[0]);
}
static DEVICE_ATTR(bootloader_id, 0444, rmi_driver_bootloader_id_show, NULL);
@@ -343,13 +335,16 @@ static ssize_t rmi_driver_configuration_id_show(struct device *dev,
struct rmi_function *fn = data->f34_container;
struct f34_data *f34;
- if (fn) {
- f34 = dev_get_drvdata(&fn->dev);
+ fn = data->f34_container;
+ if (!fn)
+ return -ENODEV;
- return sysfs_emit(buf, "%s\n", f34->configuration_id);
- }
+ f34 = dev_get_drvdata(&fn->dev);
+ if (!f34)
+ return -ENODEV;
- return 0;
+
+ return sysfs_emit(buf, "%s\n", f34->configuration_id);
}
static DEVICE_ATTR(configuration_id, 0444,
@@ -365,10 +360,14 @@ static int rmi_firmware_update(struct rmi_driver_data *data,
if (!data->f34_container) {
dev_warn(dev, "%s: No F34 present!\n", __func__);
- return -EINVAL;
+ return -ENODEV;
}
f34 = dev_get_drvdata(&data->f34_container->dev);
+ if (!f34) {
+ dev_warn(dev, "%s: No valid F34 present!\n", __func__);
+ return -ENODEV;
+ }
if (f34->bl_version >= 7) {
if (data->pdt_props & HAS_BSR) {
@@ -494,10 +493,18 @@ static ssize_t rmi_driver_update_fw_status_show(struct device *dev,
char *buf)
{
struct rmi_driver_data *data = dev_get_drvdata(dev);
- int update_status = 0;
+ struct f34_data *f34;
+ int update_status = -ENODEV;
- if (data->f34_container)
- update_status = rmi_f34_status(data->f34_container);
+ /*
+ * The status is the percentage complete, or once complete,
+ * zero for success or a negative return code.
+ */
+ if (data->f34_container) {
+ f34 = dev_get_drvdata(&data->f34_container->dev);
+ if (f34)
+ update_status = f34->update_status;
+ }
return sysfs_emit(buf, "%d\n", update_status);
}
@@ -517,33 +524,21 @@ static const struct attribute_group rmi_firmware_attr_group = {
.attrs = rmi_firmware_attrs,
};
-static int rmi_f34_probe(struct rmi_function *fn)
+static int rmi_f34v5_probe(struct f34_data *f34)
{
- struct f34_data *f34;
- unsigned char f34_queries[9];
+ struct rmi_function *fn = f34->fn;
+ u8 f34_queries[9];
bool has_config_id;
- u8 version = fn->fd.function_version;
- int ret;
-
- f34 = devm_kzalloc(&fn->dev, sizeof(struct f34_data), GFP_KERNEL);
- if (!f34)
- return -ENOMEM;
-
- f34->fn = fn;
- dev_set_drvdata(&fn->dev, f34);
-
- /* v5 code only supported version 0, try V7 probe */
- if (version > 0)
- return rmi_f34v7_probe(f34);
+ int error;
f34->bl_version = 5;
- ret = rmi_read_block(fn->rmi_dev, fn->fd.query_base_addr,
- f34_queries, sizeof(f34_queries));
- if (ret) {
+ error = rmi_read_block(fn->rmi_dev, fn->fd.query_base_addr,
+ f34_queries, sizeof(f34_queries));
+ if (error) {
dev_err(&fn->dev, "%s: Failed to query properties\n",
__func__);
- return ret;
+ return error;
}
snprintf(f34->bootloader_id, sizeof(f34->bootloader_id),
@@ -569,11 +564,11 @@ static int rmi_f34_probe(struct rmi_function *fn)
f34->v5.config_blocks);
if (has_config_id) {
- ret = rmi_read_block(fn->rmi_dev, fn->fd.control_base_addr,
- f34_queries, sizeof(f34_queries));
- if (ret) {
+ error = rmi_read_block(fn->rmi_dev, fn->fd.control_base_addr,
+ f34_queries, sizeof(f34_queries));
+ if (error) {
dev_err(&fn->dev, "Failed to read F34 config ID\n");
- return ret;
+ return error;
}
snprintf(f34->configuration_id, sizeof(f34->configuration_id),
@@ -582,12 +577,34 @@ static int rmi_f34_probe(struct rmi_function *fn)
f34_queries[2], f34_queries[3]);
rmi_dbg(RMI_DEBUG_FN, &fn->dev, "Configuration ID: %s\n",
- f34->configuration_id);
+ f34->configuration_id);
}
return 0;
}
+static int rmi_f34_probe(struct rmi_function *fn)
+{
+ struct f34_data *f34;
+ u8 version = fn->fd.function_version;
+ int error;
+
+ f34 = devm_kzalloc(&fn->dev, sizeof(struct f34_data), GFP_KERNEL);
+ if (!f34)
+ return -ENOMEM;
+
+ f34->fn = fn;
+
+ /* v5 code only supported version 0 */
+ error = version == 0 ? rmi_f34v5_probe(f34) : rmi_f34v7_probe(f34);
+ if (error)
+ return error;
+
+ dev_set_drvdata(&fn->dev, f34);
+
+ return 0;
+}
+
int rmi_f34_create_sysfs(struct rmi_device *rmi_dev)
{
return sysfs_create_group(&rmi_dev->dev.kobj, &rmi_firmware_attr_group);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 281/356] kasan: use unchecked __memset internally
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 280/356] Input: synaptics-rmi - fix crash with unsupported versions of F34 Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 282/356] arm64: dts: ti: k3-am65-main: Fix sdhci node properties Greg Kroah-Hartman
` (83 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrey Konovalov, Marco Elver,
Alexander Potapenko, Andrey Ryabinin, Dmitry Vyukov,
kernel test robot, Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Konovalov <andreyknvl@google.com>
[ Upstream commit 01a5ad81637672940844052404678678a0ec8854 ]
KASAN code is supposed to use the unchecked __memset implementation when
accessing its metadata.
Change uses of memset to __memset in mm/kasan/.
Link: https://lkml.kernel.org/r/6f621966c6f52241b5aaa7220c348be90c075371.1696605143.git.andreyknvl@google.com
Fixes: 59e6e098d1c1 ("kasan: introduce kasan_complete_mode_report_info")
Fixes: 3c5c3cfb9ef4 ("kasan: support backing vmalloc space with real shadow memory")
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Marco Elver <elver@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: kernel test robot <lkp@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: b6ea95a34cbd ("kasan: avoid sleepable page allocation from atomic context")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
mm/kasan/report.c | 4 ++--
mm/kasan/shadow.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index ecced40e51032..465e6a53b3bf2 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -538,7 +538,7 @@ void kasan_report_invalid_free(void *ptr, unsigned long ip, enum kasan_report_ty
start_report(&flags, true);
- memset(&info, 0, sizeof(info));
+ __memset(&info, 0, sizeof(info));
info.type = type;
info.access_addr = ptr;
info.access_size = 0;
@@ -576,7 +576,7 @@ bool kasan_report(const void *addr, size_t size, bool is_write,
start_report(&irq_flags, true);
- memset(&info, 0, sizeof(info));
+ __memset(&info, 0, sizeof(info));
info.type = KASAN_REPORT_ACCESS;
info.access_addr = addr;
info.access_size = size;
diff --git a/mm/kasan/shadow.c b/mm/kasan/shadow.c
index dd772f9d0f080..d687f09a7ae37 100644
--- a/mm/kasan/shadow.c
+++ b/mm/kasan/shadow.c
@@ -324,7 +324,7 @@ static int kasan_populate_vmalloc_pte(pte_t *ptep, unsigned long addr,
if (!page)
return -ENOMEM;
- memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE);
+ __memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE);
pte = pfn_pte(PFN_DOWN(__pa(page)), PAGE_KERNEL);
spin_lock(&init_mm.page_table_lock);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 282/356] arm64: dts: ti: k3-am65-main: Fix sdhci node properties
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 281/356] kasan: use unchecked __memset internally Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 283/356] arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0 Greg Kroah-Hartman
` (82 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Judith Mendez, Nishanth Menon,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Judith Mendez <jm@ti.com>
[ Upstream commit 8ffe9cb889f2b831a9d5bbb1f7ad42d30e31170f ]
Update otap-del-sel properties as per datasheet [0].
Add missing clkbuf-sel and itap-del-sel values also as per
datasheet [0].
Move clkbuf-sel and ti,trm-icp above the otap-del-sel properties
so the sdhci nodes could be more uniform across platforms.
[0] https://www.ti.com/lit/ds/symlink/am6548.pdf
Fixes: eac99d38f861 ("arm64: dts: ti: k3-am654-main: Update otap-del-sel values")
Fixes: d7600d070fb0 ("arm64: dts: ti: k3-am65-main: Add support for sdhci1")
Signed-off-by: Judith Mendez <jm@ti.com>
Link: https://lore.kernel.org/r/20240423151732.3541894-2-jm@ti.com
Signed-off-by: Nishanth Menon <nm@ti.com>
Stable-dep-of: f55c9f087cc2 ("arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/ti/k3-am65-main.dtsi | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
index 57befcce93b97..9c5de448351e9 100644
--- a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
@@ -436,6 +436,8 @@ sdhci0: mmc@4f80000 {
interrupts = <GIC_SPI 136 IRQ_TYPE_LEVEL_HIGH>;
mmc-ddr-1_8v;
mmc-hs200-1_8v;
+ ti,clkbuf-sel = <0x7>;
+ ti,trm-icp = <0x8>;
ti,otap-del-sel-legacy = <0x0>;
ti,otap-del-sel-mmc-hs = <0x0>;
ti,otap-del-sel-sd-hs = <0x0>;
@@ -446,8 +448,7 @@ sdhci0: mmc@4f80000 {
ti,otap-del-sel-ddr50 = <0x5>;
ti,otap-del-sel-ddr52 = <0x5>;
ti,otap-del-sel-hs200 = <0x5>;
- ti,otap-del-sel-hs400 = <0x0>;
- ti,trm-icp = <0x8>;
+ ti,itap-del-sel-ddr52 = <0x0>;
dma-coherent;
};
@@ -458,18 +459,22 @@ sdhci1: mmc@4fa0000 {
clocks = <&k3_clks 48 0>, <&k3_clks 48 1>;
clock-names = "clk_ahb", "clk_xin";
interrupts = <GIC_SPI 137 IRQ_TYPE_LEVEL_HIGH>;
+ ti,clkbuf-sel = <0x7>;
+ ti,trm-icp = <0x8>;
ti,otap-del-sel-legacy = <0x0>;
ti,otap-del-sel-mmc-hs = <0x0>;
ti,otap-del-sel-sd-hs = <0x0>;
- ti,otap-del-sel-sdr12 = <0x0>;
- ti,otap-del-sel-sdr25 = <0x0>;
+ ti,otap-del-sel-sdr12 = <0xf>;
+ ti,otap-del-sel-sdr25 = <0xf>;
ti,otap-del-sel-sdr50 = <0x8>;
ti,otap-del-sel-sdr104 = <0x7>;
ti,otap-del-sel-ddr50 = <0x4>;
ti,otap-del-sel-ddr52 = <0x4>;
ti,otap-del-sel-hs200 = <0x7>;
- ti,clkbuf-sel = <0x7>;
- ti,trm-icp = <0x8>;
+ ti,itap-del-sel-legacy = <0xa>;
+ ti,itap-del-sel-sd-hs = <0x1>;
+ ti,itap-del-sel-sdr12 = <0xa>;
+ ti,itap-del-sel-sdr25 = <0x1>;
dma-coherent;
};
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 283/356] arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 282/356] arm64: dts: ti: k3-am65-main: Fix sdhci node properties Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 284/356] arm64: dts: ti: k3-j721e-sk: Model CSI2RX connector mux Greg Kroah-Hartman
` (81 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Judith Mendez, Moteen Shah,
Nishanth Menon, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Judith Mendez <jm@ti.com>
[ Upstream commit f55c9f087cc2e2252d44ffd9d58def2066fc176e ]
For am65x, add missing ITAPDLYSEL values for Default Speed and High
Speed SDR modes to sdhci0 node according to the device datasheet [0].
[0] https://www.ti.com/lit/gpn/am6548
Fixes: eac99d38f861 ("arm64: dts: ti: k3-am654-main: Update otap-del-sel values")
Cc: stable@vger.kernel.org
Signed-off-by: Judith Mendez <jm@ti.com>
Reviewed-by: Moteen Shah <m-shah@ti.com>
Link: https://lore.kernel.org/r/20250429173009.33994-1-jm@ti.com
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/ti/k3-am65-main.dtsi | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
index 9c5de448351e9..0523bd0da80c7 100644
--- a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
@@ -448,6 +448,8 @@ sdhci0: mmc@4f80000 {
ti,otap-del-sel-ddr50 = <0x5>;
ti,otap-del-sel-ddr52 = <0x5>;
ti,otap-del-sel-hs200 = <0x5>;
+ ti,itap-del-sel-legacy = <0xa>;
+ ti,itap-del-sel-mmc-hs = <0x1>;
ti,itap-del-sel-ddr52 = <0x0>;
dma-coherent;
};
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 284/356] arm64: dts: ti: k3-j721e-sk: Model CSI2RX connector mux
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 283/356] arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0 Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 285/356] arm64: dts: ti: k3-j721e-sk: Add support for multiple CAN instances Greg Kroah-Hartman
` (80 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vaishnav Achath, Jai Luthra,
Vignesh Raghavendra, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vaishnav Achath <vaishnav.a@ti.com>
[ Upstream commit f87c88947396674586a42a163b72efa3999e3dee ]
J721E SK has the CSI2RX routed to a MIPI CSI connector and to 15-pin
RPi camera connector through an analog mux with GPIO control, model that
so that an overlay can control the mux state according to connected
cameras. Also provide labels to the I2C mux bus instances so that a
generic overlay can be used across multiple platforms.
J721E SK schematics: https://www.ti.com/lit/zip/sprr438
Signed-off-by: Vaishnav Achath <vaishnav.a@ti.com>
Reviewed-by: Jai Luthra <j-luthra@ti.com>
Link: https://lore.kernel.org/r/20240215085518.552692-6-vaishnav.a@ti.com
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Stable-dep-of: 97b67cc102dc ("arm64: dts: ti: k3-j721e-sk: Add DT nodes for power regulators")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/ti/k3-j721e-sk.dts | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/ti/k3-j721e-sk.dts b/arch/arm64/boot/dts/ti/k3-j721e-sk.dts
index ccacb65683b5b..d967b384071cf 100644
--- a/arch/arm64/boot/dts/ti/k3-j721e-sk.dts
+++ b/arch/arm64/boot/dts/ti/k3-j721e-sk.dts
@@ -286,6 +286,15 @@ tfp410_out: endpoint {
};
};
};
+
+ csi_mux: mux-controller {
+ compatible = "gpio-mux";
+ #mux-state-cells = <1>;
+ mux-gpios = <&main_gpio0 88 GPIO_ACTIVE_HIGH>;
+ idle-state = <0>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&main_csi_mux_sel_pins_default>;
+ };
};
&main_pmx0 {
@@ -352,6 +361,12 @@ J721E_IOPAD(0x214, PIN_OUTPUT, 4) /* (V4) MCAN1_TX.USB1_DRVVBUS */
>;
};
+ main_csi_mux_sel_pins_default: main-csi-mux-sel-default-pins {
+ pinctrl-single,pins = <
+ J721E_IOPAD(0x164, PIN_OUTPUT, 7) /* (V29) RGMII5_TD2 */
+ >;
+ };
+
dp0_pins_default: dp0-default-pins {
pinctrl-single,pins = <
J721E_IOPAD(0x1c4, PIN_INPUT, 5) /* SPI0_CS1.DP0_HPD */
@@ -707,14 +722,14 @@ i2c-mux@70 {
reg = <0x70>;
/* CSI0 I2C */
- i2c@0 {
+ cam0_i2c: i2c@0 {
#address-cells = <1>;
#size-cells = <0>;
reg = <0>;
};
/* CSI1 I2C */
- i2c@1 {
+ cam1_i2c: i2c@1 {
#address-cells = <1>;
#size-cells = <0>;
reg = <1>;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 285/356] arm64: dts: ti: k3-j721e-sk: Add support for multiple CAN instances
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 284/356] arm64: dts: ti: k3-j721e-sk: Model CSI2RX connector mux Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 286/356] arm64: dts: ti: k3-j721e-sk: Add DT nodes for power regulators Greg Kroah-Hartman
` (79 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Beleswar Padhi, Bhavya Kapoor,
Vignesh Raghavendra, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Beleswar Padhi <b-padhi@ti.com>
[ Upstream commit 021d3d5f0741e5393a7a110ac909fc746b1e0a4d ]
CAN instance 0 in the mcu domain is brought on the J721E-SK board
through header J1. Thus, add its respective transceiver 1 dt node to add
support for this CAN instance.
CAN instances 0, 5 and 9 in the main domain are brought on the J721E-SK
board through headers J5, J6 and J2 respectively. Thus, add their
respective transceivers 2, 3 and 4 dt nodes to add support for these CAN
instances.
Signed-off-by: Beleswar Padhi <b-padhi@ti.com>
Reviewed-by: Bhavya Kapoor <b-kapoor@ti.com>
Link: https://lore.kernel.org/r/20240430131512.1327283-1-b-padhi@ti.com
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Stable-dep-of: 97b67cc102dc ("arm64: dts: ti: k3-j721e-sk: Add DT nodes for power regulators")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/ti/k3-j721e-sk.dts | 116 +++++++++++++++++++++++++
1 file changed, 116 insertions(+)
diff --git a/arch/arm64/boot/dts/ti/k3-j721e-sk.dts b/arch/arm64/boot/dts/ti/k3-j721e-sk.dts
index d967b384071cf..5e03a7f58faa4 100644
--- a/arch/arm64/boot/dts/ti/k3-j721e-sk.dts
+++ b/arch/arm64/boot/dts/ti/k3-j721e-sk.dts
@@ -210,6 +210,42 @@ vdd_sd_dv_alt: gpio-regulator-tps659411 {
<3300000 0x1>;
};
+ transceiver1: can-phy1 {
+ compatible = "ti,tcan1042";
+ #phy-cells = <0>;
+ max-bitrate = <5000000>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&mcu_mcan0_gpio_pins_default>;
+ standby-gpios = <&wkup_gpio0 3 GPIO_ACTIVE_HIGH>;
+ };
+
+ transceiver2: can-phy2 {
+ compatible = "ti,tcan1042";
+ #phy-cells = <0>;
+ max-bitrate = <5000000>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&main_mcan0_gpio_pins_default>;
+ standby-gpios = <&main_gpio0 65 GPIO_ACTIVE_HIGH>;
+ };
+
+ transceiver3: can-phy3 {
+ compatible = "ti,tcan1042";
+ #phy-cells = <0>;
+ max-bitrate = <5000000>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&main_mcan5_gpio_pins_default>;
+ standby-gpios = <&main_gpio0 66 GPIO_ACTIVE_HIGH>;
+ };
+
+ transceiver4: can-phy4 {
+ compatible = "ti,tcan1042";
+ #phy-cells = <0>;
+ max-bitrate = <5000000>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&main_mcan9_gpio_pins_default>;
+ standby-gpios = <&main_gpio0 67 GPIO_ACTIVE_HIGH>;
+ };
+
dp_pwr_3v3: fixedregulator-dp-prw {
compatible = "regulator-fixed";
regulator-name = "dp-pwr";
@@ -367,6 +403,45 @@ J721E_IOPAD(0x164, PIN_OUTPUT, 7) /* (V29) RGMII5_TD2 */
>;
};
+ main_mcan0_pins_default: main-mcan0-default-pins {
+ pinctrl-single,pins = <
+ J721E_IOPAD(0x208, PIN_INPUT, 0) /* (W5) MCAN0_RX */
+ J721E_IOPAD(0x20c, PIN_OUTPUT, 0) /* (W6) MCAN0_TX */
+ >;
+ };
+
+ main_mcan0_gpio_pins_default: main-mcan0-gpio-default-pins {
+ pinctrl-single,pins = <
+ J721E_IOPAD(0x108, PIN_INPUT, 7) /* (AD27) PRG0_PRU1_GPO2.GPIO0_65 */
+ >;
+ };
+
+ main_mcan5_pins_default: main-mcan5-default-pins {
+ pinctrl-single,pins = <
+ J721E_IOPAD(0x050, PIN_INPUT, 6) /* (AE21) PRG1_PRU0_GPO18.MCAN5_RX */
+ J721E_IOPAD(0x04c, PIN_OUTPUT, 6) /* (AJ21) PRG1_PRU0_GPO17.MCAN5_TX */
+ >;
+ };
+
+ main_mcan5_gpio_pins_default: main-mcan5-gpio-default-pins {
+ pinctrl-single,pins = <
+ J721E_IOPAD(0x10c, PIN_INPUT, 7) /* (AC25) PRG0_PRU1_GPO3.GPIO0_66 */
+ >;
+ };
+
+ main_mcan9_pins_default: main-mcan9-default-pins {
+ pinctrl-single,pins = <
+ J721E_IOPAD(0x0d0, PIN_INPUT, 6) /* (AC27) PRG0_PRU0_GPO8.MCAN9_RX */
+ J721E_IOPAD(0x0cc, PIN_OUTPUT, 6) /* (AC28) PRG0_PRU0_GPO7.MCAN9_TX */
+ >;
+ };
+
+ main_mcan9_gpio_pins_default: main-mcan9-gpio-default-pins {
+ pinctrl-single,pins = <
+ J721E_IOPAD(0x110, PIN_INPUT, 7) /* (AD29) PRG0_PRU1_GPO4.GPIO0_67 */
+ >;
+ };
+
dp0_pins_default: dp0-default-pins {
pinctrl-single,pins = <
J721E_IOPAD(0x1c4, PIN_INPUT, 5) /* SPI0_CS1.DP0_HPD */
@@ -549,6 +624,19 @@ J721E_WKUP_IOPAD(0xfc, PIN_INPUT_PULLUP, 0) /* (H24) WKUP_I2C0_SDA */
>;
};
+ mcu_mcan0_pins_default: mcu-mcan0-default-pins {
+ pinctrl-single,pins = <
+ J721E_WKUP_IOPAD(0x0ac, PIN_INPUT, 0) /* (C29) MCU_MCAN0_RX */
+ J721E_WKUP_IOPAD(0x0a8, PIN_OUTPUT, 0) /* (D29) MCU_MCAN0_TX */
+ >;
+ };
+
+ mcu_mcan0_gpio_pins_default: mcu-mcan0-gpio-default-pins {
+ pinctrl-single,pins = <
+ J721E_WKUP_IOPAD(0x0bc, PIN_INPUT, 7) /* (F27) WKUP_GPIO0_3 */
+ >;
+ };
+
/* Reset for M.2 M Key slot on PCIe1 */
mkey_reset_pins_default: mkey-reset-pns-default-pins {
pinctrl-single,pins = <
@@ -957,6 +1045,34 @@ &pcie1_rc {
num-lanes = <2>;
};
+&mcu_mcan0 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&mcu_mcan0_pins_default>;
+ phys = <&transceiver1>;
+ status = "okay";
+};
+
+&main_mcan0 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&main_mcan0_pins_default>;
+ phys = <&transceiver2>;
+ status = "okay";
+};
+
+&main_mcan5 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&main_mcan5_pins_default>;
+ phys = <&transceiver3>;
+ status = "okay";
+};
+
+&main_mcan9 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&main_mcan9_pins_default>;
+ phys = <&transceiver4>;
+ status = "okay";
+};
+
&ufs_wrapper {
status = "disabled";
};
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 286/356] arm64: dts: ti: k3-j721e-sk: Add DT nodes for power regulators
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 285/356] arm64: dts: ti: k3-j721e-sk: Add support for multiple CAN instances Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 287/356] serial: sh-sci: Check if TX data was written to device in .tx_empty() Greg Kroah-Hartman
` (78 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yemike Abhilash Chandra, Udit Kumar,
Nishanth Menon, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yemike Abhilash Chandra <y-abhilashchandra@ti.com>
[ Upstream commit 97b67cc102dc2cc8aa39a569c22a196e21af5a21 ]
Add device tree nodes for two power regulators on the J721E SK board.
vsys_5v0: A fixed regulator representing the 5V supply output from the
LM61460 and vdd_sd_dv: A GPIO-controlled TLV71033 regulator.
J721E-SK schematics: https://www.ti.com/lit/zip/sprr438
Fixes: 1bfda92a3a36 ("arm64: dts: ti: Add support for J721E SK")
Cc: stable@vger.kernel.org
Signed-off-by: Yemike Abhilash Chandra <y-abhilashchandra@ti.com>
Reviewed-by: Udit Kumar <u-kumar1@ti.com>
Link: https://lore.kernel.org/r/20250415111328.3847502-2-y-abhilashchandra@ti.com
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/ti/k3-j721e-sk.dts | 31 ++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/arch/arm64/boot/dts/ti/k3-j721e-sk.dts b/arch/arm64/boot/dts/ti/k3-j721e-sk.dts
index 5e03a7f58faa4..952d2c72628ef 100644
--- a/arch/arm64/boot/dts/ti/k3-j721e-sk.dts
+++ b/arch/arm64/boot/dts/ti/k3-j721e-sk.dts
@@ -183,6 +183,17 @@ vsys_3v3: fixedregulator-vsys3v3 {
regulator-boot-on;
};
+ vsys_5v0: fixedregulator-vsys5v0 {
+ /* Output of LM61460 */
+ compatible = "regulator-fixed";
+ regulator-name = "vsys_5v0";
+ regulator-min-microvolt = <5000000>;
+ regulator-max-microvolt = <5000000>;
+ vin-supply = <&vusb_main>;
+ regulator-always-on;
+ regulator-boot-on;
+ };
+
vdd_mmc1: fixedregulator-sd {
compatible = "regulator-fixed";
pinctrl-names = "default";
@@ -210,6 +221,20 @@ vdd_sd_dv_alt: gpio-regulator-tps659411 {
<3300000 0x1>;
};
+ vdd_sd_dv: gpio-regulator-TLV71033 {
+ compatible = "regulator-gpio";
+ pinctrl-names = "default";
+ pinctrl-0 = <&vdd_sd_dv_pins_default>;
+ regulator-name = "tlv71033";
+ regulator-min-microvolt = <1800000>;
+ regulator-max-microvolt = <3300000>;
+ regulator-boot-on;
+ vin-supply = <&vsys_5v0>;
+ gpios = <&main_gpio0 118 GPIO_ACTIVE_HIGH>;
+ states = <1800000 0x0>,
+ <3300000 0x1>;
+ };
+
transceiver1: can-phy1 {
compatible = "ti,tcan1042";
#phy-cells = <0>;
@@ -601,6 +626,12 @@ J721E_WKUP_IOPAD(0xd4, PIN_OUTPUT, 7) /* (G26) WKUP_GPIO0_9 */
>;
};
+ vdd_sd_dv_pins_default: vdd-sd-dv-default-pins {
+ pinctrl-single,pins = <
+ J721E_IOPAD(0x1dc, PIN_OUTPUT, 7) /* (Y1) SPI1_CLK.GPIO0_118 */
+ >;
+ };
+
wkup_uart0_pins_default: wkup-uart0-default-pins {
pinctrl-single,pins = <
J721E_WKUP_IOPAD(0xa0, PIN_INPUT, 0) /* (J29) WKUP_UART0_RXD */
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 287/356] serial: sh-sci: Check if TX data was written to device in .tx_empty()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 286/356] arm64: dts: ti: k3-j721e-sk: Add DT nodes for power regulators Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 288/356] serial: sh-sci: Move runtime PM enable to sci_probe_single() Greg Kroah-Hartman
` (77 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Claudiu Beznea, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
commit 7cc0e0a43a91052477c2921f924a37d9c3891f0c upstream.
On the Renesas RZ/G3S, when doing suspend to RAM, the uart_suspend_port()
is called. The uart_suspend_port() calls 3 times the
struct uart_port::ops::tx_empty() before shutting down the port.
According to the documentation, the struct uart_port::ops::tx_empty()
API tests whether the transmitter FIFO and shifter for the port is
empty.
The Renesas RZ/G3S SCIFA IP reports the number of data units stored in the
transmit FIFO through the FDR (FIFO Data Count Register). The data units
in the FIFOs are written in the shift register and transmitted from there.
The TEND bit in the Serial Status Register reports if the data was
transmitted from the shift register.
In the previous code, in the tx_empty() API implemented by the sh-sci
driver, it is considered that the TX is empty if the hardware reports the
TEND bit set and the number of data units in the FIFO is zero.
According to the HW manual, the TEND bit has the following meaning:
0: Transmission is in the waiting state or in progress.
1: Transmission is completed.
It has been noticed that when opening the serial device w/o using it and
then switch to a power saving mode, the tx_empty() call in the
uart_port_suspend() function fails, leading to the "Unable to drain
transmitter" message being printed on the console. This is because the
TEND=0 if nothing has been transmitted and the FIFOs are empty. As the
TEND=0 has double meaning (waiting state, in progress) we can't
determined the scenario described above.
Add a software workaround for this. This sets a variable if any data has
been sent on the serial console (when using PIO) or if the DMA callback has
been called (meaning something has been transmitted). In the tx_empty()
API the status of the DMA transaction is also checked and if it is
completed or in progress the code falls back in checking the hardware
registers instead of relying on the software variable.
Fixes: 73a19e4c0301 ("serial: sh-sci: Add DMA support.")
Cc: stable@vger.kernel.org
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Link: https://lore.kernel.org/r/20241125115856.513642-1-claudiu.beznea.uj@bp.renesas.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[claudiu.beznea: fixed conflict by:
- keeping serial_port_out() instead of sci_port_out() in
sci_transmit_chars()
- keeping !uart_circ_empty(xmit) condition in sci_dma_tx_complete(),
after s->tx_occurred = true; assignement]
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/sh-sci.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
index 61d8f50676b1b..d57fa80b6f52a 100644
--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -174,6 +174,7 @@ struct sci_port {
bool has_rtscts;
bool autorts;
+ bool tx_occurred;
};
#define SCI_NPORTS CONFIG_SERIAL_SH_SCI_NR_UARTS
@@ -838,6 +839,7 @@ static void sci_transmit_chars(struct uart_port *port)
{
struct circ_buf *xmit = &port->state->xmit;
unsigned int stopped = uart_tx_stopped(port);
+ struct sci_port *s = to_sci_port(port);
unsigned short status;
unsigned short ctrl;
int count;
@@ -874,6 +876,7 @@ static void sci_transmit_chars(struct uart_port *port)
}
serial_port_out(port, SCxTDR, c);
+ s->tx_occurred = true;
port->icount.tx++;
} while (--count > 0);
@@ -1230,6 +1233,8 @@ static void sci_dma_tx_complete(void *arg)
if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
uart_write_wakeup(port);
+ s->tx_occurred = true;
+
if (!uart_circ_empty(xmit)) {
s->cookie_tx = 0;
schedule_work(&s->work_tx);
@@ -1719,6 +1724,19 @@ static void sci_flush_buffer(struct uart_port *port)
s->cookie_tx = -EINVAL;
}
}
+
+static void sci_dma_check_tx_occurred(struct sci_port *s)
+{
+ struct dma_tx_state state;
+ enum dma_status status;
+
+ if (!s->chan_tx)
+ return;
+
+ status = dmaengine_tx_status(s->chan_tx, s->cookie_tx, &state);
+ if (status == DMA_COMPLETE || status == DMA_IN_PROGRESS)
+ s->tx_occurred = true;
+}
#else /* !CONFIG_SERIAL_SH_SCI_DMA */
static inline void sci_request_dma(struct uart_port *port)
{
@@ -1728,6 +1746,10 @@ static inline void sci_free_dma(struct uart_port *port)
{
}
+static void sci_dma_check_tx_occurred(struct sci_port *s)
+{
+}
+
#define sci_flush_buffer NULL
#endif /* !CONFIG_SERIAL_SH_SCI_DMA */
@@ -2064,6 +2086,12 @@ static unsigned int sci_tx_empty(struct uart_port *port)
{
unsigned short status = serial_port_in(port, SCxSR);
unsigned short in_tx_fifo = sci_txfill(port);
+ struct sci_port *s = to_sci_port(port);
+
+ sci_dma_check_tx_occurred(s);
+
+ if (!s->tx_occurred)
+ return TIOCSER_TEMT;
return (status & SCxSR_TEND(port)) && !in_tx_fifo ? TIOCSER_TEMT : 0;
}
@@ -2234,6 +2262,7 @@ static int sci_startup(struct uart_port *port)
dev_dbg(port->dev, "%s(%d)\n", __func__, port->line);
+ s->tx_occurred = false;
sci_request_dma(port);
ret = sci_request_irq(s);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 288/356] serial: sh-sci: Move runtime PM enable to sci_probe_single()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 287/356] serial: sh-sci: Check if TX data was written to device in .tx_empty() Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 289/356] serial: sh-sci: Clean sci_ports[0] after at earlycon exit Greg Kroah-Hartman
` (76 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Claudiu Beznea,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
commit 239f11209e5f282e16f5241b99256e25dd0614b6 upstream.
Relocate the runtime PM enable operation to sci_probe_single(). This change
prepares the codebase for upcoming fixes.
While at it, replace the existing logic with a direct call to
devm_pm_runtime_enable() and remove sci_cleanup_single(). The
devm_pm_runtime_enable() function automatically handles disabling runtime
PM during driver removal.
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Link: https://lore.kernel.org/r/20250116182249.3828577-3-claudiu.beznea.uj@bp.renesas.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/sh-sci.c | 24 ++++++------------------
1 file changed, 6 insertions(+), 18 deletions(-)
diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
index d57fa80b6f52a..0071cb3043e14 100644
--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -3043,10 +3043,6 @@ static int sci_init_single(struct platform_device *dev,
ret = sci_init_clocks(sci_port, &dev->dev);
if (ret < 0)
return ret;
-
- port->dev = &dev->dev;
-
- pm_runtime_enable(&dev->dev);
}
port->type = p->type;
@@ -3076,11 +3072,6 @@ static int sci_init_single(struct platform_device *dev,
return 0;
}
-static void sci_cleanup_single(struct sci_port *port)
-{
- pm_runtime_disable(port->port.dev);
-}
-
#if defined(CONFIG_SERIAL_SH_SCI_CONSOLE) || \
defined(CONFIG_SERIAL_SH_SCI_EARLYCON)
static void serial_console_putchar(struct uart_port *port, unsigned char ch)
@@ -3250,8 +3241,6 @@ static int sci_remove(struct platform_device *dev)
sci_ports_in_use &= ~BIT(port->port.line);
uart_remove_one_port(&sci_uart_driver, &port->port);
- sci_cleanup_single(port);
-
if (port->port.fifosize > 1)
device_remove_file(&dev->dev, &dev_attr_rx_fifo_trigger);
if (type == PORT_SCIFA || type == PORT_SCIFB || type == PORT_HSCIF)
@@ -3414,6 +3403,11 @@ static int sci_probe_single(struct platform_device *dev,
if (ret)
return ret;
+ sciport->port.dev = &dev->dev;
+ ret = devm_pm_runtime_enable(&dev->dev);
+ if (ret)
+ return ret;
+
sciport->gpios = mctrl_gpio_init(&sciport->port, 0);
if (IS_ERR(sciport->gpios))
return PTR_ERR(sciport->gpios);
@@ -3427,13 +3421,7 @@ static int sci_probe_single(struct platform_device *dev,
sciport->port.flags |= UPF_HARD_FLOW;
}
- ret = uart_add_one_port(&sci_uart_driver, &sciport->port);
- if (ret) {
- sci_cleanup_single(sciport);
- return ret;
- }
-
- return 0;
+ return uart_add_one_port(&sci_uart_driver, &sciport->port);
}
static int sci_probe(struct platform_device *dev)
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 289/356] serial: sh-sci: Clean sci_ports[0] after at earlycon exit
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 288/356] serial: sh-sci: Move runtime PM enable to sci_probe_single() Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 290/356] scsi: core: ufs: Fix a hang in the error handler Greg Kroah-Hartman
` (75 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Claudiu Beznea, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
commit 5f1017069933489add0c08659673443c9905659e upstream.
The early_console_setup() function initializes sci_ports[0].port with an
object of type struct uart_port obtained from the struct earlycon_device
passed as an argument to early_console_setup().
Later, during serial port probing, the serial port used as earlycon
(e.g., port A) might be remapped to a different position in the sci_ports[]
array, and a different serial port (e.g., port B) might be assigned to slot
0. For example:
sci_ports[0] = port B
sci_ports[X] = port A
In this scenario, the new port mapped at index zero (port B) retains the
data associated with the earlycon configuration. Consequently, after the
Linux boot process, any access to the serial port now mapped to
sci_ports[0] (port B) will block the original earlycon port (port A).
To address this, introduce an early_console_exit() function to clean up
sci_ports[0] when earlycon is exited.
To prevent the cleanup of sci_ports[0] while the serial device is still
being used by earlycon, introduce the struct sci_port::probing flag and
account for it in early_console_exit().
Fixes: 0b0cced19ab1 ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support")
Cc: stable@vger.kernel.org
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Link: https://lore.kernel.org/r/20250116182249.3828577-5-claudiu.beznea.uj@bp.renesas.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/sh-sci.c | 32 ++++++++++++++++++++++++++++++--
1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
index 0071cb3043e14..be7e57e1d1e36 100644
--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -183,6 +183,7 @@ static struct sci_port sci_ports[SCI_NPORTS];
static unsigned long sci_ports_in_use;
static struct uart_driver sci_uart_driver;
static bool sci_uart_earlycon;
+static bool sci_uart_earlycon_dev_probing;
static inline struct sci_port *
to_sci_port(struct uart_port *uart)
@@ -3374,7 +3375,8 @@ static struct plat_sci_port *sci_parse_dt(struct platform_device *pdev,
static int sci_probe_single(struct platform_device *dev,
unsigned int index,
struct plat_sci_port *p,
- struct sci_port *sciport)
+ struct sci_port *sciport,
+ struct resource *sci_res)
{
int ret;
@@ -3421,6 +3423,14 @@ static int sci_probe_single(struct platform_device *dev,
sciport->port.flags |= UPF_HARD_FLOW;
}
+ if (sci_uart_earlycon && sci_ports[0].port.mapbase == sci_res->start) {
+ /*
+ * Skip cleanup the sci_port[0] in early_console_exit(), this
+ * port is the same as the earlycon one.
+ */
+ sci_uart_earlycon_dev_probing = true;
+ }
+
return uart_add_one_port(&sci_uart_driver, &sciport->port);
}
@@ -3479,7 +3489,7 @@ static int sci_probe(struct platform_device *dev)
platform_set_drvdata(dev, sp);
- ret = sci_probe_single(dev, dev_id, p, sp);
+ ret = sci_probe_single(dev, dev_id, p, sp, res);
if (ret)
return ret;
@@ -3636,6 +3646,22 @@ sh_early_platform_init_buffer("earlyprintk", &sci_driver,
#ifdef CONFIG_SERIAL_SH_SCI_EARLYCON
static struct plat_sci_port port_cfg;
+static int early_console_exit(struct console *co)
+{
+ struct sci_port *sci_port = &sci_ports[0];
+
+ /*
+ * Clean the slot used by earlycon. A new SCI device might
+ * map to this slot.
+ */
+ if (!sci_uart_earlycon_dev_probing) {
+ memset(sci_port, 0, sizeof(*sci_port));
+ sci_uart_earlycon = false;
+ }
+
+ return 0;
+}
+
static int __init early_console_setup(struct earlycon_device *device,
int type)
{
@@ -3655,6 +3681,8 @@ static int __init early_console_setup(struct earlycon_device *device,
SCSCR_RE | SCSCR_TE | port_cfg.scscr);
device->con->write = serial_console_write;
+ device->con->exit = early_console_exit;
+
return 0;
}
static int __init sci_early_console_setup(struct earlycon_device *device,
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 290/356] scsi: core: ufs: Fix a hang in the error handler
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 289/356] serial: sh-sci: Clean sci_ports[0] after at earlycon exit Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 291/356] Bluetooth: hci_core: fix list_for_each_entry_rcu usage Greg Kroah-Hartman
` (74 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sanjeev Yadav, Bart Van Assche,
Peter Wang, Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sanjeev Yadav <sanjeev.y@mediatek.com>
[ Upstream commit 8a3514d348de87a9d5e2ac00fbac4faae0b97996 ]
ufshcd_err_handling_prepare() calls ufshcd_rpm_get_sync(). The latter
function can only succeed if UFSHCD_EH_IN_PROGRESS is not set because
resuming involves submitting a SCSI command and ufshcd_queuecommand()
returns SCSI_MLQUEUE_HOST_BUSY if UFSHCD_EH_IN_PROGRESS is set. Fix this
hang by setting UFSHCD_EH_IN_PROGRESS after ufshcd_rpm_get_sync() has
been called instead of before.
Backtrace:
__switch_to+0x174/0x338
__schedule+0x600/0x9e4
schedule+0x7c/0xe8
schedule_timeout+0xa4/0x1c8
io_schedule_timeout+0x48/0x70
wait_for_common_io+0xa8/0x160 //waiting on START_STOP
wait_for_completion_io_timeout+0x10/0x20
blk_execute_rq+0xe4/0x1e4
scsi_execute_cmd+0x108/0x244
ufshcd_set_dev_pwr_mode+0xe8/0x250
__ufshcd_wl_resume+0x94/0x354
ufshcd_wl_runtime_resume+0x3c/0x174
scsi_runtime_resume+0x64/0xa4
rpm_resume+0x15c/0xa1c
__pm_runtime_resume+0x4c/0x90 // Runtime resume ongoing
ufshcd_err_handler+0x1a0/0xd08
process_one_work+0x174/0x808
worker_thread+0x15c/0x490
kthread+0xf4/0x1ec
ret_from_fork+0x10/0x20
Signed-off-by: Sanjeev Yadav <sanjeev.y@mediatek.com>
[ bvanassche: rewrote patch description ]
Fixes: 62694735ca95 ("[SCSI] ufs: Add runtime PM support for UFS host controller driver")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Link: https://lore.kernel.org/r/20250523201409.1676055-1-bvanassche@acm.org
Reviewed-by: Peter Wang <peter.wang@mediatek.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ufs/core/ufshcd.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index 2346a1fc72b56..9dabc03675b00 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -6500,9 +6500,14 @@ static void ufshcd_err_handler(struct work_struct *work)
up(&hba->host_sem);
return;
}
- ufshcd_set_eh_in_progress(hba);
spin_unlock_irqrestore(hba->host->host_lock, flags);
+
ufshcd_err_handling_prepare(hba);
+
+ spin_lock_irqsave(hba->host->host_lock, flags);
+ ufshcd_set_eh_in_progress(hba);
+ spin_unlock_irqrestore(hba->host->host_lock, flags);
+
/* Complete requests that have door-bell cleared by h/w */
ufshcd_complete_requests(hba, false);
spin_lock_irqsave(hba->host->host_lock, flags);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 291/356] Bluetooth: hci_core: fix list_for_each_entry_rcu usage
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 290/356] scsi: core: ufs: Fix a hang in the error handler Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 292/356] Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete Greg Kroah-Hartman
` (73 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pauli Virtanen, Paul Menzel,
Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pauli Virtanen <pav@iki.fi>
[ Upstream commit 308a3a8ce8ea41b26c46169f3263e50f5997c28e ]
Releasing + re-acquiring RCU lock inside list_for_each_entry_rcu() loop
body is not correct.
Fix by taking the update-side hdev->lock instead.
Fixes: c7eaf80bfb0c ("Bluetooth: Fix hci_link_tx_to RCU lock usage")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_core.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 30519d47e8a69..febfd389ecf43 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -3380,23 +3380,18 @@ static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
bt_dev_err(hdev, "link tx timeout");
- rcu_read_lock();
+ hci_dev_lock(hdev);
/* Kill stalled connections */
- list_for_each_entry_rcu(c, &h->list, list) {
+ list_for_each_entry(c, &h->list, list) {
if (c->type == type && c->sent) {
bt_dev_err(hdev, "killing stalled connection %pMR",
&c->dst);
- /* hci_disconnect might sleep, so, we have to release
- * the RCU read lock before calling it.
- */
- rcu_read_unlock();
hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
- rcu_read_lock();
}
}
- rcu_read_unlock();
+ hci_dev_unlock(hdev);
}
static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 292/356] Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 291/356] Bluetooth: hci_core: fix list_for_each_entry_rcu usage Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 293/356] Bluetooth: MGMT: Remove unused mgmt_pending_find_data Greg Kroah-Hartman
` (72 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+feb0dc579bbe30a13190,
Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit e6ed54e86aae9e4f7286ce8d5c73780f91b48d1c ]
This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to
avoid crashes like bellow:
==================================================================
BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406
Read of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341
CPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xd2/0x2b0 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406
hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 5987:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252
mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279
remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:727
sock_write_iter+0x258/0x330 net/socket.c:1131
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x548/0xa90 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5989:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2380 [inline]
slab_free mm/slub.c:4642 [inline]
kfree+0x18e/0x440 mm/slub.c:4841
mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242
mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366
hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314
__sys_bind_socket net/socket.c:1810 [inline]
__sys_bind+0x2c3/0x3e0 net/socket.c:1841
__do_sys_bind net/socket.c:1846 [inline]
__se_sys_bind net/socket.c:1844 [inline]
__x64_sys_bind+0x7a/0x90 net/socket.c:1844
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: 66bd095ab5d4 ("Bluetooth: advmon offload MSFT remove monitor")
Closes: https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
Reported-by: syzbot+feb0dc579bbe30a13190@syzkaller.appspotmail.com
Tested-by: syzbot+feb0dc579bbe30a13190@syzkaller.appspotmail.com
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/bluetooth/hci_core.h | 1 -
net/bluetooth/hci_core.c | 4 +---
net/bluetooth/mgmt.c | 37 ++++++++++----------------------
3 files changed, 12 insertions(+), 30 deletions(-)
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index e9214ccfde2d7..1304877813137 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -2305,7 +2305,6 @@ void mgmt_advertising_added(struct sock *sk, struct hci_dev *hdev,
u8 instance);
void mgmt_advertising_removed(struct sock *sk, struct hci_dev *hdev,
u8 instance);
-void mgmt_adv_monitor_removed(struct hci_dev *hdev, u16 handle);
int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip);
void mgmt_adv_monitor_device_lost(struct hci_dev *hdev, u16 handle,
bdaddr_t *bdaddr, u8 addr_type);
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index febfd389ecf43..023ad47a385bf 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1862,10 +1862,8 @@ void hci_free_adv_monitor(struct hci_dev *hdev, struct adv_monitor *monitor)
if (monitor->handle)
idr_remove(&hdev->adv_monitors_idr, monitor->handle);
- if (monitor->state != ADV_MONITOR_STATE_NOT_REGISTERED) {
+ if (monitor->state != ADV_MONITOR_STATE_NOT_REGISTERED)
hdev->adv_monitors_cnt--;
- mgmt_adv_monitor_removed(hdev, monitor->handle);
- }
kfree(monitor);
}
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 589c3a481e4c1..fda492bf0cd47 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -5165,24 +5165,14 @@ static void mgmt_adv_monitor_added(struct sock *sk, struct hci_dev *hdev,
mgmt_event(MGMT_EV_ADV_MONITOR_ADDED, hdev, &ev, sizeof(ev), sk);
}
-void mgmt_adv_monitor_removed(struct hci_dev *hdev, u16 handle)
+static void mgmt_adv_monitor_removed(struct sock *sk, struct hci_dev *hdev,
+ u16 handle)
{
struct mgmt_ev_adv_monitor_removed ev;
- struct mgmt_pending_cmd *cmd;
- struct sock *sk_skip = NULL;
- struct mgmt_cp_remove_adv_monitor *cp;
-
- cmd = pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev);
- if (cmd) {
- cp = cmd->param;
-
- if (cp->monitor_handle)
- sk_skip = cmd->sk;
- }
ev.monitor_handle = cpu_to_le16(handle);
- mgmt_event(MGMT_EV_ADV_MONITOR_REMOVED, hdev, &ev, sizeof(ev), sk_skip);
+ mgmt_event(MGMT_EV_ADV_MONITOR_REMOVED, hdev, &ev, sizeof(ev), sk);
}
static int read_adv_mon_features(struct sock *sk, struct hci_dev *hdev,
@@ -5284,8 +5274,7 @@ static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
if (pending_find(MGMT_OP_SET_LE, hdev) ||
pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev) ||
- pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev) ||
- pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev)) {
+ pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev)) {
status = MGMT_STATUS_BUSY;
goto unlock;
}
@@ -5455,8 +5444,7 @@ static void mgmt_remove_adv_monitor_complete(struct hci_dev *hdev,
struct mgmt_pending_cmd *cmd = data;
struct mgmt_cp_remove_adv_monitor *cp;
- if (status == -ECANCELED ||
- cmd != pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev))
+ if (status == -ECANCELED)
return;
hci_dev_lock(hdev);
@@ -5465,12 +5453,14 @@ static void mgmt_remove_adv_monitor_complete(struct hci_dev *hdev,
rp.monitor_handle = cp->monitor_handle;
- if (!status)
+ if (!status) {
+ mgmt_adv_monitor_removed(cmd->sk, hdev, cp->monitor_handle);
hci_update_passive_scan(hdev);
+ }
mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
mgmt_status(status), &rp, sizeof(rp));
- mgmt_pending_remove(cmd);
+ mgmt_pending_free(cmd);
hci_dev_unlock(hdev);
bt_dev_dbg(hdev, "remove monitor %d complete, status %d",
@@ -5480,10 +5470,6 @@ static void mgmt_remove_adv_monitor_complete(struct hci_dev *hdev,
static int mgmt_remove_adv_monitor_sync(struct hci_dev *hdev, void *data)
{
struct mgmt_pending_cmd *cmd = data;
-
- if (cmd != pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev))
- return -ECANCELED;
-
struct mgmt_cp_remove_adv_monitor *cp = cmd->param;
u16 handle = __le16_to_cpu(cp->monitor_handle);
@@ -5502,14 +5488,13 @@ static int remove_adv_monitor(struct sock *sk, struct hci_dev *hdev,
hci_dev_lock(hdev);
if (pending_find(MGMT_OP_SET_LE, hdev) ||
- pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev) ||
pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev) ||
pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev)) {
status = MGMT_STATUS_BUSY;
goto unlock;
}
- cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_ADV_MONITOR, hdev, data, len);
+ cmd = mgmt_pending_new(sk, MGMT_OP_REMOVE_ADV_MONITOR, hdev, data, len);
if (!cmd) {
status = MGMT_STATUS_NO_RESOURCES;
goto unlock;
@@ -5519,7 +5504,7 @@ static int remove_adv_monitor(struct sock *sk, struct hci_dev *hdev,
mgmt_remove_adv_monitor_complete);
if (err) {
- mgmt_pending_remove(cmd);
+ mgmt_pending_free(cmd);
if (err == -ENOMEM)
status = MGMT_STATUS_NO_RESOURCES;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 293/356] Bluetooth: MGMT: Remove unused mgmt_pending_find_data
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 292/356] Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 294/356] Bluetooth: MGMT: Protect mgmt_pending list with its own lock Greg Kroah-Hartman
` (71 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dr. David Alan Gilbert, Simon Horman,
Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dr. David Alan Gilbert <linux@treblig.org>
[ Upstream commit 276af34d82f13bda0b2a4d9786c90b8bbf1cd064 ]
mgmt_pending_find_data() last use was removed in 2021 by
commit 5a7501374664 ("Bluetooth: hci_sync: Convert MGMT_OP_GET_CLOCK_INFO")
Remove it.
Signed-off-by: Dr. David Alan Gilbert <linux@treblig.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Stable-dep-of: 6fe26f694c82 ("Bluetooth: MGMT: Protect mgmt_pending list with its own lock")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/mgmt_util.c | 17 -----------------
net/bluetooth/mgmt_util.h | 4 ----
2 files changed, 21 deletions(-)
diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
index 17e32605d9b00..dba6a0d66500f 100644
--- a/net/bluetooth/mgmt_util.c
+++ b/net/bluetooth/mgmt_util.c
@@ -229,23 +229,6 @@ struct mgmt_pending_cmd *mgmt_pending_find(unsigned short channel, u16 opcode,
return NULL;
}
-struct mgmt_pending_cmd *mgmt_pending_find_data(unsigned short channel,
- u16 opcode,
- struct hci_dev *hdev,
- const void *data)
-{
- struct mgmt_pending_cmd *cmd;
-
- list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
- if (cmd->user_data != data)
- continue;
- if (cmd->opcode == opcode)
- return cmd;
- }
-
- return NULL;
-}
-
void mgmt_pending_foreach(u16 opcode, struct hci_dev *hdev,
void (*cb)(struct mgmt_pending_cmd *cmd, void *data),
void *data)
diff --git a/net/bluetooth/mgmt_util.h b/net/bluetooth/mgmt_util.h
index bdf978605d5a8..f2ba994ab1d84 100644
--- a/net/bluetooth/mgmt_util.h
+++ b/net/bluetooth/mgmt_util.h
@@ -54,10 +54,6 @@ int mgmt_cmd_complete(struct sock *sk, u16 index, u16 cmd, u8 status,
struct mgmt_pending_cmd *mgmt_pending_find(unsigned short channel, u16 opcode,
struct hci_dev *hdev);
-struct mgmt_pending_cmd *mgmt_pending_find_data(unsigned short channel,
- u16 opcode,
- struct hci_dev *hdev,
- const void *data);
void mgmt_pending_foreach(u16 opcode, struct hci_dev *hdev,
void (*cb)(struct mgmt_pending_cmd *cmd, void *data),
void *data);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 294/356] Bluetooth: MGMT: Protect mgmt_pending list with its own lock
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 293/356] Bluetooth: MGMT: Remove unused mgmt_pending_find_data Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 295/356] ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() Greg Kroah-Hartman
` (70 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+0a7039d5d9986ff4ecec,
syzbot+cc0cc52e7f43dc9e6df1, Dmitry Antipov,
Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 6fe26f694c824b8a4dbf50c635bee1302e3f099c ]
This uses a mutex to protect from concurrent access of mgmt_pending
list which can cause crashes like:
==================================================================
BUG: KASAN: slab-use-after-free in hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91
Read of size 2 at addr ffff0000c48885b2 by task syz.4.334/7318
CPU: 0 UID: 0 PID: 7318 Comm: syz.4.334 Not tainted 6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
print_address_description+0xa8/0x254 mm/kasan/report.c:408
print_report+0x68/0x84 mm/kasan/report.c:521
kasan_report+0xb0/0x110 mm/kasan/report.c:634
__asan_report_load2_noabort+0x20/0x2c mm/kasan/report_generic.c:379
hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91
mgmt_pending_find+0x7c/0x140 net/bluetooth/mgmt_util.c:223
pending_find net/bluetooth/mgmt.c:947 [inline]
remove_adv_monitor+0x44/0x1a4 net/bluetooth/mgmt.c:5445
hci_mgmt_cmd+0x780/0xc00 net/bluetooth/hci_sock.c:1712
hci_sock_sendmsg+0x544/0xbb0 net/bluetooth/hci_sock.c:1832
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg net/socket.c:727 [inline]
sock_write_iter+0x25c/0x378 net/socket.c:1131
new_sync_write fs/read_write.c:591 [inline]
vfs_write+0x62c/0x97c fs/read_write.c:684
ksys_write+0x120/0x210 fs/read_write.c:736
__do_sys_write fs/read_write.c:747 [inline]
__se_sys_write fs/read_write.c:744 [inline]
__arm64_sys_write+0x7c/0x90 fs/read_write.c:744
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Allocated by task 7037:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:68
kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4327 [inline]
__kmalloc_noprof+0x2fc/0x4c8 mm/slub.c:4339
kmalloc_noprof include/linux/slab.h:909 [inline]
sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:2198
sk_alloc+0x44/0x3ac net/core/sock.c:2254
bt_sock_alloc+0x4c/0x300 net/bluetooth/af_bluetooth.c:148
hci_sock_create+0xa8/0x194 net/bluetooth/hci_sock.c:2202
bt_sock_create+0x14c/0x24c net/bluetooth/af_bluetooth.c:132
__sock_create+0x43c/0x91c net/socket.c:1541
sock_create net/socket.c:1599 [inline]
__sys_socket_create net/socket.c:1636 [inline]
__sys_socket+0xd4/0x1c0 net/socket.c:1683
__do_sys_socket net/socket.c:1697 [inline]
__se_sys_socket net/socket.c:1695 [inline]
__arm64_sys_socket+0x7c/0x94 net/socket.c:1695
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Freed by task 6607:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:68
kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x68/0x88 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2380 [inline]
slab_free mm/slub.c:4642 [inline]
kfree+0x17c/0x474 mm/slub.c:4841
sk_prot_free net/core/sock.c:2237 [inline]
__sk_destruct+0x4f4/0x760 net/core/sock.c:2332
sk_destruct net/core/sock.c:2360 [inline]
__sk_free+0x320/0x430 net/core/sock.c:2371
sk_free+0x60/0xc8 net/core/sock.c:2382
sock_put include/net/sock.h:1944 [inline]
mgmt_pending_free+0x88/0x118 net/bluetooth/mgmt_util.c:290
mgmt_pending_remove+0xec/0x104 net/bluetooth/mgmt_util.c:298
mgmt_set_powered_complete+0x418/0x5cc net/bluetooth/mgmt.c:1355
hci_cmd_sync_work+0x204/0x33c net/bluetooth/hci_sync.c:334
process_one_work+0x7e8/0x156c kernel/workqueue.c:3238
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x958/0xed8 kernel/workqueue.c:3400
kthread+0x5fc/0x75c kernel/kthread.c:464
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847
Fixes: a380b6cff1a2 ("Bluetooth: Add generic mgmt helper API")
Closes: https://syzkaller.appspot.com/bug?extid=0a7039d5d9986ff4ecec
Closes: https://syzkaller.appspot.com/bug?extid=cc0cc52e7f43dc9e6df1
Reported-by: syzbot+0a7039d5d9986ff4ecec@syzkaller.appspotmail.com
Tested-by: syzbot+0a7039d5d9986ff4ecec@syzkaller.appspotmail.com
Tested-by: syzbot+cc0cc52e7f43dc9e6df1@syzkaller.appspotmail.com
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/bluetooth/hci_core.h | 1 +
net/bluetooth/hci_core.c | 1 +
net/bluetooth/mgmt.c | 101 +++++++++++++++----------------
net/bluetooth/mgmt_util.c | 32 ++++++++--
net/bluetooth/mgmt_util.h | 4 +-
5 files changed, 80 insertions(+), 59 deletions(-)
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index 1304877813137..d63af08c6cdc2 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -542,6 +542,7 @@ struct hci_dev {
struct hci_conn_hash conn_hash;
struct list_head mesh_pending;
+ struct mutex mgmt_pending_lock;
struct list_head mgmt_pending;
struct list_head reject_list;
struct list_head accept_list;
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 023ad47a385bf..32f7bd0e89168 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2490,6 +2490,7 @@ struct hci_dev *hci_alloc_dev_priv(int sizeof_priv)
mutex_init(&hdev->lock);
mutex_init(&hdev->req_lock);
+ mutex_init(&hdev->mgmt_pending_lock);
ida_init(&hdev->unset_handle_ida);
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index fda492bf0cd47..44174f59b31e6 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1433,22 +1433,17 @@ static void settings_rsp(struct mgmt_pending_cmd *cmd, void *data)
send_settings_rsp(cmd->sk, cmd->opcode, match->hdev);
- list_del(&cmd->list);
-
if (match->sk == NULL) {
match->sk = cmd->sk;
sock_hold(match->sk);
}
-
- mgmt_pending_free(cmd);
}
static void cmd_status_rsp(struct mgmt_pending_cmd *cmd, void *data)
{
u8 *status = data;
- mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, *status);
- mgmt_pending_remove(cmd);
+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, *status);
}
static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
@@ -1462,8 +1457,6 @@ static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
if (cmd->cmd_complete) {
cmd->cmd_complete(cmd, match->mgmt_status);
- mgmt_pending_remove(cmd);
-
return;
}
@@ -1472,13 +1465,13 @@ static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
static int generic_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
{
- return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
+ return mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, status,
cmd->param, cmd->param_len);
}
static int addr_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
{
- return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
+ return mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, status,
cmd->param, sizeof(struct mgmt_addr_info));
}
@@ -1518,7 +1511,7 @@ static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data,
if (err) {
u8 mgmt_err = mgmt_status(err);
- mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err);
hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
goto done;
}
@@ -1693,7 +1686,7 @@ static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data,
if (err) {
u8 mgmt_err = mgmt_status(err);
- mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err);
goto done;
}
@@ -1930,8 +1923,8 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
new_settings(hdev, NULL);
}
- mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, cmd_status_rsp,
- &mgmt_err);
+ mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true,
+ cmd_status_rsp, &mgmt_err);
return;
}
@@ -1941,7 +1934,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
changed = hci_dev_test_and_clear_flag(hdev, HCI_SSP_ENABLED);
}
- mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, settings_rsp, &match);
+ mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true, settings_rsp, &match);
if (changed)
new_settings(hdev, match.sk);
@@ -2061,12 +2054,12 @@ static void set_le_complete(struct hci_dev *hdev, void *data, int err)
bt_dev_dbg(hdev, "err %d", err);
if (status) {
- mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, cmd_status_rsp,
- &status);
+ mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, cmd_status_rsp,
+ &status);
return;
}
- mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, settings_rsp, &match);
+ mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, settings_rsp, &match);
new_settings(hdev, match.sk);
@@ -2125,7 +2118,7 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err)
struct sock *sk = cmd->sk;
if (status) {
- mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev,
+ mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true,
cmd_status_rsp, &status);
return;
}
@@ -2566,7 +2559,7 @@ static void mgmt_class_complete(struct hci_dev *hdev, void *data, int err)
bt_dev_dbg(hdev, "err %d", err);
- mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
+ mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode,
mgmt_status(err), hdev->dev_class, 3);
mgmt_pending_free(cmd);
@@ -3354,7 +3347,7 @@ static int pairing_complete(struct mgmt_pending_cmd *cmd, u8 status)
bacpy(&rp.addr.bdaddr, &conn->dst);
rp.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
- err = mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_PAIR_DEVICE,
+ err = mgmt_cmd_complete(cmd->sk, cmd->hdev->id, MGMT_OP_PAIR_DEVICE,
status, &rp, sizeof(rp));
/* So we don't get further callbacks for this connection */
@@ -5243,7 +5236,7 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev,
hci_update_passive_scan(hdev);
}
- mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
+ mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode,
mgmt_status(status), &rp, sizeof(rp));
mgmt_pending_remove(cmd);
@@ -5458,7 +5451,7 @@ static void mgmt_remove_adv_monitor_complete(struct hci_dev *hdev,
hci_update_passive_scan(hdev);
}
- mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
+ mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode,
mgmt_status(status), &rp, sizeof(rp));
mgmt_pending_free(cmd);
@@ -5857,7 +5850,7 @@ static void start_discovery_complete(struct hci_dev *hdev, void *data, int err)
cmd != pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev))
return;
- mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(err),
+ mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err),
cmd->param, 1);
mgmt_pending_remove(cmd);
@@ -6095,7 +6088,7 @@ static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err)
bt_dev_dbg(hdev, "err %d", err);
- mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(err),
+ mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err),
cmd->param, 1);
mgmt_pending_remove(cmd);
@@ -6320,7 +6313,7 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err)
u8 status = mgmt_status(err);
if (status) {
- mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev,
+ mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true,
cmd_status_rsp, &status);
return;
}
@@ -6330,7 +6323,7 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err)
else
hci_dev_clear_flag(hdev, HCI_ADVERTISING);
- mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, settings_rsp,
+ mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true, settings_rsp,
&match);
new_settings(hdev, match.sk);
@@ -6674,7 +6667,7 @@ static void set_bredr_complete(struct hci_dev *hdev, void *data, int err)
*/
hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
- mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err);
} else {
send_settings_rsp(cmd->sk, MGMT_OP_SET_BREDR, hdev);
new_settings(hdev, cmd->sk);
@@ -6811,7 +6804,7 @@ static void set_secure_conn_complete(struct hci_dev *hdev, void *data, int err)
if (err) {
u8 mgmt_err = mgmt_status(err);
- mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err);
goto done;
}
@@ -7258,7 +7251,7 @@ static void get_conn_info_complete(struct hci_dev *hdev, void *data, int err)
rp.max_tx_power = HCI_TX_POWER_INVALID;
}
- mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO, status,
+ mgmt_cmd_complete(cmd->sk, cmd->hdev->id, MGMT_OP_GET_CONN_INFO, status,
&rp, sizeof(rp));
mgmt_pending_free(cmd);
@@ -7418,7 +7411,7 @@ static void get_clock_info_complete(struct hci_dev *hdev, void *data, int err)
}
complete:
- mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, &rp,
+ mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, status, &rp,
sizeof(rp));
mgmt_pending_free(cmd);
@@ -8622,10 +8615,10 @@ static void add_advertising_complete(struct hci_dev *hdev, void *data, int err)
rp.instance = cp->instance;
if (err)
- mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode,
mgmt_status(err));
else
- mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
+ mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode,
mgmt_status(err), &rp, sizeof(rp));
add_adv_complete(hdev, cmd->sk, cp->instance, err);
@@ -8813,10 +8806,10 @@ static void add_ext_adv_params_complete(struct hci_dev *hdev, void *data,
hci_remove_adv_instance(hdev, cp->instance);
- mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode,
mgmt_status(err));
} else {
- mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
+ mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode,
mgmt_status(err), &rp, sizeof(rp));
}
@@ -8964,10 +8957,10 @@ static void add_ext_adv_data_complete(struct hci_dev *hdev, void *data, int err)
rp.instance = cp->instance;
if (err)
- mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode,
mgmt_status(err));
else
- mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
+ mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode,
mgmt_status(err), &rp, sizeof(rp));
mgmt_pending_free(cmd);
@@ -9126,10 +9119,10 @@ static void remove_advertising_complete(struct hci_dev *hdev, void *data,
rp.instance = cp->instance;
if (err)
- mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode,
mgmt_status(err));
else
- mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
+ mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode,
MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
mgmt_pending_free(cmd);
@@ -9400,7 +9393,7 @@ void mgmt_index_removed(struct hci_dev *hdev)
if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
return;
- mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &match);
+ mgmt_pending_foreach(0, hdev, true, cmd_complete_rsp, &match);
if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
mgmt_index_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev, NULL, 0,
@@ -9438,7 +9431,8 @@ void mgmt_power_on(struct hci_dev *hdev, int err)
hci_update_passive_scan(hdev);
}
- mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
+ mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, true, settings_rsp,
+ &match);
new_settings(hdev, match.sk);
@@ -9453,7 +9447,8 @@ void __mgmt_power_off(struct hci_dev *hdev)
struct cmd_lookup match = { NULL, hdev };
u8 zero_cod[] = { 0, 0, 0 };
- mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
+ mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, true, settings_rsp,
+ &match);
/* If the power off is because of hdev unregistration let
* use the appropriate INVALID_INDEX status. Otherwise use
@@ -9467,7 +9462,7 @@ void __mgmt_power_off(struct hci_dev *hdev)
else
match.mgmt_status = MGMT_STATUS_NOT_POWERED;
- mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &match);
+ mgmt_pending_foreach(0, hdev, true, cmd_complete_rsp, &match);
if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0) {
mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev,
@@ -9708,7 +9703,6 @@ static void unpair_device_rsp(struct mgmt_pending_cmd *cmd, void *data)
device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, cmd->sk);
cmd->cmd_complete(cmd, 0);
- mgmt_pending_remove(cmd);
}
bool mgmt_powering_down(struct hci_dev *hdev)
@@ -9761,8 +9755,8 @@ void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
struct mgmt_cp_disconnect *cp;
struct mgmt_pending_cmd *cmd;
- mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
- hdev);
+ mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, true,
+ unpair_device_rsp, hdev);
cmd = pending_find(MGMT_OP_DISCONNECT, hdev);
if (!cmd)
@@ -9955,7 +9949,7 @@ void mgmt_auth_enable_complete(struct hci_dev *hdev, u8 status)
if (status) {
u8 mgmt_err = mgmt_status(status);
- mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev,
+ mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev, true,
cmd_status_rsp, &mgmt_err);
return;
}
@@ -9965,8 +9959,8 @@ void mgmt_auth_enable_complete(struct hci_dev *hdev, u8 status)
else
changed = hci_dev_test_and_clear_flag(hdev, HCI_LINK_SECURITY);
- mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev, settings_rsp,
- &match);
+ mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev, true,
+ settings_rsp, &match);
if (changed)
new_settings(hdev, match.sk);
@@ -9990,9 +9984,12 @@ void mgmt_set_class_of_dev_complete(struct hci_dev *hdev, u8 *dev_class,
{
struct cmd_lookup match = { NULL, hdev, mgmt_status(status) };
- mgmt_pending_foreach(MGMT_OP_SET_DEV_CLASS, hdev, sk_lookup, &match);
- mgmt_pending_foreach(MGMT_OP_ADD_UUID, hdev, sk_lookup, &match);
- mgmt_pending_foreach(MGMT_OP_REMOVE_UUID, hdev, sk_lookup, &match);
+ mgmt_pending_foreach(MGMT_OP_SET_DEV_CLASS, hdev, false, sk_lookup,
+ &match);
+ mgmt_pending_foreach(MGMT_OP_ADD_UUID, hdev, false, sk_lookup,
+ &match);
+ mgmt_pending_foreach(MGMT_OP_REMOVE_UUID, hdev, false, sk_lookup,
+ &match);
if (!status) {
mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev, dev_class,
diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
index dba6a0d66500f..4ba500c377a4c 100644
--- a/net/bluetooth/mgmt_util.c
+++ b/net/bluetooth/mgmt_util.c
@@ -217,30 +217,47 @@ int mgmt_cmd_complete(struct sock *sk, u16 index, u16 cmd, u8 status,
struct mgmt_pending_cmd *mgmt_pending_find(unsigned short channel, u16 opcode,
struct hci_dev *hdev)
{
- struct mgmt_pending_cmd *cmd;
+ struct mgmt_pending_cmd *cmd, *tmp;
+
+ mutex_lock(&hdev->mgmt_pending_lock);
- list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
+ list_for_each_entry_safe(cmd, tmp, &hdev->mgmt_pending, list) {
if (hci_sock_get_channel(cmd->sk) != channel)
continue;
- if (cmd->opcode == opcode)
+
+ if (cmd->opcode == opcode) {
+ mutex_unlock(&hdev->mgmt_pending_lock);
return cmd;
+ }
}
+ mutex_unlock(&hdev->mgmt_pending_lock);
+
return NULL;
}
-void mgmt_pending_foreach(u16 opcode, struct hci_dev *hdev,
+void mgmt_pending_foreach(u16 opcode, struct hci_dev *hdev, bool remove,
void (*cb)(struct mgmt_pending_cmd *cmd, void *data),
void *data)
{
struct mgmt_pending_cmd *cmd, *tmp;
+ mutex_lock(&hdev->mgmt_pending_lock);
+
list_for_each_entry_safe(cmd, tmp, &hdev->mgmt_pending, list) {
if (opcode > 0 && cmd->opcode != opcode)
continue;
+ if (remove)
+ list_del(&cmd->list);
+
cb(cmd, data);
+
+ if (remove)
+ mgmt_pending_free(cmd);
}
+
+ mutex_unlock(&hdev->mgmt_pending_lock);
}
struct mgmt_pending_cmd *mgmt_pending_new(struct sock *sk, u16 opcode,
@@ -254,7 +271,7 @@ struct mgmt_pending_cmd *mgmt_pending_new(struct sock *sk, u16 opcode,
return NULL;
cmd->opcode = opcode;
- cmd->index = hdev->id;
+ cmd->hdev = hdev;
cmd->param = kmemdup(data, len, GFP_KERNEL);
if (!cmd->param) {
@@ -280,7 +297,9 @@ struct mgmt_pending_cmd *mgmt_pending_add(struct sock *sk, u16 opcode,
if (!cmd)
return NULL;
+ mutex_lock(&hdev->mgmt_pending_lock);
list_add_tail(&cmd->list, &hdev->mgmt_pending);
+ mutex_unlock(&hdev->mgmt_pending_lock);
return cmd;
}
@@ -294,7 +313,10 @@ void mgmt_pending_free(struct mgmt_pending_cmd *cmd)
void mgmt_pending_remove(struct mgmt_pending_cmd *cmd)
{
+ mutex_lock(&cmd->hdev->mgmt_pending_lock);
list_del(&cmd->list);
+ mutex_unlock(&cmd->hdev->mgmt_pending_lock);
+
mgmt_pending_free(cmd);
}
diff --git a/net/bluetooth/mgmt_util.h b/net/bluetooth/mgmt_util.h
index f2ba994ab1d84..024e51dd69375 100644
--- a/net/bluetooth/mgmt_util.h
+++ b/net/bluetooth/mgmt_util.h
@@ -33,7 +33,7 @@ struct mgmt_mesh_tx {
struct mgmt_pending_cmd {
struct list_head list;
u16 opcode;
- int index;
+ struct hci_dev *hdev;
void *param;
size_t param_len;
struct sock *sk;
@@ -54,7 +54,7 @@ int mgmt_cmd_complete(struct sock *sk, u16 index, u16 cmd, u8 status,
struct mgmt_pending_cmd *mgmt_pending_find(unsigned short channel, u16 opcode,
struct hci_dev *hdev);
-void mgmt_pending_foreach(u16 opcode, struct hci_dev *hdev,
+void mgmt_pending_foreach(u16 opcode, struct hci_dev *hdev, bool remove,
void (*cb)(struct mgmt_pending_cmd *cmd, void *data),
void *data);
struct mgmt_pending_cmd *mgmt_pending_add(struct sock *sk, u16 opcode,
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 295/356] ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 294/356] Bluetooth: MGMT: Protect mgmt_pending list with its own lock Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 296/356] ath10k: snoc: fix unbalanced IRQ enable in crash recovery Greg Kroah-Hartman
` (69 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeongjun Park, Richard Cochran,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeongjun Park <aha310510@gmail.com>
[ Upstream commit 87f7ce260a3c838b49e1dc1ceedf1006795157a2 ]
There is no disagreement that we should check both ptp->is_virtual_clock
and ptp->n_vclocks to check if the ptp virtual clock is in use.
However, when we acquire ptp->n_vclocks_mux to read ptp->n_vclocks in
ptp_vclock_in_use(), we observe a recursive lock in the call trace
starting from n_vclocks_store().
============================================
WARNING: possible recursive locking detected
6.15.0-rc6 #1 Not tainted
--------------------------------------------
syz.0.1540/13807 is trying to acquire lock:
ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:
ptp_vclock_in_use drivers/ptp/ptp_private.h:103 [inline]
ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:
ptp_clock_unregister+0x21/0x250 drivers/ptp/ptp_clock.c:415
but task is already holding lock:
ffff888030704868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at:
n_vclocks_store+0xf1/0x6d0 drivers/ptp/ptp_sysfs.c:215
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&ptp->n_vclocks_mux);
lock(&ptp->n_vclocks_mux);
*** DEADLOCK ***
....
============================================
The best way to solve this is to remove the logic that checks
ptp->n_vclocks in ptp_vclock_in_use().
The reason why this is appropriate is that any path that uses
ptp->n_vclocks must unconditionally check if ptp->n_vclocks is greater
than 0 before unregistering vclocks, and all functions are already
written this way. And in the function that uses ptp->n_vclocks, we
already get ptp->n_vclocks_mux before unregistering vclocks.
Therefore, we need to remove the redundant check for ptp->n_vclocks in
ptp_vclock_in_use() to prevent recursive locking.
Fixes: 73f37068d540 ("ptp: support ptp physical/virtual clocks conversion")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Link: https://patch.msgid.link/20250520160717.7350-1-aha310510@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ptp/ptp_private.h | 12 +-----------
1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/drivers/ptp/ptp_private.h b/drivers/ptp/ptp_private.h
index b8d4f61f14be4..d0eb4555720eb 100644
--- a/drivers/ptp/ptp_private.h
+++ b/drivers/ptp/ptp_private.h
@@ -89,17 +89,7 @@ static inline int queue_cnt(const struct timestamp_event_queue *q)
/* Check if ptp virtual clock is in use */
static inline bool ptp_vclock_in_use(struct ptp_clock *ptp)
{
- bool in_use = false;
-
- if (mutex_lock_interruptible(&ptp->n_vclocks_mux))
- return true;
-
- if (!ptp->is_virtual_clock && ptp->n_vclocks)
- in_use = true;
-
- mutex_unlock(&ptp->n_vclocks_mux);
-
- return in_use;
+ return !ptp->is_virtual_clock;
}
/* Check if ptp clock shall be free running */
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 296/356] ath10k: snoc: fix unbalanced IRQ enable in crash recovery
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 295/356] ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-18 18:06 ` Casey Connolly
2025-06-17 15:26 ` [PATCH 6.6 297/356] wifi: ath11k: fix soc_dp_stats debugfs file permission Greg Kroah-Hartman
` (68 subsequent siblings)
364 siblings, 1 reply; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Caleb Connolly, Loic Poulain,
Jeff Johnson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Caleb Connolly <caleb.connolly@linaro.org>
[ Upstream commit 1650d32b92b01db03a1a95d69ee74fcbc34d4b00 ]
In ath10k_snoc_hif_stop() we skip disabling the IRQs in the crash
recovery flow, but we still unconditionally call enable again in
ath10k_snoc_hif_start().
We can't check the ATH10K_FLAG_CRASH_FLUSH bit since it is cleared
before hif_start() is called, so instead check the
ATH10K_SNOC_FLAG_RECOVERY flag and skip enabling the IRQs during crash
recovery.
This fixes unbalanced IRQ enable splats that happen after recovering from
a crash.
Fixes: 0e622f67e041 ("ath10k: add support for WCN3990 firmware crash recovery")
Signed-off-by: Caleb Connolly <caleb.connolly@linaro.org>
Tested-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
Link: https://patch.msgid.link/20250318205043.1043148-1-caleb.connolly@linaro.org
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath10k/snoc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath10k/snoc.c b/drivers/net/wireless/ath/ath10k/snoc.c
index 2c39bad7ebfb9..1d06d4125992d 100644
--- a/drivers/net/wireless/ath/ath10k/snoc.c
+++ b/drivers/net/wireless/ath/ath10k/snoc.c
@@ -937,7 +937,9 @@ static int ath10k_snoc_hif_start(struct ath10k *ar)
dev_set_threaded(&ar->napi_dev, true);
ath10k_core_napi_enable(ar);
- ath10k_snoc_irq_enable(ar);
+ /* IRQs are left enabled when we restart due to a firmware crash */
+ if (!test_bit(ATH10K_SNOC_FLAG_RECOVERY, &ar_snoc->flags))
+ ath10k_snoc_irq_enable(ar);
ath10k_snoc_rx_post(ar);
clear_bit(ATH10K_SNOC_FLAG_RECOVERY, &ar_snoc->flags);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 297/356] wifi: ath11k: fix soc_dp_stats debugfs file permission
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 296/356] ath10k: snoc: fix unbalanced IRQ enable in crash recovery Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 298/356] wifi: ath11k: convert timeouts to secs_to_jiffies() Greg Kroah-Hartman
` (67 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Johnson, Kalle Valo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Johnson <quic_jjohnson@quicinc.com>
[ Upstream commit fa645e663165d69f05f95a0c3aa3b3d08f4fdeda ]
Currently the soc_dp_stats debugfs file has the following permissions:
# ls -l /sys/kernel/debug/ath11k/pci-0000:03:00.0/soc_dp_stats
-rw------- 1 root root 0 Mar 4 15:04 /sys/kernel/debug/ath11k/pci-0000:03:00.0/soc_dp_stats
However this file does not actually support write operations -- no .write()
method is registered. Therefore use the correct permissions when creating
the file.
After the change:
# ls -l /sys/kernel/debug/ath11k/pci-0000:03:00.0/soc_dp_stats
-r-------- 1 root root 0 Mar 4 15:15 /sys/kernel/debug/ath11k/pci-0000:03:00.0/soc_dp_stats
Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://msgid.link/20240305-fix-soc_dp_stats-permission-v1-1-2ec10b42f755@quicinc.com
Stable-dep-of: 9f6e82d11bb9 ("wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/debugfs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/debugfs.c b/drivers/net/wireless/ath/ath11k/debugfs.c
index 8cda73b78ebf4..34aa04d27a1d7 100644
--- a/drivers/net/wireless/ath/ath11k/debugfs.c
+++ b/drivers/net/wireless/ath/ath11k/debugfs.c
@@ -1,7 +1,7 @@
// SPDX-License-Identifier: BSD-3-Clause-Clear
/*
* Copyright (c) 2018-2020 The Linux Foundation. All rights reserved.
- * Copyright (c) 2021-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include <linux/vmalloc.h>
@@ -980,7 +980,7 @@ int ath11k_debugfs_pdev_create(struct ath11k_base *ab)
debugfs_create_file("simulate_fw_crash", 0600, ab->debugfs_soc, ab,
&fops_simulate_fw_crash);
- debugfs_create_file("soc_dp_stats", 0600, ab->debugfs_soc, ab,
+ debugfs_create_file("soc_dp_stats", 0400, ab->debugfs_soc, ab,
&fops_soc_dp_stats);
if (ab->hw_params.sram_dump.start != 0)
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 298/356] wifi: ath11k: convert timeouts to secs_to_jiffies()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 297/356] wifi: ath11k: fix soc_dp_stats debugfs file permission Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 299/356] wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request() Greg Kroah-Hartman
` (66 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeff Johnson, Easwar Hariharan,
Alexander Gordeev, Andrew Lunn, Anna-Maria Behnsen,
Catalin Marinas, Christian Borntraeger, Christophe Leroy,
Daniel Mack, David Airlie, David S. Miller, Dick Kennedy,
Eric Dumazet, Florian Fainelli, Haojian Zhuang, Heiko Carstens,
Ilya Dryomov, Jack Wang, Jakub Kicinski, James Bottomley,
James Smart, Jaroslav Kysela, Jeff Johnson, Jens Axboe,
Jeroen de Borst, Jiri Kosina, Joe Lawrence, Johan Hedberg,
Josh Poimboeuf, Jozsef Kadlecsik, Julia Lawall, Kalle Valo,
Louis Peens, Lucas De Marchi, Luiz Augusto von Dentz,
Maarten Lankhorst, Madhavan Srinivasan, Marcel Holtmann,
Martin K. Petersen, Maxime Ripard, Michael Ellerman,
Miroslav Benes, Naveen N Rao, Nicholas Piggin, Nicolas Palix,
Oded Gabbay, Ofir Bitton, Pablo Neira Ayuso, Paolo Abeni,
Petr Mladek, Praveen Kaligineedi, Ray Jui, Robert Jarzmik,
Rodrigo Vivi, Roger Pau Monné, Russell King, Scott Branden,
Shailend Chand, Simona Vetter, Simon Horman, Sven Schnelle,
Takashi Iwai, Thomas Hellström, Thomas Zimmermann,
Vasily Gorbik, Xiubo Li, Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Easwar Hariharan <eahariha@linux.microsoft.com>
[ Upstream commit b29425972c5234a59b6fb634125420ed74266377 ]
Commit b35108a51cf7 ("jiffies: Define secs_to_jiffies()") introduced
secs_to_jiffies(). As the value here is a multiple of 1000, use
secs_to_jiffies() instead of msecs_to_jiffies to avoid the multiplication.
This is converted using scripts/coccinelle/misc/secs_to_jiffies.cocci with
the following Coccinelle rules:
@@ constant C; @@
- msecs_to_jiffies(C * 1000)
+ secs_to_jiffies(C)
@@ constant C; @@
- msecs_to_jiffies(C * MSEC_PER_SEC)
+ secs_to_jiffies(C)
Link: https://lkml.kernel.org/r/20241210-converge-secs-to-jiffies-v3-14-ddfefd7e9f2a@linux.microsoft.com
Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: Easwar Hariharan <eahariha@linux.microsoft.com>
Cc: Alexander Gordeev <agordeev@linux.ibm.com>
Cc: Andrew Lunn <andrew+netdev@lunn.ch>
Cc: Anna-Maria Behnsen <anna-maria@linutronix.de>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Daniel Mack <daniel@zonque.org>
Cc: David Airlie <airlied@gmail.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Dick Kennedy <dick.kennedy@broadcom.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Florian Fainelli <florian.fainelli@broadcom.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Haojian Zhuang <haojian.zhuang@gmail.com>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Ilya Dryomov <idryomov@gmail.com>
Cc: Jack Wang <jinpu.wang@cloud.ionos.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: James Smart <james.smart@broadcom.com>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Jeff Johnson <jjohnson@kernel.org>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Jeroen de Borst <jeroendb@google.com>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Joe Lawrence <joe.lawrence@redhat.com>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Cc: Josh Poimboeuf <jpoimboe@kernel.org>
Cc: Jozsef Kadlecsik <kadlec@netfilter.org>
Cc: Julia Lawall <julia.lawall@inria.fr>
Cc: Kalle Valo <kvalo@kernel.org>
Cc: Louis Peens <louis.peens@corigine.com>
Cc: Lucas De Marchi <lucas.demarchi@intel.com>
Cc: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Martin K. Petersen <martin.petersen@oracle.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Miroslav Benes <mbenes@suse.cz>
Cc: Naveen N Rao <naveen@kernel.org>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Nicolas Palix <nicolas.palix@imag.fr>
Cc: Oded Gabbay <ogabbay@kernel.org>
Cc: Ofir Bitton <obitton@habana.ai>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Petr Mladek <pmladek@suse.com>
Cc: Praveen Kaligineedi <pkaligineedi@google.com>
Cc: Ray Jui <rjui@broadcom.com>
Cc: Robert Jarzmik <robert.jarzmik@free.fr>
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
Cc: Roger Pau Monné <roger.pau@citrix.com>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Scott Branden <sbranden@broadcom.com>
Cc: Shailend Chand <shailend@google.com>
Cc: Simona Vetter <simona@ffwll.ch>
Cc: Simon Horman <horms@kernel.org>
Cc: Sven Schnelle <svens@linux.ibm.com>
Cc: Takashi Iwai <tiwai@suse.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: Xiubo Li <xiubli@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 9f6e82d11bb9 ("wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/debugfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath11k/debugfs.c b/drivers/net/wireless/ath/ath11k/debugfs.c
index 34aa04d27a1d7..a8bd944f76d92 100644
--- a/drivers/net/wireless/ath/ath11k/debugfs.c
+++ b/drivers/net/wireless/ath/ath11k/debugfs.c
@@ -178,7 +178,7 @@ static int ath11k_debugfs_fw_stats_request(struct ath11k *ar,
* received 'update stats' event, we keep a 3 seconds timeout in case,
* fw_stats_done is not marked yet
*/
- timeout = jiffies + msecs_to_jiffies(3 * 1000);
+ timeout = jiffies + secs_to_jiffies(3);
ath11k_debugfs_fw_stats_reset(ar);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 299/356] wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 298/356] wifi: ath11k: convert timeouts to secs_to_jiffies() Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 300/356] wifi: ath11k: dont use static variables in ath11k_debugfs_fw_stats_process() Greg Kroah-Hartman
` (65 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yury Vostrikov, Baochen Qiang,
Vasanthakumar Thiagarajan, Jeff Johnson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baochen Qiang <quic_bqiang@quicinc.com>
[ Upstream commit 9f6e82d11bb9692a90d20b10f87345598945c803 ]
We get report [1] that CPU is running a hot loop in
ath11k_debugfs_fw_stats_request():
94.60% 0.00% i3status [kernel.kallsyms] [k] do_syscall_64
|
--94.60%--do_syscall_64
|
--94.55%--__sys_sendmsg
___sys_sendmsg
____sys_sendmsg
netlink_sendmsg
netlink_unicast
genl_rcv
netlink_rcv_skb
genl_rcv_msg
|
--94.55%--genl_family_rcv_msg_dumpit
__netlink_dump_start
netlink_dump
genl_dumpit
nl80211_dump_station
|
--94.55%--ieee80211_dump_station
sta_set_sinfo
|
--94.55%--ath11k_mac_op_sta_statistics
ath11k_debugfs_get_fw_stats
|
--94.55%--ath11k_debugfs_fw_stats_request
|
|--41.73%--_raw_spin_lock_bh
|
|--22.74%--__local_bh_enable_ip
|
|--9.22%--_raw_spin_unlock_bh
|
--6.66%--srso_alias_safe_ret
This is because, if for whatever reason ar->fw_stats_done is not set by
ath11k_update_stats_event(), ath11k_debugfs_fw_stats_request() won't yield
CPU before an up to 3s timeout.
Change to completion mechanism to avoid CPU burning.
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.37
Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Reported-by: Yury Vostrikov <mon@unformed.ru>
Closes: https://lore.kernel.org/all/7324ac7a-8b7a-42a5-aa19-de52138ff638@app.fastmail.com/ # [1]
Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
Link: https://patch.msgid.link/20250220082448.31039-2-quic_bqiang@quicinc.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/core.c | 1 +
drivers/net/wireless/ath/ath11k/core.h | 2 +-
drivers/net/wireless/ath/ath11k/debugfs.c | 38 +++++++++--------------
drivers/net/wireless/ath/ath11k/mac.c | 2 +-
drivers/net/wireless/ath/ath11k/wmi.c | 2 +-
5 files changed, 18 insertions(+), 27 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
index f9870ba651d8f..12c5f50f61f90 100644
--- a/drivers/net/wireless/ath/ath11k/core.c
+++ b/drivers/net/wireless/ath/ath11k/core.c
@@ -748,6 +748,7 @@ void ath11k_fw_stats_init(struct ath11k *ar)
INIT_LIST_HEAD(&ar->fw_stats.bcn);
init_completion(&ar->fw_stats_complete);
+ init_completion(&ar->fw_stats_done);
}
void ath11k_fw_stats_free(struct ath11k_fw_stats *stats)
diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
index b044477624837..41ccf59a4fd93 100644
--- a/drivers/net/wireless/ath/ath11k/core.h
+++ b/drivers/net/wireless/ath/ath11k/core.h
@@ -732,7 +732,7 @@ struct ath11k {
u8 alpha2[REG_ALPHA2_LEN + 1];
struct ath11k_fw_stats fw_stats;
struct completion fw_stats_complete;
- bool fw_stats_done;
+ struct completion fw_stats_done;
/* protected by conf_mutex */
bool ps_state_enable;
diff --git a/drivers/net/wireless/ath/ath11k/debugfs.c b/drivers/net/wireless/ath/ath11k/debugfs.c
index a8bd944f76d92..a5791155fe065 100644
--- a/drivers/net/wireless/ath/ath11k/debugfs.c
+++ b/drivers/net/wireless/ath/ath11k/debugfs.c
@@ -1,7 +1,7 @@
// SPDX-License-Identifier: BSD-3-Clause-Clear
/*
* Copyright (c) 2018-2020 The Linux Foundation. All rights reserved.
- * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include <linux/vmalloc.h>
@@ -96,7 +96,6 @@ void ath11k_debugfs_add_dbring_entry(struct ath11k *ar,
static void ath11k_debugfs_fw_stats_reset(struct ath11k *ar)
{
spin_lock_bh(&ar->data_lock);
- ar->fw_stats_done = false;
ath11k_fw_stats_pdevs_free(&ar->fw_stats.pdevs);
ath11k_fw_stats_vdevs_free(&ar->fw_stats.vdevs);
spin_unlock_bh(&ar->data_lock);
@@ -114,7 +113,7 @@ void ath11k_debugfs_fw_stats_process(struct ath11k *ar, struct ath11k_fw_stats *
/* WMI_REQUEST_PDEV_STAT request has been already processed */
if (stats->stats_id == WMI_REQUEST_RSSI_PER_CHAIN_STAT) {
- ar->fw_stats_done = true;
+ complete(&ar->fw_stats_done);
return;
}
@@ -138,7 +137,7 @@ void ath11k_debugfs_fw_stats_process(struct ath11k *ar, struct ath11k_fw_stats *
&ar->fw_stats.vdevs);
if (is_end) {
- ar->fw_stats_done = true;
+ complete(&ar->fw_stats_done);
num_vdev = 0;
}
return;
@@ -158,7 +157,7 @@ void ath11k_debugfs_fw_stats_process(struct ath11k *ar, struct ath11k_fw_stats *
&ar->fw_stats.bcn);
if (is_end) {
- ar->fw_stats_done = true;
+ complete(&ar->fw_stats_done);
num_bcn = 0;
}
}
@@ -168,21 +167,15 @@ static int ath11k_debugfs_fw_stats_request(struct ath11k *ar,
struct stats_request_params *req_param)
{
struct ath11k_base *ab = ar->ab;
- unsigned long timeout, time_left;
+ unsigned long time_left;
int ret;
lockdep_assert_held(&ar->conf_mutex);
- /* FW stats can get split when exceeding the stats data buffer limit.
- * In that case, since there is no end marking for the back-to-back
- * received 'update stats' event, we keep a 3 seconds timeout in case,
- * fw_stats_done is not marked yet
- */
- timeout = jiffies + secs_to_jiffies(3);
-
ath11k_debugfs_fw_stats_reset(ar);
reinit_completion(&ar->fw_stats_complete);
+ reinit_completion(&ar->fw_stats_done);
ret = ath11k_wmi_send_stats_request_cmd(ar, req_param);
@@ -193,21 +186,18 @@ static int ath11k_debugfs_fw_stats_request(struct ath11k *ar,
}
time_left = wait_for_completion_timeout(&ar->fw_stats_complete, 1 * HZ);
-
if (!time_left)
return -ETIMEDOUT;
- for (;;) {
- if (time_after(jiffies, timeout))
- break;
+ /* FW stats can get split when exceeding the stats data buffer limit.
+ * In that case, since there is no end marking for the back-to-back
+ * received 'update stats' event, we keep a 3 seconds timeout in case,
+ * fw_stats_done is not marked yet
+ */
+ time_left = wait_for_completion_timeout(&ar->fw_stats_done, 3 * HZ);
+ if (!time_left)
+ return -ETIMEDOUT;
- spin_lock_bh(&ar->data_lock);
- if (ar->fw_stats_done) {
- spin_unlock_bh(&ar->data_lock);
- break;
- }
- spin_unlock_bh(&ar->data_lock);
- }
return 0;
}
diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
index 4247c0f840a48..c3bfbc40273d0 100644
--- a/drivers/net/wireless/ath/ath11k/mac.c
+++ b/drivers/net/wireless/ath/ath11k/mac.c
@@ -9010,11 +9010,11 @@ static int ath11k_fw_stats_request(struct ath11k *ar,
lockdep_assert_held(&ar->conf_mutex);
spin_lock_bh(&ar->data_lock);
- ar->fw_stats_done = false;
ath11k_fw_stats_pdevs_free(&ar->fw_stats.pdevs);
spin_unlock_bh(&ar->data_lock);
reinit_completion(&ar->fw_stats_complete);
+ reinit_completion(&ar->fw_stats_done);
ret = ath11k_wmi_send_stats_request_cmd(ar, req_param);
if (ret) {
diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
index 2cc13e60f422f..9a829b8282420 100644
--- a/drivers/net/wireless/ath/ath11k/wmi.c
+++ b/drivers/net/wireless/ath/ath11k/wmi.c
@@ -8183,7 +8183,7 @@ static void ath11k_update_stats_event(struct ath11k_base *ab, struct sk_buff *sk
*/
if (stats.stats_id == WMI_REQUEST_PDEV_STAT) {
list_splice_tail_init(&stats.pdevs, &ar->fw_stats.pdevs);
- ar->fw_stats_done = true;
+ complete(&ar->fw_stats_done);
goto complete;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 300/356] wifi: ath11k: dont use static variables in ath11k_debugfs_fw_stats_process()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 299/356] wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request() Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 301/356] wifi: ath11k: dont wait when there is no vdev started Greg Kroah-Hartman
` (64 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baochen Qiang, Kalle Valo,
Vasanthakumar Thiagarajan, Jeff Johnson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baochen Qiang <quic_bqiang@quicinc.com>
[ Upstream commit 2bcf73b2612dda7432f2c2eaad6679bd291791f2 ]
Currently ath11k_debugfs_fw_stats_process() is using static variables to count
firmware stat events. Taking num_vdev as an example, if for whatever reason (
say ar->num_started_vdevs is 0 or firmware bug etc.) the following condition
(++num_vdev) == total_vdevs_started
is not met, is_end is not set thus num_vdev won't be cleared. Next time when
firmware stats is requested again, even if everything is working fine, we will
fail due to the condition above will never be satisfied.
The same applies to num_bcn as well.
Change to use non-static counters so that we have a chance to clear them each
time firmware stats is requested. Currently only ath11k_fw_stats_request() and
ath11k_debugfs_fw_stats_request() are requesting firmware stats, so clear
counters there.
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.37
Fixes: da3a9d3c1576 ("ath11k: refactor debugfs code into debugfs.c")
Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
Acked-by: Kalle Valo <kvalo@kernel.org>
Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
Link: https://patch.msgid.link/20250220082448.31039-3-quic_bqiang@quicinc.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/core.h | 2 ++
drivers/net/wireless/ath/ath11k/debugfs.c | 16 +++++++---------
drivers/net/wireless/ath/ath11k/mac.c | 2 ++
3 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
index 41ccf59a4fd93..555deafd8399a 100644
--- a/drivers/net/wireless/ath/ath11k/core.h
+++ b/drivers/net/wireless/ath/ath11k/core.h
@@ -550,6 +550,8 @@ struct ath11k_fw_stats {
struct list_head pdevs;
struct list_head vdevs;
struct list_head bcn;
+ u32 num_vdev_recvd;
+ u32 num_bcn_recvd;
};
struct ath11k_dbg_htt_stats {
diff --git a/drivers/net/wireless/ath/ath11k/debugfs.c b/drivers/net/wireless/ath/ath11k/debugfs.c
index a5791155fe065..5a375d6680594 100644
--- a/drivers/net/wireless/ath/ath11k/debugfs.c
+++ b/drivers/net/wireless/ath/ath11k/debugfs.c
@@ -98,6 +98,8 @@ static void ath11k_debugfs_fw_stats_reset(struct ath11k *ar)
spin_lock_bh(&ar->data_lock);
ath11k_fw_stats_pdevs_free(&ar->fw_stats.pdevs);
ath11k_fw_stats_vdevs_free(&ar->fw_stats.vdevs);
+ ar->fw_stats.num_vdev_recvd = 0;
+ ar->fw_stats.num_bcn_recvd = 0;
spin_unlock_bh(&ar->data_lock);
}
@@ -106,7 +108,6 @@ void ath11k_debugfs_fw_stats_process(struct ath11k *ar, struct ath11k_fw_stats *
struct ath11k_base *ab = ar->ab;
struct ath11k_pdev *pdev;
bool is_end;
- static unsigned int num_vdev, num_bcn;
size_t total_vdevs_started = 0;
int i;
@@ -131,15 +132,14 @@ void ath11k_debugfs_fw_stats_process(struct ath11k *ar, struct ath11k_fw_stats *
total_vdevs_started += ar->num_started_vdevs;
}
- is_end = ((++num_vdev) == total_vdevs_started);
+ is_end = ((++ar->fw_stats.num_vdev_recvd) == total_vdevs_started);
list_splice_tail_init(&stats->vdevs,
&ar->fw_stats.vdevs);
- if (is_end) {
+ if (is_end)
complete(&ar->fw_stats_done);
- num_vdev = 0;
- }
+
return;
}
@@ -151,15 +151,13 @@ void ath11k_debugfs_fw_stats_process(struct ath11k *ar, struct ath11k_fw_stats *
/* Mark end until we reached the count of all started VDEVs
* within the PDEV
*/
- is_end = ((++num_bcn) == ar->num_started_vdevs);
+ is_end = ((++ar->fw_stats.num_bcn_recvd) == ar->num_started_vdevs);
list_splice_tail_init(&stats->bcn,
&ar->fw_stats.bcn);
- if (is_end) {
+ if (is_end)
complete(&ar->fw_stats_done);
- num_bcn = 0;
- }
}
}
diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
index c3bfbc40273d0..9df3f6449f768 100644
--- a/drivers/net/wireless/ath/ath11k/mac.c
+++ b/drivers/net/wireless/ath/ath11k/mac.c
@@ -9011,6 +9011,8 @@ static int ath11k_fw_stats_request(struct ath11k *ar,
spin_lock_bh(&ar->data_lock);
ath11k_fw_stats_pdevs_free(&ar->fw_stats.pdevs);
+ ar->fw_stats.num_vdev_recvd = 0;
+ ar->fw_stats.num_bcn_recvd = 0;
spin_unlock_bh(&ar->data_lock);
reinit_completion(&ar->fw_stats_complete);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 301/356] wifi: ath11k: dont wait when there is no vdev started
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 300/356] wifi: ath11k: dont use static variables in ath11k_debugfs_fw_stats_process() Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 302/356] wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready Greg Kroah-Hartman
` (63 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baochen Qiang,
Vasanthakumar Thiagarajan, Jeff Johnson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baochen Qiang <quic_bqiang@quicinc.com>
[ Upstream commit 3b6d00fa883075dcaf49221538230e038a9c0b43 ]
For WMI_REQUEST_VDEV_STAT request, firmware might split response into
multiple events dut to buffer limit, hence currently in
ath11k_debugfs_fw_stats_process() we wait until all events received.
In case there is no vdev started, this results in that below condition
would never get satisfied
((++ar->fw_stats.num_vdev_recvd) == total_vdevs_started)
finally the requestor would be blocked until wait time out.
The same applies to WMI_REQUEST_BCN_STAT request as well due to:
((++ar->fw_stats.num_bcn_recvd) == ar->num_started_vdevs)
Change to check the number of started vdev first: if it is zero, finish
wait directly; if not, follow the old way.
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.37
Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
Link: https://patch.msgid.link/20250220082448.31039-4-quic_bqiang@quicinc.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/debugfs.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/debugfs.c b/drivers/net/wireless/ath/ath11k/debugfs.c
index 5a375d6680594..50bc17127e68a 100644
--- a/drivers/net/wireless/ath/ath11k/debugfs.c
+++ b/drivers/net/wireless/ath/ath11k/debugfs.c
@@ -107,7 +107,7 @@ void ath11k_debugfs_fw_stats_process(struct ath11k *ar, struct ath11k_fw_stats *
{
struct ath11k_base *ab = ar->ab;
struct ath11k_pdev *pdev;
- bool is_end;
+ bool is_end = true;
size_t total_vdevs_started = 0;
int i;
@@ -132,7 +132,9 @@ void ath11k_debugfs_fw_stats_process(struct ath11k *ar, struct ath11k_fw_stats *
total_vdevs_started += ar->num_started_vdevs;
}
- is_end = ((++ar->fw_stats.num_vdev_recvd) == total_vdevs_started);
+ if (total_vdevs_started)
+ is_end = ((++ar->fw_stats.num_vdev_recvd) ==
+ total_vdevs_started);
list_splice_tail_init(&stats->vdevs,
&ar->fw_stats.vdevs);
@@ -151,7 +153,9 @@ void ath11k_debugfs_fw_stats_process(struct ath11k *ar, struct ath11k_fw_stats *
/* Mark end until we reached the count of all started VDEVs
* within the PDEV
*/
- is_end = ((++ar->fw_stats.num_bcn_recvd) == ar->num_started_vdevs);
+ if (ar->num_started_vdevs)
+ is_end = ((++ar->fw_stats.num_bcn_recvd) ==
+ ar->num_started_vdevs);
list_splice_tail_init(&stats->bcn,
&ar->fw_stats.bcn);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 302/356] wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 301/356] wifi: ath11k: dont wait when there is no vdev started Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 303/356] regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt() Greg Kroah-Hartman
` (62 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rodrigo Gobbi, kernel test robot,
Dan Carpenter, Baochen Qiang, Jeff Johnson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rodrigo Gobbi <rodrigo.gobbi.7@gmail.com>
[ Upstream commit b0d226a60856a1b765bb9a3848c7b2322fd08c47 ]
if ath11k_crypto_mode is invalid (not ATH11K_CRYPT_MODE_SW/ATH11K_CRYPT_MODE_HW),
ath11k_core_qmi_firmware_ready() will not undo some actions that was previously
started/configured. Do the validation as soon as possible in order to avoid
undoing actions in that case and also to fix the following smatch warning:
drivers/net/wireless/ath/ath11k/core.c:2166 ath11k_core_qmi_firmware_ready()
warn: missing unwind goto?
Signed-off-by: Rodrigo Gobbi <rodrigo.gobbi.7@gmail.com>
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202304151955.oqAetVFd-lkp@intel.com/
Fixes: aa2092a9bab3 ("ath11k: add raw mode and software crypto support")
Reviewed-by: Baochen Qiang <quic_bqiang@quicinc.com>
Link: https://patch.msgid.link/20250522200519.16858-1-rodrigo.gobbi.7@gmail.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/core.c | 28 +++++++++++++-------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
index 12c5f50f61f90..609d8387c41f3 100644
--- a/drivers/net/wireless/ath/ath11k/core.c
+++ b/drivers/net/wireless/ath/ath11k/core.c
@@ -1638,6 +1638,20 @@ int ath11k_core_qmi_firmware_ready(struct ath11k_base *ab)
{
int ret;
+ switch (ath11k_crypto_mode) {
+ case ATH11K_CRYPT_MODE_SW:
+ set_bit(ATH11K_FLAG_HW_CRYPTO_DISABLED, &ab->dev_flags);
+ set_bit(ATH11K_FLAG_RAW_MODE, &ab->dev_flags);
+ break;
+ case ATH11K_CRYPT_MODE_HW:
+ clear_bit(ATH11K_FLAG_HW_CRYPTO_DISABLED, &ab->dev_flags);
+ clear_bit(ATH11K_FLAG_RAW_MODE, &ab->dev_flags);
+ break;
+ default:
+ ath11k_info(ab, "invalid crypto_mode: %d\n", ath11k_crypto_mode);
+ return -EINVAL;
+ }
+
ret = ath11k_core_start_firmware(ab, ab->fw_mode);
if (ret) {
ath11k_err(ab, "failed to start firmware: %d\n", ret);
@@ -1656,20 +1670,6 @@ int ath11k_core_qmi_firmware_ready(struct ath11k_base *ab)
goto err_firmware_stop;
}
- switch (ath11k_crypto_mode) {
- case ATH11K_CRYPT_MODE_SW:
- set_bit(ATH11K_FLAG_HW_CRYPTO_DISABLED, &ab->dev_flags);
- set_bit(ATH11K_FLAG_RAW_MODE, &ab->dev_flags);
- break;
- case ATH11K_CRYPT_MODE_HW:
- clear_bit(ATH11K_FLAG_HW_CRYPTO_DISABLED, &ab->dev_flags);
- clear_bit(ATH11K_FLAG_RAW_MODE, &ab->dev_flags);
- break;
- default:
- ath11k_info(ab, "invalid crypto_mode: %d\n", ath11k_crypto_mode);
- return -EINVAL;
- }
-
if (ath11k_frame_mode == ATH11K_HW_TXRX_RAW)
set_bit(ATH11K_FLAG_RAW_MODE, &ab->dev_flags);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 303/356] regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 302/356] wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 304/356] pinctrl: qcom: pinctrl-qcm2290: Add missing pins Greg Kroah-Hartman
` (61 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Laurent Pinchart,
Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 06118ae36855b7d3d22688298e74a766ccf0cb7a ]
There is a missing call to of_node_put() if devm_kcalloc() fails.
Fix this by changing the code to use cleanup.h magic to drop the
refcount.
Fixes: 6b0cd72757c6 ("regulator: max20086: fix invalid memory access")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/aDVRLqgJWMxYU03G@stanley.mountain
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/max20086-regulator.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/regulator/max20086-regulator.c b/drivers/regulator/max20086-regulator.c
index ebfbcadbca529..1cf04d1efb331 100644
--- a/drivers/regulator/max20086-regulator.c
+++ b/drivers/regulator/max20086-regulator.c
@@ -5,6 +5,7 @@
// Copyright (C) 2022 Laurent Pinchart <laurent.pinchart@idesonboard.com>
// Copyright (C) 2018 Avnet, Inc.
+#include <linux/cleanup.h>
#include <linux/err.h>
#include <linux/gpio/consumer.h>
#include <linux/i2c.h>
@@ -133,11 +134,11 @@ static int max20086_regulators_register(struct max20086 *chip)
static int max20086_parse_regulators_dt(struct max20086 *chip, bool *boot_on)
{
struct of_regulator_match *matches;
- struct device_node *node;
unsigned int i;
int ret;
- node = of_get_child_by_name(chip->dev->of_node, "regulators");
+ struct device_node *node __free(device_node) =
+ of_get_child_by_name(chip->dev->of_node, "regulators");
if (!node) {
dev_err(chip->dev, "regulators node not found\n");
return -ENODEV;
@@ -153,7 +154,6 @@ static int max20086_parse_regulators_dt(struct max20086 *chip, bool *boot_on)
ret = of_regulator_match(chip->dev, node, matches,
chip->info->num_outputs);
- of_node_put(node);
if (ret < 0) {
dev_err(chip->dev, "Failed to match regulators\n");
return -EINVAL;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 304/356] pinctrl: qcom: pinctrl-qcm2290: Add missing pins
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 303/356] regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt() Greg Kroah-Hartman
@ 2025-06-17 15:26 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 305/356] scsi: iscsi: Fix incorrect error path labels for flashnode operations Greg Kroah-Hartman
` (60 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:26 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wojciech Slenska, Dmitry Baryshkov,
Linus Walleij, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wojciech Slenska <wojciech.slenska@gmail.com>
[ Upstream commit 315345610faee8a0568b522dba9e35067d1732ab ]
Added the missing pins to the qcm2290_pins table.
Signed-off-by: Wojciech Slenska <wojciech.slenska@gmail.com>
Fixes: 48e049ef1238 ("pinctrl: qcom: Add QCM2290 pinctrl driver")
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/20250523101437.59092-1-wojciech.slenska@gmail.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/qcom/pinctrl-qcm2290.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/pinctrl/qcom/pinctrl-qcm2290.c b/drivers/pinctrl/qcom/pinctrl-qcm2290.c
index f5c1c427b44e9..61b7c22e963c2 100644
--- a/drivers/pinctrl/qcom/pinctrl-qcm2290.c
+++ b/drivers/pinctrl/qcom/pinctrl-qcm2290.c
@@ -165,6 +165,10 @@ static const struct pinctrl_pin_desc qcm2290_pins[] = {
PINCTRL_PIN(62, "GPIO_62"),
PINCTRL_PIN(63, "GPIO_63"),
PINCTRL_PIN(64, "GPIO_64"),
+ PINCTRL_PIN(65, "GPIO_65"),
+ PINCTRL_PIN(66, "GPIO_66"),
+ PINCTRL_PIN(67, "GPIO_67"),
+ PINCTRL_PIN(68, "GPIO_68"),
PINCTRL_PIN(69, "GPIO_69"),
PINCTRL_PIN(70, "GPIO_70"),
PINCTRL_PIN(71, "GPIO_71"),
@@ -179,12 +183,17 @@ static const struct pinctrl_pin_desc qcm2290_pins[] = {
PINCTRL_PIN(80, "GPIO_80"),
PINCTRL_PIN(81, "GPIO_81"),
PINCTRL_PIN(82, "GPIO_82"),
+ PINCTRL_PIN(83, "GPIO_83"),
+ PINCTRL_PIN(84, "GPIO_84"),
+ PINCTRL_PIN(85, "GPIO_85"),
PINCTRL_PIN(86, "GPIO_86"),
PINCTRL_PIN(87, "GPIO_87"),
PINCTRL_PIN(88, "GPIO_88"),
PINCTRL_PIN(89, "GPIO_89"),
PINCTRL_PIN(90, "GPIO_90"),
PINCTRL_PIN(91, "GPIO_91"),
+ PINCTRL_PIN(92, "GPIO_92"),
+ PINCTRL_PIN(93, "GPIO_93"),
PINCTRL_PIN(94, "GPIO_94"),
PINCTRL_PIN(95, "GPIO_95"),
PINCTRL_PIN(96, "GPIO_96"),
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 305/356] scsi: iscsi: Fix incorrect error path labels for flashnode operations
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2025-06-17 15:26 ` [PATCH 6.6 304/356] pinctrl: qcom: pinctrl-qcm2290: Add missing pins Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 306/356] net_sched: sch_sfq: fix a potential crash on gso_skb handling Greg Kroah-Hartman
` (59 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Mike Christie,
Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 9b17621366d210ffee83262a8754086ebbde5e55 ]
Correct the error handling goto labels used when host lookup fails in
various flashnode-related event handlers:
- iscsi_new_flashnode()
- iscsi_del_flashnode()
- iscsi_login_flashnode()
- iscsi_logout_flashnode()
- iscsi_logout_flashnode_sid()
scsi_host_put() is not required when shost is NULL, so jumping to the
correct label avoids unnecessary operations. These functions previously
jumped to the wrong goto label (put_host), which did not match the
intended cleanup logic.
Use the correct exit labels (exit_new_fnode, exit_del_fnode, etc.) to
ensure proper error handling. Also remove the unused put_host label
under iscsi_new_flashnode() as it is no longer needed.
No functional changes beyond accurate error path correction.
Fixes: c6a4bb2ef596 ("[SCSI] scsi_transport_iscsi: Add flash node mgmt support")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://lore.kernel.org/r/20250530193012.3312911-1-alok.a.tiwari@oracle.com
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/scsi_transport_iscsi.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
index 0c30fec555475..f2c31e74d8ed0 100644
--- a/drivers/scsi/scsi_transport_iscsi.c
+++ b/drivers/scsi/scsi_transport_iscsi.c
@@ -3525,7 +3525,7 @@ static int iscsi_new_flashnode(struct iscsi_transport *transport,
pr_err("%s could not find host no %u\n",
__func__, ev->u.new_flashnode.host_no);
err = -ENODEV;
- goto put_host;
+ goto exit_new_fnode;
}
index = transport->new_flashnode(shost, data, len);
@@ -3535,7 +3535,6 @@ static int iscsi_new_flashnode(struct iscsi_transport *transport,
else
err = -EIO;
-put_host:
scsi_host_put(shost);
exit_new_fnode:
@@ -3560,7 +3559,7 @@ static int iscsi_del_flashnode(struct iscsi_transport *transport,
pr_err("%s could not find host no %u\n",
__func__, ev->u.del_flashnode.host_no);
err = -ENODEV;
- goto put_host;
+ goto exit_del_fnode;
}
idx = ev->u.del_flashnode.flashnode_idx;
@@ -3602,7 +3601,7 @@ static int iscsi_login_flashnode(struct iscsi_transport *transport,
pr_err("%s could not find host no %u\n",
__func__, ev->u.login_flashnode.host_no);
err = -ENODEV;
- goto put_host;
+ goto exit_login_fnode;
}
idx = ev->u.login_flashnode.flashnode_idx;
@@ -3654,7 +3653,7 @@ static int iscsi_logout_flashnode(struct iscsi_transport *transport,
pr_err("%s could not find host no %u\n",
__func__, ev->u.logout_flashnode.host_no);
err = -ENODEV;
- goto put_host;
+ goto exit_logout_fnode;
}
idx = ev->u.logout_flashnode.flashnode_idx;
@@ -3704,7 +3703,7 @@ static int iscsi_logout_flashnode_sid(struct iscsi_transport *transport,
pr_err("%s could not find host no %u\n",
__func__, ev->u.logout_flashnode.host_no);
err = -ENODEV;
- goto put_host;
+ goto exit_logout_sid;
}
session = iscsi_session_lookup(ev->u.logout_flashnode_sid.sid);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 306/356] net_sched: sch_sfq: fix a potential crash on gso_skb handling
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 305/356] scsi: iscsi: Fix incorrect error path labels for flashnode operations Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 307/356] powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap Greg Kroah-Hartman
` (58 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marcus Wichelmann, Eric Dumazet,
Toke Høiland-Jørgensen, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 82ffbe7776d0ac084031f114167712269bf3d832 ]
SFQ has an assumption of always being able to queue at least one packet.
However, after the blamed commit, sch->q.len can be inflated by packets
in sch->gso_skb, and an enqueue() on an empty SFQ qdisc can be followed
by an immediate drop.
Fix sfq_drop() to properly clear q->tail in this situation.
Tested:
ip netns add lb
ip link add dev to-lb type veth peer name in-lb netns lb
ethtool -K to-lb tso off # force qdisc to requeue gso_skb
ip netns exec lb ethtool -K in-lb gro on # enable NAPI
ip link set dev to-lb up
ip -netns lb link set dev in-lb up
ip addr add dev to-lb 192.168.20.1/24
ip -netns lb addr add dev in-lb 192.168.20.2/24
tc qdisc replace dev to-lb root sfq limit 100
ip netns exec lb netserver
netperf -H 192.168.20.2 -l 100 &
netperf -H 192.168.20.2 -l 100 &
netperf -H 192.168.20.2 -l 100 &
netperf -H 192.168.20.2 -l 100 &
Fixes: a53851e2c321 ("net: sched: explicit locking in gso_cpu fallback")
Reported-by: Marcus Wichelmann <marcus.wichelmann@hetzner-cloud.de>
Closes: https://lore.kernel.org/netdev/9da42688-bfaa-4364-8797-e9271f3bdaef@hetzner-cloud.de/
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Link: https://patch.msgid.link/20250606165127.3629486-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_sfq.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c
index 002941d35b643..d564675a8be4d 100644
--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -310,7 +310,10 @@ static unsigned int sfq_drop(struct Qdisc *sch, struct sk_buff **to_free)
/* It is difficult to believe, but ALL THE SLOTS HAVE LENGTH 1. */
x = q->tail->next;
slot = &q->slots[x];
- q->tail->next = slot->next;
+ if (slot->next == x)
+ q->tail = NULL; /* no more active slots */
+ else
+ q->tail->next = slot->next;
q->ht[slot->hash] = SFQ_EMPTY_SLOT;
goto drop;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 307/356] powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 306/356] net_sched: sch_sfq: fix a potential crash on gso_skb handling Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 308/356] powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() Greg Kroah-Hartman
` (57 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Greental,
Ritesh Harjani (IBM), Madhavan Srinivasan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
[ Upstream commit cd097df4596f3a1e9d75eb8520162de1eb8485b2 ]
memtrace mmap issue has an out of bounds issue. This patch fixes the by
checking that the requested mapping region size should stay within the
allocated region size.
Reported-by: Jonathan Greental <yonatan02greental@gmail.com>
Fixes: 08a022ad3dfa ("powerpc/powernv/memtrace: Allow mmaping trace buffers")
Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20250610021227.361980-1-maddy@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/powernv/memtrace.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/platforms/powernv/memtrace.c b/arch/powerpc/platforms/powernv/memtrace.c
index 877720c645151..35471b679638a 100644
--- a/arch/powerpc/platforms/powernv/memtrace.c
+++ b/arch/powerpc/platforms/powernv/memtrace.c
@@ -48,11 +48,15 @@ static ssize_t memtrace_read(struct file *filp, char __user *ubuf,
static int memtrace_mmap(struct file *filp, struct vm_area_struct *vma)
{
struct memtrace_entry *ent = filp->private_data;
+ unsigned long ent_nrpages = ent->size >> PAGE_SHIFT;
+ unsigned long vma_nrpages = vma_pages(vma);
- if (ent->size < vma->vm_end - vma->vm_start)
+ /* The requested page offset should be within object's page count */
+ if (vma->vm_pgoff >= ent_nrpages)
return -EINVAL;
- if (vma->vm_pgoff << PAGE_SHIFT >= ent->size)
+ /* The requested mapping range should remain within the bounds */
+ if (vma_nrpages > ent_nrpages - vma->vm_pgoff)
return -EINVAL;
vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 308/356] powerpc/vas: Return -EINVAL if the offset is non-zero in mmap()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 307/356] powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 309/356] drm/meson: use unsigned long long / Hz for frequency types Greg Kroah-Hartman
` (56 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Greental, Haren Myneni,
Madhavan Srinivasan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haren Myneni <haren@linux.ibm.com>
[ Upstream commit 0d67f0dee6c9176bc09a5482dd7346e3a0f14d0b ]
The user space calls mmap() to map VAS window paste address
and the kernel returns the complete mapped page for each
window. So return -EINVAL if non-zero is passed for offset
parameter to mmap().
See Documentation/arch/powerpc/vas-api.rst for mmap()
restrictions.
Co-developed-by: Jonathan Greental <yonatan02greental@gmail.com>
Signed-off-by: Jonathan Greental <yonatan02greental@gmail.com>
Reported-by: Jonathan Greental <yonatan02greental@gmail.com>
Fixes: dda44eb29c23 ("powerpc/vas: Add VAS user space API")
Signed-off-by: Haren Myneni <haren@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20250610021227.361980-2-maddy@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/book3s/vas-api.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/arch/powerpc/platforms/book3s/vas-api.c b/arch/powerpc/platforms/book3s/vas-api.c
index 0b6365d85d117..dc6f75d3ac6ef 100644
--- a/arch/powerpc/platforms/book3s/vas-api.c
+++ b/arch/powerpc/platforms/book3s/vas-api.c
@@ -521,6 +521,15 @@ static int coproc_mmap(struct file *fp, struct vm_area_struct *vma)
return -EINVAL;
}
+ /*
+ * Map complete page to the paste address. So the user
+ * space should pass 0ULL to the offset parameter.
+ */
+ if (vma->vm_pgoff) {
+ pr_debug("Page offset unsupported to map paste address\n");
+ return -EINVAL;
+ }
+
/* Ensure instance has an open send window */
if (!txwin) {
pr_err("No send window open?\n");
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 309/356] drm/meson: use unsigned long long / Hz for frequency types
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 308/356] powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 310/356] drm/meson: fix debug log statement when setting the HDMI clocks Greg Kroah-Hartman
` (55 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Hewitt,
Martin Blumenstingl, Neil Armstrong, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
[ Upstream commit 1017560164b6bbcbc93579266926e6e96675262a ]
Christian reports that 4K output using YUV420 encoding fails with the
following error:
Fatal Error, invalid HDMI vclk freq 593406
Modetest shows the following:
3840x2160 59.94 3840 4016 4104 4400 2160 2168 2178 2250 593407 flags: xxxx, xxxx,
drm calculated value -------------------------------------^
This indicates that there's a (1kHz) mismatch between the clock
calculated by the drm framework and the meson driver.
Relevant function call stack:
(drm framework)
-> meson_encoder_hdmi_atomic_enable()
-> meson_encoder_hdmi_set_vclk()
-> meson_vclk_setup()
The video clock requested by the drm framework is 593407kHz. This is
passed by meson_encoder_hdmi_atomic_enable() to
meson_encoder_hdmi_set_vclk() and the following formula is applied:
- the frequency is halved (which would be 296703.5kHz) and rounded down
to the next full integer, which is 296703kHz
- TMDS clock is calculated (296703kHz * 10)
- video encoder clock is calculated - this needs to match a table from
meson_vclk.c and so it doubles the previously halved value again
(resulting in 593406kHz)
- meson_vclk_setup() can't find (either directly, or by deriving it from
594000kHz * 1000 / 1001 and rounding to the closest integer value -
which is 593407kHz as originally requested by the drm framework) a
matching clock in it's internal table and errors out with "invalid
HDMI vclk freq"
Fix the division precision by switching the whole meson driver to use
unsigned long long (64-bit) Hz values for clock frequencies instead of
unsigned int (32-bit) kHz to fix the rouding error.
Fixes: e5fab2ec9ca4 ("drm/meson: vclk: add support for YUV420 setup")
Reported-by: Christian Hewitt <christianshewitt@gmail.com>
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20250421201300.778955-3-martin.blumenstingl@googlemail.com
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20250421201300.778955-3-martin.blumenstingl@googlemail.com
Stable-dep-of: d17e61ab63fb ("drm/meson: fix debug log statement when setting the HDMI clocks")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/meson/meson_drv.c | 2 +-
drivers/gpu/drm/meson/meson_drv.h | 2 +-
drivers/gpu/drm/meson/meson_encoder_hdmi.c | 29 +--
drivers/gpu/drm/meson/meson_vclk.c | 195 +++++++++++----------
drivers/gpu/drm/meson/meson_vclk.h | 13 +-
5 files changed, 126 insertions(+), 115 deletions(-)
diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c
index 095f634ff7c79..27441e5716300 100644
--- a/drivers/gpu/drm/meson/meson_drv.c
+++ b/drivers/gpu/drm/meson/meson_drv.c
@@ -168,7 +168,7 @@ static const struct meson_drm_soc_attr meson_drm_soc_attrs[] = {
/* S805X/S805Y HDMI PLL won't lock for HDMI PHY freq > 1,65GHz */
{
.limits = {
- .max_hdmi_phy_freq = 1650000,
+ .max_hdmi_phy_freq = 1650000000,
},
.attrs = (const struct soc_device_attribute []) {
{ .soc_id = "GXL (S805*)", },
diff --git a/drivers/gpu/drm/meson/meson_drv.h b/drivers/gpu/drm/meson/meson_drv.h
index 3f9345c14f31c..be4b0e4df6e13 100644
--- a/drivers/gpu/drm/meson/meson_drv.h
+++ b/drivers/gpu/drm/meson/meson_drv.h
@@ -37,7 +37,7 @@ struct meson_drm_match_data {
};
struct meson_drm_soc_limits {
- unsigned int max_hdmi_phy_freq;
+ unsigned long long max_hdmi_phy_freq;
};
struct meson_drm {
diff --git a/drivers/gpu/drm/meson/meson_encoder_hdmi.c b/drivers/gpu/drm/meson/meson_encoder_hdmi.c
index c4686568c9ca5..cd0e9e2d59ee7 100644
--- a/drivers/gpu/drm/meson/meson_encoder_hdmi.c
+++ b/drivers/gpu/drm/meson/meson_encoder_hdmi.c
@@ -70,12 +70,12 @@ static void meson_encoder_hdmi_set_vclk(struct meson_encoder_hdmi *encoder_hdmi,
{
struct meson_drm *priv = encoder_hdmi->priv;
int vic = drm_match_cea_mode(mode);
- unsigned int phy_freq;
- unsigned int vclk_freq;
- unsigned int venc_freq;
- unsigned int hdmi_freq;
+ unsigned long long phy_freq;
+ unsigned long long vclk_freq;
+ unsigned long long venc_freq;
+ unsigned long long hdmi_freq;
- vclk_freq = mode->clock;
+ vclk_freq = mode->clock * 1000;
/* For 420, pixel clock is half unlike venc clock */
if (encoder_hdmi->output_bus_fmt == MEDIA_BUS_FMT_UYYVYY8_0_5X24)
@@ -107,7 +107,8 @@ static void meson_encoder_hdmi_set_vclk(struct meson_encoder_hdmi *encoder_hdmi,
if (mode->flags & DRM_MODE_FLAG_DBLCLK)
venc_freq /= 2;
- dev_dbg(priv->dev, "vclk:%d phy=%d venc=%d hdmi=%d enci=%d\n",
+ dev_dbg(priv->dev,
+ "vclk:%lluHz phy=%lluHz venc=%lluHz hdmi=%lluHz enci=%d\n",
phy_freq, vclk_freq, venc_freq, hdmi_freq,
priv->venc.hdmi_use_enci);
@@ -122,10 +123,11 @@ static enum drm_mode_status meson_encoder_hdmi_mode_valid(struct drm_bridge *bri
struct meson_encoder_hdmi *encoder_hdmi = bridge_to_meson_encoder_hdmi(bridge);
struct meson_drm *priv = encoder_hdmi->priv;
bool is_hdmi2_sink = display_info->hdmi.scdc.supported;
- unsigned int phy_freq;
- unsigned int vclk_freq;
- unsigned int venc_freq;
- unsigned int hdmi_freq;
+ unsigned long long clock = mode->clock * 1000;
+ unsigned long long phy_freq;
+ unsigned long long vclk_freq;
+ unsigned long long venc_freq;
+ unsigned long long hdmi_freq;
int vic = drm_match_cea_mode(mode);
enum drm_mode_status status;
@@ -144,12 +146,12 @@ static enum drm_mode_status meson_encoder_hdmi_mode_valid(struct drm_bridge *bri
if (status != MODE_OK)
return status;
- return meson_vclk_dmt_supported_freq(priv, mode->clock);
+ return meson_vclk_dmt_supported_freq(priv, clock);
/* Check against supported VIC modes */
} else if (!meson_venc_hdmi_supported_vic(vic))
return MODE_BAD;
- vclk_freq = mode->clock;
+ vclk_freq = clock;
/* For 420, pixel clock is half unlike venc clock */
if (drm_mode_is_420_only(display_info, mode) ||
@@ -179,7 +181,8 @@ static enum drm_mode_status meson_encoder_hdmi_mode_valid(struct drm_bridge *bri
if (mode->flags & DRM_MODE_FLAG_DBLCLK)
venc_freq /= 2;
- dev_dbg(priv->dev, "%s: vclk:%d phy=%d venc=%d hdmi=%d\n",
+ dev_dbg(priv->dev,
+ "%s: vclk:%lluHz phy=%lluHz venc=%lluHz hdmi=%lluHz\n",
__func__, phy_freq, vclk_freq, venc_freq, hdmi_freq);
return meson_vclk_vic_supported_freq(priv, phy_freq, vclk_freq);
diff --git a/drivers/gpu/drm/meson/meson_vclk.c b/drivers/gpu/drm/meson/meson_vclk.c
index 2a82119eb58ed..3325580d885d0 100644
--- a/drivers/gpu/drm/meson/meson_vclk.c
+++ b/drivers/gpu/drm/meson/meson_vclk.c
@@ -110,7 +110,10 @@
#define HDMI_PLL_LOCK BIT(31)
#define HDMI_PLL_LOCK_G12A (3 << 30)
-#define FREQ_1000_1001(_freq) DIV_ROUND_CLOSEST(_freq * 1000, 1001)
+#define PIXEL_FREQ_1000_1001(_freq) \
+ DIV_ROUND_CLOSEST_ULL((_freq) * 1000ULL, 1001ULL)
+#define PHY_FREQ_1000_1001(_freq) \
+ (PIXEL_FREQ_1000_1001(DIV_ROUND_DOWN_ULL(_freq, 10ULL)) * 10)
/* VID PLL Dividers */
enum {
@@ -360,11 +363,11 @@ enum {
};
struct meson_vclk_params {
- unsigned int pll_freq;
- unsigned int phy_freq;
- unsigned int vclk_freq;
- unsigned int venc_freq;
- unsigned int pixel_freq;
+ unsigned long long pll_freq;
+ unsigned long long phy_freq;
+ unsigned long long vclk_freq;
+ unsigned long long venc_freq;
+ unsigned long long pixel_freq;
unsigned int pll_od1;
unsigned int pll_od2;
unsigned int pll_od3;
@@ -372,11 +375,11 @@ struct meson_vclk_params {
unsigned int vclk_div;
} params[] = {
[MESON_VCLK_HDMI_ENCI_54000] = {
- .pll_freq = 4320000,
- .phy_freq = 270000,
- .vclk_freq = 54000,
- .venc_freq = 54000,
- .pixel_freq = 54000,
+ .pll_freq = 4320000000,
+ .phy_freq = 270000000,
+ .vclk_freq = 54000000,
+ .venc_freq = 54000000,
+ .pixel_freq = 54000000,
.pll_od1 = 4,
.pll_od2 = 4,
.pll_od3 = 1,
@@ -384,11 +387,11 @@ struct meson_vclk_params {
.vclk_div = 1,
},
[MESON_VCLK_HDMI_DDR_54000] = {
- .pll_freq = 4320000,
- .phy_freq = 270000,
- .vclk_freq = 54000,
- .venc_freq = 54000,
- .pixel_freq = 27000,
+ .pll_freq = 4320000000,
+ .phy_freq = 270000000,
+ .vclk_freq = 54000000,
+ .venc_freq = 54000000,
+ .pixel_freq = 27000000,
.pll_od1 = 4,
.pll_od2 = 4,
.pll_od3 = 1,
@@ -396,11 +399,11 @@ struct meson_vclk_params {
.vclk_div = 1,
},
[MESON_VCLK_HDMI_DDR_148500] = {
- .pll_freq = 2970000,
- .phy_freq = 742500,
- .vclk_freq = 148500,
- .venc_freq = 148500,
- .pixel_freq = 74250,
+ .pll_freq = 2970000000,
+ .phy_freq = 742500000,
+ .vclk_freq = 148500000,
+ .venc_freq = 148500000,
+ .pixel_freq = 74250000,
.pll_od1 = 4,
.pll_od2 = 1,
.pll_od3 = 1,
@@ -408,11 +411,11 @@ struct meson_vclk_params {
.vclk_div = 1,
},
[MESON_VCLK_HDMI_74250] = {
- .pll_freq = 2970000,
- .phy_freq = 742500,
- .vclk_freq = 74250,
- .venc_freq = 74250,
- .pixel_freq = 74250,
+ .pll_freq = 2970000000,
+ .phy_freq = 742500000,
+ .vclk_freq = 74250000,
+ .venc_freq = 74250000,
+ .pixel_freq = 74250000,
.pll_od1 = 2,
.pll_od2 = 2,
.pll_od3 = 2,
@@ -420,11 +423,11 @@ struct meson_vclk_params {
.vclk_div = 1,
},
[MESON_VCLK_HDMI_148500] = {
- .pll_freq = 2970000,
- .phy_freq = 1485000,
- .vclk_freq = 148500,
- .venc_freq = 148500,
- .pixel_freq = 148500,
+ .pll_freq = 2970000000,
+ .phy_freq = 1485000000,
+ .vclk_freq = 148500000,
+ .venc_freq = 148500000,
+ .pixel_freq = 148500000,
.pll_od1 = 1,
.pll_od2 = 2,
.pll_od3 = 2,
@@ -432,11 +435,11 @@ struct meson_vclk_params {
.vclk_div = 1,
},
[MESON_VCLK_HDMI_297000] = {
- .pll_freq = 5940000,
- .phy_freq = 2970000,
- .venc_freq = 297000,
- .vclk_freq = 297000,
- .pixel_freq = 297000,
+ .pll_freq = 5940000000,
+ .phy_freq = 2970000000,
+ .venc_freq = 297000000,
+ .vclk_freq = 297000000,
+ .pixel_freq = 297000000,
.pll_od1 = 2,
.pll_od2 = 1,
.pll_od3 = 1,
@@ -444,11 +447,11 @@ struct meson_vclk_params {
.vclk_div = 2,
},
[MESON_VCLK_HDMI_594000] = {
- .pll_freq = 5940000,
- .phy_freq = 5940000,
- .venc_freq = 594000,
- .vclk_freq = 594000,
- .pixel_freq = 594000,
+ .pll_freq = 5940000000,
+ .phy_freq = 5940000000,
+ .venc_freq = 594000000,
+ .vclk_freq = 594000000,
+ .pixel_freq = 594000000,
.pll_od1 = 1,
.pll_od2 = 1,
.pll_od3 = 2,
@@ -456,11 +459,11 @@ struct meson_vclk_params {
.vclk_div = 1,
},
[MESON_VCLK_HDMI_594000_YUV420] = {
- .pll_freq = 5940000,
- .phy_freq = 2970000,
- .venc_freq = 594000,
- .vclk_freq = 594000,
- .pixel_freq = 297000,
+ .pll_freq = 5940000000,
+ .phy_freq = 2970000000,
+ .venc_freq = 594000000,
+ .vclk_freq = 594000000,
+ .pixel_freq = 297000000,
.pll_od1 = 2,
.pll_od2 = 1,
.pll_od3 = 1,
@@ -617,16 +620,16 @@ static void meson_hdmi_pll_set_params(struct meson_drm *priv, unsigned int m,
3 << 20, pll_od_to_reg(od3) << 20);
}
-#define XTAL_FREQ 24000
+#define XTAL_FREQ (24 * 1000 * 1000)
static unsigned int meson_hdmi_pll_get_m(struct meson_drm *priv,
- unsigned int pll_freq)
+ unsigned long long pll_freq)
{
/* The GXBB PLL has a /2 pre-multiplier */
if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_GXBB))
- pll_freq /= 2;
+ pll_freq = DIV_ROUND_DOWN_ULL(pll_freq, 2);
- return pll_freq / XTAL_FREQ;
+ return DIV_ROUND_DOWN_ULL(pll_freq, XTAL_FREQ);
}
#define HDMI_FRAC_MAX_GXBB 4096
@@ -635,12 +638,13 @@ static unsigned int meson_hdmi_pll_get_m(struct meson_drm *priv,
static unsigned int meson_hdmi_pll_get_frac(struct meson_drm *priv,
unsigned int m,
- unsigned int pll_freq)
+ unsigned long long pll_freq)
{
- unsigned int parent_freq = XTAL_FREQ;
+ unsigned long long parent_freq = XTAL_FREQ;
unsigned int frac_max = HDMI_FRAC_MAX_GXL;
unsigned int frac_m;
unsigned int frac;
+ u32 remainder;
/* The GXBB PLL has a /2 pre-multiplier and a larger FRAC width */
if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_GXBB)) {
@@ -652,11 +656,11 @@ static unsigned int meson_hdmi_pll_get_frac(struct meson_drm *priv,
frac_max = HDMI_FRAC_MAX_G12A;
/* We can have a perfect match !*/
- if (pll_freq / m == parent_freq &&
- pll_freq % m == 0)
+ if (div_u64_rem(pll_freq, m, &remainder) == parent_freq &&
+ remainder == 0)
return 0;
- frac = div_u64((u64)pll_freq * (u64)frac_max, parent_freq);
+ frac = mul_u64_u64_div_u64(pll_freq, frac_max, parent_freq);
frac_m = m * frac_max;
if (frac_m > frac)
return frac_max;
@@ -666,7 +670,7 @@ static unsigned int meson_hdmi_pll_get_frac(struct meson_drm *priv,
}
static bool meson_hdmi_pll_validate_params(struct meson_drm *priv,
- unsigned int m,
+ unsigned long long m,
unsigned int frac)
{
if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_GXBB)) {
@@ -694,7 +698,7 @@ static bool meson_hdmi_pll_validate_params(struct meson_drm *priv,
}
static bool meson_hdmi_pll_find_params(struct meson_drm *priv,
- unsigned int freq,
+ unsigned long long freq,
unsigned int *m,
unsigned int *frac,
unsigned int *od)
@@ -706,7 +710,7 @@ static bool meson_hdmi_pll_find_params(struct meson_drm *priv,
continue;
*frac = meson_hdmi_pll_get_frac(priv, *m, freq * *od);
- DRM_DEBUG_DRIVER("PLL params for %dkHz: m=%x frac=%x od=%d\n",
+ DRM_DEBUG_DRIVER("PLL params for %lluHz: m=%x frac=%x od=%d\n",
freq, *m, *frac, *od);
if (meson_hdmi_pll_validate_params(priv, *m, *frac))
@@ -718,7 +722,7 @@ static bool meson_hdmi_pll_find_params(struct meson_drm *priv,
/* pll_freq is the frequency after the OD dividers */
enum drm_mode_status
-meson_vclk_dmt_supported_freq(struct meson_drm *priv, unsigned int freq)
+meson_vclk_dmt_supported_freq(struct meson_drm *priv, unsigned long long freq)
{
unsigned int od, m, frac;
@@ -741,7 +745,7 @@ EXPORT_SYMBOL_GPL(meson_vclk_dmt_supported_freq);
/* pll_freq is the frequency after the OD dividers */
static void meson_hdmi_pll_generic_set(struct meson_drm *priv,
- unsigned int pll_freq)
+ unsigned long long pll_freq)
{
unsigned int od, m, frac, od1, od2, od3;
@@ -756,7 +760,7 @@ static void meson_hdmi_pll_generic_set(struct meson_drm *priv,
od1 = od / od2;
}
- DRM_DEBUG_DRIVER("PLL params for %dkHz: m=%x frac=%x od=%d/%d/%d\n",
+ DRM_DEBUG_DRIVER("PLL params for %lluHz: m=%x frac=%x od=%d/%d/%d\n",
pll_freq, m, frac, od1, od2, od3);
meson_hdmi_pll_set_params(priv, m, frac, od1, od2, od3);
@@ -764,17 +768,18 @@ static void meson_hdmi_pll_generic_set(struct meson_drm *priv,
return;
}
- DRM_ERROR("Fatal, unable to find parameters for PLL freq %d\n",
+ DRM_ERROR("Fatal, unable to find parameters for PLL freq %lluHz\n",
pll_freq);
}
enum drm_mode_status
-meson_vclk_vic_supported_freq(struct meson_drm *priv, unsigned int phy_freq,
- unsigned int vclk_freq)
+meson_vclk_vic_supported_freq(struct meson_drm *priv,
+ unsigned long long phy_freq,
+ unsigned long long vclk_freq)
{
int i;
- DRM_DEBUG_DRIVER("phy_freq = %d vclk_freq = %d\n",
+ DRM_DEBUG_DRIVER("phy_freq = %lluHz vclk_freq = %lluHz\n",
phy_freq, vclk_freq);
/* Check against soc revision/package limits */
@@ -785,19 +790,19 @@ meson_vclk_vic_supported_freq(struct meson_drm *priv, unsigned int phy_freq,
}
for (i = 0 ; params[i].pixel_freq ; ++i) {
- DRM_DEBUG_DRIVER("i = %d pixel_freq = %d alt = %d\n",
+ DRM_DEBUG_DRIVER("i = %d pixel_freq = %lluHz alt = %lluHz\n",
i, params[i].pixel_freq,
- FREQ_1000_1001(params[i].pixel_freq));
- DRM_DEBUG_DRIVER("i = %d phy_freq = %d alt = %d\n",
+ PIXEL_FREQ_1000_1001(params[i].pixel_freq));
+ DRM_DEBUG_DRIVER("i = %d phy_freq = %lluHz alt = %lluHz\n",
i, params[i].phy_freq,
- FREQ_1000_1001(params[i].phy_freq/10)*10);
+ PHY_FREQ_1000_1001(params[i].phy_freq));
/* Match strict frequency */
if (phy_freq == params[i].phy_freq &&
vclk_freq == params[i].vclk_freq)
return MODE_OK;
/* Match 1000/1001 variant */
- if (phy_freq == (FREQ_1000_1001(params[i].phy_freq/10)*10) &&
- vclk_freq == FREQ_1000_1001(params[i].vclk_freq))
+ if (phy_freq == PHY_FREQ_1000_1001(params[i].phy_freq) &&
+ vclk_freq == PIXEL_FREQ_1000_1001(params[i].vclk_freq))
return MODE_OK;
}
@@ -805,8 +810,9 @@ meson_vclk_vic_supported_freq(struct meson_drm *priv, unsigned int phy_freq,
}
EXPORT_SYMBOL_GPL(meson_vclk_vic_supported_freq);
-static void meson_vclk_set(struct meson_drm *priv, unsigned int pll_base_freq,
- unsigned int od1, unsigned int od2, unsigned int od3,
+static void meson_vclk_set(struct meson_drm *priv,
+ unsigned long long pll_base_freq, unsigned int od1,
+ unsigned int od2, unsigned int od3,
unsigned int vid_pll_div, unsigned int vclk_div,
unsigned int hdmi_tx_div, unsigned int venc_div,
bool hdmi_use_enci, bool vic_alternate_clock)
@@ -826,15 +832,15 @@ static void meson_vclk_set(struct meson_drm *priv, unsigned int pll_base_freq,
meson_hdmi_pll_generic_set(priv, pll_base_freq);
} else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_GXBB)) {
switch (pll_base_freq) {
- case 2970000:
+ case 2970000000:
m = 0x3d;
frac = vic_alternate_clock ? 0xd02 : 0xe00;
break;
- case 4320000:
+ case 4320000000:
m = vic_alternate_clock ? 0x59 : 0x5a;
frac = vic_alternate_clock ? 0xe8f : 0;
break;
- case 5940000:
+ case 5940000000:
m = 0x7b;
frac = vic_alternate_clock ? 0xa05 : 0xc00;
break;
@@ -844,15 +850,15 @@ static void meson_vclk_set(struct meson_drm *priv, unsigned int pll_base_freq,
} else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_GXM) ||
meson_vpu_is_compatible(priv, VPU_COMPATIBLE_GXL)) {
switch (pll_base_freq) {
- case 2970000:
+ case 2970000000:
m = 0x7b;
frac = vic_alternate_clock ? 0x281 : 0x300;
break;
- case 4320000:
+ case 4320000000:
m = vic_alternate_clock ? 0xb3 : 0xb4;
frac = vic_alternate_clock ? 0x347 : 0;
break;
- case 5940000:
+ case 5940000000:
m = 0xf7;
frac = vic_alternate_clock ? 0x102 : 0x200;
break;
@@ -861,15 +867,15 @@ static void meson_vclk_set(struct meson_drm *priv, unsigned int pll_base_freq,
meson_hdmi_pll_set_params(priv, m, frac, od1, od2, od3);
} else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A)) {
switch (pll_base_freq) {
- case 2970000:
+ case 2970000000:
m = 0x7b;
frac = vic_alternate_clock ? 0x140b4 : 0x18000;
break;
- case 4320000:
+ case 4320000000:
m = vic_alternate_clock ? 0xb3 : 0xb4;
frac = vic_alternate_clock ? 0x1a3ee : 0;
break;
- case 5940000:
+ case 5940000000:
m = 0xf7;
frac = vic_alternate_clock ? 0x8148 : 0x10000;
break;
@@ -1025,14 +1031,14 @@ static void meson_vclk_set(struct meson_drm *priv, unsigned int pll_base_freq,
}
void meson_vclk_setup(struct meson_drm *priv, unsigned int target,
- unsigned int phy_freq, unsigned int vclk_freq,
- unsigned int venc_freq, unsigned int dac_freq,
+ unsigned long long phy_freq, unsigned long long vclk_freq,
+ unsigned long long venc_freq, unsigned long long dac_freq,
bool hdmi_use_enci)
{
bool vic_alternate_clock = false;
- unsigned int freq;
- unsigned int hdmi_tx_div;
- unsigned int venc_div;
+ unsigned long long freq;
+ unsigned long long hdmi_tx_div;
+ unsigned long long venc_div;
if (target == MESON_VCLK_TARGET_CVBS) {
meson_venci_cvbs_clock_config(priv);
@@ -1052,27 +1058,27 @@ void meson_vclk_setup(struct meson_drm *priv, unsigned int target,
return;
}
- hdmi_tx_div = vclk_freq / dac_freq;
+ hdmi_tx_div = DIV_ROUND_DOWN_ULL(vclk_freq, dac_freq);
if (hdmi_tx_div == 0) {
- pr_err("Fatal Error, invalid HDMI-TX freq %d\n",
+ pr_err("Fatal Error, invalid HDMI-TX freq %lluHz\n",
dac_freq);
return;
}
- venc_div = vclk_freq / venc_freq;
+ venc_div = DIV_ROUND_DOWN_ULL(vclk_freq, venc_freq);
if (venc_div == 0) {
- pr_err("Fatal Error, invalid HDMI venc freq %d\n",
+ pr_err("Fatal Error, invalid HDMI venc freq %lluHz\n",
venc_freq);
return;
}
for (freq = 0 ; params[freq].pixel_freq ; ++freq) {
if ((phy_freq == params[freq].phy_freq ||
- phy_freq == FREQ_1000_1001(params[freq].phy_freq/10)*10) &&
+ phy_freq == PHY_FREQ_1000_1001(params[freq].phy_freq)) &&
(vclk_freq == params[freq].vclk_freq ||
- vclk_freq == FREQ_1000_1001(params[freq].vclk_freq))) {
+ vclk_freq == PIXEL_FREQ_1000_1001(params[freq].vclk_freq))) {
if (vclk_freq != params[freq].vclk_freq)
vic_alternate_clock = true;
else
@@ -1098,7 +1104,8 @@ void meson_vclk_setup(struct meson_drm *priv, unsigned int target,
}
if (!params[freq].pixel_freq) {
- pr_err("Fatal Error, invalid HDMI vclk freq %d\n", vclk_freq);
+ pr_err("Fatal Error, invalid HDMI vclk freq %lluHz\n",
+ vclk_freq);
return;
}
diff --git a/drivers/gpu/drm/meson/meson_vclk.h b/drivers/gpu/drm/meson/meson_vclk.h
index 60617aaf18dd1..7ac55744e5749 100644
--- a/drivers/gpu/drm/meson/meson_vclk.h
+++ b/drivers/gpu/drm/meson/meson_vclk.h
@@ -20,17 +20,18 @@ enum {
};
/* 27MHz is the CVBS Pixel Clock */
-#define MESON_VCLK_CVBS 27000
+#define MESON_VCLK_CVBS (27 * 1000 * 1000)
enum drm_mode_status
-meson_vclk_dmt_supported_freq(struct meson_drm *priv, unsigned int freq);
+meson_vclk_dmt_supported_freq(struct meson_drm *priv, unsigned long long freq);
enum drm_mode_status
-meson_vclk_vic_supported_freq(struct meson_drm *priv, unsigned int phy_freq,
- unsigned int vclk_freq);
+meson_vclk_vic_supported_freq(struct meson_drm *priv,
+ unsigned long long phy_freq,
+ unsigned long long vclk_freq);
void meson_vclk_setup(struct meson_drm *priv, unsigned int target,
- unsigned int phy_freq, unsigned int vclk_freq,
- unsigned int venc_freq, unsigned int dac_freq,
+ unsigned long long phy_freq, unsigned long long vclk_freq,
+ unsigned long long venc_freq, unsigned long long dac_freq,
bool hdmi_use_enci);
#endif /* __MESON_VCLK_H */
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 310/356] drm/meson: fix debug log statement when setting the HDMI clocks
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 309/356] drm/meson: use unsigned long long / Hz for frequency types Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 311/356] drm/meson: use vclk_freq instead of pixel_freq in debug print Greg Kroah-Hartman
` (54 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin Blumenstingl, Neil Armstrong,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
[ Upstream commit d17e61ab63fb7747b340d6a66bf1408cd5c6562b ]
The "phy" and "vclk" frequency labels were swapped, making it more
difficult to debug driver errors. Swap the label order to make them
match with the actual frequencies printed to correct this.
Fixes: e5fab2ec9ca4 ("drm/meson: vclk: add support for YUV420 setup")
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20250606203729.3311592-1-martin.blumenstingl@googlemail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/meson/meson_encoder_hdmi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/meson/meson_encoder_hdmi.c b/drivers/gpu/drm/meson/meson_encoder_hdmi.c
index cd0e9e2d59ee7..73ec7ae48510a 100644
--- a/drivers/gpu/drm/meson/meson_encoder_hdmi.c
+++ b/drivers/gpu/drm/meson/meson_encoder_hdmi.c
@@ -108,7 +108,7 @@ static void meson_encoder_hdmi_set_vclk(struct meson_encoder_hdmi *encoder_hdmi,
venc_freq /= 2;
dev_dbg(priv->dev,
- "vclk:%lluHz phy=%lluHz venc=%lluHz hdmi=%lluHz enci=%d\n",
+ "phy:%lluHz vclk=%lluHz venc=%lluHz hdmi=%lluHz enci=%d\n",
phy_freq, vclk_freq, venc_freq, hdmi_freq,
priv->venc.hdmi_use_enci);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 311/356] drm/meson: use vclk_freq instead of pixel_freq in debug print
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 310/356] drm/meson: fix debug log statement when setting the HDMI clocks Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 312/356] drm/meson: fix more rounding issues with 59.94Hz modes Greg Kroah-Hartman
` (53 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin Blumenstingl, Neil Armstrong,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
[ Upstream commit faf2f8382088e8c74bd6eeb236c8c9190e61615e ]
meson_vclk_vic_supported_freq() has a debug print which includes the
pixel freq. However, within the whole function the pixel freq is
irrelevant, other than checking the end of the params array. Switch to
printing the vclk_freq which is being compared / matched against the
inputs to the function to avoid confusion when analyzing error reports
from users.
Fixes: e5fab2ec9ca4 ("drm/meson: vclk: add support for YUV420 setup")
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20250606221031.3419353-1-martin.blumenstingl@googlemail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/meson/meson_vclk.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/meson/meson_vclk.c b/drivers/gpu/drm/meson/meson_vclk.c
index 3325580d885d0..c4123bb958e4c 100644
--- a/drivers/gpu/drm/meson/meson_vclk.c
+++ b/drivers/gpu/drm/meson/meson_vclk.c
@@ -790,9 +790,9 @@ meson_vclk_vic_supported_freq(struct meson_drm *priv,
}
for (i = 0 ; params[i].pixel_freq ; ++i) {
- DRM_DEBUG_DRIVER("i = %d pixel_freq = %lluHz alt = %lluHz\n",
- i, params[i].pixel_freq,
- PIXEL_FREQ_1000_1001(params[i].pixel_freq));
+ DRM_DEBUG_DRIVER("i = %d vclk_freq = %lluHz alt = %lluHz\n",
+ i, params[i].vclk_freq,
+ PIXEL_FREQ_1000_1001(params[i].vclk_freq));
DRM_DEBUG_DRIVER("i = %d phy_freq = %lluHz alt = %lluHz\n",
i, params[i].phy_freq,
PHY_FREQ_1000_1001(params[i].phy_freq));
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 312/356] drm/meson: fix more rounding issues with 59.94Hz modes
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 311/356] drm/meson: use vclk_freq instead of pixel_freq in debug print Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 313/356] i40e: return false from i40e_reset_vf if reset is in progress Greg Kroah-Hartman
` (52 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Hewitt,
Martin Blumenstingl, Neil Armstrong, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
[ Upstream commit 0cee6c4d3518b2e757aedae78771f17149f57653 ]
Commit 1017560164b6 ("drm/meson: use unsigned long long / Hz for
frequency types") attempts to resolve video playback using 59.94Hz.
using YUV420 by changing the clock calculation to use
Hz instead of kHz (thus yielding more precision).
The basic calculation itself is correct, however the comparisions in
meson_vclk_vic_supported_freq() and meson_vclk_setup() don't work
anymore for 59.94Hz modes (using the freq * 1000 / 1001 logic). For
example, drm/edid specifies a 593407kHz clock for 3840x2160@59.94Hz.
With the mentioend commit we convert this to Hz. Then meson_vclk
tries to find a matchig "params" entry (as the clock setup code
currently only supports specific frequencies) by taking the venc_freq
from the params and calculating the "alt frequency" (used for the
59.94Hz modes) from it, which is:
(594000000Hz * 1000) / 1001 = 593406593Hz
Similar calculation is applied to the phy_freq (TMDS clock), which is 10
times the pixel clock.
Implement a new meson_vclk_freqs_are_matching_param() function whose
purpose is to compare if the requested and calculated frequencies. They
may not match exactly (for the reasons mentioned above). Allow the
clocks to deviate slightly to make the 59.94Hz modes again.
Fixes: 1017560164b6 ("drm/meson: use unsigned long long / Hz for frequency types")
Reported-by: Christian Hewitt <christianshewitt@gmail.com>
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20250609202751.962208-1-martin.blumenstingl@googlemail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/meson/meson_vclk.c | 55 ++++++++++++++++++------------
1 file changed, 34 insertions(+), 21 deletions(-)
diff --git a/drivers/gpu/drm/meson/meson_vclk.c b/drivers/gpu/drm/meson/meson_vclk.c
index c4123bb958e4c..dfe0c28a0f054 100644
--- a/drivers/gpu/drm/meson/meson_vclk.c
+++ b/drivers/gpu/drm/meson/meson_vclk.c
@@ -110,10 +110,7 @@
#define HDMI_PLL_LOCK BIT(31)
#define HDMI_PLL_LOCK_G12A (3 << 30)
-#define PIXEL_FREQ_1000_1001(_freq) \
- DIV_ROUND_CLOSEST_ULL((_freq) * 1000ULL, 1001ULL)
-#define PHY_FREQ_1000_1001(_freq) \
- (PIXEL_FREQ_1000_1001(DIV_ROUND_DOWN_ULL(_freq, 10ULL)) * 10)
+#define FREQ_1000_1001(_freq) DIV_ROUND_CLOSEST_ULL((_freq) * 1000ULL, 1001ULL)
/* VID PLL Dividers */
enum {
@@ -772,6 +769,36 @@ static void meson_hdmi_pll_generic_set(struct meson_drm *priv,
pll_freq);
}
+static bool meson_vclk_freqs_are_matching_param(unsigned int idx,
+ unsigned long long phy_freq,
+ unsigned long long vclk_freq)
+{
+ DRM_DEBUG_DRIVER("i = %d vclk_freq = %lluHz alt = %lluHz\n",
+ idx, params[idx].vclk_freq,
+ FREQ_1000_1001(params[idx].vclk_freq));
+ DRM_DEBUG_DRIVER("i = %d phy_freq = %lluHz alt = %lluHz\n",
+ idx, params[idx].phy_freq,
+ FREQ_1000_1001(params[idx].phy_freq));
+
+ /* Match strict frequency */
+ if (phy_freq == params[idx].phy_freq &&
+ vclk_freq == params[idx].vclk_freq)
+ return true;
+
+ /* Match 1000/1001 variant: vclk deviation has to be less than 1kHz
+ * (drm EDID is defined in 1kHz steps, so everything smaller must be
+ * rounding error) and the PHY freq deviation has to be less than
+ * 10kHz (as the TMDS clock is 10 times the pixel clock, so anything
+ * smaller must be rounding error as well).
+ */
+ if (abs(vclk_freq - FREQ_1000_1001(params[idx].vclk_freq)) < 1000 &&
+ abs(phy_freq - FREQ_1000_1001(params[idx].phy_freq)) < 10000)
+ return true;
+
+ /* no match */
+ return false;
+}
+
enum drm_mode_status
meson_vclk_vic_supported_freq(struct meson_drm *priv,
unsigned long long phy_freq,
@@ -790,19 +817,7 @@ meson_vclk_vic_supported_freq(struct meson_drm *priv,
}
for (i = 0 ; params[i].pixel_freq ; ++i) {
- DRM_DEBUG_DRIVER("i = %d vclk_freq = %lluHz alt = %lluHz\n",
- i, params[i].vclk_freq,
- PIXEL_FREQ_1000_1001(params[i].vclk_freq));
- DRM_DEBUG_DRIVER("i = %d phy_freq = %lluHz alt = %lluHz\n",
- i, params[i].phy_freq,
- PHY_FREQ_1000_1001(params[i].phy_freq));
- /* Match strict frequency */
- if (phy_freq == params[i].phy_freq &&
- vclk_freq == params[i].vclk_freq)
- return MODE_OK;
- /* Match 1000/1001 variant */
- if (phy_freq == PHY_FREQ_1000_1001(params[i].phy_freq) &&
- vclk_freq == PIXEL_FREQ_1000_1001(params[i].vclk_freq))
+ if (meson_vclk_freqs_are_matching_param(i, phy_freq, vclk_freq))
return MODE_OK;
}
@@ -1075,10 +1090,8 @@ void meson_vclk_setup(struct meson_drm *priv, unsigned int target,
}
for (freq = 0 ; params[freq].pixel_freq ; ++freq) {
- if ((phy_freq == params[freq].phy_freq ||
- phy_freq == PHY_FREQ_1000_1001(params[freq].phy_freq)) &&
- (vclk_freq == params[freq].vclk_freq ||
- vclk_freq == PIXEL_FREQ_1000_1001(params[freq].vclk_freq))) {
+ if (meson_vclk_freqs_are_matching_param(freq, phy_freq,
+ vclk_freq)) {
if (vclk_freq != params[freq].vclk_freq)
vic_alternate_clock = true;
else
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 313/356] i40e: return false from i40e_reset_vf if reset is in progress
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 312/356] drm/meson: fix more rounding issues with 59.94Hz modes Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 314/356] i40e: retry VFLR handling if there is ongoing VF reset Greg Kroah-Hartman
` (51 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Robert Malz, Rafal Romanowski,
Tony Nguyen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Robert Malz <robert.malz@canonical.com>
[ Upstream commit a2c90d63b71223d69a813333c1abf4fdacddbbe5 ]
The function i40e_vc_reset_vf attempts, up to 20 times, to handle a
VF reset request, using the return value of i40e_reset_vf as an indicator
of whether the reset was successfully triggered. Currently, i40e_reset_vf
always returns true, which causes new reset requests to be ignored if a
different VF reset is already in progress.
This patch updates the return value of i40e_reset_vf to reflect when
another VF reset is in progress, allowing the caller to properly use
the retry mechanism.
Fixes: 52424f974bc5 ("i40e: Fix VF hang when reset is triggered on another VF")
Signed-off-by: Robert Malz <robert.malz@canonical.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
index d5509bc16d0d5..348869f05020f 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
@@ -1552,8 +1552,8 @@ static void i40e_cleanup_reset_vf(struct i40e_vf *vf)
* @vf: pointer to the VF structure
* @flr: VFLR was issued or not
*
- * Returns true if the VF is in reset, resets successfully, or resets
- * are disabled and false otherwise.
+ * Return: True if reset was performed successfully or if resets are disabled.
+ * False if reset is already in progress.
**/
bool i40e_reset_vf(struct i40e_vf *vf, bool flr)
{
@@ -1572,7 +1572,7 @@ bool i40e_reset_vf(struct i40e_vf *vf, bool flr)
/* If VF is being reset already we don't need to continue. */
if (test_and_set_bit(I40E_VF_STATE_RESETTING, &vf->vf_states))
- return true;
+ return false;
i40e_trigger_vf_reset(vf, flr);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 314/356] i40e: retry VFLR handling if there is ongoing VF reset
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (312 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 313/356] i40e: return false from i40e_reset_vf if reset is in progress Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 315/356] ACPI: CPPC: Fix NULL pointer dereference when nosmp is used Greg Kroah-Hartman
` (50 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Robert Malz, Rafal Romanowski,
Tony Nguyen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Robert Malz <robert.malz@canonical.com>
[ Upstream commit fb4e9239e029954a37a00818b21e837cebf2aa10 ]
When a VFLR interrupt is received during a VF reset initiated from a
different source, the VFLR may be not fully handled. This can
leave the VF in an undefined state.
To address this, set the I40E_VFLR_EVENT_PENDING bit again during VFLR
handling if the reset is not yet complete. This ensures the driver
will properly complete the VF reset in such scenarios.
Fixes: 52424f974bc5 ("i40e: Fix VF hang when reset is triggered on another VF")
Signed-off-by: Robert Malz <robert.malz@canonical.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
index 348869f05020f..80036942dc764 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
@@ -4332,7 +4332,10 @@ int i40e_vc_process_vflr_event(struct i40e_pf *pf)
reg = rd32(hw, I40E_GLGEN_VFLRSTAT(reg_idx));
if (reg & BIT(bit_idx))
/* i40e_reset_vf will clear the bit in GLGEN_VFLRSTAT */
- i40e_reset_vf(vf, true);
+ if (!i40e_reset_vf(vf, true)) {
+ /* At least one VF did not finish resetting, retry next time */
+ set_bit(__I40E_VFLR_EVENT_PENDING, pf->state);
+ }
}
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 315/356] ACPI: CPPC: Fix NULL pointer dereference when nosmp is used
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (313 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 314/356] i40e: retry VFLR handling if there is ongoing VF reset Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 316/356] net: Fix TOCTOU issue in sk_is_readable() Greg Kroah-Hartman
` (49 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xu Lu, Yunhui Cui, Rafael J. Wysocki,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yunhui Cui <cuiyunhui@bytedance.com>
[ Upstream commit 15eece6c5b05e5f9db0711978c3e3b7f1a2cfe12 ]
With nosmp in cmdline, other CPUs are not brought up, leaving
their cpc_desc_ptr NULL. CPU0's iteration via for_each_possible_cpu()
dereferences these NULL pointers, causing panic.
Panic backtrace:
[ 0.401123] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000b8
...
[ 0.403255] [<ffffffff809a5818>] cppc_allow_fast_switch+0x6a/0xd4
...
Kernel panic - not syncing: Attempted to kill init!
Fixes: 3cc30dd00a58 ("cpufreq: CPPC: Enable fast_switch")
Reported-by: Xu Lu <luxu.kernel@bytedance.com>
Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
Link: https://patch.msgid.link/20250604023036.99553-1-cuiyunhui@bytedance.com
[ rjw: New subject ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/cppc_acpi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/cppc_acpi.c b/drivers/acpi/cppc_acpi.c
index ed02a2a9970aa..10d531427ba77 100644
--- a/drivers/acpi/cppc_acpi.c
+++ b/drivers/acpi/cppc_acpi.c
@@ -461,7 +461,7 @@ bool cppc_allow_fast_switch(void)
struct cpc_desc *cpc_ptr;
int cpu;
- for_each_possible_cpu(cpu) {
+ for_each_present_cpu(cpu) {
cpc_ptr = per_cpu(cpc_desc_ptr, cpu);
desired_reg = &cpc_ptr->cpc_regs[DESIRED_PERF];
if (!CPC_IN_SYSTEM_MEMORY(desired_reg) &&
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 316/356] net: Fix TOCTOU issue in sk_is_readable()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (314 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 315/356] ACPI: CPPC: Fix NULL pointer dereference when nosmp is used Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 317/356] macsec: MACsec SCI assignment for ES = 0 Greg Kroah-Hartman
` (48 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Sitnicki, Michal Luczaj,
Willem de Bruijn, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Luczaj <mhal@rbox.co>
[ Upstream commit 2660a544fdc0940bba15f70508a46cf9a6491230 ]
sk->sk_prot->sock_is_readable is a valid function pointer when sk resides
in a sockmap. After the last sk_psock_put() (which usually happens when
socket is removed from sockmap), sk->sk_prot gets restored and
sk->sk_prot->sock_is_readable becomes NULL.
This makes sk_is_readable() racy, if the value of sk->sk_prot is reloaded
after the initial check. Which in turn may lead to a null pointer
dereference.
Ensure the function pointer does not turn NULL after the check.
Fixes: 8934ce2fd081 ("bpf: sockmap redirect ingress support")
Suggested-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20250609-skisreadable-toctou-v1-1-d0dfb2d62c37@rbox.co
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/sock.h | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/include/net/sock.h b/include/net/sock.h
index dc625f94ee37b..e15bea43b2ecd 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -3043,8 +3043,11 @@ int sock_ioctl_inout(struct sock *sk, unsigned int cmd,
int sk_ioctl(struct sock *sk, unsigned int cmd, void __user *arg);
static inline bool sk_is_readable(struct sock *sk)
{
- if (sk->sk_prot->sock_is_readable)
- return sk->sk_prot->sock_is_readable(sk);
+ const struct proto *prot = READ_ONCE(sk->sk_prot);
+
+ if (prot->sock_is_readable)
+ return prot->sock_is_readable(sk);
+
return false;
}
#endif /* _SOCK_H */
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 317/356] macsec: MACsec SCI assignment for ES = 0
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (315 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 316/356] net: Fix TOCTOU issue in sk_is_readable() Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 318/356] net/mdiobus: Fix potential out-of-bounds read/write access Greg Kroah-Hartman
` (47 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andreu Montiel, Carlos Fernandez,
Subbaraya Sundeep, David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carlos Fernandez <carlos.fernandez@technica-engineering.de>
[ Upstream commit d9816ec74e6d6aa29219d010bba3f780ba1d9d75 ]
According to 802.1AE standard, when ES and SC flags in TCI are zero,
used SCI should be the current active SC_RX. Current code uses the
header MAC address. Without this patch, when ES flag is 0 (using a
bridge or switch), header MAC will not fit the SCI and MACSec frames
will be discarted.
In order to test this issue, MACsec link should be stablished between
two interfaces, setting SC and ES flags to zero and a port identifier
different than one. For example, using ip macsec tools:
ip link add link $ETH0 macsec0 type macsec port 11 send_sci off
end_station off
ip macsec add macsec0 tx sa 0 pn 2 on key 01 $ETH1_KEY
ip macsec add macsec0 rx port 11 address $ETH1_MAC
ip macsec add macsec0 rx port 11 address $ETH1_MAC sa 0 pn 2 on key 02
ip link set dev macsec0 up
ip link add link $ETH1 macsec1 type macsec port 11 send_sci off
end_station off
ip macsec add macsec1 tx sa 0 pn 2 on key 01 $ETH0_KEY
ip macsec add macsec1 rx port 11 address $ETH0_MAC
ip macsec add macsec1 rx port 11 address $ETH0_MAC sa 0 pn 2 on key 02
ip link set dev macsec1 up
Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
Co-developed-by: Andreu Montiel <Andreu.Montiel@technica-engineering.de>
Signed-off-by: Andreu Montiel <Andreu.Montiel@technica-engineering.de>
Signed-off-by: Carlos Fernandez <carlos.fernandez@technica-engineering.de>
Reviewed-by: Subbaraya Sundeep <sbhatta@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/macsec.c | 40 ++++++++++++++++++++++++++++++++++------
1 file changed, 34 insertions(+), 6 deletions(-)
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index 7c96493a367bf..767053d6c6b6f 100644
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -243,15 +243,39 @@ static sci_t make_sci(const u8 *addr, __be16 port)
return sci;
}
-static sci_t macsec_frame_sci(struct macsec_eth_header *hdr, bool sci_present)
+static sci_t macsec_active_sci(struct macsec_secy *secy)
{
- sci_t sci;
+ struct macsec_rx_sc *rx_sc = rcu_dereference_bh(secy->rx_sc);
+
+ /* Case single RX SC */
+ if (rx_sc && !rcu_dereference_bh(rx_sc->next))
+ return (rx_sc->active) ? rx_sc->sci : 0;
+ /* Case no RX SC or multiple */
+ else
+ return 0;
+}
+
+static sci_t macsec_frame_sci(struct macsec_eth_header *hdr, bool sci_present,
+ struct macsec_rxh_data *rxd)
+{
+ struct macsec_dev *macsec;
+ sci_t sci = 0;
- if (sci_present)
+ /* SC = 1 */
+ if (sci_present) {
memcpy(&sci, hdr->secure_channel_id,
sizeof(hdr->secure_channel_id));
- else
+ /* SC = 0; ES = 0 */
+ } else if ((!(hdr->tci_an & (MACSEC_TCI_ES | MACSEC_TCI_SC))) &&
+ (list_is_singular(&rxd->secys))) {
+ /* Only one SECY should exist on this scenario */
+ macsec = list_first_or_null_rcu(&rxd->secys, struct macsec_dev,
+ secys);
+ if (macsec)
+ return macsec_active_sci(&macsec->secy);
+ } else {
sci = make_sci(hdr->eth.h_source, MACSEC_PORT_ES);
+ }
return sci;
}
@@ -1105,7 +1129,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
struct macsec_rxh_data *rxd;
struct macsec_dev *macsec;
unsigned int len;
- sci_t sci;
+ sci_t sci = 0;
u32 hdr_pn;
bool cbit;
struct pcpu_rx_sc_stats *rxsc_stats;
@@ -1152,11 +1176,14 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
macsec_skb_cb(skb)->has_sci = !!(hdr->tci_an & MACSEC_TCI_SC);
macsec_skb_cb(skb)->assoc_num = hdr->tci_an & MACSEC_AN_MASK;
- sci = macsec_frame_sci(hdr, macsec_skb_cb(skb)->has_sci);
rcu_read_lock();
rxd = macsec_data_rcu(skb->dev);
+ sci = macsec_frame_sci(hdr, macsec_skb_cb(skb)->has_sci, rxd);
+ if (!sci)
+ goto drop_nosc;
+
list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
struct macsec_rx_sc *sc = find_rx_sc(&macsec->secy, sci);
@@ -1279,6 +1306,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
macsec_rxsa_put(rx_sa);
drop_nosa:
macsec_rxsc_put(rx_sc);
+drop_nosc:
rcu_read_unlock();
drop_direct:
kfree_skb(skb);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 318/356] net/mdiobus: Fix potential out-of-bounds read/write access
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (316 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 317/356] macsec: MACsec SCI assignment for ES = 0 Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 319/356] net/mdiobus: Fix potential out-of-bounds clause 45 " Greg Kroah-Hartman
` (46 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Raczynski, Wenjing Shan,
David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Raczynski <j.raczynski@samsung.com>
[ Upstream commit 0e629694126ca388916f059453a1c36adde219c4 ]
When using publicly available tools like 'mdio-tools' to read/write data
from/to network interface and its PHY via mdiobus, there is no verification of
parameters passed to the ioctl and it accepts any mdio address.
Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,
but it is possible to pass higher value than that via ioctl.
While read/write operation should generally fail in this case,
mdiobus provides stats array, where wrong address may allow out-of-bounds
read/write.
Fix that by adding address verification before read/write operation.
While this excludes this access from any statistics, it improves security of
read/write operation.
Fixes: 080bb352fad00 ("net: phy: Maintain MDIO device and bus statistics")
Signed-off-by: Jakub Raczynski <j.raczynski@samsung.com>
Reported-by: Wenjing Shan <wenjing.shan@samsung.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/mdio_bus.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
index 25dcaa49ab8be..103998969d44c 100644
--- a/drivers/net/phy/mdio_bus.c
+++ b/drivers/net/phy/mdio_bus.c
@@ -850,6 +850,9 @@ int __mdiobus_read(struct mii_bus *bus, int addr, u32 regnum)
lockdep_assert_held_once(&bus->mdio_lock);
+ if (addr >= PHY_MAX_ADDR)
+ return -ENXIO;
+
if (bus->read)
retval = bus->read(bus, addr, regnum);
else
@@ -879,6 +882,9 @@ int __mdiobus_write(struct mii_bus *bus, int addr, u32 regnum, u16 val)
lockdep_assert_held_once(&bus->mdio_lock);
+ if (addr >= PHY_MAX_ADDR)
+ return -ENXIO;
+
if (bus->write)
err = bus->write(bus, addr, regnum, val);
else
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 319/356] net/mdiobus: Fix potential out-of-bounds clause 45 read/write access
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (317 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 318/356] net/mdiobus: Fix potential out-of-bounds read/write access Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 320/356] Bluetooth: Fix NULL pointer deference on eir_get_service_data Greg Kroah-Hartman
` (45 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Raczynski, Wenjing Shan,
David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Raczynski <j.raczynski@samsung.com>
[ Upstream commit 260388f79e94fb3026c419a208ece8358bb7b555 ]
When using publicly available tools like 'mdio-tools' to read/write data
from/to network interface and its PHY via C45 (clause 45) mdiobus,
there is no verification of parameters passed to the ioctl and
it accepts any mdio address.
Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,
but it is possible to pass higher value than that via ioctl.
While read/write operation should generally fail in this case,
mdiobus provides stats array, where wrong address may allow out-of-bounds
read/write.
Fix that by adding address verification before C45 read/write operation.
While this excludes this access from any statistics, it improves security of
read/write operation.
Fixes: 4e4aafcddbbf ("net: mdio: Add dedicated C45 API to MDIO bus drivers")
Signed-off-by: Jakub Raczynski <j.raczynski@samsung.com>
Reported-by: Wenjing Shan <wenjing.shan@samsung.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/mdio_bus.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
index 103998969d44c..e02706b7cc1ed 100644
--- a/drivers/net/phy/mdio_bus.c
+++ b/drivers/net/phy/mdio_bus.c
@@ -946,6 +946,9 @@ int __mdiobus_c45_read(struct mii_bus *bus, int addr, int devad, u32 regnum)
lockdep_assert_held_once(&bus->mdio_lock);
+ if (addr >= PHY_MAX_ADDR)
+ return -ENXIO;
+
if (bus->read_c45)
retval = bus->read_c45(bus, addr, devad, regnum);
else
@@ -977,6 +980,9 @@ int __mdiobus_c45_write(struct mii_bus *bus, int addr, int devad, u32 regnum,
lockdep_assert_held_once(&bus->mdio_lock);
+ if (addr >= PHY_MAX_ADDR)
+ return -ENXIO;
+
if (bus->write_c45)
err = bus->write_c45(bus, addr, devad, regnum, val);
else
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 320/356] Bluetooth: Fix NULL pointer deference on eir_get_service_data
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (318 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 319/356] net/mdiobus: Fix potential out-of-bounds clause 45 " Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 321/356] Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance Greg Kroah-Hartman
` (44 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 20a2aa01f5aeb6daad9aeaa7c33dd512c58d81eb ]
The len parameter is considered optional so it can be NULL so it cannot
be used for skipping to next entry of EIR_SERVICE_DATA.
Fixes: 8f9ae5b3ae80 ("Bluetooth: eir: Add helpers for managing service data")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/eir.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/bluetooth/eir.c b/net/bluetooth/eir.c
index 1bc51e2b05a34..3e1713673ecc9 100644
--- a/net/bluetooth/eir.c
+++ b/net/bluetooth/eir.c
@@ -366,17 +366,19 @@ u8 eir_create_scan_rsp(struct hci_dev *hdev, u8 instance, u8 *ptr)
void *eir_get_service_data(u8 *eir, size_t eir_len, u16 uuid, size_t *len)
{
- while ((eir = eir_get_data(eir, eir_len, EIR_SERVICE_DATA, len))) {
+ size_t dlen;
+
+ while ((eir = eir_get_data(eir, eir_len, EIR_SERVICE_DATA, &dlen))) {
u16 value = get_unaligned_le16(eir);
if (uuid == value) {
if (len)
- *len -= 2;
+ *len = dlen - 2;
return &eir[2];
}
- eir += *len;
- eir_len -= *len;
+ eir += dlen;
+ eir_len -= dlen;
}
return NULL;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 321/356] Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (319 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 320/356] Bluetooth: Fix NULL pointer deference on eir_get_service_data Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 322/356] Bluetooth: MGMT: Fix sparse errors Greg Kroah-Hartman
` (43 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 5725bc608252050ed8a4d47d59225b7dd73474c8 ]
When using and existing adv_info instance for broadcast source it
needs to be updated to periodic first before it can be reused, also in
case the existing instance already have data hci_set_adv_instance_data
cannot be used directly since it would overwrite the existing data so
this reappend the original data after the Broadcast ID, if one was
generated.
Example:
bluetoothctl># Add PBP to EA so it can be later referenced as the BIS ID
bluetoothctl> advertise.service 0x1856 0x00 0x00
bluetoothctl> advertise on
...
< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 13
Handle: 0x01
Operation: Complete extended advertising data (0x03)
Fragment preference: Minimize fragmentation (0x01)
Data length: 0x09
Service Data: Public Broadcast Announcement (0x1856)
Data[2]: 0000
Flags: 0x06
LE General Discoverable Mode
BR/EDR Not Supported
...
bluetoothctl># Attempt to acquire Broadcast Source transport
bluetoothctl>transport.acquire /org/bluez/hci0/pac_bcast0/fd0
...
< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 255
Handle: 0x01
Operation: Complete extended advertising data (0x03)
Fragment preference: Minimize fragmentation (0x01)
Data length: 0x0e
Service Data: Broadcast Audio Announcement (0x1852)
Broadcast ID: 11371620 (0xad8464)
Service Data: Public Broadcast Announcement (0x1856)
Data[2]: 0000
Flags: 0x06
LE General Discoverable Mode
BR/EDR Not Supported
Link: https://github.com/bluez/bluez/issues/1117
Fixes: eca0ae4aea66 ("Bluetooth: Add initial implementation of BIS connections")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_sync.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index d6f40806ee512..e92bc4ceb5add 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -1586,7 +1586,8 @@ static int hci_enable_per_advertising_sync(struct hci_dev *hdev, u8 instance)
static int hci_adv_bcast_annoucement(struct hci_dev *hdev, struct adv_info *adv)
{
u8 bid[3];
- u8 ad[4 + 3];
+ u8 ad[HCI_MAX_EXT_AD_LENGTH];
+ u8 len;
/* Skip if NULL adv as instance 0x00 is used for general purpose
* advertising so it cannot used for the likes of Broadcast Announcement
@@ -1612,8 +1613,10 @@ static int hci_adv_bcast_annoucement(struct hci_dev *hdev, struct adv_info *adv)
/* Generate Broadcast ID */
get_random_bytes(bid, sizeof(bid));
- eir_append_service_data(ad, 0, 0x1852, bid, sizeof(bid));
- hci_set_adv_instance_data(hdev, adv->instance, sizeof(ad), ad, 0, NULL);
+ len = eir_append_service_data(ad, 0, 0x1852, bid, sizeof(bid));
+ memcpy(ad + len, adv->adv_data, adv->adv_data_len);
+ hci_set_adv_instance_data(hdev, adv->instance, len + adv->adv_data_len,
+ ad, 0, NULL);
return hci_update_adv_data_sync(hdev, adv->instance);
}
@@ -1630,8 +1633,15 @@ int hci_start_per_adv_sync(struct hci_dev *hdev, u8 instance, u8 data_len,
if (instance) {
adv = hci_find_adv_instance(hdev, instance);
- /* Create an instance if that could not be found */
- if (!adv) {
+ if (adv) {
+ /* Turn it into periodic advertising */
+ adv->periodic = true;
+ adv->per_adv_data_len = data_len;
+ if (data)
+ memcpy(adv->per_adv_data, data, data_len);
+ adv->flags = flags;
+ } else if (!adv) {
+ /* Create an instance if that could not be found */
adv = hci_add_per_instance(hdev, instance, flags,
data_len, data,
sync_interval,
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 322/356] Bluetooth: MGMT: Fix sparse errors
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (320 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 321/356] Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 323/356] net/mlx5: Ensure fw pages are always allocated on same NUMA Greg Kroah-Hartman
` (42 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot,
Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 7dd38ba4acbea9875b4ee061e20a26413e39d9f4 ]
This fixes the following errors:
net/bluetooth/mgmt.c:5400:59: sparse: sparse: incorrect type in argument 3
(different base types) @@ expected unsigned short [usertype] handle @@
got restricted __le16 [usertype] monitor_handle @@
net/bluetooth/mgmt.c:5400:59: sparse: expected unsigned short [usertype] handle
net/bluetooth/mgmt.c:5400:59: sparse: got restricted __le16 [usertype] monitor_handle
Fixes: e6ed54e86aae ("Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202506060347.ux2O1p7L-lkp@intel.com/
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/mgmt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 44174f59b31e6..853d217cabc91 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -5159,11 +5159,11 @@ static void mgmt_adv_monitor_added(struct sock *sk, struct hci_dev *hdev,
}
static void mgmt_adv_monitor_removed(struct sock *sk, struct hci_dev *hdev,
- u16 handle)
+ __le16 handle)
{
struct mgmt_ev_adv_monitor_removed ev;
- ev.monitor_handle = cpu_to_le16(handle);
+ ev.monitor_handle = handle;
mgmt_event(MGMT_EV_ADV_MONITOR_REMOVED, hdev, &ev, sizeof(ev), sk);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 323/356] net/mlx5: Ensure fw pages are always allocated on same NUMA
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (321 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 322/356] Bluetooth: MGMT: Fix sparse errors Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 324/356] net/mlx5: Fix ECVF vports unload on shutdown flow Greg Kroah-Hartman
` (41 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Moshe Shemesh, Tariq Toukan,
Mark Bloch, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Moshe Shemesh <moshe@nvidia.com>
[ Upstream commit f37258133c1e95e61db532e14067e28b4881bf24 ]
When firmware asks the driver to allocate more pages, using event of
give_pages, the driver should always allocate it from same NUMA, the
original device NUMA. Current code uses dev_to_node() which can result
in different NUMA as it is changed by other driver flows, such as
mlx5_dma_zalloc_coherent_node(). Instead, use saved numa node for
allocating firmware pages.
Fixes: 311c7c71c9bb ("net/mlx5e: Allocate DMA coherent memory on reader NUMA node")
Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250610151514.1094735-2-mbloch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c b/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c
index dcf58efac159c..e0581c6f9cecd 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c
@@ -291,7 +291,7 @@ static void free_4k(struct mlx5_core_dev *dev, u64 addr, u32 function)
static int alloc_system_page(struct mlx5_core_dev *dev, u32 function)
{
struct device *device = mlx5_core_dma_dev(dev);
- int nid = dev_to_node(device);
+ int nid = dev->priv.numa_node;
struct page *page;
u64 zero_addr = 1;
u64 addr;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 324/356] net/mlx5: Fix ECVF vports unload on shutdown flow
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (322 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 323/356] net/mlx5: Ensure fw pages are always allocated on same NUMA Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 325/356] net/mlx5: Fix return value when searching for existing flow group Greg Kroah-Hartman
` (40 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Jurgens, Moshe Shemesh,
Amir Tzin, Mark Bloch, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amir Tzin <amirtz@nvidia.com>
[ Upstream commit 687560d8a9a2d654829ad0da1ec24242f1de711d ]
Fix shutdown flow UAF when a virtual function is created on the embedded
chip (ECVF) of a BlueField device. In such case the vport acl ingress
table is not properly destroyed.
ECVF functionality is independent of ecpf_vport_exists capability and
thus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not
test it when enabling/disabling ECVF vports.
kernel log:
[] refcount_t: underflow; use-after-free.
[] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28
refcount_warn_saturate+0x124/0x220
----------------
[] Call trace:
[] refcount_warn_saturate+0x124/0x220
[] tree_put_node+0x164/0x1e0 [mlx5_core]
[] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core]
[] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core]
[] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core]
[] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core]
[] esw_vport_cleanup+0x64/0x90 [mlx5_core]
[] mlx5_esw_vport_disable+0xc0/0x1d0 [mlx5_core]
[] mlx5_eswitch_unload_ec_vf_vports+0xcc/0x150 [mlx5_core]
[] mlx5_eswitch_disable_sriov+0x198/0x2a0 [mlx5_core]
[] mlx5_device_disable_sriov+0xb8/0x1e0 [mlx5_core]
[] mlx5_sriov_detach+0x40/0x50 [mlx5_core]
[] mlx5_unload+0x40/0xc4 [mlx5_core]
[] mlx5_unload_one_devl_locked+0x6c/0xe4 [mlx5_core]
[] mlx5_unload_one+0x3c/0x60 [mlx5_core]
[] shutdown+0x7c/0xa4 [mlx5_core]
[] pci_device_shutdown+0x3c/0xa0
[] device_shutdown+0x170/0x340
[] __do_sys_reboot+0x1f4/0x2a0
[] __arm64_sys_reboot+0x2c/0x40
[] invoke_syscall+0x78/0x100
[] el0_svc_common.constprop.0+0x54/0x184
[] do_el0_svc+0x30/0xac
[] el0_svc+0x48/0x160
[] el0t_64_sync_handler+0xa4/0x12c
[] el0t_64_sync+0x1a4/0x1a8
[] --[ end trace 9c4601d68c70030e ]---
Fixes: a7719b29a821 ("net/mlx5: Add management of EC VF vports")
Reviewed-by: Daniel Jurgens <danielj@nvidia.com>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Signed-off-by: Amir Tzin <amirtz@nvidia.com>
Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250610151514.1094735-3-mbloch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/mellanox/mlx5/core/eswitch.c | 21 ++++++++++++-------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
index f6022c135ec02..914b380fd3eeb 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
@@ -1295,12 +1295,15 @@ mlx5_eswitch_enable_pf_vf_vports(struct mlx5_eswitch *esw,
ret = mlx5_eswitch_load_pf_vf_vport(esw, MLX5_VPORT_ECPF, enabled_events);
if (ret)
goto ecpf_err;
- if (mlx5_core_ec_sriov_enabled(esw->dev)) {
- ret = mlx5_eswitch_load_ec_vf_vports(esw, esw->esw_funcs.num_ec_vfs,
- enabled_events);
- if (ret)
- goto ec_vf_err;
- }
+ }
+
+ /* Enable ECVF vports */
+ if (mlx5_core_ec_sriov_enabled(esw->dev)) {
+ ret = mlx5_eswitch_load_ec_vf_vports(esw,
+ esw->esw_funcs.num_ec_vfs,
+ enabled_events);
+ if (ret)
+ goto ec_vf_err;
}
/* Enable VF vports */
@@ -1331,9 +1334,11 @@ void mlx5_eswitch_disable_pf_vf_vports(struct mlx5_eswitch *esw)
{
mlx5_eswitch_unload_vf_vports(esw, esw->esw_funcs.num_vfs);
+ if (mlx5_core_ec_sriov_enabled(esw->dev))
+ mlx5_eswitch_unload_ec_vf_vports(esw,
+ esw->esw_funcs.num_ec_vfs);
+
if (mlx5_ecpf_vport_exists(esw->dev)) {
- if (mlx5_core_ec_sriov_enabled(esw->dev))
- mlx5_eswitch_unload_ec_vf_vports(esw, esw->esw_funcs.num_vfs);
mlx5_eswitch_unload_pf_vf_vport(esw, MLX5_VPORT_ECPF);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 325/356] net/mlx5: Fix return value when searching for existing flow group
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (323 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 324/356] net/mlx5: Fix ECVF vports unload on shutdown flow Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 326/356] net/mlx5e: Fix leak of Geneve TLV option object Greg Kroah-Hartman
` (39 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gavi Teitz, Roi Dayan,
Patrisious Haddad, Tariq Toukan, Mark Bloch, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Patrisious Haddad <phaddad@nvidia.com>
[ Upstream commit 8ec40e3f1f72bf8f8accf18020d487caa99f46a4 ]
When attempting to add a rule to an existing flow group, if a matching
flow group exists but is not active, the error code returned should be
EAGAIN, so that the rule can be added to the matching flow group once
it is active, rather than ENOENT, which indicates that no matching
flow group was found.
Fixes: bd71b08ec2ee ("net/mlx5: Support multiple updates of steering rules in parallel")
Signed-off-by: Gavi Teitz <gavi@nvidia.com>
Signed-off-by: Roi Dayan <roid@nvidia.com>
Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250610151514.1094735-4-mbloch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
index d2dc375f5e49c..5f35a6fc03054 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
@@ -1984,6 +1984,7 @@ try_add_to_existing_fg(struct mlx5_flow_table *ft,
struct mlx5_flow_handle *rule;
struct match_list *iter;
bool take_write = false;
+ bool try_again = false;
struct fs_fte *fte;
u64 version = 0;
int err;
@@ -2043,6 +2044,7 @@ try_add_to_existing_fg(struct mlx5_flow_table *ft,
nested_down_write_ref_node(&g->node, FS_LOCK_PARENT);
if (!g->node.active) {
+ try_again = true;
up_write_ref_node(&g->node, false);
continue;
}
@@ -2064,7 +2066,8 @@ try_add_to_existing_fg(struct mlx5_flow_table *ft,
tree_put_node(&fte->node, false);
return rule;
}
- rule = ERR_PTR(-ENOENT);
+ err = try_again ? -EAGAIN : -ENOENT;
+ rule = ERR_PTR(err);
out:
kmem_cache_free(steering->ftes_cache, fte);
return rule;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 326/356] net/mlx5e: Fix leak of Geneve TLV option object
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (324 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 325/356] net/mlx5: Fix return value when searching for existing flow group Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 327/356] net_sched: prio: fix a race in prio_tune() Greg Kroah-Hartman
` (38 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianbo Liu, Tariq Toukan, Alex Lazar,
Mark Bloch, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jianbo Liu <jianbol@nvidia.com>
[ Upstream commit aa9c44b842096c553871bc68a8cebc7861fa192b ]
Previously, a unique tunnel id was added for the matching on TC
non-zero chains, to support inner header rewrite with goto action.
Later, it was used to support VF tunnel offload for vxlan, then for
Geneve and GRE. To support VF tunnel, a temporary mlx5_flow_spec is
used to parse tunnel options. For Geneve, if there is TLV option, a
object is created, or refcnt is added if already exists. But the
temporary mlx5_flow_spec is directly freed after parsing, which causes
the leak because no information regarding the object is saved in
flow's mlx5_flow_spec, which is used to free the object when deleting
the flow.
To fix the leak, call mlx5_geneve_tlv_option_del() before free the
temporary spec if it has TLV object.
Fixes: 521933cdc4aa ("net/mlx5e: Support Geneve and GRE with VF tunnel offload")
Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Alex Lazar <alazar@nvidia.com>
Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20250610151514.1094735-9-mbloch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
index dc9b157a44993..2be9c69daad5f 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
@@ -1915,9 +1915,8 @@ mlx5e_tc_add_fdb_flow(struct mlx5e_priv *priv,
return err;
}
-static bool mlx5_flow_has_geneve_opt(struct mlx5e_tc_flow *flow)
+static bool mlx5_flow_has_geneve_opt(struct mlx5_flow_spec *spec)
{
- struct mlx5_flow_spec *spec = &flow->attr->parse_attr->spec;
void *headers_v = MLX5_ADDR_OF(fte_match_param,
spec->match_value,
misc_parameters_3);
@@ -1956,7 +1955,7 @@ static void mlx5e_tc_del_fdb_flow(struct mlx5e_priv *priv,
}
complete_all(&flow->del_hw_done);
- if (mlx5_flow_has_geneve_opt(flow))
+ if (mlx5_flow_has_geneve_opt(&attr->parse_attr->spec))
mlx5_geneve_tlv_option_del(priv->mdev->geneve);
if (flow->decap_route)
@@ -2456,12 +2455,13 @@ static int parse_tunnel_attr(struct mlx5e_priv *priv,
err = mlx5e_tc_tun_parse(filter_dev, priv, tmp_spec, f, match_level);
if (err) {
- kvfree(tmp_spec);
NL_SET_ERR_MSG_MOD(extack, "Failed to parse tunnel attributes");
netdev_warn(priv->netdev, "Failed to parse tunnel attributes");
- return err;
+ } else {
+ err = mlx5e_tc_set_attr_rx_tun(flow, tmp_spec);
}
- err = mlx5e_tc_set_attr_rx_tun(flow, tmp_spec);
+ if (mlx5_flow_has_geneve_opt(tmp_spec))
+ mlx5_geneve_tlv_option_del(priv->mdev->geneve);
kvfree(tmp_spec);
if (err)
return err;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 327/356] net_sched: prio: fix a race in prio_tune()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (325 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 326/356] net/mlx5e: Fix leak of Geneve TLV option object Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 329/356] net_sched: tbf: fix a race in tbf_change() Greg Kroah-Hartman
` (37 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerrard Tai, Eric Dumazet,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit d35acc1be3480505b5931f17e4ea9b7617fea4d3 ]
Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer
fires at the wrong time.
The race is as follows:
CPU 0 CPU 1
[1]: lock root
[2]: qdisc_tree_flush_backlog()
[3]: unlock root
|
| [5]: lock root
| [6]: rehash
| [7]: qdisc_tree_reduce_backlog()
|
[4]: qdisc_put()
This can be abused to underflow a parent's qlen.
Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()
should fix the race, because all packets will be purged from the qdisc
before releasing the lock.
Fixes: 7b8e0b6e6599 ("net: sched: prio: delay destroying child qdiscs on change")
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Suggested-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250611111515.1983366-2-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_prio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_prio.c b/net/sched/sch_prio.c
index fdc5ef52c3ee9..fdd9caa41e80f 100644
--- a/net/sched/sch_prio.c
+++ b/net/sched/sch_prio.c
@@ -211,7 +211,7 @@ static int prio_tune(struct Qdisc *sch, struct nlattr *opt,
memcpy(q->prio2band, qopt->priomap, TC_PRIO_MAX+1);
for (i = q->bands; i < oldbands; i++)
- qdisc_tree_flush_backlog(q->queues[i]);
+ qdisc_purge_queue(q->queues[i]);
for (i = oldbands; i < q->bands; i++) {
q->queues[i] = queues[i];
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 329/356] net_sched: tbf: fix a race in tbf_change()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (326 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 327/356] net_sched: prio: fix a race in prio_tune() Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 330/356] net_sched: ets: fix a race in ets_qdisc_change() Greg Kroah-Hartman
` (36 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerrard Tai, Eric Dumazet,
Zhengchao Shao, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 43eb466041216d25dedaef1c383ad7bd89929cbc ]
Gerrard Tai reported a race condition in TBF, whenever SFQ perturb timer
fires at the wrong time.
The race is as follows:
CPU 0 CPU 1
[1]: lock root
[2]: qdisc_tree_flush_backlog()
[3]: unlock root
|
| [5]: lock root
| [6]: rehash
| [7]: qdisc_tree_reduce_backlog()
|
[4]: qdisc_put()
This can be abused to underflow a parent's qlen.
Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()
should fix the race, because all packets will be purged from the qdisc
before releasing the lock.
Fixes: b05972f01e7d ("net: sched: tbf: don't call qdisc_put() while holding tree lock")
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Suggested-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Zhengchao Shao <shaozhengchao@huawei.com>
Link: https://patch.msgid.link/20250611111515.1983366-4-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_tbf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c
index f92174008499b..61dd5c8f23101 100644
--- a/net/sched/sch_tbf.c
+++ b/net/sched/sch_tbf.c
@@ -452,7 +452,7 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt,
sch_tree_lock(sch);
if (child) {
- qdisc_tree_flush_backlog(q->qdisc);
+ qdisc_purge_queue(q->qdisc);
old = q->qdisc;
q->qdisc = child;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 330/356] net_sched: ets: fix a race in ets_qdisc_change()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (327 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 329/356] net_sched: tbf: fix a race in tbf_change() Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 332/356] nvmet-fcloop: access fcpreq only when holding reqlock Greg Kroah-Hartman
` (35 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerrard Tai, Eric Dumazet,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit d92adacdd8c2960be856e0b82acc5b7c5395fddb ]
Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer
fires at the wrong time.
The race is as follows:
CPU 0 CPU 1
[1]: lock root
[2]: qdisc_tree_flush_backlog()
[3]: unlock root
|
| [5]: lock root
| [6]: rehash
| [7]: qdisc_tree_reduce_backlog()
|
[4]: qdisc_put()
This can be abused to underflow a parent's qlen.
Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()
should fix the race, because all packets will be purged from the qdisc
before releasing the lock.
Fixes: b05972f01e7d ("net: sched: tbf: don't call qdisc_put() while holding tree lock")
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Suggested-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250611111515.1983366-5-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_ets.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c
index 9da86db4d2c2f..3ee46f6e005da 100644
--- a/net/sched/sch_ets.c
+++ b/net/sched/sch_ets.c
@@ -661,7 +661,7 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,
for (i = q->nbands; i < oldbands; i++) {
if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
list_del_init(&q->classes[i].alist);
- qdisc_tree_flush_backlog(q->classes[i].qdisc);
+ qdisc_purge_queue(q->classes[i].qdisc);
}
q->nstrict = nstrict;
memcpy(q->prio2band, priomap, sizeof(priomap));
--
2.39.5
ded" Error message: "Failed to find required string:'Out-Out;'."
---- end(-1) ----
132: perf script task-analyzer tests : FAILED!
```
The buf_size if always set to phdr->p_filesz, but that may be 0
causing a free and realloc to return NULL. This is treated in
filename__read_build_id like a failure and the buffer is freed again.
To avoid this problem only grow buf, meaning the buf_size will never
be 0. This also reduces the number of memory (re)allocations.
Fixes: b691f64360ecec49 ("perf symbols: Implement poor man's ELF parser")
Signed-off-by: Ian Rogers <irogers@google.com>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung.kim@lge.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lore.kernel.org/r/20250501070003.22251-1-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/symbol-minimal.c | 34 +++++++++++++++++---------------
1 file changed, 18 insertions(+), 16 deletions(-)
diff --git a/tools/perf/util/symbol-minimal.c b/tools/perf/util/symbol-minimal.c
index c6f369b5d893f..d8da3da01fe6b 100644
--- a/tools/perf/util/symbol-minimal.c
+++ b/tools/perf/util/symbol-minimal.c
@@ -147,18 +147,19 @@ int filename__read_build_id(const char *filename, struct build_id *bid)
if (phdr->p_type != PT_NOTE)
continue;
- buf_size = phdr->p_filesz;
offset = phdr->p_offset;
- tmp = realloc(buf, buf_size);
- if (tmp == NULL)
- goto out_free;
-
- buf = tmp;
+ if (phdr->p_filesz > buf_size) {
+ buf_size = phdr->p_filesz;
+ tmp = realloc(buf, buf_size);
+ if (tmp == NULL)
+ goto out_free;
+ buf = tmp;
+ }
fseek(fp, offset, SEEK_SET);
- if (fread(buf, buf_size, 1, fp) != 1)
+ if (fread(buf, phdr->p_filesz, 1, fp) != 1)
goto out_free;
- ret = read_build_id(buf, buf_size, bid, need_swap);
+ ret = read_build_id(buf, phdr->p_filesz, bid, need_swap);
if (ret == 0) {
ret = bid->size;
break;
@@ -199,18 +200,19 @@ int filename__read_build_id(const char *filename, struct build_id *bid)
if (phdr->p_type != PT_NOTE)
continue;
- buf_size = phdr->p_filesz;
offset = phdr->p_offset;
- tmp = realloc(buf, buf_size);
- if (tmp == NULL)
- goto out_free;
-
- buf = tmp;
+ if (phdr->p_filesz > buf_size) {
+ buf_size = phdr->p_filesz;
+ tmp = realloc(buf, buf_size);
+ if (tmp == NULL)
+ goto out_free;
+ buf = tmp;
+ }
fseek(fp, offset, SEEK_SET);
- if (fread(buf, buf_size, 1, fp) != 1)
+ if (fread(buf, phdr->p_filesz, 1, fp) != 1)
goto out_free;
- ret = read_build_id(buf, buf_size, bid, need_swap);
+ ret = read_build_id(buf, phdr->p_filesz, bid, need_swap);
if (ret == 0) {
ret = bid->size;
break;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 332/356] nvmet-fcloop: access fcpreq only when holding reqlock
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (328 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 330/356] net_sched: ets: fix a race in ets_qdisc_change() Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 333/356] perf: Ensure bpf_perf_link path is properly serialized Greg Kroah-Hartman
` (34 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Wagner, Christoph Hellwig,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Wagner <wagi@kernel.org>
[ Upstream commit 47a827cd7929d0550c3496d70b417fcb5649b27b ]
The abort handling logic expects that the state and the fcpreq are only
accessed when holding the reqlock lock.
While at it, only handle the aborts in the abort handler.
Signed-off-by: Daniel Wagner <wagi@kernel.org>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/target/fcloop.c | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/drivers/nvme/target/fcloop.c b/drivers/nvme/target/fcloop.c
index 4b35bdcac185f..aeeb7455fc2e7 100644
--- a/drivers/nvme/target/fcloop.c
+++ b/drivers/nvme/target/fcloop.c
@@ -613,12 +613,13 @@ fcloop_fcp_recv_work(struct work_struct *work)
{
struct fcloop_fcpreq *tfcp_req =
container_of(work, struct fcloop_fcpreq, fcp_rcv_work);
- struct nvmefc_fcp_req *fcpreq = tfcp_req->fcpreq;
+ struct nvmefc_fcp_req *fcpreq;
unsigned long flags;
int ret = 0;
bool aborted = false;
spin_lock_irqsave(&tfcp_req->reqlock, flags);
+ fcpreq = tfcp_req->fcpreq;
switch (tfcp_req->inistate) {
case INI_IO_START:
tfcp_req->inistate = INI_IO_ACTIVE;
@@ -633,16 +634,19 @@ fcloop_fcp_recv_work(struct work_struct *work)
}
spin_unlock_irqrestore(&tfcp_req->reqlock, flags);
- if (unlikely(aborted))
- ret = -ECANCELED;
- else {
- if (likely(!check_for_drop(tfcp_req)))
- ret = nvmet_fc_rcv_fcp_req(tfcp_req->tport->targetport,
- &tfcp_req->tgt_fcp_req,
- fcpreq->cmdaddr, fcpreq->cmdlen);
- else
- pr_info("%s: dropped command ********\n", __func__);
+ if (unlikely(aborted)) {
+ /* the abort handler will call fcloop_call_host_done */
+ return;
+ }
+
+ if (unlikely(check_for_drop(tfcp_req))) {
+ pr_info("%s: dropped command ********\n", __func__);
+ return;
}
+
+ ret = nvmet_fc_rcv_fcp_req(tfcp_req->tport->targetport,
+ &tfcp_req->tgt_fcp_req,
+ fcpreq->cmdaddr, fcpreq->cmdlen);
if (ret)
fcloop_call_host_done(fcpreq, tfcp_req, ret);
}
@@ -657,9 +661,10 @@ fcloop_fcp_abort_recv_work(struct work_struct *work)
unsigned long flags;
spin_lock_irqsave(&tfcp_req->reqlock, flags);
- fcpreq = tfcp_req->fcpreq;
switch (tfcp_req->inistate) {
case INI_IO_ABORTED:
+ fcpreq = tfcp_req->fcpreq;
+ tfcp_req->fcpreq = NULL;
break;
case INI_IO_COMPLETED:
completed = true;
@@ -681,10 +686,6 @@ fcloop_fcp_abort_recv_work(struct work_struct *work)
nvmet_fc_rcv_fcp_abort(tfcp_req->tport->targetport,
&tfcp_req->tgt_fcp_req);
- spin_lock_irqsave(&tfcp_req->reqlock, flags);
- tfcp_req->fcpreq = NULL;
- spin_unlock_irqrestore(&tfcp_req->reqlock, flags);
-
fcloop_call_host_done(fcpreq, tfcp_req, -ECANCELED);
/* call_host_done releases reference for abort downcall */
}
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 333/356] perf: Ensure bpf_perf_link path is properly serialized
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (329 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 332/356] nvmet-fcloop: access fcpreq only when holding reqlock Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 334/356] bio: Fix bio_first_folio() for SPARSEMEM without VMEMMAP Greg Kroah-Hartman
` (33 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ravi Bangoria,
Peter Zijlstra (Intel), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit 7ed9138a72829d2035ecbd8dbd35b1bc3c137c40 ]
Ravi reported that the bpf_perf_link_attach() usage of
perf_event_set_bpf_prog() is not serialized by ctx->mutex, unlike the
PERF_EVENT_IOC_SET_BPF case.
Reported-by: Ravi Bangoria <ravi.bangoria@amd.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Ravi Bangoria <ravi.bangoria@amd.com>
Link: https://lkml.kernel.org/r/20250307193305.486326750@infradead.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/events/core.c | 34 ++++++++++++++++++++++++++++++----
1 file changed, 30 insertions(+), 4 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 6460f79280ed2..563f39518f7fe 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -5913,6 +5913,9 @@ static int perf_event_set_output(struct perf_event *event,
static int perf_event_set_filter(struct perf_event *event, void __user *arg);
static int perf_copy_attr(struct perf_event_attr __user *uattr,
struct perf_event_attr *attr);
+static int __perf_event_set_bpf_prog(struct perf_event *event,
+ struct bpf_prog *prog,
+ u64 bpf_cookie);
static long _perf_ioctl(struct perf_event *event, unsigned int cmd, unsigned long arg)
{
@@ -5981,7 +5984,7 @@ static long _perf_ioctl(struct perf_event *event, unsigned int cmd, unsigned lon
if (IS_ERR(prog))
return PTR_ERR(prog);
- err = perf_event_set_bpf_prog(event, prog, 0);
+ err = __perf_event_set_bpf_prog(event, prog, 0);
if (err) {
bpf_prog_put(prog);
return err;
@@ -10583,8 +10586,9 @@ static inline bool perf_event_is_tracing(struct perf_event *event)
return false;
}
-int perf_event_set_bpf_prog(struct perf_event *event, struct bpf_prog *prog,
- u64 bpf_cookie)
+static int __perf_event_set_bpf_prog(struct perf_event *event,
+ struct bpf_prog *prog,
+ u64 bpf_cookie)
{
bool is_kprobe, is_uprobe, is_tracepoint, is_syscall_tp;
@@ -10622,6 +10626,20 @@ int perf_event_set_bpf_prog(struct perf_event *event, struct bpf_prog *prog,
return perf_event_attach_bpf_prog(event, prog, bpf_cookie);
}
+int perf_event_set_bpf_prog(struct perf_event *event,
+ struct bpf_prog *prog,
+ u64 bpf_cookie)
+{
+ struct perf_event_context *ctx;
+ int ret;
+
+ ctx = perf_event_ctx_lock(event);
+ ret = __perf_event_set_bpf_prog(event, prog, bpf_cookie);
+ perf_event_ctx_unlock(event, ctx);
+
+ return ret;
+}
+
void perf_event_free_bpf_prog(struct perf_event *event)
{
if (!perf_event_is_tracing(event)) {
@@ -10641,7 +10659,15 @@ static void perf_event_free_filter(struct perf_event *event)
{
}
-int perf_event_set_bpf_prog(struct perf_event *event, struct bpf_prog *prog,
+static int __perf_event_set_bpf_prog(struct perf_event *event,
+ struct bpf_prog *prog,
+ u64 bpf_cookie)
+{
+ return -ENOENT;
+}
+
+int perf_event_set_bpf_prog(struct perf_event *event,
+ struct bpf_prog *prog,
u64 bpf_cookie)
{
return -ENOENT;
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 334/356] bio: Fix bio_first_folio() for SPARSEMEM without VMEMMAP
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (330 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 333/356] perf: Ensure bpf_perf_link path is properly serialized Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 335/356] block: Fix bvec_set_folio() for very large folios Greg Kroah-Hartman
` (32 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle), Jens Axboe,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
[ Upstream commit f826ec7966a63d48e16e0868af4e038bf9a1a3ae ]
It is possible for physically contiguous folios to have discontiguous
struct pages if SPARSEMEM is enabled and SPARSEMEM_VMEMMAP is not.
This is correctly handled by folio_page_idx(), so remove this open-coded
implementation.
Fixes: 640d1930bef4 (block: Add bio_for_each_folio_all())
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Link: https://lore.kernel.org/r/20250612144126.2849931-1-willy@infradead.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/bio.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/bio.h b/include/linux/bio.h
index b893418c3cc02..f193aef4fac08 100644
--- a/include/linux/bio.h
+++ b/include/linux/bio.h
@@ -294,7 +294,7 @@ static inline void bio_first_folio(struct folio_iter *fi, struct bio *bio,
fi->folio = page_folio(bvec->bv_page);
fi->offset = bvec->bv_offset +
- PAGE_SIZE * (bvec->bv_page - &fi->folio->page);
+ PAGE_SIZE * folio_page_idx(fi->folio, bvec->bv_page);
fi->_seg_count = bvec->bv_len;
fi->length = min(folio_size(fi->folio) - fi->offset, fi->_seg_count);
fi->_next = folio_next(fi->folio);
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 335/356] block: Fix bvec_set_folio() for very large folios
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (331 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 334/356] bio: Fix bio_first_folio() for SPARSEMEM without VMEMMAP Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 336/356] tools/resolve_btfids: Fix build when cross compiling kernel with clang Greg Kroah-Hartman
` (31 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle), Jens Axboe,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
[ Upstream commit 5e223e06ee7c6d8f630041a0645ac90e39a42cc6 ]
Similarly to 26064d3e2b4d ("block: fix adding folio to bio"), if
we attempt to add a folio that is larger than 4GB, we'll silently
truncate the offset and len. Widen the parameters to size_t, assert
that the length is less than 4GB and set the first page that contains
the interesting data rather than the first page of the folio.
Fixes: 26db5ee15851 (block: add a bvec_set_folio helper)
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Link: https://lore.kernel.org/r/20250612144255.2850278-1-willy@infradead.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/bvec.h | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/include/linux/bvec.h b/include/linux/bvec.h
index bd1e361b351c5..99ab7b2bba27c 100644
--- a/include/linux/bvec.h
+++ b/include/linux/bvec.h
@@ -57,9 +57,12 @@ static inline void bvec_set_page(struct bio_vec *bv, struct page *page,
* @offset: offset into the folio
*/
static inline void bvec_set_folio(struct bio_vec *bv, struct folio *folio,
- unsigned int len, unsigned int offset)
+ size_t len, size_t offset)
{
- bvec_set_page(bv, &folio->page, len, offset);
+ unsigned long nr = offset / PAGE_SIZE;
+
+ WARN_ON_ONCE(len > UINT_MAX);
+ bvec_set_page(bv, folio_page(folio, nr), len, offset % PAGE_SIZE);
}
/**
--
2.39.5
^ permalink raw reply related [flat|nested] 378+ messages in thread
* [PATCH 6.6 336/356] tools/resolve_btfids: Fix build when cross compiling kernel with clang.
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (332 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 335/356] block: Fix bvec_set_folio() for very large folios Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 337/356] ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 Greg Kroah-Hartman
` (30 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Suleiman Souhlal, Andrii Nakryiko,
Jiri Olsa
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Suleiman Souhlal <suleiman@google.com>
commit a298bbab903e3fb4cbe16d36d6195e68fad1b776 upstream.
When cross compiling the kernel with clang, we need to override
CLANG_CROSS_FLAGS when preparing the step libraries.
Prior to commit d1d096312176 ("tools: fix annoying "mkdir -p ..." logs
when building tools in parallel"), MAKEFLAGS would have been set to a
value that wouldn't set a value for CLANG_CROSS_FLAGS, hiding the
fact that we weren't properly overriding it.
Fixes: 56a2df7615fa ("tools/resolve_btfids: Compile resolve_btfids as host program")
Signed-off-by: Suleiman Souhlal <suleiman@google.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/bpf/20250606074538.1608546-1-suleiman@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/bpf/resolve_btfids/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/tools/bpf/resolve_btfids/Makefile
+++ b/tools/bpf/resolve_btfids/Makefile
@@ -19,7 +19,7 @@ endif
# Overrides for the prepare step libraries.
HOST_OVERRIDES := AR="$(HOSTAR)" CC="$(HOSTCC)" LD="$(HOSTLD)" ARCH="$(HOSTARCH)" \
- CROSS_COMPILE="" EXTRA_CFLAGS="$(HOSTCFLAGS)"
+ CROSS_COMPILE="" CLANG_CROSS_FLAGS="" EXTRA_CFLAGS="$(HOSTCFLAGS)"
RM ?= rm
HOSTCC ?= gcc
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 337/356] ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (333 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 336/356] tools/resolve_btfids: Fix build when cross compiling kernel with clang Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 338/356] HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Greg Kroah-Hartman
` (29 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Heimann, Takashi Iwai
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Heimann <d@dmeh.net>
commit 6a3439a417b910e662c666993798e0691bc81147 upstream.
The RODE AI-1 audio interface requires implicit feedback sync between
playback endpoint 0x03 and feedback endpoint 0x84 on interface 3, but
doesn't advertise this in its USB descriptors.
Without this quirk, the device receives audio data but produces no output.
Signed-off-by: David Heimann <d@dmeh.net>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/084dc88c-1193-4a94-a002-5599adff936c@app.fastmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/implicit.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/usb/implicit.c
+++ b/sound/usb/implicit.c
@@ -57,6 +57,7 @@ static const struct snd_usb_implicit_fb_
IMPLICIT_FB_FIXED_DEV(0x31e9, 0x0002, 0x81, 2), /* Solid State Logic SSL2+ */
IMPLICIT_FB_FIXED_DEV(0x0499, 0x172f, 0x81, 2), /* Steinberg UR22C */
IMPLICIT_FB_FIXED_DEV(0x0d9a, 0x00df, 0x81, 2), /* RTX6001 */
+ IMPLICIT_FB_FIXED_DEV(0x19f7, 0x000a, 0x84, 3), /* RODE AI-1 */
IMPLICIT_FB_FIXED_DEV(0x22f0, 0x0006, 0x81, 3), /* Allen&Heath Qu-16 */
IMPLICIT_FB_FIXED_DEV(0x1686, 0xf029, 0x82, 2), /* Zoom UAC-2 */
IMPLICIT_FB_FIXED_DEV(0x2466, 0x8003, 0x86, 2), /* Fractal Audio Axe-Fx II */
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 338/356] HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (334 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 337/356] ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 339/356] io_uring: add io_file_can_poll() helper Greg Kroah-Hartman
` (28 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+c52569baf0c843f35495,
Terry Junge, Michael Kelley, Jiri Kosina
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Terry Junge <linuxhid@cosmicgizmosystems.com>
commit fe7f7ac8e0c708446ff017453add769ffc15deed upstream.
Update struct hid_descriptor to better reflect the mandatory and
optional parts of the HID Descriptor as per USB HID 1.11 specification.
Note: the kernel currently does not parse any optional HID class
descriptors, only the mandatory report descriptor.
Update all references to member element desc[0] to rpt_desc.
Add test to verify bLength and bNumDescriptors values are valid.
Replace the for loop with direct access to the mandatory HID class
descriptor member for the report descriptor. This eliminates the
possibility of getting an out-of-bounds fault.
Add a warning message if the HID descriptor contains any unsupported
optional HID class descriptors.
Reported-by: syzbot+c52569baf0c843f35495@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
Fixes: f043bfc98c19 ("HID: usbhid: fix out-of-bounds bug")
Cc: stable@vger.kernel.org
Signed-off-by: Terry Junge <linuxhid@cosmicgizmosystems.com>
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-hyperv.c | 4 ++--
drivers/hid/usbhid/hid-core.c | 25 ++++++++++++++-----------
drivers/usb/gadget/function/f_hid.c | 12 ++++++------
include/linux/hid.h | 3 ++-
4 files changed, 24 insertions(+), 20 deletions(-)
--- a/drivers/hid/hid-hyperv.c
+++ b/drivers/hid/hid-hyperv.c
@@ -192,7 +192,7 @@ static void mousevsc_on_receive_device_i
goto cleanup;
input_device->report_desc_size = le16_to_cpu(
- desc->desc[0].wDescriptorLength);
+ desc->rpt_desc.wDescriptorLength);
if (input_device->report_desc_size == 0) {
input_device->dev_info_status = -EINVAL;
goto cleanup;
@@ -210,7 +210,7 @@ static void mousevsc_on_receive_device_i
memcpy(input_device->report_desc,
((unsigned char *)desc) + desc->bLength,
- le16_to_cpu(desc->desc[0].wDescriptorLength));
+ le16_to_cpu(desc->rpt_desc.wDescriptorLength));
/* Send the ack */
memset(&ack, 0, sizeof(struct mousevsc_prt_msg));
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -982,12 +982,11 @@ static int usbhid_parse(struct hid_devic
struct usb_host_interface *interface = intf->cur_altsetting;
struct usb_device *dev = interface_to_usbdev (intf);
struct hid_descriptor *hdesc;
+ struct hid_class_descriptor *hcdesc;
u32 quirks = 0;
unsigned int rsize = 0;
char *rdesc;
- int ret, n;
- int num_descriptors;
- size_t offset = offsetof(struct hid_descriptor, desc);
+ int ret;
quirks = hid_lookup_quirk(hid);
@@ -1009,20 +1008,19 @@ static int usbhid_parse(struct hid_devic
return -ENODEV;
}
- if (hdesc->bLength < sizeof(struct hid_descriptor)) {
- dbg_hid("hid descriptor is too short\n");
+ if (!hdesc->bNumDescriptors ||
+ hdesc->bLength != sizeof(*hdesc) +
+ (hdesc->bNumDescriptors - 1) * sizeof(*hcdesc)) {
+ dbg_hid("hid descriptor invalid, bLen=%hhu bNum=%hhu\n",
+ hdesc->bLength, hdesc->bNumDescriptors);
return -EINVAL;
}
hid->version = le16_to_cpu(hdesc->bcdHID);
hid->country = hdesc->bCountryCode;
- num_descriptors = min_t(int, hdesc->bNumDescriptors,
- (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
-
- for (n = 0; n < num_descriptors; n++)
- if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
- rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
+ if (hdesc->rpt_desc.bDescriptorType == HID_DT_REPORT)
+ rsize = le16_to_cpu(hdesc->rpt_desc.wDescriptorLength);
if (!rsize || rsize > HID_MAX_DESCRIPTOR_SIZE) {
dbg_hid("weird size of report descriptor (%u)\n", rsize);
@@ -1050,6 +1048,11 @@ static int usbhid_parse(struct hid_devic
goto err;
}
+ if (hdesc->bNumDescriptors > 1)
+ hid_warn(intf,
+ "%u unsupported optional hid class descriptors\n",
+ (int)(hdesc->bNumDescriptors - 1));
+
hid->quirks |= quirks;
return 0;
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -118,8 +118,8 @@ static struct hid_descriptor hidg_desc =
.bcdHID = cpu_to_le16(0x0101),
.bCountryCode = 0x00,
.bNumDescriptors = 0x1,
- /*.desc[0].bDescriptorType = DYNAMIC */
- /*.desc[0].wDescriptorLenght = DYNAMIC */
+ /*.rpt_desc.bDescriptorType = DYNAMIC */
+ /*.rpt_desc.wDescriptorLength = DYNAMIC */
};
/* Super-Speed Support */
@@ -728,8 +728,8 @@ static int hidg_setup(struct usb_functio
struct hid_descriptor hidg_desc_copy = hidg_desc;
VDBG(cdev, "USB_REQ_GET_DESCRIPTOR: HID\n");
- hidg_desc_copy.desc[0].bDescriptorType = HID_DT_REPORT;
- hidg_desc_copy.desc[0].wDescriptorLength =
+ hidg_desc_copy.rpt_desc.bDescriptorType = HID_DT_REPORT;
+ hidg_desc_copy.rpt_desc.wDescriptorLength =
cpu_to_le16(hidg->report_desc_length);
length = min_t(unsigned short, length,
@@ -970,8 +970,8 @@ static int hidg_bind(struct usb_configur
* We can use hidg_desc struct here but we should not relay
* that its content won't change after returning from this function.
*/
- hidg_desc.desc[0].bDescriptorType = HID_DT_REPORT;
- hidg_desc.desc[0].wDescriptorLength =
+ hidg_desc.rpt_desc.bDescriptorType = HID_DT_REPORT;
+ hidg_desc.rpt_desc.wDescriptorLength =
cpu_to_le16(hidg->report_desc_length);
hidg_hs_in_ep_desc.bEndpointAddress =
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -736,8 +736,9 @@ struct hid_descriptor {
__le16 bcdHID;
__u8 bCountryCode;
__u8 bNumDescriptors;
+ struct hid_class_descriptor rpt_desc;
- struct hid_class_descriptor desc[1];
+ struct hid_class_descriptor opt_descs[];
} __attribute__ ((packed));
#define HID_DEVICE(b, g, ven, prod) \
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 339/356] io_uring: add io_file_can_poll() helper
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (335 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 338/356] HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 340/356] io_uring/rw: allow pollable non-blocking attempts for !FMODE_NOWAIT Greg Kroah-Hartman
` (27 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jens Axboe
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
Commit 95041b93e90a06bb613ec4bef9cd4d61570f68e4 upstream.
This adds a flag to avoid dipping dereferencing file and then f_op to
figure out if the file has a poll handler defined or not. We generally
call this at least twice for networked workloads, and if using ring
provided buffers, we do it on every buffer selection. Particularly the
latter is troublesome, as it's otherwise a very fast operation.
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/io_uring_types.h | 3 +++
io_uring/io_uring.c | 2 +-
io_uring/io_uring.h | 12 ++++++++++++
io_uring/kbuf.c | 3 +--
io_uring/poll.c | 2 +-
io_uring/rw.c | 4 ++--
6 files changed, 20 insertions(+), 6 deletions(-)
--- a/include/linux/io_uring_types.h
+++ b/include/linux/io_uring_types.h
@@ -416,6 +416,7 @@ enum {
/* keep async read/write and isreg together and in order */
REQ_F_SUPPORT_NOWAIT_BIT,
REQ_F_ISREG_BIT,
+ REQ_F_CAN_POLL_BIT,
/* not a real bit, just to check we're not overflowing the space */
__REQ_F_LAST_BIT,
@@ -483,6 +484,8 @@ enum {
REQ_F_CLEAR_POLLIN = BIT(REQ_F_CLEAR_POLLIN_BIT),
/* hashed into ->cancel_hash_locked, protected by ->uring_lock */
REQ_F_HASH_LOCKED = BIT(REQ_F_HASH_LOCKED_BIT),
+ /* file is pollable */
+ REQ_F_CAN_POLL = BIT(REQ_F_CAN_POLL_BIT),
};
typedef void (*io_req_tw_func_t)(struct io_kiocb *req, struct io_tw_state *ts);
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -1953,7 +1953,7 @@ fail:
if (req->flags & REQ_F_FORCE_ASYNC) {
bool opcode_poll = def->pollin || def->pollout;
- if (opcode_poll && file_can_poll(req->file)) {
+ if (opcode_poll && io_file_can_poll(req)) {
needs_poll = true;
issue_flags |= IO_URING_F_NONBLOCK;
}
--- a/io_uring/io_uring.h
+++ b/io_uring/io_uring.h
@@ -5,6 +5,7 @@
#include <linux/lockdep.h>
#include <linux/resume_user_mode.h>
#include <linux/kasan.h>
+#include <linux/poll.h>
#include <linux/io_uring_types.h>
#include <uapi/linux/eventpoll.h>
#include "io-wq.h"
@@ -410,4 +411,15 @@ static inline size_t uring_sqe_size(stru
return 2 * sizeof(struct io_uring_sqe);
return sizeof(struct io_uring_sqe);
}
+
+static inline bool io_file_can_poll(struct io_kiocb *req)
+{
+ if (req->flags & REQ_F_CAN_POLL)
+ return true;
+ if (file_can_poll(req->file)) {
+ req->flags |= REQ_F_CAN_POLL;
+ return true;
+ }
+ return false;
+}
#endif
--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -148,8 +148,7 @@ static void __user *io_ring_buffer_selec
req->buf_list = bl;
req->buf_index = buf->bid;
- if (issue_flags & IO_URING_F_UNLOCKED ||
- (req->file && !file_can_poll(req->file))) {
+ if (issue_flags & IO_URING_F_UNLOCKED || !io_file_can_poll(req)) {
/*
* If we came in unlocked, we have no choice but to consume the
* buffer here, otherwise nothing ensures that the buffer won't
--- a/io_uring/poll.c
+++ b/io_uring/poll.c
@@ -717,7 +717,7 @@ int io_arm_poll_handler(struct io_kiocb
if (!def->pollin && !def->pollout)
return IO_APOLL_ABORTED;
- if (!file_can_poll(req->file))
+ if (!io_file_can_poll(req))
return IO_APOLL_ABORTED;
if (!(req->flags & REQ_F_APOLL_MULTISHOT))
mask |= EPOLLONESHOT;
--- a/io_uring/rw.c
+++ b/io_uring/rw.c
@@ -629,7 +629,7 @@ static bool io_rw_should_retry(struct io
* just use poll if we can, and don't attempt if the fs doesn't
* support callback based unlocks
*/
- if (file_can_poll(req->file) || !(req->file->f_mode & FMODE_BUF_RASYNC))
+ if (io_file_can_poll(req) || !(req->file->f_mode & FMODE_BUF_RASYNC))
return false;
wait->wait.func = io_async_buf_func;
@@ -783,7 +783,7 @@ static int __io_read(struct io_kiocb *re
if (ret == -EAGAIN || (req->flags & REQ_F_REISSUE)) {
req->flags &= ~REQ_F_REISSUE;
/* if we can poll, just do that */
- if (req->opcode == IORING_OP_READ && file_can_poll(req->file))
+ if (req->opcode == IORING_OP_READ && io_file_can_poll(req))
return -EAGAIN;
/* IOPOLL retry should happen for io-wq threads */
if (!force_nonblock && !(req->ctx->flags & IORING_SETUP_IOPOLL))
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 340/356] io_uring/rw: allow pollable non-blocking attempts for !FMODE_NOWAIT
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (336 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 339/356] io_uring: add io_file_can_poll() helper Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 341/356] io_uring/rw: fix wrong NOWAIT check in io_rw_init_file() Greg Kroah-Hartman
` (26 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jens Axboe
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
Commit f7c9134385331c5ef36252895130aa01a92de907 upstream.
The checking for whether or not io_uring can do a non-blocking read or
write attempt is gated on FMODE_NOWAIT. However, if the file is
pollable, it's feasible to just check if it's currently in a state in
which it can sanely receive or send _some_ data.
This avoids unnecessary io-wq punts, and repeated worthless retries
before doing that punt, by assuming that some data can get delivered
or received if poll tells us that is true. It also allows multishot
reads to properly work with these types of files, enabling a bit of
a cleanup of the logic that:
c9d952b9103b ("io_uring/rw: fix cflags posting for single issue multishot read")
had to put in place.
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/rw.c | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
--- a/io_uring/rw.c
+++ b/io_uring/rw.c
@@ -28,9 +28,19 @@ struct io_rw {
rwf_t flags;
};
-static inline bool io_file_supports_nowait(struct io_kiocb *req)
+static bool io_file_supports_nowait(struct io_kiocb *req, __poll_t mask)
{
- return req->flags & REQ_F_SUPPORT_NOWAIT;
+ /* If FMODE_NOWAIT is set for a file, we're golden */
+ if (req->flags & REQ_F_SUPPORT_NOWAIT)
+ return true;
+ /* No FMODE_NOWAIT, if we can poll, check the status */
+ if (io_file_can_poll(req)) {
+ struct poll_table_struct pt = { ._key = mask };
+
+ return vfs_poll(req->file, &pt) & mask;
+ }
+ /* No FMODE_NOWAIT support, and file isn't pollable. Tough luck. */
+ return false;
}
#ifdef CONFIG_COMPAT
@@ -685,8 +695,8 @@ static int io_rw_init_file(struct io_kio
* supports async. Otherwise it's impossible to use O_NONBLOCK files
* reliably. If not, or it IOCB_NOWAIT is set, don't retry.
*/
- if ((kiocb->ki_flags & IOCB_NOWAIT) ||
- ((file->f_flags & O_NONBLOCK) && !io_file_supports_nowait(req)))
+ if (kiocb->ki_flags & IOCB_NOWAIT ||
+ ((file->f_flags & O_NONBLOCK && (req->flags & REQ_F_SUPPORT_NOWAIT))))
req->flags |= REQ_F_NOWAIT;
if (ctx->flags & IORING_SETUP_IOPOLL) {
@@ -752,7 +762,7 @@ static int __io_read(struct io_kiocb *re
if (force_nonblock) {
/* If the file doesn't support async, just async punt */
- if (unlikely(!io_file_supports_nowait(req))) {
+ if (unlikely(!io_file_supports_nowait(req, EPOLLIN))) {
ret = io_setup_async_rw(req, iovec, s, true);
return ret ?: -EAGAIN;
}
@@ -927,7 +937,7 @@ int io_write(struct io_kiocb *req, unsig
if (force_nonblock) {
/* If the file doesn't support async, just async punt */
- if (unlikely(!io_file_supports_nowait(req)))
+ if (unlikely(!io_file_supports_nowait(req, EPOLLOUT)))
goto copy_iov;
/* File path supports NOWAIT for non-direct_IO only for block devices. */
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 341/356] io_uring/rw: fix wrong NOWAIT check in io_rw_init_file()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (337 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 340/356] io_uring/rw: allow pollable non-blocking attempts for !FMODE_NOWAIT Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 342/356] Revert "io_uring: ensure deferred completions are posted for multishot" Greg Kroah-Hartman
` (25 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Julian Orth, Jens Axboe
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
Commit ae6a888a4357131c01d85f4c91fb32552dd0bf70 upstream.
A previous commit improved how !FMODE_NOWAIT is dealt with, but
inadvertently negated a check whilst doing so. This caused -EAGAIN to be
returned from reading files with O_NONBLOCK set. Fix up the check for
REQ_F_SUPPORT_NOWAIT.
Reported-by: Julian Orth <ju.orth@gmail.com>
Link: https://github.com/axboe/liburing/issues/1270
Fixes: f7c913438533 ("io_uring/rw: allow pollable non-blocking attempts for !FMODE_NOWAIT")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/rw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/io_uring/rw.c
+++ b/io_uring/rw.c
@@ -696,7 +696,7 @@ static int io_rw_init_file(struct io_kio
* reliably. If not, or it IOCB_NOWAIT is set, don't retry.
*/
if (kiocb->ki_flags & IOCB_NOWAIT ||
- ((file->f_flags & O_NONBLOCK && (req->flags & REQ_F_SUPPORT_NOWAIT))))
+ ((file->f_flags & O_NONBLOCK && !(req->flags & REQ_F_SUPPORT_NOWAIT))))
req->flags |= REQ_F_NOWAIT;
if (ctx->flags & IORING_SETUP_IOPOLL) {
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 342/356] Revert "io_uring: ensure deferred completions are posted for multishot"
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (338 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 341/356] io_uring/rw: fix wrong NOWAIT check in io_rw_init_file() Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 343/356] posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() Greg Kroah-Hartman
` (24 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jens Axboe
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This reverts commit 746e7d285dcb96caa1845fbbb62b14bf4010cdfb which is
commit 687b2bae0efff9b25e071737d6af5004e6e35af5 upstream.
Jens writes:
There's some missing dependencies that makes this not work
right, I'll bring it back in a series instead.
Link: https://lore.kernel.org/r/906ba919-32e6-4534-bbad-2cd18e1098ca@kernel.dk
Reported-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/io_uring.c | 8 --------
1 file changed, 8 deletions(-)
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -920,14 +920,6 @@ static bool __io_post_aux_cqe(struct io_
{
bool filled;
- /*
- * If multishot has already posted deferred completions, ensure that
- * those are flushed first before posting this one. If not, CQEs
- * could get reordered.
- */
- if (!wq_list_empty(&ctx->submit_state.compl_reqs))
- __io_submit_flush_completions(ctx);
-
io_cq_lock(ctx);
filled = io_fill_cqe_aux(ctx, user_data, res, cflags);
if (!filled && allow_overflow)
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 343/356] posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (339 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 342/356] Revert "io_uring: ensure deferred completions are posted for multishot" Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 344/356] kbuild: Disable -Wdefault-const-init-unsafe Greg Kroah-Hartman
` (23 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benoît Sevens, Oleg Nesterov,
Linus Torvalds
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
commit f90fff1e152dedf52b932240ebbd670d83330eca upstream.
If an exiting non-autoreaping task has already passed exit_notify() and
calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent
or debugger right after unlock_task_sighand().
If a concurrent posix_cpu_timer_del() runs at that moment, it won't be
able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or
lock_task_sighand() will fail.
Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.
This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because
exit_task_work() is called before exit_notify(). But the check still
makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail
anyway in this case.
Cc: stable@vger.kernel.org
Reported-by: Benoît Sevens <bsevens@google.com>
Fixes: 0bdd2ed4138e ("sched: run_posix_cpu_timers: Don't check ->exit_state, use lock_task_sighand()")
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/time/posix-cpu-timers.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/kernel/time/posix-cpu-timers.c
+++ b/kernel/time/posix-cpu-timers.c
@@ -1438,6 +1438,15 @@ void run_posix_cpu_timers(void)
lockdep_assert_irqs_disabled();
/*
+ * Ensure that release_task(tsk) can't happen while
+ * handle_posix_cpu_timers() is running. Otherwise, a concurrent
+ * posix_cpu_timer_del() may fail to lock_task_sighand(tsk) and
+ * miss timer->it.cpu.firing != 0.
+ */
+ if (tsk->exit_state)
+ return;
+
+ /*
* If the actual expiry is deferred to task work context and the
* work is already scheduled there is no point to do anything here.
*/
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 344/356] kbuild: Disable -Wdefault-const-init-unsafe
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (340 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 343/356] posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 345/356] usb: usbtmc: Fix read_stb function and get_stb ioctl Greg Kroah-Hartman
` (22 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linux Kernel Functional Testing,
Marcus Seyfarth, Nathan Chancellor, Masahiro Yamada
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit d0afcfeb9e3810ec89d1ffde1a0e36621bb75dca upstream.
A new on by default warning in clang [1] aims to flags instances where
const variables without static or thread local storage or const members
in aggregate types are not initialized because it can lead to an
indeterminate value. This is quite noisy for the kernel due to
instances originating from header files such as:
drivers/gpu/drm/i915/gt/intel_ring.h:62:2: error: default initialization of an object of type 'typeof (ring->size)' (aka 'const unsigned int') leaves the object uninitialized [-Werror,-Wdefault-const-init-var-unsafe]
62 | typecheck(typeof(ring->size), next);
| ^
include/linux/typecheck.h:10:9: note: expanded from macro 'typecheck'
10 | ({ type __dummy; \
| ^
include/net/ip.h:478:14: error: default initialization of an object of type 'typeof (rt->dst.expires)' (aka 'const unsigned long') leaves the object uninitialized [-Werror,-Wdefault-const-init-var-unsafe]
478 | if (mtu && time_before(jiffies, rt->dst.expires))
| ^
include/linux/jiffies.h:138:26: note: expanded from macro 'time_before'
138 | #define time_before(a,b) time_after(b,a)
| ^
include/linux/jiffies.h:128:3: note: expanded from macro 'time_after'
128 | (typecheck(unsigned long, a) && \
| ^
include/linux/typecheck.h:11:12: note: expanded from macro 'typecheck'
11 | typeof(x) __dummy2; \
| ^
include/linux/list.h:409:27: warning: default initialization of an object of type 'union (unnamed union at include/linux/list.h:409:27)' with const member leaves the object uninitialized [-Wdefault-const-init-field-unsafe]
409 | struct list_head *next = smp_load_acquire(&head->next);
| ^
include/asm-generic/barrier.h:176:29: note: expanded from macro 'smp_load_acquire'
176 | #define smp_load_acquire(p) __smp_load_acquire(p)
| ^
arch/arm64/include/asm/barrier.h:164:59: note: expanded from macro '__smp_load_acquire'
164 | union { __unqual_scalar_typeof(*p) __val; char __c[1]; } __u; \
| ^
include/linux/list.h:409:27: note: member '__val' declared 'const' here
crypto/scatterwalk.c:66:22: error: default initialization of an object of type 'struct scatter_walk' with const member leaves the object uninitialized [-Werror,-Wdefault-const-init-field-unsafe]
66 | struct scatter_walk walk;
| ^
include/crypto/algapi.h:112:15: note: member 'addr' declared 'const' here
112 | void *const addr;
| ^
fs/hugetlbfs/inode.c:733:24: error: default initialization of an object of type 'struct vm_area_struct' with const member leaves the object uninitialized [-Werror,-Wdefault-const-init-field-unsafe]
733 | struct vm_area_struct pseudo_vma;
| ^
include/linux/mm_types.h:803:20: note: member 'vm_flags' declared 'const' here
803 | const vm_flags_t vm_flags;
| ^
Silencing the instances from typecheck.h is difficult because '= {}' is
not available in older but supported compilers and '= {0}' would cause
warnings about a literal 0 being treated as NULL. While it might be
possible to come up with a local hack to silence the warning for
clang-21+, it may not be worth it since -Wuninitialized will still
trigger if an uninitialized const variable is actually used.
In all audited cases of the "field" variant of the warning, the members
are either not used in the particular call path, modified through other
means such as memset() / memcpy() because the containing object is not
const, or are within a union with other non-const members.
Since this warning does not appear to have a high signal to noise ratio,
just disable it.
Cc: stable@vger.kernel.org
Link: https://github.com/llvm/llvm-project/commit/576161cb6069e2c7656a8ef530727a0f4aefff30 [1]
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
Closes: https://lore.kernel.org/CA+G9fYuNjKcxFKS_MKPRuga32XbndkLGcY-PVuoSwzv6VWbY=w@mail.gmail.com/
Reported-by: Marcus Seyfarth <m.seyfarth@gmail.com>
Closes: https://github.com/ClangBuiltLinux/linux/issues/2088
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
| 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/scripts/Makefile.extrawarn
+++ b/scripts/Makefile.extrawarn
@@ -29,6 +29,18 @@ KBUILD_CFLAGS-$(CONFIG_CC_NO_ARRAY_BOUND
ifdef CONFIG_CC_IS_CLANG
# The kernel builds with '-std=gnu11' so use of GNU extensions is acceptable.
KBUILD_CFLAGS += -Wno-gnu
+
+# Clang may emit a warning when a const variable, such as the dummy variables
+# in typecheck(), or const member of an aggregate type are not initialized,
+# which can result in unexpected behavior. However, in many audited cases of
+# the "field" variant of the warning, this is intentional because the field is
+# never used within a particular call path, the field is within a union with
+# other non-const members, or the containing object is not const so the field
+# can be modified via memcpy() / memset(). While the variable warning also gets
+# disabled with this same switch, there should not be too much coverage lost
+# because -Wuninitialized will still flag when an uninitialized const variable
+# is used.
+KBUILD_CFLAGS += $(call cc-disable-warning, default-const-init-unsafe)
else
# gcc inanely warns about local variables called 'main'
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 345/356] usb: usbtmc: Fix read_stb function and get_stb ioctl
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (341 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 344/356] kbuild: Disable -Wdefault-const-init-unsafe Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 346/356] VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify Greg Kroah-Hartman
` (21 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dave Penkler
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Penkler <dpenkler@gmail.com>
commit acb3dac2805d3342ded7dbbd164add32bbfdf21c upstream.
The usbtmc488_ioctl_read_stb function relied on a positive return from
usbtmc_get_stb to reset the srq condition in the driver. The
USBTMC_IOCTL_GET_STB case tested for a positive return to return the stb
to the user.
Commit: <cac01bd178d6> ("usb: usbtmc: Fix erroneous get_stb ioctl
error returns") changed the return value of usbtmc_get_stb to 0 on
success instead of returning the value of usb_control_msg which is
positive in the normal case. This change caused the function
usbtmc488_ioctl_read_stb and the USBTMC_IOCTL_GET_STB ioctl to no
longer function correctly.
Change the test in usbtmc488_ioctl_read_stb to test for failure
first and return the failure code immediately.
Change the test for the USBTMC_IOCTL_GET_STB ioctl to test for 0
instead of a positive value.
Fixes: cac01bd178d6 ("usb: usbtmc: Fix erroneous get_stb ioctl error returns")
Cc: stable@vger.kernel.org
Signed-off-by: Dave Penkler <dpenkler@gmail.com>
Link: https://lore.kernel.org/r/20250521121656.18174-3-dpenkler@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/usbtmc.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -565,14 +565,15 @@ static int usbtmc488_ioctl_read_stb(stru
rv = usbtmc_get_stb(file_data, &stb);
- if (rv > 0) {
- srq_asserted = atomic_xchg(&file_data->srq_asserted,
- srq_asserted);
- if (srq_asserted)
- stb |= 0x40; /* Set RQS bit */
+ if (rv < 0)
+ return rv;
+
+ srq_asserted = atomic_xchg(&file_data->srq_asserted, srq_asserted);
+ if (srq_asserted)
+ stb |= 0x40; /* Set RQS bit */
+
+ rv = put_user(stb, (__u8 __user *)arg);
- rv = put_user(stb, (__u8 __user *)arg);
- }
return rv;
}
@@ -2201,7 +2202,7 @@ static long usbtmc_ioctl(struct file *fi
case USBTMC_IOCTL_GET_STB:
retval = usbtmc_get_stb(file_data, &tmp_byte);
- if (retval > 0)
+ if (!retval)
retval = put_user(tmp_byte, (__u8 __user *)arg);
break;
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 346/356] VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (342 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 345/356] usb: usbtmc: Fix read_stb function and get_stb ioctl Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 347/356] usb: cdnsp: Fix issue with detecting command completion event Greg Kroah-Hartman
` (20 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Wupeng Ma
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wupeng Ma <mawupeng1@huawei.com>
commit 1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4 upstream.
During our test, it is found that a warning can be trigger in try_grab_folio
as follow:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130
Modules linked in:
CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)
RIP: 0010:try_grab_folio+0x106/0x130
Call Trace:
<TASK>
follow_huge_pmd+0x240/0x8e0
follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0
follow_pud_mask.constprop.0.isra.0+0x14a/0x170
follow_page_mask+0x1c2/0x1f0
__get_user_pages+0x176/0x950
__gup_longterm_locked+0x15b/0x1060
? gup_fast+0x120/0x1f0
gup_fast_fallback+0x17e/0x230
get_user_pages_fast+0x5f/0x80
vmci_host_unlocked_ioctl+0x21c/0xf80
RIP: 0033:0x54d2cd
---[ end trace 0000000000000000 ]---
Digging into the source, context->notify_page may init by get_user_pages_fast
and can be seen in vmci_ctx_unset_notify which will try to put_page. However
get_user_pages_fast is not finished here and lead to following
try_grab_folio warning. The race condition is shown as follow:
cpu0 cpu1
vmci_host_do_set_notify
vmci_host_setup_notify
get_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page);
lockless_pages_from_mm
gup_pgd_range
gup_huge_pmd // update &context->notify_page
vmci_host_do_set_notify
vmci_ctx_unset_notify
notify_page = context->notify_page;
if (notify_page)
put_page(notify_page); // page is freed
__gup_longterm_locked
__get_user_pages
follow_trans_huge_pmd
try_grab_folio // warn here
To slove this, use local variable page to make notify_page can be seen
after finish get_user_pages_fast.
Fixes: a1d88436d53a ("VMCI: Fix two UVA mapping bugs")
Cc: stable <stable@kernel.org>
Closes: https://lore.kernel.org/all/e91da589-ad57-3969-d979-879bbd10dddd@huawei.com/
Signed-off-by: Wupeng Ma <mawupeng1@huawei.com>
Link: https://lore.kernel.org/r/20250510033040.901582-1-mawupeng1@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/vmw_vmci/vmci_host.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
--- a/drivers/misc/vmw_vmci/vmci_host.c
+++ b/drivers/misc/vmw_vmci/vmci_host.c
@@ -227,6 +227,7 @@ static int drv_cp_harray_to_user(void __
static int vmci_host_setup_notify(struct vmci_ctx *context,
unsigned long uva)
{
+ struct page *page;
int retval;
if (context->notify_page) {
@@ -243,13 +244,11 @@ static int vmci_host_setup_notify(struct
/*
* Lock physical page backing a given user VA.
*/
- retval = get_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page);
- if (retval != 1) {
- context->notify_page = NULL;
+ retval = get_user_pages_fast(uva, 1, FOLL_WRITE, &page);
+ if (retval != 1)
return VMCI_ERROR_GENERIC;
- }
- if (context->notify_page == NULL)
- return VMCI_ERROR_UNAVAILABLE;
+
+ context->notify_page = page;
/*
* Map the locked page and set up notify pointer.
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 347/356] usb: cdnsp: Fix issue with detecting command completion event
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (343 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 346/356] VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 348/356] usb: cdnsp: Fix issue with detecting USB 3.2 speed Greg Kroah-Hartman
` (19 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Pawel Laszczak, Peter Chen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pawel Laszczak <pawell@cadence.com>
commit f4ecdc352646f7d23f348e5c544dbe3212c94fc8 upstream.
In some cases, there is a small-time gap in which CMD_RING_BUSY can be
cleared by controller but adding command completion event to event ring
will be delayed. As the result driver will return error code.
This behavior has been detected on usbtest driver (test 9) with
configuration including ep1in/ep1out bulk and ep2in/ep2out isoc
endpoint.
Probably this gap occurred because controller was busy with adding some
other events to event ring.
The CMD_RING_BUSY is cleared to '0' when the Command Descriptor has been
executed and not when command completion event has been added to event
ring.
To fix this issue for this test the small delay is sufficient less than
10us) but to make sure the problem doesn't happen again in the future
the patch introduces 10 retries to check with delay about 20us before
returning error code.
Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://lore.kernel.org/r/PH7PR07MB9538AA45362ACCF1B94EE9B7DD96A@PH7PR07MB9538.namprd07.prod.outlook.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/cdns3/cdnsp-gadget.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
--- a/drivers/usb/cdns3/cdnsp-gadget.c
+++ b/drivers/usb/cdns3/cdnsp-gadget.c
@@ -546,6 +546,7 @@ int cdnsp_wait_for_cmd_compl(struct cdns
dma_addr_t cmd_deq_dma;
union cdnsp_trb *event;
u32 cycle_state;
+ u32 retry = 10;
int ret, val;
u64 cmd_dma;
u32 flags;
@@ -577,8 +578,23 @@ int cdnsp_wait_for_cmd_compl(struct cdns
flags = le32_to_cpu(event->event_cmd.flags);
/* Check the owner of the TRB. */
- if ((flags & TRB_CYCLE) != cycle_state)
+ if ((flags & TRB_CYCLE) != cycle_state) {
+ /*
+ * Give some extra time to get chance controller
+ * to finish command before returning error code.
+ * Checking CMD_RING_BUSY is not sufficient because
+ * this bit is cleared to '0' when the Command
+ * Descriptor has been executed by controller
+ * and not when command completion event has
+ * be added to event ring.
+ */
+ if (retry--) {
+ udelay(20);
+ continue;
+ }
+
return -EINVAL;
+ }
cmd_dma = le64_to_cpu(event->event_cmd.cmd_trb);
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 348/356] usb: cdnsp: Fix issue with detecting USB 3.2 speed
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (344 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 347/356] usb: cdnsp: Fix issue with detecting command completion event Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 349/356] usb: Flush altsetting 0 endpoints before reinitializating them after reset Greg Kroah-Hartman
` (18 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Pawel Laszczak, Peter Chen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pawel Laszczak <pawell@cadence.com>
commit 2852788cfbe9ca1ab68509d65804413871f741f9 upstream.
Patch adds support for detecting SuperSpeedPlus Gen1 x2 and
SuperSpeedPlus Gen2 x2 speed.
Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://lore.kernel.org/r/PH7PR07MB95387AD98EDCA695FECE52BADD96A@PH7PR07MB9538.namprd07.prod.outlook.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/cdns3/cdnsp-gadget.c | 3 ++-
drivers/usb/cdns3/cdnsp-gadget.h | 4 ++++
2 files changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/usb/cdns3/cdnsp-gadget.c
+++ b/drivers/usb/cdns3/cdnsp-gadget.c
@@ -28,7 +28,8 @@
unsigned int cdnsp_port_speed(unsigned int port_status)
{
/*Detect gadget speed based on PORTSC register*/
- if (DEV_SUPERSPEEDPLUS(port_status))
+ if (DEV_SUPERSPEEDPLUS(port_status) ||
+ DEV_SSP_GEN1x2(port_status) || DEV_SSP_GEN2x2(port_status))
return USB_SPEED_SUPER_PLUS;
else if (DEV_SUPERSPEED(port_status))
return USB_SPEED_SUPER;
--- a/drivers/usb/cdns3/cdnsp-gadget.h
+++ b/drivers/usb/cdns3/cdnsp-gadget.h
@@ -285,11 +285,15 @@ struct cdnsp_port_regs {
#define XDEV_HS (0x3 << 10)
#define XDEV_SS (0x4 << 10)
#define XDEV_SSP (0x5 << 10)
+#define XDEV_SSP1x2 (0x6 << 10)
+#define XDEV_SSP2x2 (0x7 << 10)
#define DEV_UNDEFSPEED(p) (((p) & DEV_SPEED_MASK) == (0x0 << 10))
#define DEV_FULLSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_FS)
#define DEV_HIGHSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_HS)
#define DEV_SUPERSPEED(p) (((p) & DEV_SPEED_MASK) == XDEV_SS)
#define DEV_SUPERSPEEDPLUS(p) (((p) & DEV_SPEED_MASK) == XDEV_SSP)
+#define DEV_SSP_GEN1x2(p) (((p) & DEV_SPEED_MASK) == XDEV_SSP1x2)
+#define DEV_SSP_GEN2x2(p) (((p) & DEV_SPEED_MASK) == XDEV_SSP2x2)
#define DEV_SUPERSPEED_ANY(p) (((p) & DEV_SPEED_MASK) >= XDEV_SS)
#define DEV_PORT_SPEED(p) (((p) >> 10) & 0x0f)
/* Port Link State Write Strobe - set this when changing link state */
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 349/356] usb: Flush altsetting 0 endpoints before reinitializating them after reset.
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (345 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 348/356] usb: cdnsp: Fix issue with detecting USB 3.2 speed Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 350/356] usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() Greg Kroah-Hartman
` (17 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Mathias Nyman
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit 89bb3dc13ac29a563f4e4c555e422882f64742bd upstream.
usb core avoids sending a Set-Interface altsetting 0 request after device
reset, and instead relies on calling usb_disable_interface() and
usb_enable_interface() to flush and reset host-side of those endpoints.
xHCI hosts allocate and set up endpoint ring buffers and host_ep->hcpriv
during usb_hcd_alloc_bandwidth() callback, which in this case is called
before flushing the endpoint in usb_disable_interface().
Call usb_disable_interface() before usb_hcd_alloc_bandwidth() to ensure
URBs are flushed before new ring buffers for the endpoints are allocated.
Otherwise host driver will attempt to find and remove old stale URBs
from a freshly allocated new ringbuffer.
Cc: stable <stable@kernel.org>
Fixes: 4fe0387afa89 ("USB: don't send Set-Interface after reset")
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20250514132520.225345-1-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/hub.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -6103,6 +6103,7 @@ static int usb_reset_and_verify_device(s
struct usb_hub *parent_hub;
struct usb_hcd *hcd = bus_to_hcd(udev->bus);
struct usb_device_descriptor descriptor;
+ struct usb_interface *intf;
struct usb_host_bos *bos;
int i, j, ret = 0;
int port1 = udev->portnum;
@@ -6160,6 +6161,18 @@ static int usb_reset_and_verify_device(s
if (!udev->actconfig)
goto done;
+ /*
+ * Some devices can't handle setting default altsetting 0 with a
+ * Set-Interface request. Disable host-side endpoints of those
+ * interfaces here. Enable and reset them back after host has set
+ * its internal endpoint structures during usb_hcd_alloc_bandwith()
+ */
+ for (i = 0; i < udev->actconfig->desc.bNumInterfaces; i++) {
+ intf = udev->actconfig->interface[i];
+ if (intf->cur_altsetting->desc.bAlternateSetting == 0)
+ usb_disable_interface(udev, intf, true);
+ }
+
mutex_lock(hcd->bandwidth_mutex);
ret = usb_hcd_alloc_bandwidth(udev, udev->actconfig, NULL, NULL);
if (ret < 0) {
@@ -6191,12 +6204,11 @@ static int usb_reset_and_verify_device(s
*/
for (i = 0; i < udev->actconfig->desc.bNumInterfaces; i++) {
struct usb_host_config *config = udev->actconfig;
- struct usb_interface *intf = config->interface[i];
struct usb_interface_descriptor *desc;
+ intf = config->interface[i];
desc = &intf->cur_altsetting->desc;
if (desc->bAlternateSetting == 0) {
- usb_disable_interface(udev, intf, true);
usb_enable_interface(udev, intf, true);
ret = 0;
} else {
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 350/356] usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx()
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (346 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 349/356] usb: Flush altsetting 0 endpoints before reinitializating them after reset Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 351/356] xen/arm: call uaccess_ttbr0_enable for dm_op hypercall Greg Kroah-Hartman
` (16 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amit Sunil Dhamne,
Badhri Jagan Sridharan, Kyle Tso, stable, Heikki Krogerus
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amit Sunil Dhamne <amitsd@google.com>
commit 0736299d090f5c6a1032678705c4bc0a9511a3db upstream.
Register read of TCPC_RX_BYTE_CNT returns the total size consisting of:
PD message (pending read) size + 1 Byte for Frame Type (SOP*)
This is validated against the max PD message (`struct pd_message`) size
without accounting for the extra byte for the frame type. Note that the
struct pd_message does not contain a field for the frame_type. This
results in false negatives when the "PD message (pending read)" is equal
to the max PD message size.
Fixes: 6f413b559f86 ("usb: typec: tcpci_maxim: Chip level TCPC driver")
Signed-off-by: Amit Sunil Dhamne <amitsd@google.com>
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
Reviewed-by: Kyle Tso <kyletso@google.com>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/stable/20250502-b4-new-fix-pd-rx-count-v1-1-e5711ed09b3d%40google.com
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20250502-b4-new-fix-pd-rx-count-v1-1-e5711ed09b3d@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/tcpm/tcpci_maxim_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/usb/typec/tcpm/tcpci_maxim_core.c
+++ b/drivers/usb/typec/tcpm/tcpci_maxim_core.c
@@ -145,7 +145,8 @@ static void process_rx(struct max_tcpci_
return;
}
- if (count > sizeof(struct pd_message) || count + 1 > TCPC_RECEIVE_BUFFER_LEN) {
+ if (count > sizeof(struct pd_message) + 1 ||
+ count + 1 > TCPC_RECEIVE_BUFFER_LEN) {
dev_err(chip->dev, "Invalid TCPC_RX_BYTE_CNT %d\n", count);
return;
}
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 351/356] xen/arm: call uaccess_ttbr0_enable for dm_op hypercall
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (347 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 350/356] usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 352/356] x86/iopl: Cure TIF_IO_BITMAP inconsistencies Greg Kroah-Hartman
` (15 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Stefano Stabellini,
Juergen Gross
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefano Stabellini <stefano.stabellini@amd.com>
commit 7f9bbc1140ff8796230bc2634055763e271fd692 upstream.
dm_op hypercalls might come from userspace and pass memory addresses as
parameters. The memory addresses typically correspond to buffers
allocated in userspace to hold extra hypercall parameters.
On ARM, when CONFIG_ARM64_SW_TTBR0_PAN is enabled, they might not be
accessible by Xen, as a result ioreq hypercalls might fail. See the
existing comment in arch/arm64/xen/hypercall.S regarding privcmd_call
for reference.
For privcmd_call, Linux calls uaccess_ttbr0_enable before issuing the
hypercall thanks to commit 9cf09d68b89a. We need to do the same for
dm_op. This resolves the problem.
Cc: stable@kernel.org
Fixes: 9cf09d68b89a ("arm64: xen: Enable user access before a privcmd hvc call")
Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Message-ID: <alpine.DEB.2.22.394.2505121446370.8380@ubuntu-linux-20-04-desktop>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/xen/hypercall.S | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
--- a/arch/arm64/xen/hypercall.S
+++ b/arch/arm64/xen/hypercall.S
@@ -83,7 +83,26 @@ HYPERCALL3(vcpu_op);
HYPERCALL1(platform_op_raw);
HYPERCALL2(multicall);
HYPERCALL2(vm_assist);
-HYPERCALL3(dm_op);
+
+SYM_FUNC_START(HYPERVISOR_dm_op)
+ mov x16, #__HYPERVISOR_dm_op; \
+ /*
+ * dm_op hypercalls are issued by the userspace. The kernel needs to
+ * enable access to TTBR0_EL1 as the hypervisor would issue stage 1
+ * translations to user memory via AT instructions. Since AT
+ * instructions are not affected by the PAN bit (ARMv8.1), we only
+ * need the explicit uaccess_enable/disable if the TTBR0 PAN emulation
+ * is enabled (it implies that hardware UAO and PAN disabled).
+ */
+ uaccess_ttbr0_enable x6, x7, x8
+ hvc XEN_IMM
+
+ /*
+ * Disable userspace access from kernel once the hyp call completed.
+ */
+ uaccess_ttbr0_disable x6, x7
+ ret
+SYM_FUNC_END(HYPERVISOR_dm_op);
SYM_FUNC_START(privcmd_call)
mov x16, x0
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 352/356] x86/iopl: Cure TIF_IO_BITMAP inconsistencies
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (348 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 351/356] xen/arm: call uaccess_ttbr0_enable for dm_op hypercall Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 353/356] calipso: unlock rcu before returning -EAFNOSUPPORT Greg Kroah-Hartman
` (14 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+e2b1803445d236442e54,
Thomas Gleixner, Borislav Petkov (AMD)
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
commit 8b68e978718f14fdcb080c2a7791c52a0d09bc6d upstream.
io_bitmap_exit() is invoked from exit_thread() when a task exists or
when a fork fails. In the latter case the exit_thread() cleans up
resources which were allocated during fork().
io_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up
in tss_update_io_bitmap(). tss_update_io_bitmap() operates on the
current task. If current has TIF_IO_BITMAP set, but no bitmap installed,
tss_update_io_bitmap() crashes with a NULL pointer dereference.
There are two issues, which lead to that problem:
1) io_bitmap_exit() should not invoke task_update_io_bitmap() when
the task, which is cleaned up, is not the current task. That's a
clear indicator for a cleanup after a failed fork().
2) A task should not have TIF_IO_BITMAP set and neither a bitmap
installed nor IOPL emulation level 3 activated.
This happens when a kernel thread is created in the context of
a user space thread, which has TIF_IO_BITMAP set as the thread
flags are copied and the IO bitmap pointer is cleared.
Other than in the failed fork() case this has no impact because
kernel threads including IO workers never return to user space and
therefore never invoke tss_update_io_bitmap().
Cure this by adding the missing cleanups and checks:
1) Prevent io_bitmap_exit() to invoke task_update_io_bitmap() if
the to be cleaned up task is not the current task.
2) Clear TIF_IO_BITMAP in copy_thread() unconditionally. For user
space forks it is set later, when the IO bitmap is inherited in
io_bitmap_share().
For paranoia sake, add a warning into tss_update_io_bitmap() to catch
the case, when that code is invoked with inconsistent state.
Fixes: ea5f1cd7ab49 ("x86/ioperm: Remove bitmap if all permissions dropped")
Reported-by: syzbot+e2b1803445d236442e54@syzkaller.appspotmail.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/87wmdceom2.ffs@tglx
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/ioport.c | 13 +++++++++----
arch/x86/kernel/process.c | 6 ++++++
2 files changed, 15 insertions(+), 4 deletions(-)
--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -33,8 +33,9 @@ void io_bitmap_share(struct task_struct
set_tsk_thread_flag(tsk, TIF_IO_BITMAP);
}
-static void task_update_io_bitmap(struct task_struct *tsk)
+static void task_update_io_bitmap(void)
{
+ struct task_struct *tsk = current;
struct thread_struct *t = &tsk->thread;
if (t->iopl_emul == 3 || t->io_bitmap) {
@@ -54,7 +55,12 @@ void io_bitmap_exit(struct task_struct *
struct io_bitmap *iobm = tsk->thread.io_bitmap;
tsk->thread.io_bitmap = NULL;
- task_update_io_bitmap(tsk);
+ /*
+ * Don't touch the TSS when invoked on a failed fork(). TSS
+ * reflects the state of @current and not the state of @tsk.
+ */
+ if (tsk == current)
+ task_update_io_bitmap();
if (iobm && refcount_dec_and_test(&iobm->refcnt))
kfree(iobm);
}
@@ -192,8 +198,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, leve
}
t->iopl_emul = level;
- task_update_io_bitmap(current);
-
+ task_update_io_bitmap();
return 0;
}
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -180,6 +180,7 @@ int copy_thread(struct task_struct *p, c
frame->ret_addr = (unsigned long) ret_from_fork_asm;
p->thread.sp = (unsigned long) fork_frame;
p->thread.io_bitmap = NULL;
+ clear_tsk_thread_flag(p, TIF_IO_BITMAP);
p->thread.iopl_warn = 0;
memset(p->thread.ptrace_bps, 0, sizeof(p->thread.ptrace_bps));
@@ -468,6 +469,11 @@ void native_tss_update_io_bitmap(void)
} else {
struct io_bitmap *iobm = t->io_bitmap;
+ if (WARN_ON_ONCE(!iobm)) {
+ clear_thread_flag(TIF_IO_BITMAP);
+ native_tss_invalidate_io_bitmap();
+ }
+
/*
* Only copy bitmap data when the sequence number differs. The
* update time is accounted to the incoming task.
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 353/356] calipso: unlock rcu before returning -EAFNOSUPPORT
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (349 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 352/356] x86/iopl: Cure TIF_IO_BITMAP inconsistencies Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 354/356] regulator: dt-bindings: mt6357: Drop fixed compatible requirement Greg Kroah-Hartman
` (13 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet,
Kuniyuki Iwashima, Paul Moore, Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 3cae906e1a6184cdc9e4d260e4dbdf9a118d94ad upstream.
syzbot reported that a recent patch forgot to unlock rcu
in the error path.
Adopt the convention that netlbl_conn_setattr() is already using.
Fixes: 6e9f2df1c550 ("calipso: Don't call calipso functions for AF_INET sk.")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Kuniyuki Iwashima <kuniyu@amazon.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Link: https://patch.msgid.link/20250604133826.1667664-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netlabel/netlabel_kapi.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -1140,8 +1140,10 @@ int netlbl_conn_setattr(struct sock *sk,
break;
#if IS_ENABLED(CONFIG_IPV6)
case AF_INET6:
- if (sk->sk_family != AF_INET6)
- return -EAFNOSUPPORT;
+ if (sk->sk_family != AF_INET6) {
+ ret_val = -EAFNOSUPPORT;
+ goto conn_setattr_return;
+ }
addr6 = (struct sockaddr_in6 *)addr;
entry = netlbl_domhsh_getentry_af6(secattr->domain,
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 354/356] regulator: dt-bindings: mt6357: Drop fixed compatible requirement
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (350 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 353/356] calipso: unlock rcu before returning -EAFNOSUPPORT Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 355/356] net: usb: aqc111: debug info before sanitation Greg Kroah-Hartman
` (12 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nícolas F . R . A . Prado,
Mark Brown
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nícolas F. R. A. Prado <nfraprado@collabora.com>
commit 9cfdd7752ba5f8cc9b8191e8c9aeeec246241fa4 upstream.
Some of the regulators on the MT6357 PMIC currently reference the
fixed-regulator dt-binding, which enforces the presence of a
regulator-fixed compatible. However since all regulators on the MT6357
PMIC are handled by a single mt6357-regulator driver, probed through
MFD, the compatibles don't serve any purpose. In fact they cause
failures in the DT kselftest since they aren't probed by the fixed
regulator driver as would be expected. Furthermore this is the only
dt-binding in this family like this: mt6359-regulator and
mt6358-regulator don't require those compatibles.
Commit d77e89b7b03f ("arm64: dts: mediatek: mt6357: Drop regulator-fixed
compatibles") removed the compatibles from Devicetree, but missed
updating the binding, which still requires them, introducing dt-binding
errors. Remove the compatible requirement by referencing the plain
regulator dt-binding instead to fix the dt-binding errors.
Fixes: d77e89b7b03f ("arm64: dts: mediatek: mt6357: Drop regulator-fixed compatibles")
Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
Link: https://patch.msgid.link/20250514-mt6357-regulator-fixed-compatibles-removal-bindings-v1-1-2421e9cc6cc7@collabora.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/regulator/mediatek,mt6357-regulator.yaml | 12 ----------
1 file changed, 1 insertion(+), 11 deletions(-)
--- a/Documentation/devicetree/bindings/regulator/mediatek,mt6357-regulator.yaml
+++ b/Documentation/devicetree/bindings/regulator/mediatek,mt6357-regulator.yaml
@@ -33,7 +33,7 @@ patternProperties:
"^ldo-v(camio18|aud28|aux18|io18|io28|rf12|rf18|cn18|cn28|fe28)$":
type: object
- $ref: fixed-regulator.yaml#
+ $ref: regulator.yaml#
unevaluatedProperties: false
description:
Properties for single fixed LDO regulator.
@@ -112,7 +112,6 @@ examples:
regulator-enable-ramp-delay = <220>;
};
mt6357_vfe28_reg: ldo-vfe28 {
- compatible = "regulator-fixed";
regulator-name = "vfe28";
regulator-min-microvolt = <2800000>;
regulator-max-microvolt = <2800000>;
@@ -125,14 +124,12 @@ examples:
regulator-enable-ramp-delay = <110>;
};
mt6357_vrf18_reg: ldo-vrf18 {
- compatible = "regulator-fixed";
regulator-name = "vrf18";
regulator-min-microvolt = <1800000>;
regulator-max-microvolt = <1800000>;
regulator-enable-ramp-delay = <110>;
};
mt6357_vrf12_reg: ldo-vrf12 {
- compatible = "regulator-fixed";
regulator-name = "vrf12";
regulator-min-microvolt = <1200000>;
regulator-max-microvolt = <1200000>;
@@ -157,14 +154,12 @@ examples:
regulator-enable-ramp-delay = <264>;
};
mt6357_vcn28_reg: ldo-vcn28 {
- compatible = "regulator-fixed";
regulator-name = "vcn28";
regulator-min-microvolt = <2800000>;
regulator-max-microvolt = <2800000>;
regulator-enable-ramp-delay = <264>;
};
mt6357_vcn18_reg: ldo-vcn18 {
- compatible = "regulator-fixed";
regulator-name = "vcn18";
regulator-min-microvolt = <1800000>;
regulator-max-microvolt = <1800000>;
@@ -183,7 +178,6 @@ examples:
regulator-enable-ramp-delay = <264>;
};
mt6357_vcamio_reg: ldo-vcamio18 {
- compatible = "regulator-fixed";
regulator-name = "vcamio";
regulator-min-microvolt = <1800000>;
regulator-max-microvolt = <1800000>;
@@ -212,28 +206,24 @@ examples:
regulator-always-on;
};
mt6357_vaux18_reg: ldo-vaux18 {
- compatible = "regulator-fixed";
regulator-name = "vaux18";
regulator-min-microvolt = <1800000>;
regulator-max-microvolt = <1800000>;
regulator-enable-ramp-delay = <264>;
};
mt6357_vaud28_reg: ldo-vaud28 {
- compatible = "regulator-fixed";
regulator-name = "vaud28";
regulator-min-microvolt = <2800000>;
regulator-max-microvolt = <2800000>;
regulator-enable-ramp-delay = <264>;
};
mt6357_vio28_reg: ldo-vio28 {
- compatible = "regulator-fixed";
regulator-name = "vio28";
regulator-min-microvolt = <2800000>;
regulator-max-microvolt = <2800000>;
regulator-enable-ramp-delay = <264>;
};
mt6357_vio18_reg: ldo-vio18 {
- compatible = "regulator-fixed";
regulator-name = "vio18";
regulator-min-microvolt = <1800000>;
regulator-max-microvolt = <1800000>;
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 355/356] net: usb: aqc111: debug info before sanitation
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (351 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 354/356] regulator: dt-bindings: mt6357: Drop fixed compatible requirement Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 356/356] drm/meson: Use 1000ULL when operating with mode->clock Greg Kroah-Hartman
` (11 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Andrew Lunn,
David S. Miller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit d3faab9b5a6a0477d69c38bd11c43aa5e936f929 upstream.
If we sanitize error returns, the debug statements need
to come before that so that we don't lose information.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Fixes: 405b0d610745 ("net: usb: aqc111: fix error handling of usbnet read calls")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/aqc111.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/net/usb/aqc111.c
+++ b/drivers/net/usb/aqc111.c
@@ -31,11 +31,11 @@ static int aqc111_read_cmd_nopm(struct u
USB_RECIP_DEVICE, value, index, data, size);
if (unlikely(ret < size)) {
- ret = ret < 0 ? ret : -ENODATA;
-
netdev_warn(dev->net,
"Failed to read(0x%x) reg index 0x%04x: %d\n",
cmd, index, ret);
+
+ ret = ret < 0 ? ret : -ENODATA;
}
return ret;
@@ -50,11 +50,11 @@ static int aqc111_read_cmd(struct usbnet
USB_RECIP_DEVICE, value, index, data, size);
if (unlikely(ret < size)) {
- ret = ret < 0 ? ret : -ENODATA;
-
netdev_warn(dev->net,
"Failed to read(0x%x) reg index 0x%04x: %d\n",
cmd, index, ret);
+
+ ret = ret < 0 ? ret : -ENODATA;
}
return ret;
^ permalink raw reply [flat|nested] 378+ messages in thread
* [PATCH 6.6 356/356] drm/meson: Use 1000ULL when operating with mode->clock
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (352 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 355/356] net: usb: aqc111: debug info before sanitation Greg Kroah-Hartman
@ 2025-06-17 15:27 ` Greg Kroah-Hartman
2025-06-17 16:31 ` [PATCH 6.6 000/356] 6.6.94-rc1 review Florian Fainelli
` (10 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-17 15:27 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, I Hsin Cheng, Martin Blumenstingl,
Neil Armstrong
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: I Hsin Cheng <richard120310@gmail.com>
commit eb0851e14432f3b87c77b704c835ac376deda03a upstream.
Coverity scan reported the usage of "mode->clock * 1000" may lead to
integer overflow. Use "1000ULL" instead of "1000"
when utilizing it to avoid potential integer overflow issue.
Link: https://scan5.scan.coverity.com/#/project-view/10074/10063?selectedIssue=1646759
Signed-off-by: I Hsin Cheng <richard120310@gmail.com>
Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Fixes: 1017560164b6 ("drm/meson: use unsigned long long / Hz for frequency types")
Link: https://lore.kernel.org/r/20250505184338.678540-1-richard120310@gmail.com
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/meson/meson_encoder_hdmi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/meson/meson_encoder_hdmi.c
+++ b/drivers/gpu/drm/meson/meson_encoder_hdmi.c
@@ -75,7 +75,7 @@ static void meson_encoder_hdmi_set_vclk(
unsigned long long venc_freq;
unsigned long long hdmi_freq;
- vclk_freq = mode->clock * 1000;
+ vclk_freq = mode->clock * 1000ULL;
/* For 420, pixel clock is half unlike venc clock */
if (encoder_hdmi->output_bus_fmt == MEDIA_BUS_FMT_UYYVYY8_0_5X24)
@@ -123,7 +123,7 @@ static enum drm_mode_status meson_encode
struct meson_encoder_hdmi *encoder_hdmi = bridge_to_meson_encoder_hdmi(bridge);
struct meson_drm *priv = encoder_hdmi->priv;
bool is_hdmi2_sink = display_info->hdmi.scdc.supported;
- unsigned long long clock = mode->clock * 1000;
+ unsigned long long clock = mode->clock * 1000ULL;
unsigned long long phy_freq;
unsigned long long vclk_freq;
unsigned long long venc_freq;
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 225/356] PCI: Explicitly put devices into D0 when initializing
2025-06-17 15:25 ` [PATCH 6.6 225/356] PCI: Explicitly put devices into D0 when initializing Greg Kroah-Hartman
@ 2025-06-17 16:09 ` Limonciello, Mario
0 siblings, 0 replies; 378+ messages in thread
From: Limonciello, Mario @ 2025-06-17 16:09 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable@vger.kernel.org, Bjorn Helgaas
Cc: patches@lists.linux.dev, Denis Benato, Yijun Shen, Perry, David,
Rafael J. Wysocki, Sasha Levin
On 6/17/25 10:25 AM, Greg Kroah-Hartman wrote:
> 6.6-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Mario Limonciello <mario.limonciello@amd.com>
>
> [ Upstream commit 4d4c10f763d7808fbade28d83d237411603bca05 ]
>
> AMD BIOS team has root caused an issue that NVMe storage failed to come
> back from suspend to a lack of a call to _REG when NVMe device was probed.
>
> 112a7f9c8edbf ("PCI/ACPI: Call _REG when transitioning D-states") added
> support for calling _REG when transitioning D-states, but this only works
> if the device actually "transitions" D-states.
>
> 967577b062417 ("PCI/PM: Keep runtime PM enabled for unbound PCI devices")
> added support for runtime PM on PCI devices, but never actually
> 'explicitly' sets the device to D0.
>
> To make sure that devices are in D0 and that platform methods such as
> _REG are called, explicitly set all devices into D0 during initialization.
>
> Fixes: 967577b062417 ("PCI/PM: Keep runtime PM enabled for unbound PCI devices")
> Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
> Tested-by: Denis Benato <benato.denis96@gmail.com>
> Tested-By: Yijun Shen <Yijun_Shen@Dell.com>
> Tested-By: David Perry <david.perry@amd.com>
> Reviewed-by: Rafael J. Wysocki <rafael@kernel.org>
> Link: https://patch.msgid.link/20250424043232.1848107-1-superm1@kernel.org
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
I do think this should come back to stable, but I think we need to wait
a stable cycle to pick it up so that it can come with this fix too.
https://lore.kernel.org/linux-pci/20250611233117.61810-1-superm1@kernel.org/
> drivers/pci/pci-driver.c | 6 ------
> drivers/pci/pci.c | 13 ++++++++++---
> drivers/pci/pci.h | 1 +
> 3 files changed, 11 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
> index 9c59bf03d6579..258ba97d07242 100644
> --- a/drivers/pci/pci-driver.c
> +++ b/drivers/pci/pci-driver.c
> @@ -564,12 +564,6 @@ static void pci_pm_default_resume(struct pci_dev *pci_dev)
> pci_enable_wake(pci_dev, PCI_D0, false);
> }
>
> -static void pci_pm_power_up_and_verify_state(struct pci_dev *pci_dev)
> -{
> - pci_power_up(pci_dev);
> - pci_update_current_state(pci_dev, PCI_D0);
> -}
> -
> static void pci_pm_default_resume_early(struct pci_dev *pci_dev)
> {
> pci_pm_power_up_and_verify_state(pci_dev);
> diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
> index 503304aba9eac..89c6b161f80c9 100644
> --- a/drivers/pci/pci.c
> +++ b/drivers/pci/pci.c
> @@ -3227,6 +3227,12 @@ void pci_d3cold_disable(struct pci_dev *dev)
> }
> EXPORT_SYMBOL_GPL(pci_d3cold_disable);
>
> +void pci_pm_power_up_and_verify_state(struct pci_dev *pci_dev)
> +{
> + pci_power_up(pci_dev);
> + pci_update_current_state(pci_dev, PCI_D0);
> +}
> +
> /**
> * pci_pm_init - Initialize PM functions of given PCI device
> * @dev: PCI device to handle.
> @@ -3237,9 +3243,6 @@ void pci_pm_init(struct pci_dev *dev)
> u16 status;
> u16 pmc;
>
> - pm_runtime_forbid(&dev->dev);
> - pm_runtime_set_active(&dev->dev);
> - pm_runtime_enable(&dev->dev);
> device_enable_async_suspend(&dev->dev);
> dev->wakeup_prepared = false;
>
> @@ -3301,6 +3304,10 @@ void pci_pm_init(struct pci_dev *dev)
> pci_read_config_word(dev, PCI_STATUS, &status);
> if (status & PCI_STATUS_IMM_READY)
> dev->imm_ready = 1;
> + pci_pm_power_up_and_verify_state(dev);
> + pm_runtime_forbid(&dev->dev);
> + pm_runtime_set_active(&dev->dev);
> + pm_runtime_enable(&dev->dev);
> }
>
> static unsigned long pci_ea_flags(struct pci_dev *dev, u8 prop)
> diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
> index d69a17947ffce..a621ba243c25e 100644
> --- a/drivers/pci/pci.h
> +++ b/drivers/pci/pci.h
> @@ -92,6 +92,7 @@ void pci_dev_adjust_pme(struct pci_dev *dev);
> void pci_dev_complete_resume(struct pci_dev *pci_dev);
> void pci_config_pm_runtime_get(struct pci_dev *dev);
> void pci_config_pm_runtime_put(struct pci_dev *dev);
> +void pci_pm_power_up_and_verify_state(struct pci_dev *pci_dev);
> void pci_pm_init(struct pci_dev *dev);
> void pci_ea_init(struct pci_dev *dev);
> void pci_msi_init(struct pci_dev *dev);
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 000/356] 6.6.94-rc1 review
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (353 preceding siblings ...)
2025-06-17 15:27 ` [PATCH 6.6 356/356] drm/meson: Use 1000ULL when operating with mode->clock Greg Kroah-Hartman
@ 2025-06-17 16:31 ` Florian Fainelli
2025-06-17 21:19 ` Shuah Khan
` (9 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Florian Fainelli @ 2025-06-17 16:31 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, srw, rwarsow,
conor, hargar, broonie
On 6/17/25 08:21, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.94 release.
> There are 356 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 19 Jun 2025 15:22:33 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.94-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMTB using 32-bit and 64-bit kernels, build on BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 277/356] net: dsa: microchip: update tag_ksz masks for KSZ9477 family
2025-06-17 15:26 ` [PATCH 6.6 277/356] net: dsa: microchip: update tag_ksz masks for KSZ9477 family Greg Kroah-Hartman
@ 2025-06-17 20:23 ` Pieter Van Trappen
2025-06-18 13:09 ` Greg Kroah-Hartman
0 siblings, 1 reply; 378+ messages in thread
From: Pieter Van Trappen @ 2025-06-17 20:23 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, Florian Fainelli, Jakub Kicinski, Sasha Levin
On 6/17/25 17:26, Greg Kroah-Hartman wrote:
> 6.6-stable review patch. If anyone has any objections, please let me know.
Hi Greg, no objection since it's a cosmetic patch really. However
there's two related commits from 6.12 upstream that are worth
considering and do contain fixes, see below. I checked with stable
linux-6.6.y and they don't apply cleanly but resolving the merge
conflicts is easy enough; not sure if that's worth the hassle and how to
go about it - let me know.
6f2b72c04d58a40c16f3cd858776517f16226119
0d3edc90c4a0ac77332a25e1e6b709a39b202de9
Cheers, Pieter
> ------------------
>
> From: Pieter Van Trappen <pieter.van.trappen@cern.ch>
>
> [ Upstream commit 3f464b193d40e49299dcd087b10cc3b77cbbea68 ]
>
> Remove magic number 7 by introducing a GENMASK macro instead.
> Remove magic number 0x80 by using the BIT macro instead.
>
> Signed-off-by: Pieter Van Trappen <pieter.van.trappen@cern.ch>
> Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
> Link: https://patch.msgid.link/20240909134301.75448-1-vtpieter@gmail.com
> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
> Stable-dep-of: ba54bce747fa ("net: dsa: microchip: linearize skb for tail-tagging switches")
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> net/dsa/tag_ksz.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/net/dsa/tag_ksz.c b/net/dsa/tag_ksz.c
> index ea100bd25939b..7bf87fa471a0c 100644
> --- a/net/dsa/tag_ksz.c
> +++ b/net/dsa/tag_ksz.c
> @@ -176,8 +176,9 @@ MODULE_ALIAS_DSA_TAG_DRIVER(DSA_TAG_PROTO_KSZ8795, KSZ8795_NAME);
>
> #define KSZ9477_INGRESS_TAG_LEN 2
> #define KSZ9477_PTP_TAG_LEN 4
> -#define KSZ9477_PTP_TAG_INDICATION 0x80
> +#define KSZ9477_PTP_TAG_INDICATION BIT(7)
>
> +#define KSZ9477_TAIL_TAG_EG_PORT_M GENMASK(2, 0)
> #define KSZ9477_TAIL_TAG_PRIO GENMASK(8, 7)
> #define KSZ9477_TAIL_TAG_OVERRIDE BIT(9)
> #define KSZ9477_TAIL_TAG_LOOKUP BIT(10)
> @@ -302,7 +303,7 @@ static struct sk_buff *ksz9477_rcv(struct sk_buff *skb, struct net_device *dev)
> {
> /* Tag decoding */
> u8 *tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN;
> - unsigned int port = tag[0] & 7;
> + unsigned int port = tag[0] & KSZ9477_TAIL_TAG_EG_PORT_M;
> unsigned int len = KSZ_EGRESS_TAG_LEN;
>
> /* Extra 4-bytes PTP timestamp */
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 000/356] 6.6.94-rc1 review
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (354 preceding siblings ...)
2025-06-17 16:31 ` [PATCH 6.6 000/356] 6.6.94-rc1 review Florian Fainelli
@ 2025-06-17 21:19 ` Shuah Khan
2025-06-18 5:43 ` Peter Schneider
` (8 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Shuah Khan @ 2025-06-17 21:19 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, hargar, broonie, Shuah Khan
On 6/17/25 09:21, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.94 release.
> There are 356 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 19 Jun 2025 15:22:33 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.94-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 000/356] 6.6.94-rc1 review
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (355 preceding siblings ...)
2025-06-17 21:19 ` Shuah Khan
@ 2025-06-18 5:43 ` Peter Schneider
2025-06-18 6:34 ` Ron Economos
` (7 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Peter Schneider @ 2025-06-18 5:43 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, hargar, broonie
Am 17.06.2025 um 17:21 schrieb Greg Kroah-Hartman:
> This is the start of the stable review cycle for the 6.6.94 release.
> There are 356 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg
oddities or regressions found.
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Beste Grüße,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 000/356] 6.6.94-rc1 review
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (356 preceding siblings ...)
2025-06-18 5:43 ` Peter Schneider
@ 2025-06-18 6:34 ` Ron Economos
2025-06-18 6:41 ` Jon Hunter
` (6 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Ron Economos @ 2025-06-18 6:34 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, hargar, broonie
On 6/17/25 08:21, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.94 release.
> There are 356 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 19 Jun 2025 15:22:33 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.94-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 000/356] 6.6.94-rc1 review
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (357 preceding siblings ...)
2025-06-18 6:34 ` Ron Economos
@ 2025-06-18 6:41 ` Jon Hunter
2025-06-18 10:20 ` Naresh Kamboju
` (5 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Jon Hunter @ 2025-06-18 6:41 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie,
linux-tegra, stable
On Tue, 17 Jun 2025 17:21:55 +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.94 release.
> There are 356 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 19 Jun 2025 15:22:33 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.94-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v6.6:
10 builds: 10 pass, 0 fail
28 boots: 28 pass, 0 fail
120 tests: 120 pass, 0 fail
Linux version: 6.6.94-rc1-g7ef12da06319
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra186-p3509-0000+p3636-0001, tegra194-p2972-0000,
tegra194-p3509-0000+p3668-0000, tegra20-ventana,
tegra210-p2371-2180, tegra210-p3450-0000,
tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 000/356] 6.6.94-rc1 review
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (358 preceding siblings ...)
2025-06-18 6:41 ` Jon Hunter
@ 2025-06-18 10:20 ` Naresh Kamboju
2025-06-18 12:02 ` Mark Brown
` (4 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Naresh Kamboju @ 2025-06-18 10:20 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie
On Tue, 17 Jun 2025 at 20:58, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.6.94 release.
> There are 356 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 19 Jun 2025 15:22:33 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.94-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
## Build
* kernel: 6.6.94-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git commit: 7ef12da06319e12118a7bbb823004d011c57f718
* git describe: v6.6.93-357-g7ef12da06319
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.6.y/build/v6.6.93-357-g7ef12da06319
## Test Regressions (compared to v6.6.92-445-g58cbe685685b)
## Metric Regressions (compared to v6.6.92-445-g58cbe685685b)
## Test Fixes (compared to v6.6.92-445-g58cbe685685b)
## Metric Fixes (compared to v6.6.92-445-g58cbe685685b)
## Test result summary
total: 217939, pass: 198129, fail: 4284, skip: 15211, xfail: 315
## Build Summary
* arc: 5 total, 5 passed, 0 failed
* arm: 129 total, 127 passed, 0 failed, 2 skipped
* arm64: 44 total, 43 passed, 0 failed, 1 skipped
* i386: 23 total, 23 passed, 0 failed
* mips: 26 total, 25 passed, 1 failed
* parisc: 4 total, 4 passed, 0 failed
* powerpc: 32 total, 31 passed, 1 failed
* riscv: 15 total, 15 passed, 0 failed
* s390: 14 total, 13 passed, 1 failed
* sh: 10 total, 10 passed, 0 failed
* sparc: 7 total, 7 passed, 0 failed
* x86_64: 37 total, 37 passed, 0 failed
## Test suites summary
* boot
* commands
* kselftest-arm64
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-efivarfs
* kselftest-exec
* kselftest-fpu
* kselftest-ftrace
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-kcmp
* kselftest-kvm
* kselftest-livepatch
* kselftest-membarrier
* kselftest-memfd
* kselftest-mincore
* kselftest-mm
* kselftest-mqueue
* kselftest-net
* kselftest-net-mptcp
* kselftest-openat2
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-tc-testing
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user_events
* kselftest-vDSO
* kselftest-x86
* kunit
* kvm-unit-tests
* lava
* libgpiod
* libhugetlbfs
* log-parser-boot
* log-parser-build-clang
* log-parser-build-gcc
* log-parser-test
* ltp-capability
* ltp-commands
* ltp-containers
* ltp-controllers
* ltp-cpuhotplug
* ltp-crypto
* ltp-cve
* ltp-dio
* ltp-fcntl-locktests
* ltp-fs
* ltp-fs_bind
* ltp-fs_perms_simple
* ltp-hugetlb
* ltp-math
* ltp-mm
* ltp-nptl
* ltp-pty
* ltp-sched
* ltp-smoke
* ltp-syscalls
* ltp-tracing
* modules
* perf
* rcutorture
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 000/356] 6.6.94-rc1 review
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (359 preceding siblings ...)
2025-06-18 10:20 ` Naresh Kamboju
@ 2025-06-18 12:02 ` Mark Brown
2025-06-18 12:45 ` Miguel Ojeda
` (3 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Mark Brown @ 2025-06-18 12:02 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar
[-- Attachment #1: Type: text/plain, Size: 345 bytes --]
On Tue, Jun 17, 2025 at 05:21:55PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.94 release.
> There are 356 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Tested-by: Mark Brown <broonie@kernel.org>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 000/356] 6.6.94-rc1 review
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (360 preceding siblings ...)
2025-06-18 12:02 ` Mark Brown
@ 2025-06-18 12:45 ` Miguel Ojeda
2025-06-18 17:58 ` Hardik Garg
` (2 subsequent siblings)
364 siblings, 0 replies; 378+ messages in thread
From: Miguel Ojeda @ 2025-06-18 12:45 UTC (permalink / raw)
To: gregkh
Cc: akpm, broonie, conor, f.fainelli, hargar, jonathanh, linux-kernel,
linux, lkft-triage, patches, patches, pavel, rwarsow, shuah, srw,
stable, sudipm.mukherjee, torvalds, Miguel Ojeda
On Tue, 17 Jun 2025 17:21:55 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.6.94 release.
> There are 356 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 19 Jun 2025 15:22:33 +0000.
> Anything received after that time might be too late.
Boot-tested under QEMU for Rust x86_64:
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Thanks!
Cheers,
Miguel
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 277/356] net: dsa: microchip: update tag_ksz masks for KSZ9477 family
2025-06-17 20:23 ` Pieter Van Trappen
@ 2025-06-18 13:09 ` Greg Kroah-Hartman
0 siblings, 0 replies; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-18 13:09 UTC (permalink / raw)
To: Pieter Van Trappen
Cc: stable, patches, Florian Fainelli, Jakub Kicinski, Sasha Levin
On Tue, Jun 17, 2025 at 10:23:21PM +0200, Pieter Van Trappen wrote:
> On 6/17/25 17:26, Greg Kroah-Hartman wrote:
> > 6.6-stable review patch. If anyone has any objections, please let me know.
>
> Hi Greg, no objection since it's a cosmetic patch really. However there's
> two related commits from 6.12 upstream that are worth considering and do
> contain fixes, see below. I checked with stable linux-6.6.y and they don't
> apply cleanly but resolving the merge conflicts is easy enough; not sure if
> that's worth the hassle and how to go about it - let me know.
>
> 6f2b72c04d58a40c16f3cd858776517f16226119
> 0d3edc90c4a0ac77332a25e1e6b709a39b202de9
Thanks for letting me know, I've just dropped this, and the patch after
this from all queues.
greg k-h
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 257/356] net: Fix checksum update for ILA adj-transport
2025-06-17 15:26 ` [PATCH 6.6 257/356] net: Fix checksum update for ILA adj-transport Greg Kroah-Hartman
@ 2025-06-18 16:57 ` Paul Chaignon
2025-06-19 4:22 ` Greg Kroah-Hartman
0 siblings, 1 reply; 378+ messages in thread
From: Paul Chaignon @ 2025-06-18 16:57 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, Greg Kroah-Hartman, patches, Daniel Borkmann,
Jakub Kicinski, Sasha Levin
On Tue, Jun 17, 2025 at 05:26:12PM +0200, Greg Kroah-Hartman wrote:
> 6.6-stable review patch. If anyone has any objections, please let me know.
Not an objection per se, but I've sent the same backport at
https://lore.kernel.org/stable/6520b247c2d367849f41689f71961e9741b1b7eb.1750168920.git.paul.chaignon@gmail.com/
The only difference is that I also backported the second patch in the
series, which had a conflict. The backported patchset should apply on
6.1, 6.6, and 6.12. I hope that was the correct way to proceed :)
>
> ------------------
>
> From: Paul Chaignon <paul.chaignon@gmail.com>
>
> [ Upstream commit 6043b794c7668c19dabc4a93c75b924a19474d59 ]
>
> During ILA address translations, the L4 checksums can be handled in
> different ways. One of them, adj-transport, consist in parsing the
> transport layer and updating any found checksum. This logic relies on
> inet_proto_csum_replace_by_diff and produces an incorrect skb->csum when
> in state CHECKSUM_COMPLETE.
>
> This bug can be reproduced with a simple ILA to SIR mapping, assuming
> packets are received with CHECKSUM_COMPLETE:
>
> $ ip a show dev eth0
> 14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
> link/ether 62:ae:35:9e:0f:8d brd ff:ff:ff:ff:ff:ff link-netnsid 0
> inet6 3333:0:0:1::c078/64 scope global
> valid_lft forever preferred_lft forever
> inet6 fd00:10:244:1::c078/128 scope global nodad
> valid_lft forever preferred_lft forever
> inet6 fe80::60ae:35ff:fe9e:f8d/64 scope link proto kernel_ll
> valid_lft forever preferred_lft forever
> $ ip ila add loc_match fd00:10:244:1 loc 3333:0:0:1 \
> csum-mode adj-transport ident-type luid dev eth0
>
> Then I hit [fd00:10:244:1::c078]:8000 with a server listening only on
> [3333:0:0:1::c078]:8000. With the bug, the SYN packet is dropped with
> SKB_DROP_REASON_TCP_CSUM after inet_proto_csum_replace_by_diff changed
> skb->csum. The translation and drop are visible on pwru [1] traces:
>
> IFACE TUPLE FUNC
> eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) ipv6_rcv
> eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) ip6_rcv_core
> eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) nf_hook_slow
> eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) inet_proto_csum_replace_by_diff
> eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) tcp_v6_early_demux
> eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_route_input
> eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_input
> eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_input_finish
> eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_protocol_deliver_rcu
> eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) raw6_local_deliver
> eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ipv6_raw_deliver
> eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) tcp_v6_rcv
> eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) __skb_checksum_complete
> eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) kfree_skb_reason(SKB_DROP_REASON_TCP_CSUM)
> eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) skb_release_head_state
> eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) skb_release_data
> eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) skb_free_head
> eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) kfree_skbmem
>
> This is happening because inet_proto_csum_replace_by_diff is updating
> skb->csum when it shouldn't. The L4 checksum is updated such that it
> "cancels" the IPv6 address change in terms of checksum computation, so
> the impact on skb->csum is null.
>
> Note this would be different for an IPv4 packet since three fields
> would be updated: the IPv4 address, the IP checksum, and the L4
> checksum. Two would cancel each other and skb->csum would still need
> to be updated to take the L4 checksum change into account.
>
> This patch fixes it by passing an ipv6 flag to
> inet_proto_csum_replace_by_diff, to skip the skb->csum update if we're
> in the IPv6 case. Note the behavior of the only other user of
> inet_proto_csum_replace_by_diff, the BPF subsystem, is left as is in
> this patch and fixed in the subsequent patch.
>
> With the fix, using the reproduction from above, I can confirm
> skb->csum is not touched by inet_proto_csum_replace_by_diff and the TCP
> SYN proceeds to the application after the ILA translation.
>
> Link: https://github.com/cilium/pwru [1]
> Fixes: 65d7ab8de582 ("net: Identifier Locator Addressing module")
> Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
> Acked-by: Daniel Borkmann <daniel@iogearbox.net>
> Link: https://patch.msgid.link/b5539869e3550d46068504feb02d37653d939c0b.1748509484.git.paul.chaignon@gmail.com
> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> include/net/checksum.h | 2 +-
> net/core/filter.c | 2 +-
> net/core/utils.c | 4 ++--
> net/ipv6/ila/ila_common.c | 6 +++---
> 4 files changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/include/net/checksum.h b/include/net/checksum.h
> index 1338cb92c8e72..28b101f26636e 100644
> --- a/include/net/checksum.h
> +++ b/include/net/checksum.h
> @@ -158,7 +158,7 @@ void inet_proto_csum_replace16(__sum16 *sum, struct sk_buff *skb,
> const __be32 *from, const __be32 *to,
> bool pseudohdr);
> void inet_proto_csum_replace_by_diff(__sum16 *sum, struct sk_buff *skb,
> - __wsum diff, bool pseudohdr);
> + __wsum diff, bool pseudohdr, bool ipv6);
>
> static __always_inline
> void inet_proto_csum_replace2(__sum16 *sum, struct sk_buff *skb,
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 5143c8a9e52ca..e92f3a9017bb4 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -1987,7 +1987,7 @@ BPF_CALL_5(bpf_l4_csum_replace, struct sk_buff *, skb, u32, offset,
> if (unlikely(from != 0))
> return -EINVAL;
>
> - inet_proto_csum_replace_by_diff(ptr, skb, to, is_pseudo);
> + inet_proto_csum_replace_by_diff(ptr, skb, to, is_pseudo, false);
> break;
> case 2:
> inet_proto_csum_replace2(ptr, skb, from, to, is_pseudo);
> diff --git a/net/core/utils.c b/net/core/utils.c
> index c994e95172acf..5895d034bf279 100644
> --- a/net/core/utils.c
> +++ b/net/core/utils.c
> @@ -473,11 +473,11 @@ void inet_proto_csum_replace16(__sum16 *sum, struct sk_buff *skb,
> EXPORT_SYMBOL(inet_proto_csum_replace16);
>
> void inet_proto_csum_replace_by_diff(__sum16 *sum, struct sk_buff *skb,
> - __wsum diff, bool pseudohdr)
> + __wsum diff, bool pseudohdr, bool ipv6)
> {
> if (skb->ip_summed != CHECKSUM_PARTIAL) {
> csum_replace_by_diff(sum, diff);
> - if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr)
> + if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr && !ipv6)
> skb->csum = ~csum_sub(diff, skb->csum);
> } else if (pseudohdr) {
> *sum = ~csum_fold(csum_add(diff, csum_unfold(*sum)));
> diff --git a/net/ipv6/ila/ila_common.c b/net/ipv6/ila/ila_common.c
> index 95e9146918cc6..b8d43ed4689db 100644
> --- a/net/ipv6/ila/ila_common.c
> +++ b/net/ipv6/ila/ila_common.c
> @@ -86,7 +86,7 @@ static void ila_csum_adjust_transport(struct sk_buff *skb,
>
> diff = get_csum_diff(ip6h, p);
> inet_proto_csum_replace_by_diff(&th->check, skb,
> - diff, true);
> + diff, true, true);
> }
> break;
> case NEXTHDR_UDP:
> @@ -97,7 +97,7 @@ static void ila_csum_adjust_transport(struct sk_buff *skb,
> if (uh->check || skb->ip_summed == CHECKSUM_PARTIAL) {
> diff = get_csum_diff(ip6h, p);
> inet_proto_csum_replace_by_diff(&uh->check, skb,
> - diff, true);
> + diff, true, true);
> if (!uh->check)
> uh->check = CSUM_MANGLED_0;
> }
> @@ -111,7 +111,7 @@ static void ila_csum_adjust_transport(struct sk_buff *skb,
>
> diff = get_csum_diff(ip6h, p);
> inet_proto_csum_replace_by_diff(&ih->icmp6_cksum, skb,
> - diff, true);
> + diff, true, true);
> }
> break;
> }
> --
> 2.39.5
>
>
>
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 000/356] 6.6.94-rc1 review
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (361 preceding siblings ...)
2025-06-18 12:45 ` Miguel Ojeda
@ 2025-06-18 17:58 ` Hardik Garg
2025-06-19 6:48 ` Harshit Mogalapalli
2025-06-19 7:53 ` Pavel Machek
364 siblings, 0 replies; 378+ messages in thread
From: Hardik Garg @ 2025-06-18 17:58 UTC (permalink / raw)
To: gregkh
Cc: akpm, broonie, conor, f.fainelli, hargar, jonathanh, linux-kernel,
linux, lkft-triage, patches, patches, pavel, rwarsow, shuah, srw,
stable, sudipm.mukherjee, torvalds
The kernel, bpf tool, and perf tool builds fine for v6.6.94-rc1 on x86 and arm64 Azure VM.
Kernel binary size for x86 build:
text data bss dec hex filename
27323024 16732614 4640768 48696406 2e70c56 vmlinux
Kernel binary size for arm64 build:
text data bss dec hex filename
34718829 13854454 970368 49543651 2f3f9e3 vmlinux
Tested-by: Hardik Garg <hargar@linux.microsoft.com>
Thanks,
Hardik
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 296/356] ath10k: snoc: fix unbalanced IRQ enable in crash recovery
2025-06-17 15:26 ` [PATCH 6.6 296/356] ath10k: snoc: fix unbalanced IRQ enable in crash recovery Greg Kroah-Hartman
@ 2025-06-18 18:06 ` Casey Connolly
2025-06-19 4:21 ` Greg Kroah-Hartman
0 siblings, 1 reply; 378+ messages in thread
From: Casey Connolly @ 2025-06-18 18:06 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, Caleb Connolly, Loic Poulain, Jeff Johnson, Sasha Levin
On 6/17/25 17:26, Greg Kroah-Hartman wrote:
> 6.6-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Caleb Connolly <caleb.connolly@linaro.org>
>
> [ Upstream commit 1650d32b92b01db03a1a95d69ee74fcbc34d4b00 ]
>
> In ath10k_snoc_hif_stop() we skip disabling the IRQs in the crash
> recovery flow, but we still unconditionally call enable again in
> ath10k_snoc_hif_start().
>
> We can't check the ATH10K_FLAG_CRASH_FLUSH bit since it is cleared
> before hif_start() is called, so instead check the
> ATH10K_SNOC_FLAG_RECOVERY flag and skip enabling the IRQs during crash
> recovery.
>
> This fixes unbalanced IRQ enable splats that happen after recovering from
> a crash.
>
> Fixes: 0e622f67e041 ("ath10k: add support for WCN3990 firmware crash recovery")
> Signed-off-by: Caleb Connolly <caleb.connolly@linaro.org>
If fixing my name is acceptable, that would be appreciated...
Otherwise I believe this patch makes sense for 6.6
Thanks,
> Tested-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
> Link: https://patch.msgid.link/20250318205043.1043148-1-caleb.connolly@linaro.org
> Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> drivers/net/wireless/ath/ath10k/snoc.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/ath/ath10k/snoc.c b/drivers/net/wireless/ath/ath10k/snoc.c
> index 2c39bad7ebfb9..1d06d4125992d 100644
> --- a/drivers/net/wireless/ath/ath10k/snoc.c
> +++ b/drivers/net/wireless/ath/ath10k/snoc.c
> @@ -937,7 +937,9 @@ static int ath10k_snoc_hif_start(struct ath10k *ar)
>
> dev_set_threaded(&ar->napi_dev, true);
> ath10k_core_napi_enable(ar);
> - ath10k_snoc_irq_enable(ar);
> + /* IRQs are left enabled when we restart due to a firmware crash */
> + if (!test_bit(ATH10K_SNOC_FLAG_RECOVERY, &ar_snoc->flags))
> + ath10k_snoc_irq_enable(ar);
> ath10k_snoc_rx_post(ar);
>
> clear_bit(ATH10K_SNOC_FLAG_RECOVERY, &ar_snoc->flags);
--
Casey (she/they)
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 296/356] ath10k: snoc: fix unbalanced IRQ enable in crash recovery
2025-06-18 18:06 ` Casey Connolly
@ 2025-06-19 4:21 ` Greg Kroah-Hartman
2025-06-19 14:09 ` Casey Connolly
0 siblings, 1 reply; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-19 4:21 UTC (permalink / raw)
To: Casey Connolly
Cc: stable, patches, Caleb Connolly, Loic Poulain, Jeff Johnson,
Sasha Levin
On Wed, Jun 18, 2025 at 08:06:45PM +0200, Casey Connolly wrote:
>
>
> On 6/17/25 17:26, Greg Kroah-Hartman wrote:
> > 6.6-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Caleb Connolly <caleb.connolly@linaro.org>
> >
> > [ Upstream commit 1650d32b92b01db03a1a95d69ee74fcbc34d4b00 ]
> >
> > In ath10k_snoc_hif_stop() we skip disabling the IRQs in the crash
> > recovery flow, but we still unconditionally call enable again in
> > ath10k_snoc_hif_start().
> >
> > We can't check the ATH10K_FLAG_CRASH_FLUSH bit since it is cleared
> > before hif_start() is called, so instead check the
> > ATH10K_SNOC_FLAG_RECOVERY flag and skip enabling the IRQs during crash
> > recovery.
> >
> > This fixes unbalanced IRQ enable splats that happen after recovering from
> > a crash.
> >
> > Fixes: 0e622f67e041 ("ath10k: add support for WCN3990 firmware crash recovery")
> > Signed-off-by: Caleb Connolly <caleb.connolly@linaro.org>
>
> If fixing my name is acceptable, that would be appreciated...
I can, to what? This was a cherry-pick from what is in Linus's tree
right now, and what was sent to the mailing list, was that incorrect?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 257/356] net: Fix checksum update for ILA adj-transport
2025-06-18 16:57 ` Paul Chaignon
@ 2025-06-19 4:22 ` Greg Kroah-Hartman
2025-06-19 7:50 ` Paul Chaignon
0 siblings, 1 reply; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-19 4:22 UTC (permalink / raw)
To: Paul Chaignon
Cc: stable, patches, Daniel Borkmann, Jakub Kicinski, Sasha Levin
On Wed, Jun 18, 2025 at 06:57:24PM +0200, Paul Chaignon wrote:
> On Tue, Jun 17, 2025 at 05:26:12PM +0200, Greg Kroah-Hartman wrote:
> > 6.6-stable review patch. If anyone has any objections, please let me know.
>
> Not an objection per se, but I've sent the same backport at
> https://lore.kernel.org/stable/6520b247c2d367849f41689f71961e9741b1b7eb.1750168920.git.paul.chaignon@gmail.com/
> The only difference is that I also backported the second patch in the
> series, which had a conflict. The backported patchset should apply on
> 6.1, 6.6, and 6.12. I hope that was the correct way to proceed :)
Ah, that is nicer, I'll drop this and then queue those up for the next
round of stable releases, thanks!
greg k-h
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 000/356] 6.6.94-rc1 review
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (362 preceding siblings ...)
2025-06-18 17:58 ` Hardik Garg
@ 2025-06-19 6:48 ` Harshit Mogalapalli
2025-06-19 7:53 ` Pavel Machek
364 siblings, 0 replies; 378+ messages in thread
From: Harshit Mogalapalli @ 2025-06-19 6:48 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, hargar, broonie
Hi Greg,
On 17/06/25 20:51, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.94 release.
> There are 356 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
No problems seen on x86_64 and aarch64 with our testing.
Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Thanks,
Harshit
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 257/356] net: Fix checksum update for ILA adj-transport
2025-06-19 4:22 ` Greg Kroah-Hartman
@ 2025-06-19 7:50 ` Paul Chaignon
0 siblings, 0 replies; 378+ messages in thread
From: Paul Chaignon @ 2025-06-19 7:50 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, Daniel Borkmann, Jakub Kicinski, Sasha Levin
On Thu, Jun 19, 2025 at 06:22:39AM +0200, Greg Kroah-Hartman wrote:
> On Wed, Jun 18, 2025 at 06:57:24PM +0200, Paul Chaignon wrote:
> > On Tue, Jun 17, 2025 at 05:26:12PM +0200, Greg Kroah-Hartman wrote:
> > > 6.6-stable review patch. If anyone has any objections, please let me know.
> >
> > Not an objection per se, but I've sent the same backport at
> > https://lore.kernel.org/stable/6520b247c2d367849f41689f71961e9741b1b7eb.1750168920.git.paul.chaignon@gmail.com/
> > The only difference is that I also backported the second patch in the
> > series, which had a conflict. The backported patchset should apply on
> > 6.1, 6.6, and 6.12. I hope that was the correct way to proceed :)
>
> Ah, that is nicer, I'll drop this and then queue those up for the next
> round of stable releases, thanks!
Great, thanks! There's the same for the 6.12 round of course:
https://lore.kernel.org/stable/20250617152434.326263517@linuxfoundation.org/
The 6.15 round does have both patches from the series.
>
> greg k-h
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 000/356] 6.6.94-rc1 review
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
` (363 preceding siblings ...)
2025-06-19 6:48 ` Harshit Mogalapalli
@ 2025-06-19 7:53 ` Pavel Machek
364 siblings, 0 replies; 378+ messages in thread
From: Pavel Machek @ 2025-06-19 7:53 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, jonathanh, f.fainelli, sudipm.mukherjee,
srw, rwarsow, conor, hargar, broonie
[-- Attachment #1: Type: text/plain, Size: 659 bytes --]
Hi!
> This is the start of the stable review cycle for the 6.6.94 release.
> There are 356 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
CIP testing did not find any problems here:
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-6.6.y
Tested-by: Pavel Machek (CIP) <pavel@denx.de>
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 296/356] ath10k: snoc: fix unbalanced IRQ enable in crash recovery
2025-06-19 4:21 ` Greg Kroah-Hartman
@ 2025-06-19 14:09 ` Casey Connolly
2025-06-19 14:53 ` Greg Kroah-Hartman
0 siblings, 1 reply; 378+ messages in thread
From: Casey Connolly @ 2025-06-19 14:09 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, Caleb Connolly, Loic Poulain, Jeff Johnson,
Sasha Levin
On 6/19/25 06:21, Greg Kroah-Hartman wrote:
> On Wed, Jun 18, 2025 at 08:06:45PM +0200, Casey Connolly wrote:
>>
>>
>> On 6/17/25 17:26, Greg Kroah-Hartman wrote:
>>> 6.6-stable review patch. If anyone has any objections, please let me know.
>>>
>>> ------------------
>>>
>>> From: Caleb Connolly <caleb.connolly@linaro.org>
>>>
>>> [ Upstream commit 1650d32b92b01db03a1a95d69ee74fcbc34d4b00 ]
>>>
>>> In ath10k_snoc_hif_stop() we skip disabling the IRQs in the crash
>>> recovery flow, but we still unconditionally call enable again in
>>> ath10k_snoc_hif_start().
>>>
>>> We can't check the ATH10K_FLAG_CRASH_FLUSH bit since it is cleared
>>> before hif_start() is called, so instead check the
>>> ATH10K_SNOC_FLAG_RECOVERY flag and skip enabling the IRQs during crash
>>> recovery.
>>>
>>> This fixes unbalanced IRQ enable splats that happen after recovering from
>>> a crash.
>>>
>>> Fixes: 0e622f67e041 ("ath10k: add support for WCN3990 firmware crash recovery")
>>> Signed-off-by: Caleb Connolly <caleb.connolly@linaro.org>
>>
>> If fixing my name is acceptable, that would be appreciated...
>
> I can, to what? This was a cherry-pick from what is in Linus's tree
> right now, and what was sent to the mailing list, was that incorrect?
s/Caleb/Casey/ I sent this patch before updating my name.
Kind regards,
>
> thanks,
>
> greg k-h
--
Casey (she/they)
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 296/356] ath10k: snoc: fix unbalanced IRQ enable in crash recovery
2025-06-19 14:09 ` Casey Connolly
@ 2025-06-19 14:53 ` Greg Kroah-Hartman
2025-06-19 14:59 ` Casey Connolly
0 siblings, 1 reply; 378+ messages in thread
From: Greg Kroah-Hartman @ 2025-06-19 14:53 UTC (permalink / raw)
To: Casey Connolly
Cc: stable, patches, Caleb Connolly, Loic Poulain, Jeff Johnson,
Sasha Levin
On Thu, Jun 19, 2025 at 04:09:00PM +0200, Casey Connolly wrote:
>
>
> On 6/19/25 06:21, Greg Kroah-Hartman wrote:
> > On Wed, Jun 18, 2025 at 08:06:45PM +0200, Casey Connolly wrote:
> > >
> > >
> > > On 6/17/25 17:26, Greg Kroah-Hartman wrote:
> > > > 6.6-stable review patch. If anyone has any objections, please let me know.
> > > >
> > > > ------------------
> > > >
> > > > From: Caleb Connolly <caleb.connolly@linaro.org>
> > > >
> > > > [ Upstream commit 1650d32b92b01db03a1a95d69ee74fcbc34d4b00 ]
> > > >
> > > > In ath10k_snoc_hif_stop() we skip disabling the IRQs in the crash
> > > > recovery flow, but we still unconditionally call enable again in
> > > > ath10k_snoc_hif_start().
> > > >
> > > > We can't check the ATH10K_FLAG_CRASH_FLUSH bit since it is cleared
> > > > before hif_start() is called, so instead check the
> > > > ATH10K_SNOC_FLAG_RECOVERY flag and skip enabling the IRQs during crash
> > > > recovery.
> > > >
> > > > This fixes unbalanced IRQ enable splats that happen after recovering from
> > > > a crash.
> > > >
> > > > Fixes: 0e622f67e041 ("ath10k: add support for WCN3990 firmware crash recovery")
> > > > Signed-off-by: Caleb Connolly <caleb.connolly@linaro.org>
> > >
> > > If fixing my name is acceptable, that would be appreciated...
> >
> > I can, to what? This was a cherry-pick from what is in Linus's tree
> > right now, and what was sent to the mailing list, was that incorrect?
>
> s/Caleb/Casey/ I sent this patch before updating my name.
Ah, sorry, I already did the release. I would recommend sending in a
.mailmap update for the kernel so this gets caught going forward.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 296/356] ath10k: snoc: fix unbalanced IRQ enable in crash recovery
2025-06-19 14:53 ` Greg Kroah-Hartman
@ 2025-06-19 14:59 ` Casey Connolly
0 siblings, 0 replies; 378+ messages in thread
From: Casey Connolly @ 2025-06-19 14:59 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, Caleb Connolly, Loic Poulain, Jeff Johnson,
Sasha Levin
On 6/19/25 16:53, Greg Kroah-Hartman wrote:
> On Thu, Jun 19, 2025 at 04:09:00PM +0200, Casey Connolly wrote:
>>
>>
>> On 6/19/25 06:21, Greg Kroah-Hartman wrote:
>>> On Wed, Jun 18, 2025 at 08:06:45PM +0200, Casey Connolly wrote:
>>>>
>>>>
>>>> On 6/17/25 17:26, Greg Kroah-Hartman wrote:
>>>>> 6.6-stable review patch. If anyone has any objections, please let me know.
>>>>>
>>>>> ------------------
>>>>>
>>>>> From: Caleb Connolly <caleb.connolly@linaro.org>
>>>>>
>>>>> [ Upstream commit 1650d32b92b01db03a1a95d69ee74fcbc34d4b00 ]
>>>>>
>>>>> In ath10k_snoc_hif_stop() we skip disabling the IRQs in the crash
>>>>> recovery flow, but we still unconditionally call enable again in
>>>>> ath10k_snoc_hif_start().
>>>>>
>>>>> We can't check the ATH10K_FLAG_CRASH_FLUSH bit since it is cleared
>>>>> before hif_start() is called, so instead check the
>>>>> ATH10K_SNOC_FLAG_RECOVERY flag and skip enabling the IRQs during crash
>>>>> recovery.
>>>>>
>>>>> This fixes unbalanced IRQ enable splats that happen after recovering from
>>>>> a crash.
>>>>>
>>>>> Fixes: 0e622f67e041 ("ath10k: add support for WCN3990 firmware crash recovery")
>>>>> Signed-off-by: Caleb Connolly <caleb.connolly@linaro.org>
>>>>
>>>> If fixing my name is acceptable, that would be appreciated...
>>>
>>> I can, to what? This was a cherry-pick from what is in Linus's tree
>>> right now, and what was sent to the mailing list, was that incorrect?
>>
>> s/Caleb/Casey/ I sent this patch before updating my name.
>
> Ah, sorry, I already did the release. I would recommend sending in a
> .mailmap update for the kernel so this gets caught going forward.
Ok, no worries.
I already updated mailmap and all the other references so this shouldn't
happen again, just bad timing with this patch.
Kind regards,>
> thanks,
>
> greg k-h
--
Casey (she/they)
^ permalink raw reply [flat|nested] 378+ messages in thread
* Re: [PATCH 6.6 025/356] powerpc: do not build ppc_save_regs.o always
2025-06-17 15:22 ` [PATCH 6.6 025/356] powerpc: do not build ppc_save_regs.o always Greg Kroah-Hartman
@ 2025-06-20 1:50 ` Shiji Yang
0 siblings, 0 replies; 378+ messages in thread
From: Shiji Yang @ 2025-06-20 1:50 UTC (permalink / raw)
To: gregkh; +Cc: jirislaby, maddy, patches, sashal, sfr, stable, Shiji Yang
Hi! This patch seems to have broken the build on powerpc. I guess
we also need to backport:
93bd4a80efeb ("powerpc/kernel: Fix ppc_save_regs inclusion in build")
Perhaps other stable versions need this patch, too.
Ref: https://github.com/openwrt/openwrt/actions/runs/15760870446/job/44427245071?pr=19183
^ permalink raw reply [flat|nested] 378+ messages in thread
end of thread, other threads:[~2025-06-20 1:50 UTC | newest]
Thread overview: 378+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-06-17 15:21 [PATCH 6.6 000/356] 6.6.94-rc1 review Greg Kroah-Hartman
2025-06-17 15:21 ` [PATCH 6.6 001/356] tracing: Fix compilation warning on arm32 Greg Kroah-Hartman
2025-06-17 15:21 ` [PATCH 6.6 002/356] pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 Greg Kroah-Hartman
2025-06-17 15:21 ` [PATCH 6.6 003/356] pinctrl: armada-37xx: set GPIO output value before setting direction Greg Kroah-Hartman
2025-06-17 15:21 ` [PATCH 6.6 004/356] acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 005/356] rtc: Make rtc_time64_to_tm() support dates before 1970 Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 006/356] rtc: Fix offset calculation for .start_secs < 0 Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 007/356] usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 008/356] usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 009/356] USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 010/356] usb: typec: ucsi: fix Clang -Wsign-conversion warning Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 011/356] Bluetooth: hci_qca: move the SoC type check to the right place Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 012/356] serial: jsm: fix NPE during jsm_uart_port_init Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 013/356] usb: usbtmc: Fix timeout value in get_stb Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 014/356] thunderbolt: Do not double dequeue a configuration request Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 015/356] dt-bindings: usb: cypress,hx3: Add support for all variants Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 016/356] dt-bindings: phy: imx8mq-usb: fix fsl,phy-tx-vboost-level-microvolt property Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 017/356] Revert "drm/amd/display: more liberal vmin/vmax update for freesync" Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 018/356] tools/x86/kcpuid: Fix error handling Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 019/356] x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt() Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 020/356] crypto: sun8i-ce-hash - fix error handling in sun8i_ce_hash_run() Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 021/356] gfs2: gfs2_create_inode error handling fix Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 022/356] perf/core: Fix broken throttling when max_samples_per_tick=1 Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 023/356] crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 024/356] crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 025/356] powerpc: do not build ppc_save_regs.o always Greg Kroah-Hartman
2025-06-20 1:50 ` Shiji Yang
2025-06-17 15:22 ` [PATCH 6.6 026/356] powerpc/crash: Fix non-smp kexec preparation Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 027/356] x86/microcode/AMD: Do not return error when microcode update is not necessary Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 028/356] x86/cpu: Sanitize CPUID(0x80000000) output Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 029/356] crypto: marvell/cesa - Handle zero-length skcipher requests Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 030/356] crypto: marvell/cesa - Avoid empty transfer descriptor Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 031/356] btrfs: scrub: update device stats when an error is detected Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 032/356] btrfs: scrub: fix a wrong error type when metadata bytenr mismatches Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 033/356] rcu/cpu_stall_cputime: fix the hardirq count for x86 architecture Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 034/356] crypto: lrw - Only add ecb if it is not already there Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 035/356] crypto: xts " Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 036/356] crypto: sun8i-ce - move fallback ahash_request to the end of the struct Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 037/356] kunit: Fix wrong parameter to kunit_deactivate_static_stub() Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 038/356] ACPICA: exserial: dont forget to handle FFixedHW opregions for reading Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 039/356] tools/nolibc/types.h: fix mismatched parenthesis in minor() Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 040/356] ASoC: tas2764: Enable main IRQs Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 041/356] EDAC/skx_common: Fix general protection fault Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 042/356] EDAC/{skx_common,i10nm}: Fix the loss of saved RRL for HBM pseudo channel 0 Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 043/356] tools/nolibc: fix integer overflow in i{64,}toa_r() and Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 044/356] spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 045/356] spi: tegra210-quad: remove redundant error handling code Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 046/356] spi: tegra210-quad: modify chip select (CS) deactivation Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 047/356] power: reset: at91-reset: Optimize at91_reset() Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 048/356] ASoC: SOF: ipc4-pcm: Adjust pipeline_list->pipelines allocation type Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 049/356] PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 050/356] x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges() Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 051/356] PM: sleep: Print PM debug messages during hibernation Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 052/356] ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions" Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 053/356] spi: sh-msiof: Fix maximum DMA transfer size Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 054/356] ASoC: apple: mca: Constrain channels according to TDM mask Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 055/356] drm/vmwgfx: Add seqno waiter for sync_files Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 056/356] drm/vc4: tests: Use return instead of assert Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 057/356] drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 058/356] media: rkvdec: Fix frame size enumeration Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 059/356] arm64/fpsimd: Avoid RES0 bits in the SME trap handler Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 060/356] arm64/fpsimd: Discard stale CPU state when handling SME traps Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 061/356] arm64/fpsimd: Fix merging of FPSIMD state during signal return Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 062/356] drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe() Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 063/356] fs/ntfs3: handle hdr_first_de() return value Greg Kroah-Hartman
2025-06-17 15:22 ` [PATCH 6.6 064/356] watchdog: exar: Shorten identity name to fit correctly Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 065/356] m68k: mac: Fix macintosh_config for Mac II Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 066/356] firmware: psci: Fix refcount leak in psci_dt_init Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 067/356] arm64: Support ARM64_VA_BITS=52 when setting ARCH_MMAP_RND_BITS_MAX Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 068/356] selftests/seccomp: fix syscall_restart test for arm compat Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 069/356] drm: rcar-du: Fix memory leak in rcar_du_vsps_init() Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 070/356] drm/vkms: Adjust vkms_state->active_planes allocation type Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 071/356] drm/tegra: rgb: Fix the unbound reference count Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 072/356] firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 073/356] arm64/fpsimd: Do not discard modified SVE state Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 074/356] scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 075/356] perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create() Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 076/356] drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 077/356] drm/mediatek: Fix kobject put for component sub-drivers Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 078/356] drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 079/356] xen/x86: fix initial memory balloon target Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 080/356] wifi: ath11k: fix node corruption in ar->arvifs list Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 081/356] IB/cm: use rwlock for MAD agent lock Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 082/356] selftests/bpf: Fix bpf_nf selftest failure Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 083/356] bpf: fix ktls panic with sockmap Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 084/356] bpf, sockmap: fix duplicated data transmission Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 085/356] bpf, sockmap: Fix panic when calling skb_linearize Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 086/356] wifi: ath12k: Fix WMI tag for EHT rate in peer assoc Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 087/356] f2fs: fix to do sanity check on sbi->total_valid_block_count Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 088/356] net: ncsi: Fix GCPS 64-bit member variables Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 089/356] libbpf: Fix buffer overflow in bpf_object__init_prog Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 090/356] xfrm: Use xdo.dev instead of xdo.real_dev Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 091/356] wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 092/356] wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 093/356] wifi: rtw88: do not ignore hardware read error during DPK Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 094/356] wifi: ath12k: Add MSDU length validation for TKIP MIC error Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 095/356] wifi: ath12k: fix node corruption in ar->arvifs list Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 096/356] RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 097/356] scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 098/356] libbpf: Remove sample_period init in perf_buffer Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 099/356] Use thread-safe function pointer in libbpf_print Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 100/356] iommu: Protect against overflow in iommu_pgsize() Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 101/356] bonding: assign random address if device address is same as bond Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 102/356] f2fs: clean up w/ fscrypt_is_bounce_page() Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 103/356] f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed() Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 104/356] libbpf: Use proper errno value in linker Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 105/356] bpf: Allow XDP dev-bound programs to perform XDP_REDIRECT into maps Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 106/356] netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 107/356] netfilter: nft_quota: match correctly when the quota just depleted Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 108/356] RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 109/356] bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 110/356] tracing: Move histogram trigger variables from stack to per CPU structure Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 111/356] clk: qcom: camcc-sm6350: Add *_wait_val values for GDSCs Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 112/356] clk: qcom: dispcc-sm6350: " Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 113/356] clk: qcom: gcc-sm6350: " Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 114/356] clk: qcom: gpucc-sm6350: " Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 115/356] clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 116/356] efi/libstub: Describe missing out parameter in efi_load_initrd Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 117/356] tracing: Rename event_trigger_alloc() to trigger_data_alloc() Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 118/356] tracing: Fix error handling in event_trigger_parse() Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 119/356] ktls, sockmap: Fix missing uncharge operation Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 120/356] libbpf: Use proper errno value in nlattr Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 121/356] pinctrl: at91: Fix possible out-of-boundary access Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 122/356] bpf: Fix WARN() in get_bpf_raw_tp_regs Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 123/356] clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz Greg Kroah-Hartman
2025-06-17 15:23 ` [PATCH 6.6 124/356] s390/bpf: Store backchain even for leaf progs Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 125/356] wifi: rtw88: fix the para buffer size to avoid reading out of bounds Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 126/356] iommu: remove duplicate selection of DMAR_TABLE Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 127/356] wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 128/356] hisi_acc_vfio_pci: fix XQE dma address error Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 129/356] hisi_acc_vfio_pci: add eq and aeq interruption restore Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 130/356] hisi_acc_vfio_pci: bugfix live migration function without VF device driver Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 131/356] wifi: ath9k_htc: Abort software beacon handling if disabled Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 132/356] scsi: ufs: mcq: Delete ufshcd_release_scsi_cmd() in ufshcd_mcq_abort() Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 133/356] kernfs: Relax constraint in draining guard Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 134/356] wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 135/356] wifi: mt76: mt7996: set EHT max ampdu length capability Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 136/356] wifi: mt76: mt7996: fix RX buffer size of MCU event Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 137/356] netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 138/356] vfio/type1: Fix error unwind in migration dirty bitmap allocation Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 139/356] Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach() Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 140/356] bpf, sockmap: Avoid using sk_socket after free when sending Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 141/356] netfilter: nft_tunnel: fix geneve_opt dump Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 142/356] RISC-V: KVM: lock the correct mp_state during reset Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 143/356] net: usb: aqc111: fix error handling of usbnet read calls Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 144/356] RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 145/356] net: lan966x: Fix 1-step timestamping over ipv4 or ipv6 Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 146/356] bpf: Avoid __bpf_prog_ret0_warn when jit fails Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 147/356] net: phy: clear phydev->devlink when the link is deleted Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 148/356] net: phy: fix up const issues in to_mdio_device() and to_phy_device() Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 149/356] net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 150/356] net: phy: mscc: Fix memory leak when using one step timestamping Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 151/356] octeontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 152/356] calipso: Dont call calipso functions for AF_INET sk Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 153/356] net: openvswitch: Fix the dead loop of MPLS parse Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 154/356] net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 155/356] f2fs: use d_inode(dentry) cleanup dentry->d_inode Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 156/356] f2fs: fix to correct check conditions in f2fs_cross_rename Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 157/356] arm64: dts: qcom: sdm845-starqltechn: remove wifi Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 158/356] arm64: dts: qcom: sdm845-starqltechn: fix usb regulator mistake Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 159/356] arm64: dts: qcom: sdm845-starqltechn: refactor node order Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 160/356] arm64: dts: qcom: sdm845-starqltechn: remove excess reserved gpios Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 161/356] arm64: dts: qcom: sm8350: Reenable crypto & cryptobam Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 162/356] arm64: dts: qcom: sm8250: Fix CPU7 opp table Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 163/356] arm64: dts: qcom: sc8280xp-x13s: Drop duplicate DMIC supplies Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 164/356] ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 165/356] ARM: dts: at91: at91sam9263: fix NAND chip selects Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 166/356] arm64: dts: mediatek: mt8195: Reparent vdec1/2 and venc1 power domains Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 167/356] arm64: dts: qcom: sdm660-xiaomi-lavender: Add missing SD card detect GPIO Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 168/356] arm64: dts: imx8mm-beacon: Fix RTC capacitive load Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 169/356] arm64: dts: imx8mn-beacon: " Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 170/356] arm64: dts: imx8mp-beacon: " Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 171/356] arm64: dts: imx8mm-beacon: Set SAI5 MCLK direction to output for HDMI audio Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 172/356] arm64: dts: imx8mn-beacon: " Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 173/356] arm64: dts: mediatek: mt6357: Drop regulator-fixed compatibles Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 174/356] arm64: dts: mt6359: Add missing compatible property to regulators node Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 175/356] arm64: dts: qcom: sdm660-lavender: Add missing USB phy supply Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 176/356] arm64: dts: qcom: sda660-ifc6560: Fix dt-validate warning Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 177/356] arm64: dts: rockchip: Update eMMC for NanoPi R5 series Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 178/356] arm64: tegra: Drop remaining serial clock-names and reset-names Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 179/356] arm64: dts: ti: k3-j721e-common-proc-board: Enable OSPI1 on J721E Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 180/356] Squashfs: check return result of sb_min_blocksize Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 181/356] ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 182/356] nilfs2: add pointer check for nilfs_direct_propagate() Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 183/356] nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() Greg Kroah-Hartman
2025-06-17 15:24 ` [PATCH 6.6 184/356] bus: fsl-mc: fix double-free on mc_dev Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 185/356] dt-bindings: vendor-prefixes: Add Liontron name Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 186/356] ARM: dts: qcom: apq8064: add missing clocks to the timer node Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 187/356] ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon device Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 188/356] arm64: defconfig: mediatek: enable PHY drivers Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 189/356] arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 190/356] arm64: dts: renesas: white-hawk-ard-audio: Fix TPU0 groups Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 191/356] arm64: dts: mt6359: Rename RTC node to match binding expectations Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 192/356] ARM: aspeed: Dont select SRAM Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 193/356] soc: aspeed: lpc: Fix impossible judgment condition Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 194/356] soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 195/356] fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 196/356] randstruct: gcc-plugin: Remove bogus void member Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 197/356] randstruct: gcc-plugin: Fix attribute addition Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 198/356] perf build: Warn when libdebuginfod devel files are not available Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 199/356] perf ui browser hists: Set actions->thread before calling do_zoom_thread() Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 200/356] dm: dont change md if dm_table_set_restrictions() fails Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 201/356] dm: free table mempools if not used in __bind Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 202/356] backlight: pm8941: Add NULL check in wled_configure() Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 203/356] mtd: nand: ecc-mxic: Fix use of uninitialized variable ret Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 204/356] hwmon: (asus-ec-sensors) check sensor index in read_string() Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 205/356] dm-flakey: error all IOs when num_features is absent Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 206/356] dm-flakey: make corrupting read bios work Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 207/356] perf trace: Fix leaks of struct thread in set_filter_loop_pids() Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 208/356] perf intel-pt: Fix PEBS-via-PT data_src Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 209/356] perf scripts python: exported-sql-viewer.py: Fix pattern matching with Python 3 Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 210/356] remoteproc: qcom_wcnss_iris: Add missing put_device() on error in probe Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 211/356] remoteproc: k3-r5: Drop check performed in k3_r5_rproc_{mbox_callback/kick} Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 212/356] rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 213/356] mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 214/356] mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 215/356] perf tests switch-tracking: Fix timestamp comparison Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 216/356] perf record: Fix incorrect --user-regs comments Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 217/356] perf trace: Always print return value for syscalls returning a pid Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 218/356] nfs: clear SB_RDONLY before getting superblock Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 219/356] nfs: ignore SB_RDONLY when remounting nfs Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 220/356] cifs: Fix validation of SMB1 query reparse point response Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 221/356] rtc: sh: assign correct interrupts with DT Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 222/356] PCI: Print the actual delay time in pci_bridge_wait_for_secondary_bus() Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 223/356] PCI: cadence: Fix runtime atomic count underflow Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 224/356] PCI: apple: Use gpiod_set_value_cansleep in probe flow Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 225/356] PCI: Explicitly put devices into D0 when initializing Greg Kroah-Hartman
2025-06-17 16:09 ` Limonciello, Mario
2025-06-17 15:25 ` [PATCH 6.6 226/356] phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 227/356] dmaengine: ti: Add NULL check in udma_probe() Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 228/356] PCI/DPC: Initialize aer_err_info before using it Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 229/356] rtc: loongson: Add missing alarm notifications for ACPI RTC events Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 230/356] usb: renesas_usbhs: Reorder clock handling and power management in probe Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 231/356] serial: Fix potential null-ptr-deref in mlb_usio_probe() Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 232/356] thunderbolt: Fix a logic error in wake on connect Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 233/356] iio: filter: admv8818: fix band 4, state 15 Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 234/356] iio: filter: admv8818: fix integer overflow Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 235/356] iio: filter: admv8818: fix range calculation Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 236/356] iio: filter: admv8818: Support frequencies >= 2^32 Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 237/356] iio: adc: ad7124: Fix 3dB filter frequency reading Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 238/356] MIPS: Loongson64: Add missing #interrupt-cells for loongson64c_ls7a Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 239/356] counter: interrupt-cnt: Protect enable/disable OPs with mutex Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 240/356] fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt() Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 241/356] coresight: prevent deactivate active config while enabling the config Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 242/356] vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 243/356] net: stmmac: platform: guarantee uniqueness of bus_id Greg Kroah-Hartman
2025-06-17 15:25 ` [PATCH 6.6 244/356] gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 245/356] net: tipc: fix refcount warning in tipc_aead_encrypt Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 246/356] driver: net: ethernet: mtk_star_emac: fix suspend/resume issue Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 247/356] net/mlx4_en: Prevent potential integer overflow calculating Hz Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 248/356] net: lan966x: Make sure to insert the vlan tags also in host mode Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 249/356] spi: bcm63xx-spi: fix shared reset Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 250/356] spi: bcm63xx-hsspi: " Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 251/356] Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 252/356] ice: fix Tx scheduler error handling in XDP callback Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 253/356] ice: create new Tx scheduler nodes for new queues only Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 254/356] ice: fix rebuilding the Tx scheduler tree for large queue counts Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 255/356] net: dsa: tag_brcm: legacy: fix pskb_may_pull length Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 256/356] net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 257/356] net: Fix checksum update for ILA adj-transport Greg Kroah-Hartman
2025-06-18 16:57 ` Paul Chaignon
2025-06-19 4:22 ` Greg Kroah-Hartman
2025-06-19 7:50 ` Paul Chaignon
2025-06-17 15:26 ` [PATCH 6.6 258/356] net: fix udp gso skb_segment after pull from frag_list Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 259/356] net: wwan: t7xx: Fix napi rx poll issue Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 260/356] vmxnet3: correctly report gso type for UDP tunnels Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 261/356] PM: sleep: Fix power.is_suspended cleanup for direct-complete devices Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 262/356] gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 263/356] netfilter: nf_set_pipapo_avx2: fix initial map fill Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 264/356] netfilter: nf_nat: also check reverse tuple to obtain clashing entry Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 265/356] net: dsa: b53: do not enable RGMII delay on bcm63xx Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 266/356] net: dsa: b53: allow RGMII for bcm63xx RGMII ports Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 267/356] wireguard: device: enable threaded NAPI Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 268/356] seg6: Fix validation of nexthop addresses Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 269/356] scsi: ufs: qcom: Prevent calling phy_exit() before phy_init() Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 270/356] ASoC: codecs: hda: Fix RPM usage count underflow Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 271/356] ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 272/356] ASoC: Intel: avs: Verify content returned by parse_int_array() Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 273/356] ASoC: ti: omap-hdmi: Re-add dai_link->platform to fix card init Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 274/356] path_overmount(): avoid false negatives Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 275/356] fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2) Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 276/356] do_change_type(): refuse to operate on unmounted/not ours mounts Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 277/356] net: dsa: microchip: update tag_ksz masks for KSZ9477 family Greg Kroah-Hartman
2025-06-17 20:23 ` Pieter Van Trappen
2025-06-18 13:09 ` Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 278/356] net: dsa: microchip: linearize skb for tail-tagging switches Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 279/356] pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id() Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 280/356] Input: synaptics-rmi - fix crash with unsupported versions of F34 Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 281/356] kasan: use unchecked __memset internally Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 282/356] arm64: dts: ti: k3-am65-main: Fix sdhci node properties Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 283/356] arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0 Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 284/356] arm64: dts: ti: k3-j721e-sk: Model CSI2RX connector mux Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 285/356] arm64: dts: ti: k3-j721e-sk: Add support for multiple CAN instances Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 286/356] arm64: dts: ti: k3-j721e-sk: Add DT nodes for power regulators Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 287/356] serial: sh-sci: Check if TX data was written to device in .tx_empty() Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 288/356] serial: sh-sci: Move runtime PM enable to sci_probe_single() Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 289/356] serial: sh-sci: Clean sci_ports[0] after at earlycon exit Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 290/356] scsi: core: ufs: Fix a hang in the error handler Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 291/356] Bluetooth: hci_core: fix list_for_each_entry_rcu usage Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 292/356] Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 293/356] Bluetooth: MGMT: Remove unused mgmt_pending_find_data Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 294/356] Bluetooth: MGMT: Protect mgmt_pending list with its own lock Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 295/356] ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 296/356] ath10k: snoc: fix unbalanced IRQ enable in crash recovery Greg Kroah-Hartman
2025-06-18 18:06 ` Casey Connolly
2025-06-19 4:21 ` Greg Kroah-Hartman
2025-06-19 14:09 ` Casey Connolly
2025-06-19 14:53 ` Greg Kroah-Hartman
2025-06-19 14:59 ` Casey Connolly
2025-06-17 15:26 ` [PATCH 6.6 297/356] wifi: ath11k: fix soc_dp_stats debugfs file permission Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 298/356] wifi: ath11k: convert timeouts to secs_to_jiffies() Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 299/356] wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request() Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 300/356] wifi: ath11k: dont use static variables in ath11k_debugfs_fw_stats_process() Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 301/356] wifi: ath11k: dont wait when there is no vdev started Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 302/356] wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 303/356] regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt() Greg Kroah-Hartman
2025-06-17 15:26 ` [PATCH 6.6 304/356] pinctrl: qcom: pinctrl-qcm2290: Add missing pins Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 305/356] scsi: iscsi: Fix incorrect error path labels for flashnode operations Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 306/356] net_sched: sch_sfq: fix a potential crash on gso_skb handling Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 307/356] powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 308/356] powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 309/356] drm/meson: use unsigned long long / Hz for frequency types Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 310/356] drm/meson: fix debug log statement when setting the HDMI clocks Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 311/356] drm/meson: use vclk_freq instead of pixel_freq in debug print Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 312/356] drm/meson: fix more rounding issues with 59.94Hz modes Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 313/356] i40e: return false from i40e_reset_vf if reset is in progress Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 314/356] i40e: retry VFLR handling if there is ongoing VF reset Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 315/356] ACPI: CPPC: Fix NULL pointer dereference when nosmp is used Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 316/356] net: Fix TOCTOU issue in sk_is_readable() Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 317/356] macsec: MACsec SCI assignment for ES = 0 Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 318/356] net/mdiobus: Fix potential out-of-bounds read/write access Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 319/356] net/mdiobus: Fix potential out-of-bounds clause 45 " Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 320/356] Bluetooth: Fix NULL pointer deference on eir_get_service_data Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 321/356] Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 322/356] Bluetooth: MGMT: Fix sparse errors Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 323/356] net/mlx5: Ensure fw pages are always allocated on same NUMA Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 324/356] net/mlx5: Fix ECVF vports unload on shutdown flow Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 325/356] net/mlx5: Fix return value when searching for existing flow group Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 326/356] net/mlx5e: Fix leak of Geneve TLV option object Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 327/356] net_sched: prio: fix a race in prio_tune() Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 329/356] net_sched: tbf: fix a race in tbf_change() Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 330/356] net_sched: ets: fix a race in ets_qdisc_change() Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 332/356] nvmet-fcloop: access fcpreq only when holding reqlock Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 333/356] perf: Ensure bpf_perf_link path is properly serialized Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 334/356] bio: Fix bio_first_folio() for SPARSEMEM without VMEMMAP Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 335/356] block: Fix bvec_set_folio() for very large folios Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 336/356] tools/resolve_btfids: Fix build when cross compiling kernel with clang Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 337/356] ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 338/356] HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 339/356] io_uring: add io_file_can_poll() helper Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 340/356] io_uring/rw: allow pollable non-blocking attempts for !FMODE_NOWAIT Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 341/356] io_uring/rw: fix wrong NOWAIT check in io_rw_init_file() Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 342/356] Revert "io_uring: ensure deferred completions are posted for multishot" Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 343/356] posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 344/356] kbuild: Disable -Wdefault-const-init-unsafe Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 345/356] usb: usbtmc: Fix read_stb function and get_stb ioctl Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 346/356] VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 347/356] usb: cdnsp: Fix issue with detecting command completion event Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 348/356] usb: cdnsp: Fix issue with detecting USB 3.2 speed Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 349/356] usb: Flush altsetting 0 endpoints before reinitializating them after reset Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 350/356] usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 351/356] xen/arm: call uaccess_ttbr0_enable for dm_op hypercall Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 352/356] x86/iopl: Cure TIF_IO_BITMAP inconsistencies Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 353/356] calipso: unlock rcu before returning -EAFNOSUPPORT Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 354/356] regulator: dt-bindings: mt6357: Drop fixed compatible requirement Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 355/356] net: usb: aqc111: debug info before sanitation Greg Kroah-Hartman
2025-06-17 15:27 ` [PATCH 6.6 356/356] drm/meson: Use 1000ULL when operating with mode->clock Greg Kroah-Hartman
2025-06-17 16:31 ` [PATCH 6.6 000/356] 6.6.94-rc1 review Florian Fainelli
2025-06-17 21:19 ` Shuah Khan
2025-06-18 5:43 ` Peter Schneider
2025-06-18 6:34 ` Ron Economos
2025-06-18 6:41 ` Jon Hunter
2025-06-18 10:20 ` Naresh Kamboju
2025-06-18 12:02 ` Mark Brown
2025-06-18 12:45 ` Miguel Ojeda
2025-06-18 17:58 ` Hardik Garg
2025-06-19 6:48 ` Harshit Mogalapalli
2025-06-19 7:53 ` Pavel Machek
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).